cobaltstrike | d56132e46463cdf42200e09296eaa1f1f06e14c7fc4dc744b6e9285a43468705

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

5d59fe46c0d31b4a0eb288f172e13091
SHA1

e1cada080ecf1abb42de361f3a96a58d477fe102
SHA256

d56132e46463cdf42200e09296eaa1f1f06e14c7fc4dc744b6e9285a43468705
SHA512

3053c5ee21fbc1b77ba8c43538539932418f3f7ad80e22af0ae6301435b7a3990734ae49e006e5de248c1d2825d277417ec8e80a54e87f5d761bd39624908673
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUi:Q+u56utgpPF8u/7i

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\SktHBJr.exe	cobalt_reflective_dll
C:\Windows\system\hjxQEDM.exe	cobalt_reflective_dll
C:\Windows\system\SIBTVbM.exe	cobalt_reflective_dll
C:\Windows\system\AEgHfJV.exe	cobalt_reflective_dll
C:\Windows\system\ptTqLFJ.exe	cobalt_reflective_dll
C:\Windows\system\HjgBgNV.exe	cobalt_reflective_dll
C:\Windows\system\CKGGsPX.exe	cobalt_reflective_dll
C:\Windows\system\WYfBCWq.exe	cobalt_reflective_dll
C:\Windows\system\hZybfJt.exe	cobalt_reflective_dll
C:\Windows\system\HASCOQW.exe	cobalt_reflective_dll
C:\Windows\system\sSQWAfr.exe	cobalt_reflective_dll
C:\Windows\system\qFMMsgZ.exe	cobalt_reflective_dll
C:\Windows\system\zvhFwzA.exe	cobalt_reflective_dll
\Windows\system\hikCDjX.exe	cobalt_reflective_dll
C:\Windows\system\KENkEuP.exe	cobalt_reflective_dll
C:\Windows\system\LwBOzfa.exe	cobalt_reflective_dll
C:\Windows\system\PgQhQcj.exe	cobalt_reflective_dll
C:\Windows\system\CMKEkTB.exe	cobalt_reflective_dll
C:\Windows\system\EzxByCx.exe	cobalt_reflective_dll
C:\Windows\system\naMngrI.exe	cobalt_reflective_dll
C:\Windows\system\bqCeLHI.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\SktHBJr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hjxQEDM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SIBTVbM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AEgHfJV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ptTqLFJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HjgBgNV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CKGGsPX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WYfBCWq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hZybfJt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HASCOQW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sSQWAfr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qFMMsgZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zvhFwzA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hikCDjX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KENkEuP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LwBOzfa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PgQhQcj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CMKEkTB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EzxByCx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\naMngrI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bqCeLHI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2984-0-0x000000013FD20000-0x0000000140074000-memory.dmp	UPX
C:\Windows\system\SktHBJr.exe	UPX
behavioral1/memory/1760-19-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
C:\Windows\system\hjxQEDM.exe	UPX
behavioral1/memory/1684-91-0x000000013F060000-0x000000013F3B4000-memory.dmp	UPX
C:\Windows\system\SIBTVbM.exe	UPX
C:\Windows\system\AEgHfJV.exe	UPX
C:\Windows\system\ptTqLFJ.exe	UPX
C:\Windows\system\HjgBgNV.exe	UPX
C:\Windows\system\CKGGsPX.exe	UPX
C:\Windows\system\WYfBCWq.exe	UPX
C:\Windows\system\hZybfJt.exe	UPX
behavioral1/memory/2332-82-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
behavioral1/memory/2524-80-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
C:\Windows\system\HASCOQW.exe	UPX
behavioral1/memory/2380-135-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/memory/2984-94-0x000000013FD20000-0x0000000140074000-memory.dmp	UPX
C:\Windows\system\sSQWAfr.exe	UPX
C:\Windows\system\qFMMsgZ.exe	UPX
behavioral1/memory/2580-74-0x000000013FB10000-0x000000013FE64000-memory.dmp	UPX
C:\Windows\system\zvhFwzA.exe	UPX
behavioral1/memory/2784-47-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
\Windows\system\hikCDjX.exe	UPX
behavioral1/memory/2760-36-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/2836-34-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
C:\Windows\system\KENkEuP.exe	UPX
C:\Windows\system\LwBOzfa.exe	UPX
behavioral1/memory/2568-70-0x000000013F880000-0x000000013FBD4000-memory.dmp	UPX
behavioral1/memory/2692-66-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
behavioral1/memory/2784-136-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2620-61-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
C:\Windows\system\PgQhQcj.exe	UPX
behavioral1/memory/2380-43-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
C:\Windows\system\CMKEkTB.exe	UPX
C:\Windows\system\EzxByCx.exe	UPX
C:\Windows\system\naMngrI.exe	UPX
behavioral1/memory/2284-27-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
C:\Windows\system\bqCeLHI.exe	UPX
behavioral1/memory/2580-137-0x000000013FB10000-0x000000013FE64000-memory.dmp	UPX
behavioral1/memory/2524-138-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/2332-139-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
behavioral1/memory/1684-140-0x000000013F060000-0x000000013F3B4000-memory.dmp	UPX
behavioral1/memory/1760-142-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2284-143-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/memory/2836-144-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/2760-145-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/2784-146-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2380-147-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/memory/2620-148-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2568-149-0x000000013F880000-0x000000013FBD4000-memory.dmp	UPX
behavioral1/memory/2692-150-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
behavioral1/memory/1684-152-0x000000013F060000-0x000000013F3B4000-memory.dmp	UPX
behavioral1/memory/2580-151-0x000000013FB10000-0x000000013FE64000-memory.dmp	UPX
behavioral1/memory/2524-153-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/2332-154-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX

XMRig Miner payload 58 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2984-0-0x000000013FD20000-0x0000000140074000-memory.dmp	xmrig
C:\Windows\system\SktHBJr.exe	xmrig
behavioral1/memory/1760-19-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
C:\Windows\system\hjxQEDM.exe	xmrig
behavioral1/memory/2984-81-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/1684-91-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
C:\Windows\system\SIBTVbM.exe	xmrig
C:\Windows\system\AEgHfJV.exe	xmrig
C:\Windows\system\ptTqLFJ.exe	xmrig
C:\Windows\system\HjgBgNV.exe	xmrig
C:\Windows\system\CKGGsPX.exe	xmrig
behavioral1/memory/2984-111-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
C:\Windows\system\WYfBCWq.exe	xmrig
C:\Windows\system\hZybfJt.exe	xmrig
behavioral1/memory/2332-82-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/2524-80-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
C:\Windows\system\HASCOQW.exe	xmrig
behavioral1/memory/2380-135-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2984-94-0x000000013FD20000-0x0000000140074000-memory.dmp	xmrig
C:\Windows\system\sSQWAfr.exe	xmrig
C:\Windows\system\qFMMsgZ.exe	xmrig
behavioral1/memory/2580-74-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
C:\Windows\system\zvhFwzA.exe	xmrig
behavioral1/memory/2784-47-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
\Windows\system\hikCDjX.exe	xmrig
behavioral1/memory/2760-36-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2836-34-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
C:\Windows\system\KENkEuP.exe	xmrig
C:\Windows\system\LwBOzfa.exe	xmrig
behavioral1/memory/2568-70-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2984-67-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2692-66-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
behavioral1/memory/2784-136-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2620-61-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
C:\Windows\system\PgQhQcj.exe	xmrig
behavioral1/memory/2380-43-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
C:\Windows\system\CMKEkTB.exe	xmrig
C:\Windows\system\EzxByCx.exe	xmrig
C:\Windows\system\naMngrI.exe	xmrig
behavioral1/memory/2284-27-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
C:\Windows\system\bqCeLHI.exe	xmrig
behavioral1/memory/2580-137-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
behavioral1/memory/2524-138-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2332-139-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/1684-140-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/1760-142-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2284-143-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2836-144-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2760-145-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2784-146-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2380-147-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2620-148-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2568-149-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2692-150-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
behavioral1/memory/1684-152-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2580-151-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
behavioral1/memory/2524-153-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2332-154-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

SktHBJr.exeKENkEuP.exebqCeLHI.exenaMngrI.exeEzxByCx.exeCMKEkTB.exezvhFwzA.exehikCDjX.exePgQhQcj.exeLwBOzfa.exehjxQEDM.exeqFMMsgZ.exesSQWAfr.exeHASCOQW.exehZybfJt.exeWYfBCWq.exeCKGGsPX.exeHjgBgNV.exeptTqLFJ.exeAEgHfJV.exeSIBTVbM.exe

pid	process
1760	SktHBJr.exe
2284	KENkEuP.exe
2836	bqCeLHI.exe
2760	naMngrI.exe
2380	EzxByCx.exe
2784	CMKEkTB.exe
2620	zvhFwzA.exe
2692	hikCDjX.exe
2568	PgQhQcj.exe
2580	LwBOzfa.exe
2524	hjxQEDM.exe
2332	qFMMsgZ.exe
1684	sSQWAfr.exe
2920	HASCOQW.exe
3048	hZybfJt.exe
864	WYfBCWq.exe
2888	CKGGsPX.exe
3044	HjgBgNV.exe
2716	ptTqLFJ.exe
316	AEgHfJV.exe
2500	SIBTVbM.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2984-0-0x000000013FD20000-0x0000000140074000-memory.dmp	upx
C:\Windows\system\SktHBJr.exe	upx
behavioral1/memory/1760-19-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
C:\Windows\system\hjxQEDM.exe	upx
behavioral1/memory/1684-91-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
C:\Windows\system\SIBTVbM.exe	upx
C:\Windows\system\AEgHfJV.exe	upx
C:\Windows\system\ptTqLFJ.exe	upx
C:\Windows\system\HjgBgNV.exe	upx
C:\Windows\system\CKGGsPX.exe	upx
C:\Windows\system\WYfBCWq.exe	upx
C:\Windows\system\hZybfJt.exe	upx
behavioral1/memory/2332-82-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/2524-80-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
C:\Windows\system\HASCOQW.exe	upx
behavioral1/memory/2380-135-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2984-94-0x000000013FD20000-0x0000000140074000-memory.dmp	upx
C:\Windows\system\sSQWAfr.exe	upx
C:\Windows\system\qFMMsgZ.exe	upx
behavioral1/memory/2580-74-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
C:\Windows\system\zvhFwzA.exe	upx
behavioral1/memory/2784-47-0x000000013F330000-0x000000013F684000-memory.dmp	upx
\Windows\system\hikCDjX.exe	upx
behavioral1/memory/2760-36-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2836-34-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
C:\Windows\system\KENkEuP.exe	upx
C:\Windows\system\LwBOzfa.exe	upx
behavioral1/memory/2568-70-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2692-66-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
behavioral1/memory/2784-136-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2620-61-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
C:\Windows\system\PgQhQcj.exe	upx
behavioral1/memory/2380-43-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
C:\Windows\system\CMKEkTB.exe	upx
C:\Windows\system\EzxByCx.exe	upx
C:\Windows\system\naMngrI.exe	upx
behavioral1/memory/2284-27-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
C:\Windows\system\bqCeLHI.exe	upx
behavioral1/memory/2580-137-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
behavioral1/memory/2524-138-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/2332-139-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/1684-140-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/1760-142-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2284-143-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2836-144-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2760-145-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2784-146-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2380-147-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2620-148-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2568-149-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2692-150-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
behavioral1/memory/1684-152-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2580-151-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
behavioral1/memory/2524-153-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/2332-154-0x000000013F840000-0x000000013FB94000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\LwBOzfa.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKGGsPX.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HjgBgNV.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SIBTVbM.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PgQhQcj.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qFMMsgZ.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WYfBCWq.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMKEkTB.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bqCeLHI.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EzxByCx.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\naMngrI.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjxQEDM.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sSQWAfr.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hZybfJt.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AEgHfJV.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SktHBJr.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zvhFwzA.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hikCDjX.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HASCOQW.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ptTqLFJ.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KENkEuP.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2984 wrote to memory of 1760	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	SktHBJr.exe
PID 2984 wrote to memory of 1760	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	SktHBJr.exe
PID 2984 wrote to memory of 1760	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	SktHBJr.exe
PID 2984 wrote to memory of 2836	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	bqCeLHI.exe
PID 2984 wrote to memory of 2836	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	bqCeLHI.exe
PID 2984 wrote to memory of 2836	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	bqCeLHI.exe
PID 2984 wrote to memory of 2284	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	KENkEuP.exe
PID 2984 wrote to memory of 2284	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	KENkEuP.exe
PID 2984 wrote to memory of 2284	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	KENkEuP.exe
PID 2984 wrote to memory of 2380	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	EzxByCx.exe
PID 2984 wrote to memory of 2380	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	EzxByCx.exe
PID 2984 wrote to memory of 2380	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	EzxByCx.exe
PID 2984 wrote to memory of 2760	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	naMngrI.exe
PID 2984 wrote to memory of 2760	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	naMngrI.exe
PID 2984 wrote to memory of 2760	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	naMngrI.exe
PID 2984 wrote to memory of 2620	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	zvhFwzA.exe
PID 2984 wrote to memory of 2620	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	zvhFwzA.exe
PID 2984 wrote to memory of 2620	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	zvhFwzA.exe
PID 2984 wrote to memory of 2784	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	CMKEkTB.exe
PID 2984 wrote to memory of 2784	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	CMKEkTB.exe
PID 2984 wrote to memory of 2784	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	CMKEkTB.exe
PID 2984 wrote to memory of 2692	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hikCDjX.exe
PID 2984 wrote to memory of 2692	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hikCDjX.exe
PID 2984 wrote to memory of 2692	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hikCDjX.exe
PID 2984 wrote to memory of 2568	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	PgQhQcj.exe
PID 2984 wrote to memory of 2568	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	PgQhQcj.exe
PID 2984 wrote to memory of 2568	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	PgQhQcj.exe
PID 2984 wrote to memory of 2524	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hjxQEDM.exe
PID 2984 wrote to memory of 2524	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hjxQEDM.exe
PID 2984 wrote to memory of 2524	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hjxQEDM.exe
PID 2984 wrote to memory of 2580	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	LwBOzfa.exe
PID 2984 wrote to memory of 2580	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	LwBOzfa.exe
PID 2984 wrote to memory of 2580	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	LwBOzfa.exe
PID 2984 wrote to memory of 2332	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	qFMMsgZ.exe
PID 2984 wrote to memory of 2332	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	qFMMsgZ.exe
PID 2984 wrote to memory of 2332	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	qFMMsgZ.exe
PID 2984 wrote to memory of 1684	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	sSQWAfr.exe
PID 2984 wrote to memory of 1684	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	sSQWAfr.exe
PID 2984 wrote to memory of 1684	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	sSQWAfr.exe
PID 2984 wrote to memory of 2888	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	CKGGsPX.exe
PID 2984 wrote to memory of 2888	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	CKGGsPX.exe
PID 2984 wrote to memory of 2888	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	CKGGsPX.exe
PID 2984 wrote to memory of 2920	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	HASCOQW.exe
PID 2984 wrote to memory of 2920	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	HASCOQW.exe
PID 2984 wrote to memory of 2920	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	HASCOQW.exe
PID 2984 wrote to memory of 3044	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	HjgBgNV.exe
PID 2984 wrote to memory of 3044	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	HjgBgNV.exe
PID 2984 wrote to memory of 3044	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	HjgBgNV.exe
PID 2984 wrote to memory of 3048	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hZybfJt.exe
PID 2984 wrote to memory of 3048	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hZybfJt.exe
PID 2984 wrote to memory of 3048	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hZybfJt.exe
PID 2984 wrote to memory of 2716	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	ptTqLFJ.exe
PID 2984 wrote to memory of 2716	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	ptTqLFJ.exe
PID 2984 wrote to memory of 2716	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	ptTqLFJ.exe
PID 2984 wrote to memory of 864	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	WYfBCWq.exe
PID 2984 wrote to memory of 864	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	WYfBCWq.exe
PID 2984 wrote to memory of 864	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	WYfBCWq.exe
PID 2984 wrote to memory of 316	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	AEgHfJV.exe
PID 2984 wrote to memory of 316	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	AEgHfJV.exe
PID 2984 wrote to memory of 316	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	AEgHfJV.exe
PID 2984 wrote to memory of 2500	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	SIBTVbM.exe
PID 2984 wrote to memory of 2500	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	SIBTVbM.exe
PID 2984 wrote to memory of 2500	2984	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	SIBTVbM.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\System\SktHBJr.exe
C:\Windows\System\SktHBJr.exe
2⤵
- Executes dropped EXE
PID:1760

C:\Windows\System\bqCeLHI.exe
C:\Windows\System\bqCeLHI.exe
2⤵
- Executes dropped EXE
PID:2836

C:\Windows\System\KENkEuP.exe
C:\Windows\System\KENkEuP.exe
2⤵
- Executes dropped EXE
PID:2284

C:\Windows\System\EzxByCx.exe
C:\Windows\System\EzxByCx.exe
2⤵
- Executes dropped EXE
PID:2380

C:\Windows\System\naMngrI.exe
C:\Windows\System\naMngrI.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\zvhFwzA.exe
C:\Windows\System\zvhFwzA.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\CMKEkTB.exe
C:\Windows\System\CMKEkTB.exe
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\System\hikCDjX.exe
C:\Windows\System\hikCDjX.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\PgQhQcj.exe
C:\Windows\System\PgQhQcj.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\hjxQEDM.exe
C:\Windows\System\hjxQEDM.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\LwBOzfa.exe
C:\Windows\System\LwBOzfa.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\System\qFMMsgZ.exe
C:\Windows\System\qFMMsgZ.exe
2⤵
- Executes dropped EXE
PID:2332

C:\Windows\System\sSQWAfr.exe
C:\Windows\System\sSQWAfr.exe
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\System\CKGGsPX.exe
C:\Windows\System\CKGGsPX.exe
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\System\HASCOQW.exe
C:\Windows\System\HASCOQW.exe
2⤵
- Executes dropped EXE
PID:2920

C:\Windows\System\HjgBgNV.exe
C:\Windows\System\HjgBgNV.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\hZybfJt.exe
C:\Windows\System\hZybfJt.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\System\ptTqLFJ.exe
C:\Windows\System\ptTqLFJ.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\WYfBCWq.exe
C:\Windows\System\WYfBCWq.exe
2⤵
- Executes dropped EXE
PID:864

C:\Windows\System\AEgHfJV.exe
C:\Windows\System\AEgHfJV.exe
2⤵
- Executes dropped EXE
PID:316

C:\Windows\System\SIBTVbM.exe
C:\Windows\System\SIBTVbM.exe
2⤵
- Executes dropped EXE
PID:2500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AEgHfJV.exe
Filesize
5.9MB

MD5
9bb24a66ee0826e4245aa9811173fdae

SHA1
cc063698c3c1155b30259b36d5d1c37ea08d2bb7

SHA256
8be9517a24dc594164647402ca53de7720559c490f89f17db3b098c44fef2cfb

SHA512
7138ec0f07548f08ad2d94682082137797da8f16e2c2fbb36f2d04ad1d02ef3d76e197b99b1109d6d5d884da727349d313b2c84f10348c494a9428216a2bd667

Download Submit
C:\Windows\system\CKGGsPX.exe
Filesize
5.9MB

MD5
8cfb83d0442eed489a57a83b26c045db

SHA1
5bc7f103db8d43639e6148f048e1e894f90fccba

SHA256
2b6e8ed3469ce708dc66b67707d53ea2c5694d0654c433c5329796f8ef9ff73d

SHA512
0cd69a49f1e1a2053c588f32ffd4ae6929d3c9456c19300d22d824fa6498ee928ba417005211d10a77559cf9cadf8564b33f28febdb3e5f4c8c62ead873eb1c8

Download Submit
C:\Windows\system\CMKEkTB.exe
Filesize
5.9MB

MD5
06555f028ee8b02d0219a7fa6524fdc6

SHA1
fc948fc96342abef77c14f4592ef6bd7c9270fd8

SHA256
86e8fc70fa806708c9fc8c92ab58e1e551ea1c4b9422c4e751da698701bd9bd9

SHA512
beca8c26083be8c1696572564b1333854f564177e940c1984402ab1b40c189697498a7510dbf5b2a1bd1ba9eb4d169009326517bf50a6fb21991700ec3936c6d

Download Submit
C:\Windows\system\EzxByCx.exe
Filesize
5.9MB

MD5
bc86f06f5c8c8fff9a43577121ae49f4

SHA1
903861af2b7e7335d19c89c0c213a7b67a22dd89

SHA256
75984e04d4eff565407657c4063fd5ca1f069486dcb3dadb54a53fb964ce80d2

SHA512
00361bc5c2ef4e57c81e38ed3ef28e7e3641123cec86739dee0f9d6612dda8c8d9941a4c5c0944b072236d93e89653c17b3ef17a006013bb4b0bfc7473b94d90

Download Submit
C:\Windows\system\HASCOQW.exe
Filesize
5.9MB

MD5
1e477211154efa3d23db7790f1c4473a

SHA1
937d9caee5e415b5dac14558bf55e22fb1866d9b

SHA256
118b7e1ef92358526e3c35c6ffca4695e798fa625d423fc6061484ec3e3dd35b

SHA512
b8ef6bd1699dac6039a20c0ae83d72684914829eda5a5e1bb3a6fe2b1a5811bba86ec3968e8e898296b93971867abbfd5a5ef19ca52da6b8905febd62e52d0e1

Download Submit
C:\Windows\system\HjgBgNV.exe
Filesize
5.9MB

MD5
7a01656d86beb85e5fda46594d0d6c90

SHA1
e89be0814f740809987686c2e7a2e6c1a90092ac

SHA256
7ee542d17bd842f3b526a927656522680b51dbe86a7fbb73a74de52351cfd78a

SHA512
f1fe2b0c937fd310b105f0e54e245d89f3e8e116e9e5fef28c7ac1373af5a4858d5435e289f98a461f7d971e516c634c3c8821c6b7f4ee926668f960129c526c

Download Submit
C:\Windows\system\KENkEuP.exe
Filesize
5.9MB

MD5
d663f6bb45da955e6a92f2a24f836899

SHA1
49efc0768307c5a6920303bd7646106f2c1a1d21

SHA256
2af36ce9fdda7dd75d22e1616d9e76b64a82fd4db2dc1e9c8bfa7b19161e6f54

SHA512
b148a3448d97f19cc1d17314675c769ef11783a04ca038a2132191e6f623442f226d3808c6d151f9db0bc2c8e280c12bbdb02daf2dbfd849635067126d43e1a2

Download Submit
C:\Windows\system\LwBOzfa.exe
Filesize
5.9MB

MD5
017b73bb83c947490d3ca31056d7ebd6

SHA1
c62921bbf03c7024c11bf6eb92f31331ee681ddb

SHA256
26d14833dcfbb847cb6920a8b4191e30f116c7c7ca7e1c507b05a20ae421628a

SHA512
c052aac1a60301827ccf6fe2d6f317ef16625a2b9239cfb2c82381652095453654ba19bce8021dde2367741095b5f52f0b2f214be55417bd3e7775c3abeee011

Download Submit
C:\Windows\system\PgQhQcj.exe
Filesize
5.9MB

MD5
2b3e74cd615a6b69bc70a3c1cb2cc5d2

SHA1
980f8742343c097607eda61d1f199b292ab59095

SHA256
9be397b1dcfc7f4856e021259e42989a1323779f7a1acaaeb5f485b64cbf184f

SHA512
629bd76f29324c73b05110fa6de73dd4ce3b3400483d633d2880d0fc49655bb9f27efd40f928dfa757586cf23a5e0e70be95b17c5c75d3d78bc493b0a3dab80e

Download Submit
C:\Windows\system\SIBTVbM.exe
Filesize
5.9MB

MD5
6f1a9648975c5a4f27e9789e56be24d0

SHA1
a87693a92401f5a0b4f0e3b6063d5791d8e50f4d

SHA256
0f7d1ce16898d704c456b2265d2aed94231e2696e36f193b7c4ab8f351e4edf9

SHA512
1f29acdea91a57d5db58737d57b61f3d8ddcb2608a60009bd9f16780256112fe722646c41105f4a4b04161d13ecb937af6096da0adc03237ad195ffcbb3c11db

Download Submit
C:\Windows\system\SktHBJr.exe
Filesize
5.9MB

MD5
93da6fa288e21fdbfab5787dbe20a8f9

SHA1
10f71331525ea033bd25de6070061bbd60beeb01

SHA256
413eb49d83ce6d0ef31400aa361a4f616fe033549590e9e8fc17bd68a0b45f07

SHA512
f72654f8abb7842ca10f98dd1b5c4dee1e4508966d4c8316a8891c85b2075b7ca215565f9b53aaa3e405c962cd3d087fcc8b7b3f4f62bf6cec3062833123bf03

Download Submit
C:\Windows\system\WYfBCWq.exe
Filesize
5.9MB

MD5
fd0e1d46177bce455c3f6bbc126d8f20

SHA1
0ba0f2cdbece39d72a810ad21c3367a9fdcd981a

SHA256
10e6f5f14ec678e618efb6fc89d6b9e968b9c5a69338eeb778d792551aee8a01

SHA512
19e008526e1cda32890609230488ef96d142ea2dc54501ced4726ba55c483ac6f91c27fe2506d2cf283ac588c5a550afe2a433aff2de8a34c02c9a155c736038

Download Submit
C:\Windows\system\bqCeLHI.exe
Filesize
5.9MB

MD5
0416ff0934cbbf9173a5704f18713fb6

SHA1
29574f5c1ecab173c944950d8719971898471afd

SHA256
ebc2050cc9c26710d7143802a1de0e92811d58e7558128264996f8803ada2968

SHA512
5f9aa2bb8f5eaafed2aab55c8b10f6561184c5ef4897331ae28ae8919a69c14ba694b01f3ae7a5978fd95cd9f7abaa6519753125b4d0e6f5c51345cf018215f3

Download Submit
C:\Windows\system\hZybfJt.exe
Filesize
5.9MB

MD5
b27df64857201ee719883424d9b0399f

SHA1
e38191db402519ba890bcd938fded9e94532ac06

SHA256
ac290b91ed8e373da7ede75bfe8faf87c2362eb56c09e1200ed7414ef9ef42b7

SHA512
a6022262fe68c263cc7ce029055becce604a74034b2b1dceca4cde915fefee678b14a774979a3ebe5b8ef2136fba77955ea137dc35af58da8d12f86be2fcfcba

Download Submit
C:\Windows\system\hjxQEDM.exe
Filesize
5.9MB

MD5
ec40f1b55203cab465f327d4b6af9ee1

SHA1
107ef11c12176f8243411be7a36daa582596acaa

SHA256
068fea625708ec77087f46ac3c3ed6980f49b6c3f02f80076e1c662d7b26100d

SHA512
bc64c71b59219215ec76726417ba76e5e5386c347217212b30a21481bb69bdfd7fb3434e0191d2d29d5b4b18cab78c3b714985754c77a5b754048e8529639523

Download Submit
C:\Windows\system\naMngrI.exe
Filesize
5.9MB

MD5
6b8857404dcee5bac9af394fc7f4f47c

SHA1
1941be9aab8f28fa929e3afaf128c31b7a16c11e

SHA256
f414a700383fe27cd98fac14f2b982f56c35614c28a7f2689df90dee336c1212

SHA512
fd7d9ef0d3db50b210a4d04d5011f9d02d1490214abc273940ea415d99b2133a4fbed9a4196641385d71449b142f37eccf4fd49eb7c12502352a6adf7d1014e5

Download Submit
C:\Windows\system\ptTqLFJ.exe
Filesize
5.9MB

MD5
8386c265b78b045f3ca8ae19e5ea450c

SHA1
8e11a67c3ab5d7bca5ec739fee3f798701a34c9c

SHA256
9132202b95287e4d313ae0383fd4c0024bd1105017134660bc341ac8bc06f126

SHA512
8de42e6be0de593b810eedc96bd618e81063580b79ae4fd6d1df8e0cddb9810515ec22428399c18473647e82498958eaaab43c53f65cc9c5d123218e4656f4c1

Download Submit
C:\Windows\system\qFMMsgZ.exe
Filesize
5.9MB

MD5
8aeeb5ab31b9370e89a44990434daabb

SHA1
9eb61ee30ba634d3bc068e21244066d39753ff6d

SHA256
2a24e97076a4760912d7f25f5db86e8d30808b1dcb2d4f6c0b93273b45564a29

SHA512
0cc4a5f12ab7f3c94417321a5eb8ce0d5b10b9b0bf0715d01b05d38173b0443ed1f49dc47599cdd587ef969e89445563bb6c0a3581f0a46685503d0d52a30518

Download Submit
C:\Windows\system\sSQWAfr.exe
Filesize
5.9MB

MD5
0de1df526b230f1bfaa764f15477ff54

SHA1
8959c1153cf27fe12a38232e69c67159558f54d4

SHA256
ccc56cef19a8b7e2cd2f315ad763685c526c2fadfa0217df23e15dcf211ef02b

SHA512
1822052f9758b1885fd72aa10d5b86da1bb7cc42296a64844ecee61ae2104a6db870853b6cd6a9f938cfc294cdd1314a692bbabcfa8b8e61c92386378fd7bc23

Download Submit
C:\Windows\system\zvhFwzA.exe
Filesize
5.9MB

MD5
70530304bf28f7c6b013eb1ef0b0cd0b

SHA1
cff94371c6fb3c4d5d739a2621ba236cfca15e57

SHA256
097f2bd3a8ce6e414bf051e201b29ce85eda34882cd252a92f73c050ba57d710

SHA512
f2fcf749a0d1b0499dd6aa795546f13f5dd06467b8e5664330511ec6539be1c898a33c32ca10a13d6b08ba5746bc7cfdd8b8aaf36971e33fb44f2c501889b7cc

Download Submit
\Windows\system\hikCDjX.exe
Filesize
5.9MB

MD5
ff853881f5d677638867ddb7865db6a7

SHA1
e8934282fcbe274e9cbe249b3f6d70cf0a750464

SHA256
cc8c5b3953309a6f99ed9ebc34f5744f95e72540212af152c7fc2fa9e5adba58

SHA512
3910f89fe41ce8247d6cdf809f1a528899cc0f174ddf6418e38e49532120e92d27d70714be8987b8b87fa444211f14f0537ecc0cf27140258f7b179d964b4b75

Download Submit
memory/1684-91-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/1684-140-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/1684-152-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/1760-19-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1760-142-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2284-143-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2284-27-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2332-82-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2332-154-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2332-139-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2380-147-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2380-135-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2380-43-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2524-138-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-80-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-153-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-70-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-149-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-74-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2580-151-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2580-137-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2620-148-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2620-61-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2692-150-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2692-66-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2760-145-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-36-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-136-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2784-146-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2784-47-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2836-34-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-144-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2984-11-0x00000000021F0000-0x0000000002544000-memory.dmp

Filesize
3.3MB

Download
memory/2984-111-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-112-0x00000000021F0000-0x0000000002544000-memory.dmp

Filesize
3.3MB

Download
memory/2984-141-0x00000000021F0000-0x0000000002544000-memory.dmp

Filesize
3.3MB

Download
memory/2984-81-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2984-44-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2984-25-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2984-48-0x00000000021F0000-0x0000000002544000-memory.dmp

Filesize
3.3MB

Download
memory/2984-29-0x00000000021F0000-0x0000000002544000-memory.dmp

Filesize
3.3MB

Download
memory/2984-31-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-32-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2984-94-0x000000013FD20000-0x0000000140074000-memory.dmp

Filesize
3.3MB

Download
memory/2984-87-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-0-0x000000013FD20000-0x0000000140074000-memory.dmp

Filesize
3.3MB

Download
memory/2984-67-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-73-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-72-0x00000000021F0000-0x0000000002544000-memory.dmp

Filesize
3.3MB

Download