Malware Analysis Report

2025-03-15 08:02

Sample ID 240815-mhwvgayblh
Target 2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat
SHA256 208297709d5170b955043494875092131d07ddc4b69e188d13687d986a8d1232
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

208297709d5170b955043494875092131d07ddc4b69e188d13687d986a8d1232

Threat Level: Known bad

The file 2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family (cobaltstrike)

Cobalt Strike reflective loader

Xmrig family (xmrig)

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A (the sandbox recorded no technique mapping for this sample; the signature names under each analysis below are the only classification it provides)

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:28

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 match; no description, indicator, process or target recorded)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
(1 match; no description, indicator, process or target recorded)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 match; no description, indicator, process or target recorded)

Unsigned PE

Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)
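The two static1 verdicts that carry weight, "UPX packed file" and "Unsigned PE", come from header-level facts: UPX leaves its UPX0/UPX1 section names in the packed image, and an unsigned PE has an empty Certificate Table entry in the optional header's data directories. The Python below is an added example, not part of the sandbox's report or its signature code, that reads both facts from a PE header using only the standard library. Because the binary itself is not on this page, the block builds its own header-only test images (constructed inputs, not this sample). Two caveats a practitioner should keep in mind: a packer that renames its sections defeats the name check, so section entropy is the more robust packing signal, and a non-empty Certificate Table only says a signature blob is present, not that it verifies or chains to a trusted root.

```python
import struct

# Data directories begin 96 bytes into a PE32 optional header and 112 bytes
# into a PE32+ one; NumberOfRvaAndSizes sits in the 4 bytes just before them.
# Directory entry 4 is the Certificate Table (Authenticode signature blob).
DIRS_OFF = {0x10B: 96, 0x20B: 112}
CERT_DIR = 4


def pe_static_checks(data: bytes) -> dict:
    """Report section names, UPX marker and Authenticode presence for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in DIRS_OFF:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + DIRS_OFF[magic]
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    cert_size = 0
    if ndirs > CERT_DIR:
        _, cert_size = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR)
    sec = opt + opt_size                     # section table: 40-byte entries, 8-byte names
    names = [data[sec + 40 * i: sec + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsec)]
    return {
        "arch": "x64" if magic == 0x20B else "x86",
        "machine": machine,
        "sections": names,
        "upx_sections": any(n.upper().startswith("UPX") for n in names),
        "has_authenticode": cert_size > 0,
    }


def build_pe(section_names, signed=False, pe32plus=True) -> bytes:
    """Build a minimal header-only PE (constructed test input, not a runnable binary)."""
    magic = 0x20B if pe32plus else 0x10B
    opt_size = DIRS_OFF[magic] + 16 * 8      # standard header with all 16 directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, DIRS_OFF[magic] - 4, 16)
    if signed:
        # Certificate Table: file offset and size of a (here absent) PKCS#7 blob
        struct.pack_into("<II", opt, DIRS_OFF[magic] + 8 * CERT_DIR, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    secs = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


def triage(data: bytes) -> list:
    """Translate the header facts into the sandbox's static-signature vocabulary."""
    info = pe_static_checks(data)
    findings = []
    if info["upx_sections"]:
        findings.append("UPX packed file")
    if not info["has_authenticode"]:
        findings.append("Unsigned PE")
    return findings


if __name__ == "__main__":
    print(triage(build_pe(["UPX0", "UPX1", ".rsrc"])))
```

On a real file, replace the constructed image with `open(path, "rb").read()`; the parser does not touch section contents, so it is safe to run on untrusted samples but will not see a packer that ships renamed sections.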

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:28

Reported

2024-08-15 10:31

Platform

win7-20240729-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(43 matches; no description, indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
(21 matches, the same number as dropped executables; Process: C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe in every row; no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
(64 matches; no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DbkcpEn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bNVftTp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tTtQsNo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YHVqpWc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\awRTQUL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XNYVkuE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CfNTXLV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oDiZrtd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iCZxnZC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jpLbLFI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ucdPksu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Knmjeye.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RQtVjcm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qwwDpjd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\epdNwky.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qqAPBBI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fTYRbcc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kQiAjOf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\baENvmq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IzZHjtn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pVmmHac.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Every row of the original table appears three times (three writes from PID 2084 into each child); the table is collapsed here to one row per child. The Process column is the submitted sample, C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe, in every row.
PID 2084 wrote to memory of 2372 (3 writes) N/A C:\Windows\System\DbkcpEn.exe
PID 2084 wrote to memory of 2332 (3 writes) N/A C:\Windows\System\qwwDpjd.exe
PID 2084 wrote to memory of 2312 (3 writes) N/A C:\Windows\System\epdNwky.exe
PID 2084 wrote to memory of 2328 (3 writes) N/A C:\Windows\System\qqAPBBI.exe
PID 2084 wrote to memory of 2728 (3 writes) N/A C:\Windows\System\CfNTXLV.exe
PID 2084 wrote to memory of 2908 (3 writes) N/A C:\Windows\System\oDiZrtd.exe
PID 2084 wrote to memory of 2248 (3 writes) N/A C:\Windows\System\bNVftTp.exe
PID 2084 wrote to memory of 2472 (3 writes) N/A C:\Windows\System\iCZxnZC.exe
PID 2084 wrote to memory of 1932 (3 writes) N/A C:\Windows\System\tTtQsNo.exe
PID 2084 wrote to memory of 2844 (3 writes) N/A C:\Windows\System\fTYRbcc.exe
PID 2084 wrote to memory of 2452 (3 writes) N/A C:\Windows\System\jpLbLFI.exe
PID 2084 wrote to memory of 2228 (3 writes) N/A C:\Windows\System\kQiAjOf.exe
PID 2084 wrote to memory of 2776 (3 writes) N/A C:\Windows\System\YHVqpWc.exe
PID 2084 wrote to memory of 320 (3 writes) N/A C:\Windows\System\awRTQUL.exe
PID 2084 wrote to memory of 284 (3 writes) N/A C:\Windows\System\ucdPksu.exe
PID 2084 wrote to memory of 1516 (3 writes) N/A C:\Windows\System\IzZHjtn.exe
PID 2084 wrote to memory of 2420 (3 writes) N/A C:\Windows\System\baENvmq.exe
PID 2084 wrote to memory of 1376 (3 writes) N/A C:\Windows\System\XNYVkuE.exe
PID 2084 wrote to memory of 2668 (3 writes) N/A C:\Windows\System\pVmmHac.exe
PID 2084 wrote to memory of 860 (3 writes) N/A C:\Windows\System\RQtVjcm.exe
PID 2084 wrote to memory of 1448 (3 writes) N/A C:\Windows\System\Knmjeye.exe

Caveat: the targets are all children the sample itself had just created, and the write pattern is identical for every one of the 21. That is consistent with ordinary process start-up on this platform rather than with injection into an unrelated process, so this signature on its own does not establish code injection; the per-PID dumps under Files are where injected code would show up.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\DbkcpEn.exe

C:\Windows\System\DbkcpEn.exe

C:\Windows\System\qwwDpjd.exe

C:\Windows\System\qwwDpjd.exe

C:\Windows\System\epdNwky.exe

C:\Windows\System\epdNwky.exe

C:\Windows\System\qqAPBBI.exe

C:\Windows\System\qqAPBBI.exe

C:\Windows\System\CfNTXLV.exe

C:\Windows\System\CfNTXLV.exe

C:\Windows\System\oDiZrtd.exe

C:\Windows\System\oDiZrtd.exe

C:\Windows\System\bNVftTp.exe

C:\Windows\System\bNVftTp.exe

C:\Windows\System\iCZxnZC.exe

C:\Windows\System\iCZxnZC.exe

C:\Windows\System\tTtQsNo.exe

C:\Windows\System\tTtQsNo.exe

C:\Windows\System\fTYRbcc.exe

C:\Windows\System\fTYRbcc.exe

C:\Windows\System\jpLbLFI.exe

C:\Windows\System\jpLbLFI.exe

C:\Windows\System\kQiAjOf.exe

C:\Windows\System\kQiAjOf.exe

C:\Windows\System\YHVqpWc.exe

C:\Windows\System\YHVqpWc.exe

C:\Windows\System\awRTQUL.exe

C:\Windows\System\awRTQUL.exe

C:\Windows\System\ucdPksu.exe

C:\Windows\System\ucdPksu.exe

C:\Windows\System\IzZHjtn.exe

C:\Windows\System\IzZHjtn.exe

C:\Windows\System\baENvmq.exe

C:\Windows\System\baENvmq.exe

C:\Windows\System\XNYVkuE.exe

C:\Windows\System\XNYVkuE.exe

C:\Windows\System\pVmmHac.exe

C:\Windows\System\pVmmHac.exe

C:\Windows\System\RQtVjcm.exe

C:\Windows\System\RQtVjcm.exe

C:\Windows\System\Knmjeye.exe

C:\Windows\System\Knmjeye.exe
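The process list above is the whole of behavioral1's story: one process run from %LOCALAPPDATA%\Temp writes 21 executables with random seven-letter names into C:\Windows\System (the legacy directory, not System32; it rarely receives new executables on a healthy host), then starts each of them. As an added example, not taken from this report or from any vendor rule set, the following Python expresses that chain as a detection over constructed events modelled on Sysmon's FileCreate and ProcessCreate records (the field names and the helper constructors are this example's own, and the submitted file's long name is shortened to sample.exe). It escalates severity when one parent launches several of its own drops, and includes a benign installer that stages under Program Files to show what the rule does not fire on.

```python
import re
from collections import defaultdict

TEMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)   # parent runs from a user-writable staging dir
WINDOWS_DIR = re.compile(r"^C:\\Windows\\.*\.exe$", re.I)     # drop lands as an .exe inside the OS tree

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"    # the submitted file, name shortened
SETUP = r"C:\Users\Admin\AppData\Local\Temp\setup.exe"      # hypothetical benign installer


def file_create(ts, pid, image, target):
    return {"ts": ts, "type": "file_create", "pid": pid, "image": image, "target": target}


def process_create(ts, pid, ppid, parent_image, image):
    return {"ts": ts, "type": "process_create", "pid": pid, "parent_pid": ppid,
            "parent_image": parent_image, "image": image}


# Constructed events; PIDs and paths follow the behavioral1 run above.
EVENTS = [
    file_create(1, 2084, SAMPLE, r"C:\Windows\System\DbkcpEn.exe"),
    file_create(2, 2084, SAMPLE, r"C:\Windows\System\qwwDpjd.exe"),
    file_create(3, 2084, SAMPLE, r"C:\Windows\System\epdNwky.exe"),
    process_create(4, 2372, 2084, SAMPLE, r"C:\Windows\System\DbkcpEn.exe"),
    process_create(5, 2332, 2084, SAMPLE, r"C:\Windows\System\qwwDpjd.exe"),
    process_create(6, 2312, 2084, SAMPLE, r"C:\Windows\System\epdNwky.exe"),
    # Installer run from Temp that stages under Program Files: not a Windows-directory drop
    file_create(7, 3000, SETUP, r"C:\Program Files\App\app.exe"),
    process_create(8, 3001, 3000, SETUP, r"C:\Program Files\App\app.exe"),
    # Pre-existing OS binary started by services.exe: that parent dropped nothing
    process_create(9, 3002, 500, r"C:\Windows\System32\services.exe",
                   r"C:\Windows\System32\svchost.exe"),
]


def detect_temp_dropper(events, mass_threshold=3):
    """Flag a Temp-resident process that writes an .exe under C:\\Windows and then runs it."""
    drops = defaultdict(dict)      # parent pid -> {lower-cased dropped path: creation ts}
    launched = defaultdict(set)    # parent pid -> dropped paths it subsequently executed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_create":
            if (TEMP_IMAGE.search(ev["image"]) and WINDOWS_DIR.match(ev["target"])):
                drops[ev["pid"]][ev["target"].lower()] = ev["ts"]
        elif ev["type"] == "process_create":
            ppid, image = ev["parent_pid"], ev["image"].lower()
            if image in drops.get(ppid, {}):       # child is a file this same parent wrote
                launched[ppid].add(image)
                alerts.append({"ts": ev["ts"], "parent_pid": ppid,
                               "parent_image": ev["parent_image"], "pid": ev["pid"],
                               "image": ev["image"], "dropped_at": drops[ppid][image]})
    # One drop-and-run is suspicious; a parent cycling through several of its own drops is worse.
    for a in alerts:
        a["severity"] = "high" if len(launched[a["parent_pid"]]) >= mass_threshold else "medium"
    return alerts


def summarize(alerts):
    """Distinct dropped executables launched per parent PID."""
    per_parent = defaultdict(set)
    for a in alerts:
        per_parent[a["parent_pid"]].add(a["image"])
    return {pid: len(paths) for pid, paths in per_parent.items()}


if __name__ == "__main__":
    for a in detect_temp_dropper(EVENTS):
        print(a["severity"], a["parent_pid"], "->", a["pid"], a["image"])
```

The drop must precede the launch and come from the same parent PID; matching on path alone would also fire on Windows servicing writing into its own directories. Tune mass_threshold to the environment, and feed the rule the real Sysmon fields (Image, TargetFilename, ParentProcessId) in place of the constructed records.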

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain resolved) tcp
The original table lists this row six times: six separate TCP connections to the same endpoint within the 150 s network window. It is the only network indicator in the run, and the sandbox recorded no protocol content that would tie it to a particular Cobalt Strike or XMRig configuration, so treat it as a hunting indicator rather than as confirmed attribution of either family.

Files

memory/2084-0-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2084-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\DbkcpEn.exe

MD5 d73f7b3dc46484a3f43a60b41f17144e
SHA1 71567d6d4efc91ab09d6f7207ab923ab01f932fc
SHA256 280c054317260d9611e77d742c43fab7fa4f3260d15f1b8d623fa7b46a5f3101
SHA512 9021427beb693a079c4b2572f271a9fbffc018c0987f4fbc424f903f632e1d8c7597d8d235deb72d06622c9f209f1288bf6eaca02269e10325088e95c69eb3f0

\Windows\system\epdNwky.exe

MD5 93530e2f9d751e64651a84e10dcad873
SHA1 3c31f1cb1316c8f688127211efa26b26a3312b2f
SHA256 f988d7fd88cd344bd171dfb6c8ec726b31599d09f547ef891a471be1a997e201
SHA512 8e66ded956e9844cae1e62cf198f51c31afb9f4b06c60749d8ca062356cfd68dedf59d7631f51fc62977f9b132ecf75f570d903a35075636816ad9447527c93e

memory/2084-15-0x000000013F9C0000-0x000000013FD11000-memory.dmp

C:\Windows\system\qwwDpjd.exe

MD5 f85bbeb3156be7a676097b1523b4c0a7
SHA1 99f726d8633fda46a6699d44f7f8c26a03bc495f
SHA256 56ea4700084b209b5243f4c8f20e949d2882877ba5b6d91971774a6c0ba64a1f
SHA512 4d3e8e61eaf9b715bb5a2dd0e194b386b7109253e09d131221b492de4a1515ca2d7116bd289067b7b95f85bf0d4ed9fc7492bd4da356a10896423d12fcfc4957

memory/2312-18-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/2372-19-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2332-22-0x000000013F9C0000-0x000000013FD11000-memory.dmp

C:\Windows\system\qqAPBBI.exe

MD5 bde6bc248d123165468314b418ec641f
SHA1 9939dc8cf9b4d0a062114399dd931dca3651ba58
SHA256 ffcbb43b0848759d2ec3ecd805a31e3752b44a040b88e9549feac7da42ae3c37
SHA512 076f47d7ba1e5db433c28ca2584a7f16a66590de022ed212043c9294edf61c10ed0a406cfdbf66918df96f10eabe7082989c1c2634061049cf551c034bcce99d

C:\Windows\system\CfNTXLV.exe

MD5 a989dc64b4b01a8c23b6315213572cb3
SHA1 eff5824bd669487f565f1c9d8b9ab023dc4007f7
SHA256 dac1767164610ba857c6752bd3b1dd69d268eb33c503b797a3e8afbb300953eb
SHA512 e7b25fa8ae9459616bdfdf71e9adf864b311b45dacb08d0fd5547f36493cc1c2c24556e9b113e051960cff49478d65d524414bd9392f4485ea7f207e813ca140

memory/2728-34-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2084-38-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/1932-64-0x000000013FC90000-0x000000013FFE1000-memory.dmp

\Windows\system\fTYRbcc.exe

MD5 c24900801220393785e91b6d7628d07f
SHA1 fef9032aaf5c0c1278ad27a1706f81e6ec01b646
SHA256 5ebf510f4ece133fa5d43615d19f447a405a6d6d34267e93cb4d0146bddcff5e
SHA512 fc4dcd480fd88d53ddc9b66a1eac42846e5120bf16d10c599d34bd10e818e21dac6e08ee62d7fe5c8f336175c5e19216d04c761f29ae1637d484eef2020e158c

memory/2084-66-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2248-50-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2472-62-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2908-39-0x000000013FBC0000-0x000000013FF11000-memory.dmp

C:\Windows\system\oDiZrtd.exe

MD5 e30ea9d4c0ad503a376b4d98866cb862
SHA1 4aa6585052717c94cace49cf5a718b61f8292c70
SHA256 749b3d249bd5b6f17c8063212f5b35f6d5aad802a1c0e0cf1f94fa2bfdbff199
SHA512 fa608d763c821cd00b27116d72d4ae456575c3b84d4afcb7a38e5b4ca84ff20d4c045bbd164f18f7d463b22bad1ab87fcd650f8d666e1f8ffa07e2775d01a88b

memory/2084-61-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2312-60-0x000000013F790000-0x000000013FAE1000-memory.dmp

C:\Windows\system\iCZxnZC.exe

MD5 f010de3a2e8d8be80e4215428a5b9c5b
SHA1 7b96c5ddbfbd6b6acd394b57f6ca844a8815bcb5
SHA256 731c07cc599660630815eb848fe22c9345263963fcc14a4bf8b219129c8e48ec
SHA512 499e5df12b05b37f52803f85c7ada974e1126af9504388fe57fde3f2993dce91a1f6569809bc6c464e6f4bb32cb53ecfd50cf2881ff60ae2b0f11c2cb2fa1610

C:\Windows\system\tTtQsNo.exe

MD5 54c59388e240c525411d2951083eb7f8
SHA1 ba5aa52259994b7bb9d3592eab3fbaf1173e9181
SHA256 bbf7ebd9b46657c31c810e3a61c77a357f48ab3f509a4ad4ed386ca23509c917
SHA512 79fc33a72dc7ef29f2811b218c1acaffdcd8684cf27ae0f4a265bc5b7ce80d9cbd4f2cc220fa802269f3bc384927b7aba18d89c5f5e2eed3e620cbb0e5168535

memory/2084-55-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2084-54-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2328-67-0x000000013F470000-0x000000013F7C1000-memory.dmp

C:\Windows\system\bNVftTp.exe

MD5 405a6bd3cc432877e7ccdc91fb61b2e9
SHA1 903ffae805014f24071351ddec9d39609a7c5bf3
SHA256 ad52a879fab6c95cd411fbac37169ca496dee8164d95434e98500e1272da864b
SHA512 c9329d6ff91907d406e0da8ec838a577b801e864b8267fd9fc60ed4d1bf1fd1608a46eecaf0a849f52ef6a81e226ae4c9e5fd09b37f88e67484b8b8edd5f083a

memory/2084-33-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2328-28-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2084-27-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2084-21-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/2728-68-0x000000013F230000-0x000000013F581000-memory.dmp

C:\Windows\system\jpLbLFI.exe

MD5 b984b94d78dc7e771174717327ca5361
SHA1 244964be362cc3d9b0f2b890acbbf8c072c07759
SHA256 f4aa492b781b36a5d306c6a95e7cf64cdf5c779900333dc46d590183bb05152b
SHA512 1af6fd24b13ad27671a60094552347d4d488648e1297e9af90644b40ca3af2896be127fa11e1704164ffafe9da4938978b3cdd26d8a5fc521ed87d5c9809e320

memory/2452-82-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2084-84-0x000000013F0D0000-0x000000013F421000-memory.dmp

\Windows\system\kQiAjOf.exe

MD5 921d3156607880b8cb1a29e190f5ad8e
SHA1 b03e612b7580881ce04e8fdc6e8d0dfc98a3f20a
SHA256 81052be0d9446df51e3fc3e19c22d73c9055fecc8e04023a21e43685d8c6521f
SHA512 1f44786f9f82a5a864e7d78caa9751931e7e74f7298a99ed9ec1968ba149895d024da9e3984f8b4bdc66ad9a2da27962e466f69329f072d806f0da9cb7825f4b

memory/2084-80-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2908-78-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2844-72-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2084-88-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2472-89-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2228-91-0x000000013F0D0000-0x000000013F421000-memory.dmp

\Windows\system\YHVqpWc.exe

MD5 8c912b9db5a493a5c279b302685689d4
SHA1 e95b017be53b7425497ccd6ba137085514a52fb1
SHA256 024ee3d1f3c1d8ce1c55b059f54f110e2aae84747d766e6bbc57bfb3c1578e2f
SHA512 f773aab898c7e809f71825a7e1fa662fdf763d6f3f69a161d16ea242f8bfd14349fb4ba0e4d9643349c3290c6c6c1c9defdf746827ac163cb096dbbd45521d60

memory/2776-99-0x000000013F410000-0x000000013F761000-memory.dmp

C:\Windows\system\awRTQUL.exe

MD5 0e5c68d7bdec72cf0d8c1c51383a9d57
SHA1 81cce9abdbd15b0bdb970da715870f3149cb0a59
SHA256 50da804b76f2566d602a4e1f1bb995d4e33b74c05d06bc42180b82b97f19725f
SHA512 372b9780e44397af66b94bfb32537c05723d5edd45dbaa1c163c32a3d01e760e5cee2bf192f34adb9402828ac64941774df338cd792f3cb16673226a9339bdbb

memory/320-126-0x000000013F360000-0x000000013F6B1000-memory.dmp

\Windows\system\RQtVjcm.exe

MD5 2f0e8d35213859a0c9a3c208fafce37c
SHA1 d8e4c9bd4fb2d38a8bad1489daa02e6a21e76178
SHA256 58770cb5db2ae9b3e6357ab20a56cd5d34d1b2e16cb71965ae316903effd9fc4
SHA512 5c66db90aa7ae6dd28ad4c5e4d3a7b7af5e37f8342e5e98fdb694b161e7322b20453bfbaace4e2b19ead426c809a2cb75dd432f448d42f2c0059206ce94096b9

\Windows\system\XNYVkuE.exe

MD5 2f345b0899a1fd43080391cfde5530fe
SHA1 3517d69a34f4979120be4a16e815dcdd7b0462ff
SHA256 1b392c93d04bcf972bfabaf8b2def13ba63b046c91f1812b204def88bf181322
SHA512 897b3560436884feb6df1db28002db6c552bcabd1965c7b8f376217cab3c76589f46e1df67e1a00a78ecf9bfa76c370ed4755ad181455e6074ad61f5a6ce5c9b

memory/2084-136-0x0000000002260000-0x00000000025B1000-memory.dmp

C:\Windows\system\Knmjeye.exe

MD5 c9b286637d6f4d74a80500cefbf2264a
SHA1 7d87aa2ac17a35c67be07b9a36e19df09f4ca63e
SHA256 348dde3668614918a11ecaab7a902ea0cdd1b412728232310a52629acc0ad60a
SHA512 7812a865cba02ed01a3298c866ad959523913d2560f118cf137215e979828e3a0c415a021400c8c07b196014244d259af93d0b316730c9f9774bc1a6c85a9fc5

C:\Windows\system\IzZHjtn.exe

MD5 a857e8d1ac736e98551e19096e5c83c5
SHA1 882add19a1762abc3394b7ffc13c9acc01a281ed
SHA256 f076de36e72b85da882fc6812088af3113262dcbe664b710bab747b09ad8697a
SHA512 22c00e73440ae5c427b45151694342c47bf9b1541193f0de99b58187b00f01a443a4ac0529b515dc0840a9fdc75a9be110c3932dd7360b13980cc09e5f5130c4

C:\Windows\system\pVmmHac.exe

MD5 2531171551fd2c98027e9f1caf56a050
SHA1 7cbc2057c58807209ba998e72ce36c62926f5457
SHA256 bcbea8610db54597922a381be02d5970d3a11e387ca040a460f8c65da676bf8c
SHA512 e680f69ebb98e756aed9447a5c303c0f64f3cc437f84f102bf336f566cb586c300df7c7f9759a3b7002e48ada678a9cc453bf24346b1a2f5c3510cd208effc9f

C:\Windows\system\baENvmq.exe

MD5 1b8f1baee111e2122bef272af9dea6b7
SHA1 b101dd0669541b981cb2f7d352b92bdd642bcbd6
SHA256 136a7e5e85efba62003243be6bce383c1b93a1ab64b593b12f9c19b455385d25
SHA512 0cdb362e0f740045967d97e07721aab69899c9bd8ca19abbb986597bf15fefe1b4cf4ab7ef98785d72f07968b73f37e98549a96227653b7127cafe730a312069

C:\Windows\system\ucdPksu.exe

MD5 b8612a1da5de6346501e592df86f15ee
SHA1 bdc1237b4f046f19136dc9a08ba60a3bffe1c0d1
SHA256 e76f8cdfe1c38a27788d2695698ab055b3e7bcef961be57d92f376526b5db308
SHA512 87b13f694ab1a1cb35656c0e5e75aaf91af7bf1d4e118a5d4f385dfadb71a0339c8071464fae1cc62a6d45036ef6ea9f6056989fa9f082e6d691cd671de3cd03

memory/2084-98-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2084-96-0x000000013F410000-0x000000013F761000-memory.dmp

memory/1932-95-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2084-140-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2844-139-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2452-144-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2084-149-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2084-145-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2084-157-0x000000013F410000-0x000000013F761000-memory.dmp

memory/2776-158-0x000000013F410000-0x000000013F761000-memory.dmp

memory/320-160-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/860-169-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/1448-170-0x000000013F7C0000-0x000000013FB11000-memory.dmp

memory/2668-168-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2420-166-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/284-164-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/1376-167-0x000000013F630000-0x000000013F981000-memory.dmp

memory/1516-165-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2084-171-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2372-226-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2312-228-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/2332-230-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2908-232-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2248-234-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2728-237-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2328-238-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/1932-241-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2472-247-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2844-246-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2452-249-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2228-251-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2776-263-0x000000013F410000-0x000000013F761000-memory.dmp

memory/320-264-0x000000013F360000-0x000000013F6B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:28

Reported

2024-08-15 10:31

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\awRTQUL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XNYVkuE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pVmmHac.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DbkcpEn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oDiZrtd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YHVqpWc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CfNTXLV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jpLbLFI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\baENvmq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fTYRbcc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ucdPksu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RQtVjcm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qwwDpjd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iCZxnZC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tTtQsNo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kQiAjOf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IzZHjtn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Knmjeye.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\epdNwky.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qqAPBBI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bNVftTp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4748 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DbkcpEn.exe
PID 4748 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DbkcpEn.exe
PID 4748 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwwDpjd.exe
PID 4748 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwwDpjd.exe
PID 4748 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epdNwky.exe
PID 4748 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epdNwky.exe
PID 4748 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qqAPBBI.exe
PID 4748 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qqAPBBI.exe
PID 4748 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CfNTXLV.exe
PID 4748 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CfNTXLV.exe
PID 4748 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDiZrtd.exe
PID 4748 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDiZrtd.exe
PID 4748 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bNVftTp.exe
PID 4748 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bNVftTp.exe
PID 4748 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iCZxnZC.exe
PID 4748 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iCZxnZC.exe
PID 4748 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tTtQsNo.exe
PID 4748 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tTtQsNo.exe
PID 4748 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTYRbcc.exe
PID 4748 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTYRbcc.exe
PID 4748 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jpLbLFI.exe
PID 4748 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jpLbLFI.exe
PID 4748 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kQiAjOf.exe
PID 4748 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kQiAjOf.exe
PID 4748 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YHVqpWc.exe
PID 4748 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YHVqpWc.exe
PID 4748 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\awRTQUL.exe
PID 4748 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\awRTQUL.exe
PID 4748 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ucdPksu.exe
PID 4748 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ucdPksu.exe
PID 4748 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IzZHjtn.exe
PID 4748 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IzZHjtn.exe
PID 4748 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\baENvmq.exe
PID 4748 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\baENvmq.exe
PID 4748 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XNYVkuE.exe
PID 4748 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XNYVkuE.exe
PID 4748 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pVmmHac.exe
PID 4748 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pVmmHac.exe
PID 4748 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQtVjcm.exe
PID 4748 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQtVjcm.exe
PID 4748 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Knmjeye.exe
PID 4748 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Knmjeye.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\DbkcpEn.exe

C:\Windows\System\DbkcpEn.exe

C:\Windows\System\qwwDpjd.exe

C:\Windows\System\qwwDpjd.exe

C:\Windows\System\epdNwky.exe

C:\Windows\System\epdNwky.exe

C:\Windows\System\qqAPBBI.exe

C:\Windows\System\qqAPBBI.exe

C:\Windows\System\CfNTXLV.exe

C:\Windows\System\CfNTXLV.exe

C:\Windows\System\oDiZrtd.exe

C:\Windows\System\oDiZrtd.exe

C:\Windows\System\bNVftTp.exe

C:\Windows\System\bNVftTp.exe

C:\Windows\System\iCZxnZC.exe

C:\Windows\System\iCZxnZC.exe

C:\Windows\System\tTtQsNo.exe

C:\Windows\System\tTtQsNo.exe

C:\Windows\System\fTYRbcc.exe

C:\Windows\System\fTYRbcc.exe

C:\Windows\System\jpLbLFI.exe

C:\Windows\System\jpLbLFI.exe

C:\Windows\System\kQiAjOf.exe

C:\Windows\System\kQiAjOf.exe

C:\Windows\System\YHVqpWc.exe

C:\Windows\System\YHVqpWc.exe

C:\Windows\System\awRTQUL.exe

C:\Windows\System\awRTQUL.exe

C:\Windows\System\ucdPksu.exe

C:\Windows\System\ucdPksu.exe

C:\Windows\System\IzZHjtn.exe

C:\Windows\System\IzZHjtn.exe

C:\Windows\System\baENvmq.exe

C:\Windows\System\baENvmq.exe

C:\Windows\System\XNYVkuE.exe

C:\Windows\System\XNYVkuE.exe

C:\Windows\System\pVmmHac.exe

C:\Windows\System\pVmmHac.exe

C:\Windows\System\RQtVjcm.exe

C:\Windows\System\RQtVjcm.exe

C:\Windows\System\Knmjeye.exe

C:\Windows\System\Knmjeye.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/4748-0-0x00007FF732D70000-0x00007FF7330C1000-memory.dmp

memory/4748-1-0x0000026B31830000-0x0000026B31840000-memory.dmp

C:\Windows\System\DbkcpEn.exe

MD5 d73f7b3dc46484a3f43a60b41f17144e
SHA1 71567d6d4efc91ab09d6f7207ab923ab01f932fc
SHA256 280c054317260d9611e77d742c43fab7fa4f3260d15f1b8d623fa7b46a5f3101
SHA512 9021427beb693a079c4b2572f271a9fbffc018c0987f4fbc424f903f632e1d8c7597d8d235deb72d06622c9f209f1288bf6eaca02269e10325088e95c69eb3f0

C:\Windows\System\qwwDpjd.exe

MD5 f85bbeb3156be7a676097b1523b4c0a7
SHA1 99f726d8633fda46a6699d44f7f8c26a03bc495f
SHA256 56ea4700084b209b5243f4c8f20e949d2882877ba5b6d91971774a6c0ba64a1f
SHA512 4d3e8e61eaf9b715bb5a2dd0e194b386b7109253e09d131221b492de4a1515ca2d7116bd289067b7b95f85bf0d4ed9fc7492bd4da356a10896423d12fcfc4957

C:\Windows\System\epdNwky.exe

MD5 93530e2f9d751e64651a84e10dcad873
SHA1 3c31f1cb1316c8f688127211efa26b26a3312b2f
SHA256 f988d7fd88cd344bd171dfb6c8ec726b31599d09f547ef891a471be1a997e201
SHA512 8e66ded956e9844cae1e62cf198f51c31afb9f4b06c60749d8ca062356cfd68dedf59d7631f51fc62977f9b132ecf75f570d903a35075636816ad9447527c93e

C:\Windows\System\bNVftTp.exe

MD5 405a6bd3cc432877e7ccdc91fb61b2e9
SHA1 903ffae805014f24071351ddec9d39609a7c5bf3
SHA256 ad52a879fab6c95cd411fbac37169ca496dee8164d95434e98500e1272da864b
SHA512 c9329d6ff91907d406e0da8ec838a577b801e864b8267fd9fc60ed4d1bf1fd1608a46eecaf0a849f52ef6a81e226ae4c9e5fd09b37f88e67484b8b8edd5f083a

C:\Windows\System\iCZxnZC.exe

MD5 f010de3a2e8d8be80e4215428a5b9c5b
SHA1 7b96c5ddbfbd6b6acd394b57f6ca844a8815bcb5
SHA256 731c07cc599660630815eb848fe22c9345263963fcc14a4bf8b219129c8e48ec
SHA512 499e5df12b05b37f52803f85c7ada974e1126af9504388fe57fde3f2993dce91a1f6569809bc6c464e6f4bb32cb53ecfd50cf2881ff60ae2b0f11c2cb2fa1610

C:\Windows\System\YHVqpWc.exe

MD5 8c912b9db5a493a5c279b302685689d4
SHA1 e95b017be53b7425497ccd6ba137085514a52fb1
SHA256 024ee3d1f3c1d8ce1c55b059f54f110e2aae84747d766e6bbc57bfb3c1578e2f
SHA512 f773aab898c7e809f71825a7e1fa662fdf763d6f3f69a161d16ea242f8bfd14349fb4ba0e4d9643349c3290c6c6c1c9defdf746827ac163cb096dbbd45521d60

C:\Windows\System\fTYRbcc.exe

MD5 c24900801220393785e91b6d7628d07f
SHA1 fef9032aaf5c0c1278ad27a1706f81e6ec01b646
SHA256 5ebf510f4ece133fa5d43615d19f447a405a6d6d34267e93cb4d0146bddcff5e
SHA512 fc4dcd480fd88d53ddc9b66a1eac42846e5120bf16d10c599d34bd10e818e21dac6e08ee62d7fe5c8f336175c5e19216d04c761f29ae1637d484eef2020e158c

memory/2264-70-0x00007FF650D00000-0x00007FF651051000-memory.dmp

C:\Windows\System\jpLbLFI.exe

MD5 b984b94d78dc7e771174717327ca5361
SHA1 244964be362cc3d9b0f2b890acbbf8c072c07759
SHA256 f4aa492b781b36a5d306c6a95e7cf64cdf5c779900333dc46d590183bb05152b
SHA512 1af6fd24b13ad27671a60094552347d4d488648e1297e9af90644b40ca3af2896be127fa11e1704164ffafe9da4938978b3cdd26d8a5fc521ed87d5c9809e320

C:\Windows\System\IzZHjtn.exe

MD5 a857e8d1ac736e98551e19096e5c83c5
SHA1 882add19a1762abc3394b7ffc13c9acc01a281ed
SHA256 f076de36e72b85da882fc6812088af3113262dcbe664b710bab747b09ad8697a
SHA512 22c00e73440ae5c427b45151694342c47bf9b1541193f0de99b58187b00f01a443a4ac0529b515dc0840a9fdc75a9be110c3932dd7360b13980cc09e5f5130c4

memory/4068-99-0x00007FF76E510000-0x00007FF76E861000-memory.dmp

memory/2088-107-0x00007FF604DB0000-0x00007FF605101000-memory.dmp

C:\Windows\System\RQtVjcm.exe

MD5 2f0e8d35213859a0c9a3c208fafce37c
SHA1 d8e4c9bd4fb2d38a8bad1489daa02e6a21e76178
SHA256 58770cb5db2ae9b3e6357ab20a56cd5d34d1b2e16cb71965ae316903effd9fc4
SHA512 5c66db90aa7ae6dd28ad4c5e4d3a7b7af5e37f8342e5e98fdb694b161e7322b20453bfbaace4e2b19ead426c809a2cb75dd432f448d42f2c0059206ce94096b9

C:\Windows\System\Knmjeye.exe

MD5 c9b286637d6f4d74a80500cefbf2264a
SHA1 7d87aa2ac17a35c67be07b9a36e19df09f4ca63e
SHA256 348dde3668614918a11ecaab7a902ea0cdd1b412728232310a52629acc0ad60a
SHA512 7812a865cba02ed01a3298c866ad959523913d2560f118cf137215e979828e3a0c415a021400c8c07b196014244d259af93d0b316730c9f9774bc1a6c85a9fc5

C:\Windows\System\pVmmHac.exe

MD5 2531171551fd2c98027e9f1caf56a050
SHA1 7cbc2057c58807209ba998e72ce36c62926f5457
SHA256 bcbea8610db54597922a381be02d5970d3a11e387ca040a460f8c65da676bf8c
SHA512 e680f69ebb98e756aed9447a5c303c0f64f3cc437f84f102bf336f566cb586c300df7c7f9759a3b7002e48ada678a9cc453bf24346b1a2f5c3510cd208effc9f

C:\Windows\System\XNYVkuE.exe

MD5 2f345b0899a1fd43080391cfde5530fe
SHA1 3517d69a34f4979120be4a16e815dcdd7b0462ff
SHA256 1b392c93d04bcf972bfabaf8b2def13ba63b046c91f1812b204def88bf181322
SHA512 897b3560436884feb6df1db28002db6c552bcabd1965c7b8f376217cab3c76589f46e1df67e1a00a78ecf9bfa76c370ed4755ad181455e6074ad61f5a6ce5c9b

memory/1992-103-0x00007FF6C4810000-0x00007FF6C4B61000-memory.dmp

memory/4064-102-0x00007FF708590000-0x00007FF7088E1000-memory.dmp

C:\Windows\System\baENvmq.exe

MD5 1b8f1baee111e2122bef272af9dea6b7
SHA1 b101dd0669541b981cb2f7d352b92bdd642bcbd6
SHA256 136a7e5e85efba62003243be6bce383c1b93a1ab64b593b12f9c19b455385d25
SHA512 0cdb362e0f740045967d97e07721aab69899c9bd8ca19abbb986597bf15fefe1b4cf4ab7ef98785d72f07968b73f37e98549a96227653b7127cafe730a312069

C:\Windows\System\ucdPksu.exe

MD5 b8612a1da5de6346501e592df86f15ee
SHA1 bdc1237b4f046f19136dc9a08ba60a3bffe1c0d1
SHA256 e76f8cdfe1c38a27788d2695698ab055b3e7bcef961be57d92f376526b5db308
SHA512 87b13f694ab1a1cb35656c0e5e75aaf91af7bf1d4e118a5d4f385dfadb71a0339c8071464fae1cc62a6d45036ef6ea9f6056989fa9f082e6d691cd671de3cd03

C:\Windows\System\awRTQUL.exe

MD5 0e5c68d7bdec72cf0d8c1c51383a9d57
SHA1 81cce9abdbd15b0bdb970da715870f3149cb0a59
SHA256 50da804b76f2566d602a4e1f1bb995d4e33b74c05d06bc42180b82b97f19725f
SHA512 372b9780e44397af66b94bfb32537c05723d5edd45dbaa1c163c32a3d01e760e5cee2bf192f34adb9402828ac64941774df338cd792f3cb16673226a9339bdbb

memory/2192-88-0x00007FF687D40000-0x00007FF688091000-memory.dmp

C:\Windows\System\kQiAjOf.exe

MD5 921d3156607880b8cb1a29e190f5ad8e
SHA1 b03e612b7580881ce04e8fdc6e8d0dfc98a3f20a
SHA256 81052be0d9446df51e3fc3e19c22d73c9055fecc8e04023a21e43685d8c6521f
SHA512 1f44786f9f82a5a864e7d78caa9751931e7e74f7298a99ed9ec1968ba149895d024da9e3984f8b4bdc66ad9a2da27962e466f69329f072d806f0da9cb7825f4b

memory/3048-75-0x00007FF609260000-0x00007FF6095B1000-memory.dmp

memory/2688-62-0x00007FF6BB640000-0x00007FF6BB991000-memory.dmp

C:\Windows\System\tTtQsNo.exe

MD5 54c59388e240c525411d2951083eb7f8
SHA1 ba5aa52259994b7bb9d3592eab3fbaf1173e9181
SHA256 bbf7ebd9b46657c31c810e3a61c77a357f48ab3f509a4ad4ed386ca23509c917
SHA512 79fc33a72dc7ef29f2811b218c1acaffdcd8684cf27ae0f4a265bc5b7ce80d9cbd4f2cc220fa802269f3bc384927b7aba18d89c5f5e2eed3e620cbb0e5168535

memory/4696-53-0x00007FF76E110000-0x00007FF76E461000-memory.dmp

C:\Windows\System\oDiZrtd.exe

MD5 e30ea9d4c0ad503a376b4d98866cb862
SHA1 4aa6585052717c94cace49cf5a718b61f8292c70
SHA256 749b3d249bd5b6f17c8063212f5b35f6d5aad802a1c0e0cf1f94fa2bfdbff199
SHA512 fa608d763c821cd00b27116d72d4ae456575c3b84d4afcb7a38e5b4ca84ff20d4c045bbd164f18f7d463b22bad1ab87fcd650f8d666e1f8ffa07e2775d01a88b

memory/3468-34-0x00007FF668E10000-0x00007FF669161000-memory.dmp

C:\Windows\System\CfNTXLV.exe

MD5 a989dc64b4b01a8c23b6315213572cb3
SHA1 eff5824bd669487f565f1c9d8b9ab023dc4007f7
SHA256 dac1767164610ba857c6752bd3b1dd69d268eb33c503b797a3e8afbb300953eb
SHA512 e7b25fa8ae9459616bdfdf71e9adf864b311b45dacb08d0fd5547f36493cc1c2c24556e9b113e051960cff49478d65d524414bd9392f4485ea7f207e813ca140

C:\Windows\System\qqAPBBI.exe

MD5 bde6bc248d123165468314b418ec641f
SHA1 9939dc8cf9b4d0a062114399dd931dca3651ba58
SHA256 ffcbb43b0848759d2ec3ecd805a31e3752b44a040b88e9549feac7da42ae3c37
SHA512 076f47d7ba1e5db433c28ca2584a7f16a66590de022ed212043c9294edf61c10ed0a406cfdbf66918df96f10eabe7082989c1c2634061049cf551c034bcce99d

memory/4600-20-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp

memory/3488-19-0x00007FF73D600000-0x00007FF73D951000-memory.dmp

memory/5036-12-0x00007FF6F8E80000-0x00007FF6F91D1000-memory.dmp

memory/116-120-0x00007FF686CC0000-0x00007FF687011000-memory.dmp

memory/3064-121-0x00007FF62AF80000-0x00007FF62B2D1000-memory.dmp

memory/3720-123-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp

memory/4892-125-0x00007FF60BAF0000-0x00007FF60BE41000-memory.dmp

memory/3896-126-0x00007FF67A000000-0x00007FF67A351000-memory.dmp

memory/668-124-0x00007FF6210E0000-0x00007FF621431000-memory.dmp

memory/1360-127-0x00007FF6EB2C0000-0x00007FF6EB611000-memory.dmp

memory/1560-122-0x00007FF7764A0000-0x00007FF7767F1000-memory.dmp

memory/4600-131-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp

memory/3488-130-0x00007FF73D600000-0x00007FF73D951000-memory.dmp

memory/5036-129-0x00007FF6F8E80000-0x00007FF6F91D1000-memory.dmp

memory/4748-128-0x00007FF732D70000-0x00007FF7330C1000-memory.dmp

memory/4068-143-0x00007FF76E510000-0x00007FF76E861000-memory.dmp

memory/4064-146-0x00007FF708590000-0x00007FF7088E1000-memory.dmp

memory/2192-140-0x00007FF687D40000-0x00007FF688091000-memory.dmp

memory/1992-147-0x00007FF6C4810000-0x00007FF6C4B61000-memory.dmp

memory/4748-150-0x00007FF732D70000-0x00007FF7330C1000-memory.dmp

memory/4748-151-0x00007FF732D70000-0x00007FF7330C1000-memory.dmp

memory/5036-212-0x00007FF6F8E80000-0x00007FF6F91D1000-memory.dmp

memory/3488-214-0x00007FF73D600000-0x00007FF73D951000-memory.dmp

memory/3468-216-0x00007FF668E10000-0x00007FF669161000-memory.dmp

memory/4696-218-0x00007FF76E110000-0x00007FF76E461000-memory.dmp

memory/4600-220-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp

memory/2688-223-0x00007FF6BB640000-0x00007FF6BB991000-memory.dmp

memory/2088-224-0x00007FF604DB0000-0x00007FF605101000-memory.dmp

memory/2264-226-0x00007FF650D00000-0x00007FF651051000-memory.dmp

memory/116-229-0x00007FF686CC0000-0x00007FF687011000-memory.dmp

memory/3048-230-0x00007FF609260000-0x00007FF6095B1000-memory.dmp

memory/2192-238-0x00007FF687D40000-0x00007FF688091000-memory.dmp

memory/3064-240-0x00007FF62AF80000-0x00007FF62B2D1000-memory.dmp

memory/1560-244-0x00007FF7764A0000-0x00007FF7767F1000-memory.dmp

memory/3720-242-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp

memory/4068-246-0x00007FF76E510000-0x00007FF76E861000-memory.dmp

memory/4892-254-0x00007FF60BAF0000-0x00007FF60BE41000-memory.dmp

memory/4064-253-0x00007FF708590000-0x00007FF7088E1000-memory.dmp

memory/668-258-0x00007FF6210E0000-0x00007FF621431000-memory.dmp

memory/1360-257-0x00007FF6EB2C0000-0x00007FF6EB611000-memory.dmp

memory/3896-249-0x00007FF67A000000-0x00007FF67A351000-memory.dmp

memory/1992-251-0x00007FF6C4810000-0x00007FF6C4B61000-memory.dmp