cobaltstrike | 133733bcdc40011509f82498b38480d38b381133a731d628ae8e2926d2139dcb

Analysis

max time kernel
125s
max time network
139s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

755db3989b25cb17784c3b2c578c5657
SHA1

941d0edffbd783e22eeca82d0061e4ac6b83c2b5
SHA256

133733bcdc40011509f82498b38480d38b381133a731d628ae8e2926d2139dcb
SHA512

367a136b742de604a890763c276091b88958f99826e46a35dce945967b2a89b3e6b30194c5ef749c5c5f8ce0c05caf11be7d50e3d6caaf0771f9afe53adcc63b
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUd:Q+856utgpPF8u/7d

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\ftOheVX.exe	cobalt_reflective_dll
C:\Windows\system\wMnznLA.exe	cobalt_reflective_dll
C:\Windows\system\voVQOJk.exe	cobalt_reflective_dll
\Windows\system\UmjMXhQ.exe	cobalt_reflective_dll
C:\Windows\system\aELtPHd.exe	cobalt_reflective_dll
C:\Windows\system\ilXwGWh.exe	cobalt_reflective_dll
C:\Windows\system\SygfcrU.exe	cobalt_reflective_dll
C:\Windows\system\dEUvAaT.exe	cobalt_reflective_dll
\Windows\system\ENTgooL.exe	cobalt_reflective_dll
C:\Windows\system\gEZxQwx.exe	cobalt_reflective_dll
C:\Windows\system\qASADpO.exe	cobalt_reflective_dll
\Windows\system\IiKBgAn.exe	cobalt_reflective_dll
C:\Windows\system\aemVKzh.exe	cobalt_reflective_dll
\Windows\system\houGYMS.exe	cobalt_reflective_dll
\Windows\system\zCbJtpo.exe	cobalt_reflective_dll
C:\Windows\system\ouQToyH.exe	cobalt_reflective_dll
C:\Windows\system\iZMgzVh.exe	cobalt_reflective_dll
C:\Windows\system\lntIsZJ.exe	cobalt_reflective_dll
C:\Windows\system\brjKfGL.exe	cobalt_reflective_dll
C:\Windows\system\GVwMGJv.exe	cobalt_reflective_dll
C:\Windows\system\CGCMggr.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\ftOheVX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wMnznLA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\voVQOJk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UmjMXhQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aELtPHd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ilXwGWh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SygfcrU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dEUvAaT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ENTgooL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gEZxQwx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qASADpO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\IiKBgAn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aemVKzh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\houGYMS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zCbJtpo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ouQToyH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iZMgzVh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lntIsZJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\brjKfGL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GVwMGJv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CGCMggr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2580-0-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
\Windows\system\ftOheVX.exe	UPX
behavioral1/memory/2588-9-0x000000013FD80000-0x00000001400D4000-memory.dmp	UPX
C:\Windows\system\wMnznLA.exe	UPX
behavioral1/memory/2644-16-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
C:\Windows\system\voVQOJk.exe	UPX
behavioral1/memory/2652-22-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
\Windows\system\UmjMXhQ.exe	UPX
behavioral1/memory/2628-32-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
C:\Windows\system\aELtPHd.exe	UPX
behavioral1/memory/2784-36-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/2580-40-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/2520-44-0x000000013FB10000-0x000000013FE64000-memory.dmp	UPX
C:\Windows\system\ilXwGWh.exe	UPX
C:\Windows\system\SygfcrU.exe	UPX
C:\Windows\system\dEUvAaT.exe	UPX
\Windows\system\ENTgooL.exe	UPX
behavioral1/memory/2608-64-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
C:\Windows\system\gEZxQwx.exe	UPX
behavioral1/memory/2652-71-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/2512-59-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2316-72-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/memory/2228-68-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
C:\Windows\system\qASADpO.exe	UPX
\Windows\system\IiKBgAn.exe	UPX
behavioral1/memory/800-85-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
C:\Windows\system\aemVKzh.exe	UPX
\Windows\system\houGYMS.exe	UPX
\Windows\system\zCbJtpo.exe	UPX
C:\Windows\system\ouQToyH.exe	UPX
C:\Windows\system\iZMgzVh.exe	UPX
C:\Windows\system\lntIsZJ.exe	UPX
C:\Windows\system\brjKfGL.exe	UPX
C:\Windows\system\GVwMGJv.exe	UPX
behavioral1/memory/2844-102-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
C:\Windows\system\CGCMggr.exe	UPX
behavioral1/memory/1668-91-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2784-81-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/2480-77-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2480-140-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/800-143-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/1668-144-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2844-146-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2588-148-0x000000013FD80000-0x00000001400D4000-memory.dmp	UPX
behavioral1/memory/2644-149-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/2652-150-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/2628-151-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
behavioral1/memory/2520-152-0x000000013FB10000-0x000000013FE64000-memory.dmp	UPX
behavioral1/memory/2784-153-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/2608-155-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2512-154-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2228-156-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2480-157-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/800-158-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/1668-159-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2844-160-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2316-161-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX

XMRig Miner payload 62 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2580-0-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
\Windows\system\ftOheVX.exe	xmrig
behavioral1/memory/2588-9-0x000000013FD80000-0x00000001400D4000-memory.dmp	xmrig
C:\Windows\system\wMnznLA.exe	xmrig
behavioral1/memory/2644-16-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
C:\Windows\system\voVQOJk.exe	xmrig
behavioral1/memory/2652-22-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
\Windows\system\UmjMXhQ.exe	xmrig
behavioral1/memory/2580-26-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2628-32-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
C:\Windows\system\aELtPHd.exe	xmrig
behavioral1/memory/2784-36-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2580-40-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2580-43-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
behavioral1/memory/2520-44-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
C:\Windows\system\ilXwGWh.exe	xmrig
C:\Windows\system\SygfcrU.exe	xmrig
C:\Windows\system\dEUvAaT.exe	xmrig
\Windows\system\ENTgooL.exe	xmrig
behavioral1/memory/2608-64-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
C:\Windows\system\gEZxQwx.exe	xmrig
behavioral1/memory/2652-71-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/2512-59-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2580-57-0x00000000023C0000-0x0000000002714000-memory.dmp	xmrig
behavioral1/memory/2316-72-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2228-68-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
C:\Windows\system\qASADpO.exe	xmrig
\Windows\system\IiKBgAn.exe	xmrig
behavioral1/memory/800-85-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
C:\Windows\system\aemVKzh.exe	xmrig
\Windows\system\houGYMS.exe	xmrig
\Windows\system\zCbJtpo.exe	xmrig
C:\Windows\system\ouQToyH.exe	xmrig
C:\Windows\system\iZMgzVh.exe	xmrig
C:\Windows\system\lntIsZJ.exe	xmrig
C:\Windows\system\brjKfGL.exe	xmrig
C:\Windows\system\GVwMGJv.exe	xmrig
behavioral1/memory/2844-102-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
C:\Windows\system\CGCMggr.exe	xmrig
behavioral1/memory/1668-91-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2784-81-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2480-77-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2580-74-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2480-140-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/800-143-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/1668-144-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2844-146-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2580-147-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2588-148-0x000000013FD80000-0x00000001400D4000-memory.dmp	xmrig
behavioral1/memory/2644-149-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2652-150-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/2628-151-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2520-152-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
behavioral1/memory/2784-153-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2608-155-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2512-154-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2228-156-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2480-157-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/800-158-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/1668-159-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2844-160-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2316-161-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ftOheVX.exewMnznLA.exevoVQOJk.exeUmjMXhQ.exeaELtPHd.exeilXwGWh.exedEUvAaT.exeSygfcrU.exeENTgooL.exegEZxQwx.exeqASADpO.exeIiKBgAn.exeaemVKzh.exeCGCMggr.exeGVwMGJv.exebrjKfGL.exelntIsZJ.exeiZMgzVh.exeouQToyH.exehouGYMS.exezCbJtpo.exe

pid	process
2588	ftOheVX.exe
2644	wMnznLA.exe
2652	voVQOJk.exe
2628	UmjMXhQ.exe
2784	aELtPHd.exe
2520	ilXwGWh.exe
2608	dEUvAaT.exe
2512	SygfcrU.exe
2228	ENTgooL.exe
2316	gEZxQwx.exe
2480	qASADpO.exe
800	IiKBgAn.exe
1668	aemVKzh.exe
2844	CGCMggr.exe
2984	GVwMGJv.exe
2556	brjKfGL.exe
2324	lntIsZJ.exe
1912	iZMgzVh.exe
2056	ouQToyH.exe
948	houGYMS.exe
804	zCbJtpo.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2580-0-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
\Windows\system\ftOheVX.exe	upx
behavioral1/memory/2588-9-0x000000013FD80000-0x00000001400D4000-memory.dmp	upx
C:\Windows\system\wMnznLA.exe	upx
behavioral1/memory/2644-16-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
C:\Windows\system\voVQOJk.exe	upx
behavioral1/memory/2652-22-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
\Windows\system\UmjMXhQ.exe	upx
behavioral1/memory/2628-32-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
C:\Windows\system\aELtPHd.exe	upx
behavioral1/memory/2784-36-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2580-40-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2520-44-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
C:\Windows\system\ilXwGWh.exe	upx
C:\Windows\system\SygfcrU.exe	upx
C:\Windows\system\dEUvAaT.exe	upx
\Windows\system\ENTgooL.exe	upx
behavioral1/memory/2608-64-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
C:\Windows\system\gEZxQwx.exe	upx
behavioral1/memory/2652-71-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/2512-59-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2316-72-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2228-68-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
C:\Windows\system\qASADpO.exe	upx
\Windows\system\IiKBgAn.exe	upx
behavioral1/memory/800-85-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
C:\Windows\system\aemVKzh.exe	upx
\Windows\system\houGYMS.exe	upx
\Windows\system\zCbJtpo.exe	upx
C:\Windows\system\ouQToyH.exe	upx
C:\Windows\system\iZMgzVh.exe	upx
C:\Windows\system\lntIsZJ.exe	upx
C:\Windows\system\brjKfGL.exe	upx
C:\Windows\system\GVwMGJv.exe	upx
behavioral1/memory/2844-102-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
C:\Windows\system\CGCMggr.exe	upx
behavioral1/memory/1668-91-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2784-81-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2480-77-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2480-140-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/800-143-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/1668-144-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2844-146-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2588-148-0x000000013FD80000-0x00000001400D4000-memory.dmp	upx
behavioral1/memory/2644-149-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/2652-150-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/2628-151-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/2520-152-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
behavioral1/memory/2784-153-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2608-155-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2512-154-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2228-156-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2480-157-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/800-158-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/1668-159-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2844-160-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2316-161-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\CGCMggr.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iZMgzVh.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ouQToyH.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ftOheVX.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wMnznLA.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aELtPHd.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qASADpO.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IiKBgAn.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aemVKzh.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SygfcrU.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lntIsZJ.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\houGYMS.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zCbJtpo.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gEZxQwx.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENTgooL.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GVwMGJv.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\brjKfGL.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\voVQOJk.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UmjMXhQ.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ilXwGWh.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dEUvAaT.exe	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2580 wrote to memory of 2588	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ftOheVX.exe
PID 2580 wrote to memory of 2588	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ftOheVX.exe
PID 2580 wrote to memory of 2588	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ftOheVX.exe
PID 2580 wrote to memory of 2644	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	wMnznLA.exe
PID 2580 wrote to memory of 2644	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	wMnznLA.exe
PID 2580 wrote to memory of 2644	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	wMnznLA.exe
PID 2580 wrote to memory of 2652	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	voVQOJk.exe
PID 2580 wrote to memory of 2652	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	voVQOJk.exe
PID 2580 wrote to memory of 2652	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	voVQOJk.exe
PID 2580 wrote to memory of 2628	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	UmjMXhQ.exe
PID 2580 wrote to memory of 2628	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	UmjMXhQ.exe
PID 2580 wrote to memory of 2628	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	UmjMXhQ.exe
PID 2580 wrote to memory of 2784	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	aELtPHd.exe
PID 2580 wrote to memory of 2784	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	aELtPHd.exe
PID 2580 wrote to memory of 2784	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	aELtPHd.exe
PID 2580 wrote to memory of 2520	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ilXwGWh.exe
PID 2580 wrote to memory of 2520	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ilXwGWh.exe
PID 2580 wrote to memory of 2520	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ilXwGWh.exe
PID 2580 wrote to memory of 2608	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	dEUvAaT.exe
PID 2580 wrote to memory of 2608	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	dEUvAaT.exe
PID 2580 wrote to memory of 2608	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	dEUvAaT.exe
PID 2580 wrote to memory of 2512	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	SygfcrU.exe
PID 2580 wrote to memory of 2512	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	SygfcrU.exe
PID 2580 wrote to memory of 2512	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	SygfcrU.exe
PID 2580 wrote to memory of 2316	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	gEZxQwx.exe
PID 2580 wrote to memory of 2316	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	gEZxQwx.exe
PID 2580 wrote to memory of 2316	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	gEZxQwx.exe
PID 2580 wrote to memory of 2228	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ENTgooL.exe
PID 2580 wrote to memory of 2228	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ENTgooL.exe
PID 2580 wrote to memory of 2228	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ENTgooL.exe
PID 2580 wrote to memory of 2480	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	qASADpO.exe
PID 2580 wrote to memory of 2480	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	qASADpO.exe
PID 2580 wrote to memory of 2480	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	qASADpO.exe
PID 2580 wrote to memory of 800	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	IiKBgAn.exe
PID 2580 wrote to memory of 800	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	IiKBgAn.exe
PID 2580 wrote to memory of 800	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	IiKBgAn.exe
PID 2580 wrote to memory of 1668	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	aemVKzh.exe
PID 2580 wrote to memory of 1668	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	aemVKzh.exe
PID 2580 wrote to memory of 1668	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	aemVKzh.exe
PID 2580 wrote to memory of 2844	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	CGCMggr.exe
PID 2580 wrote to memory of 2844	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	CGCMggr.exe
PID 2580 wrote to memory of 2844	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	CGCMggr.exe
PID 2580 wrote to memory of 2984	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	GVwMGJv.exe
PID 2580 wrote to memory of 2984	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	GVwMGJv.exe
PID 2580 wrote to memory of 2984	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	GVwMGJv.exe
PID 2580 wrote to memory of 2556	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	brjKfGL.exe
PID 2580 wrote to memory of 2556	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	brjKfGL.exe
PID 2580 wrote to memory of 2556	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	brjKfGL.exe
PID 2580 wrote to memory of 2324	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	lntIsZJ.exe
PID 2580 wrote to memory of 2324	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	lntIsZJ.exe
PID 2580 wrote to memory of 2324	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	lntIsZJ.exe
PID 2580 wrote to memory of 1912	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	iZMgzVh.exe
PID 2580 wrote to memory of 1912	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	iZMgzVh.exe
PID 2580 wrote to memory of 1912	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	iZMgzVh.exe
PID 2580 wrote to memory of 2056	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ouQToyH.exe
PID 2580 wrote to memory of 2056	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ouQToyH.exe
PID 2580 wrote to memory of 2056	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	ouQToyH.exe
PID 2580 wrote to memory of 948	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	houGYMS.exe
PID 2580 wrote to memory of 948	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	houGYMS.exe
PID 2580 wrote to memory of 948	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	houGYMS.exe
PID 2580 wrote to memory of 804	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	zCbJtpo.exe
PID 2580 wrote to memory of 804	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	zCbJtpo.exe
PID 2580 wrote to memory of 804	2580	2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe	zCbJtpo.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\System\ftOheVX.exe
C:\Windows\System\ftOheVX.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\wMnznLA.exe
C:\Windows\System\wMnznLA.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\voVQOJk.exe
C:\Windows\System\voVQOJk.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\UmjMXhQ.exe
C:\Windows\System\UmjMXhQ.exe
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\System\aELtPHd.exe
C:\Windows\System\aELtPHd.exe
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\System\ilXwGWh.exe
C:\Windows\System\ilXwGWh.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\dEUvAaT.exe
C:\Windows\System\dEUvAaT.exe
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\System\SygfcrU.exe
C:\Windows\System\SygfcrU.exe
2⤵
- Executes dropped EXE
PID:2512

C:\Windows\System\gEZxQwx.exe
C:\Windows\System\gEZxQwx.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\System\ENTgooL.exe
C:\Windows\System\ENTgooL.exe
2⤵
- Executes dropped EXE
PID:2228

C:\Windows\System\qASADpO.exe
C:\Windows\System\qASADpO.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\IiKBgAn.exe
C:\Windows\System\IiKBgAn.exe
2⤵
- Executes dropped EXE
PID:800

C:\Windows\System\aemVKzh.exe
C:\Windows\System\aemVKzh.exe
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\System\CGCMggr.exe
C:\Windows\System\CGCMggr.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\System\GVwMGJv.exe
C:\Windows\System\GVwMGJv.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\brjKfGL.exe
C:\Windows\System\brjKfGL.exe
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\System\lntIsZJ.exe
C:\Windows\System\lntIsZJ.exe
2⤵
- Executes dropped EXE
PID:2324

C:\Windows\System\iZMgzVh.exe
C:\Windows\System\iZMgzVh.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\System\ouQToyH.exe
C:\Windows\System\ouQToyH.exe
2⤵
- Executes dropped EXE
PID:2056

C:\Windows\System\houGYMS.exe
C:\Windows\System\houGYMS.exe
2⤵
- Executes dropped EXE
PID:948

C:\Windows\System\zCbJtpo.exe
C:\Windows\System\zCbJtpo.exe
2⤵
- Executes dropped EXE
PID:804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CGCMggr.exe
Filesize
5.9MB

MD5
345dd3be472ca8cb765d53c2a495aa3b

SHA1
d3a16315d9f32f9b2add6703c17a6497cbe240c6

SHA256
46ab59a52edd7039e4ee355ed1eb5b2b668d6bbf5628c7643d6e455d1efba6d3

SHA512
9c9482032473fab963759338eae3792c7fd454b26c77037635fced2c966f38ffdc0b25e9459a3ba78703e9e208ae2f27ea7cea94c93888dfc280f0751601344b

Download Submit
C:\Windows\system\GVwMGJv.exe
Filesize
5.9MB

MD5
0f9672eb44033f2a8c1217c1bba66ff2

SHA1
1965985b540c0fccebe92fb74df552fbfed10ac4

SHA256
8d1ce83adf2889f80ac8e126ee2f0919ac26e844cf52de8c8183b563c6a7e8f2

SHA512
48daecdd08b1c16c1df6f0186d5c56a4f549b4f4a319811e45eb7c0327f57f45af8c8f6dca5043f6ffed7fbd7945142576dc46f4f4aa0c44eef4f30c0af3a39a

Download Submit
C:\Windows\system\SygfcrU.exe
Filesize
5.9MB

MD5
2cf2e67010d6a5ead1c658e49623ff33

SHA1
99ed5e17d168e86c1887b087c29890e27a721fca

SHA256
06d2232e31d7a0f2024d6b7108324d81ae1ce7b00f39172bc881e718a4e5bb2c

SHA512
24c4d97149f0939fdf2d88e5c396e7ed16b163148f27f1a8391f9ec353d5ddef04302d8bfdb30d051ade5083e482d8f7f925dde8a50641555b952d0c848e6816

Download Submit
C:\Windows\system\aELtPHd.exe
Filesize
5.9MB

MD5
b7a3db72f4bc0a45dde25c740bb09a31

SHA1
8ac2e3f7988048b3f035c3291de627552dfc7bee

SHA256
48a1872d7acdae0c4ce0ec2c0d000d50f085d1a2af5a1aa514d9eb4b4b131655

SHA512
149795b60b354d64a289e585ef0a1985ea1caeab3cda4a8d53d32eefb4d6b01ff601c184679c60eb215cefe03340526d8bb3b26ddaacca8069dae48daa8b9fd8

Download Submit
C:\Windows\system\aemVKzh.exe
Filesize
5.9MB

MD5
6e801dc29f89b7217e610df0451d52ca

SHA1
c36a6b83f9a11b2e614fe5f68304a430be754bf5

SHA256
969a66a6bff83e6687bb50a6e5cba4c91d5c7a544b2e191937973f1688360c0f

SHA512
54d6cbf2866a0fa6e4963320b64e43b318544ffd8958e16351ff207030c865750e26166b6fe80c04d46a5cb9c5185bebdadc2d275e720960abfb0e5e642907de

Download Submit
C:\Windows\system\brjKfGL.exe
Filesize
5.9MB

MD5
48aede63f1ef6c345e6575abf54a854e

SHA1
a8b4885fb37d9b17e4444f0ad26bb727f033ff61

SHA256
34b93e5c2deb29e0e9a2d3b2cefc98c4bb16dfe5ffbfaed40f5e3c2f668376ac

SHA512
6197f3d7805a2b292a4fbc0ab6fb9eb5031982f3980f34ce5eb46f81af76ff9f979843cf32730092e7f555b358e888e8439f1591972bd44c2e6c2153fbc9dfbc

Download Submit
C:\Windows\system\dEUvAaT.exe
Filesize
5.9MB

MD5
ff9a249a2a21bcb5c2d5664036574124

SHA1
e31325bcd9efa457e5e827d59af408a3c4efdc66

SHA256
7688119faf166aae8da7473514edc8a02cbf9e727d464e91aa8d79e50456bc94

SHA512
6bee2113d61fe4c29f60ce239f6daf21a3c88fc316b45925ef6fdd9c5e482811841c6a9edda02ec8089a1207caceda531addba32c9309f570e29f6fbf164d2db

Download Submit
C:\Windows\system\gEZxQwx.exe
Filesize
5.9MB

MD5
1c940482952c2e8b6c230d480cac0936

SHA1
55744e0f49b8295018d84bf759066d504566d838

SHA256
937a83f3d75710573382c9e9fb91936344a1d847653e4fc45962340c4a160fd3

SHA512
b9da65284a19b16d92e7b1edae77cdebf05a5627401a70ae7cf5fcaa5ba0f80704108d04d972e8306696ae47e80ed4c1cead622f4928ebdd8074692a8762fea9

Download Submit
C:\Windows\system\iZMgzVh.exe
Filesize
5.9MB

MD5
8a13ce5b4fafcf9bb845a8bde5071f25

SHA1
e1f43a52438ae95601d89ac201964d02330eddb3

SHA256
8ae6e88cad511b76eea56f2255c2c959d7a44aca30a6ae22a7948885c916e53d

SHA512
2da4f5386a31d89c30e2dd800a9c235e413d1b5d4633e79aafba0626e6901ace26381730d5de6b0485b5caf2fd9fa13948b2682930d18b8c90a23d063ca58105

Download Submit
C:\Windows\system\ilXwGWh.exe
Filesize
5.9MB

MD5
d7a01a591986badceef9b0988d98bc34

SHA1
73ae65b182dd5a200a208d28d9c8957688699982

SHA256
6dcac8adb85522c8b07c23c3d6f81483d7f395c460f0ec7930a30d49ff04bcee

SHA512
35652da1ecb0a52ded8b730a90d77313392f615d68292764e93fdb437020dadf47e2577f769a4e5263fede3245458717f44e1878523657318db08b6f08d121ac

Download Submit
C:\Windows\system\lntIsZJ.exe
Filesize
5.9MB

MD5
b6a91782a672f2b72b82ad834c6608f7

SHA1
539b3c77c3d471235fdc932b89d83d6aada80597

SHA256
1e49528f81355f68343e29dba51adb58daf30a77e81ae67f4ccc7ec70ea2d735

SHA512
b54bc4df1d53018e42df14cb34d69c50acfaba73717d203aa97e3f90c32f6bbf203cbc4af69184968c966ea7145fb2fde1c752acb9085d29ba6c391922ee9634

Download Submit
C:\Windows\system\ouQToyH.exe
Filesize
5.9MB

MD5
55a168336cdbeb94690af31fd4fda5e3

SHA1
5bd5f366539265deaef43df0e38cfc24051c7c07

SHA256
966d1227b75e20d7790f511e56dc63f85e3fb621390ded5530304a77bc3fba29

SHA512
b99964580b692f470a30c5c32ea6794596f6e5a0e31e5a6919460e182a24a26527b505930a8adcf77cbce063d1d558d175df9f51e383f483cd13b0c951c9b5f0

Download Submit
C:\Windows\system\qASADpO.exe
Filesize
5.9MB

MD5
54a1c95128e1e85c4daa1ae31d5d20f5

SHA1
f86b161b6a7b17600e7e38438b5f5678241e1e05

SHA256
37d3366221b6fe3f4dd9d62990ef1cf916566dcdd6acb3ce873a5130ba4e5fa2

SHA512
4b1e9baf01e101d24ebf3630d772aa74e150e2c06dc94ae72634837189a2fd39db6ed8efeb62781acc98e91d9837c8b08ff91aaae6dee5c107cac9cc0defac1a

Download Submit
C:\Windows\system\voVQOJk.exe
Filesize
5.9MB

MD5
d07d1dd6021b827c584b863354fe7946

SHA1
1c592f19b48da1dbcd02e5df1d16cc8efca70d43

SHA256
6575d5e75fe434c43d8ad2b71f14ac7db380cb60d1d71515d69ed3262db53eed

SHA512
7651f95048bcae280d55a96acdbadfaed1d618ecd6209a369ba624c511a121a0f952b489ae85073ded390e9723b111393eea341255b533a97910eff7d74e760b

Download Submit
C:\Windows\system\wMnznLA.exe
Filesize
5.9MB

MD5
aa36cd627643f2510f6732854616b2de

SHA1
4322e66384f5efea105ca1943833496bcada9d93

SHA256
fbe977cb586e12364c011f35109630fc1109540385c03992e18802894a9715f4

SHA512
802ad4646e58bdc2ba8d379e490d9d4177c801a6890fc7e5151ba7dbaf74fe550d33cb57c0d21daf6ac87994cc100d62d6acc504939134916c6a3cd72c414b1f

Download Submit
\Windows\system\ENTgooL.exe
Filesize
5.9MB

MD5
63cb7b819a7539dfc8dc7d12df47b237

SHA1
2da1bd94ebd9cd263e02066a60527e14924a532a

SHA256
b6f9d80451f85009cd6514ac60320010c6b3c17a8bff53fd6c5757b6dd981b67

SHA512
704db969adbff83a66f5ec72effb6cbf676ca88b1fce3b220b4443a439dc8439323b0ddbe01b1c4289fb06de4abc0e55a2660d1e5eb458c5e5bd4a5f7915793d

Download Submit
\Windows\system\IiKBgAn.exe
Filesize
5.9MB

MD5
fbdfaa34778b38dd540812d95d7b38cd

SHA1
0b972a9b9de02cb1a91836bc4386f97765d3513d

SHA256
99a5791040cade5fb28b9beb684371401c43eff5798038599c0e6d2405e02813

SHA512
823b567fee66cd31091f0ce243e79e51273cddfafccde79112d28f84455754a6810ee886ac0b66b2d44050051ff3565d903094d964973c8332779a26df7deb62

Download Submit
\Windows\system\UmjMXhQ.exe
Filesize
5.9MB

MD5
138178a1d34a74f69e07dd917b41bc1d

SHA1
450a9157634ccea4d1d6ed45a3b435f9333c89b5

SHA256
a8ce7e96d9a7d119a054e3c933e33beceda75d8c42ddf730df01c2fbe1d4a0a3

SHA512
195392b7b14d2c0facecf5b2d11472955eca45f66db988b2456a645b4142c6b60a0792e3c2e1afcd69404de926f42d74eea7f453ae820de331f3e7f889ebf425

Download Submit
\Windows\system\ftOheVX.exe
Filesize
5.9MB

MD5
51be5b80d4cbf8a47b11b9794d2c176a

SHA1
76e20f133905757359a5b585ad19b15600fb7538

SHA256
37f166200d49608bf20c7d25509e052356d92cbe03cf24fd58f69337e52aeb54

SHA512
3cf0e520fab2cecb6320e11b64f0e213af28e177afb44dae8249371e271c890a94f64dd7559f4cc09b85e0d8954e39963d82f57d4b8323a507b3df932e29d4da

Download Submit
\Windows\system\houGYMS.exe
Filesize
5.9MB

MD5
f0bc4a06fa56c79f74e99eba5b25307f

SHA1
535ecba60252109116af6b31c10c6178742adf20

SHA256
455cb31bb05273d4b3f05d9e98af3cf0aff57a3721948c64affaf5a2759804e6

SHA512
0ec2c6783c4b419efce1bc7277248c92361f493098c7578e4e25c9c3ce9ebd045da61fb8ff7eaaf59d19d8af716856d69387be1b348a1403910c8aee589c9f81

Download Submit
\Windows\system\zCbJtpo.exe
Filesize
5.9MB

MD5
0d39403bbf6491db9455b60536104733

SHA1
898345a7a089d1c5048c4df35a7ca0743397b7ba

SHA256
7c340d3bb02a3f66660dbae6913aae8977877b87bfecd344c68f429496f79f78

SHA512
346e5d31066147ca8ca1e0cf920a62a9b02798c9c46b7c25afc06f67575a5eb4a8dbc4b4bb2f0b109f63caeeec2617181ee01159b55d2809bb7ae89164935427

Download Submit
memory/800-158-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/800-85-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/800-143-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1668-144-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/1668-91-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/1668-159-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2228-156-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2228-68-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-72-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-161-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-77-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2480-140-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2480-157-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2512-154-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-59-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-44-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2520-152-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2580-95-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-82-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2580-0-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-57-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2580-1-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/2580-69-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2580-67-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-66-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-105-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2580-20-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2580-101-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-100-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-96-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2580-43-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2580-139-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2580-147-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2580-8-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-40-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-74-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2580-15-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2580-141-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2580-145-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2580-26-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2588-148-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-9-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-155-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-64-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2628-32-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2628-151-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2644-16-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2644-149-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2652-150-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-22-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-71-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-153-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-36-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-81-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-146-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-102-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-160-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download