cobaltstrike | bd8c88455e79dcf2211ebe1e27ee828fa94fd189943c063dc3d172ca9e968192

Analysis

max time kernel
125s
max time network
139s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

b49480422c90786723fb6501c8024acd
SHA1

67528ab2fcb212d7cb36b2efae68898dc3e89b71
SHA256

bd8c88455e79dcf2211ebe1e27ee828fa94fd189943c063dc3d172ca9e968192
SHA512

ec7713af0080034612d8fa8f9ff033d120bb263e4d60cc59d495d32b3c39af6dbabdd1984d61a4dcc66d01d8d82dfc11f859f4e640e92575372eca46c0d3a631
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUp:Q+856utgpPF8u/7p

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\fgYFgHW.exe	cobalt_reflective_dll
C:\Windows\system\fTLSsgV.exe	cobalt_reflective_dll
C:\Windows\system\aUIUElm.exe	cobalt_reflective_dll
\Windows\system\lIgskMm.exe	cobalt_reflective_dll
\Windows\system\BqcGzzk.exe	cobalt_reflective_dll
\Windows\system\kkrkjkt.exe	cobalt_reflective_dll
C:\Windows\system\kxTWSrO.exe	cobalt_reflective_dll
\Windows\system\iYSMuYU.exe	cobalt_reflective_dll
C:\Windows\system\xXZZWKF.exe	cobalt_reflective_dll
\Windows\system\nUdYlyi.exe	cobalt_reflective_dll
C:\Windows\system\RVICoaZ.exe	cobalt_reflective_dll
\Windows\system\IbcNBqu.exe	cobalt_reflective_dll
\Windows\system\ynhKBKn.exe	cobalt_reflective_dll
C:\Windows\system\aSbnput.exe	cobalt_reflective_dll
C:\Windows\system\Teerzcr.exe	cobalt_reflective_dll
C:\Windows\system\xOmTbvp.exe	cobalt_reflective_dll
C:\Windows\system\yvysSnB.exe	cobalt_reflective_dll
C:\Windows\system\KVYdYmF.exe	cobalt_reflective_dll
C:\Windows\system\GzqisrQ.exe	cobalt_reflective_dll
C:\Windows\system\CjfYUHx.exe	cobalt_reflective_dll
C:\Windows\system\kpAcRue.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\fgYFgHW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fTLSsgV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aUIUElm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lIgskMm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\BqcGzzk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kkrkjkt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kxTWSrO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\iYSMuYU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xXZZWKF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\nUdYlyi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RVICoaZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\IbcNBqu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ynhKBKn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aSbnput.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\Teerzcr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xOmTbvp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yvysSnB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KVYdYmF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GzqisrQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CjfYUHx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kpAcRue.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 59 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2448-0-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
\Windows\system\fgYFgHW.exe	UPX
behavioral1/memory/1664-8-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
C:\Windows\system\fTLSsgV.exe	UPX
C:\Windows\system\aUIUElm.exe	UPX
behavioral1/memory/1092-15-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/2724-23-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
\Windows\system\lIgskMm.exe	UPX
behavioral1/memory/2720-29-0x000000013F860000-0x000000013FBB4000-memory.dmp	UPX
\Windows\system\BqcGzzk.exe	UPX
behavioral1/memory/2504-35-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
\Windows\system\kkrkjkt.exe	UPX
C:\Windows\system\kxTWSrO.exe	UPX
\Windows\system\iYSMuYU.exe	UPX
behavioral1/memory/2524-61-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2556-63-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2820-65-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
behavioral1/memory/2692-66-0x000000013F1F0000-0x000000013F544000-memory.dmp	UPX
behavioral1/memory/2492-70-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
C:\Windows\system\xXZZWKF.exe	UPX
\Windows\system\nUdYlyi.exe	UPX
C:\Windows\system\RVICoaZ.exe	UPX
behavioral1/memory/568-85-0x000000013FE80000-0x00000001401D4000-memory.dmp	UPX
behavioral1/memory/1684-77-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/memory/1092-73-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/1664-72-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
\Windows\system\IbcNBqu.exe	UPX
behavioral1/memory/1100-99-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
\Windows\system\ynhKBKn.exe	UPX
C:\Windows\system\aSbnput.exe	UPX
C:\Windows\system\Teerzcr.exe	UPX
C:\Windows\system\xOmTbvp.exe	UPX
C:\Windows\system\yvysSnB.exe	UPX
C:\Windows\system\KVYdYmF.exe	UPX
behavioral1/memory/2504-106-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
C:\Windows\system\GzqisrQ.exe	UPX
behavioral1/memory/2972-92-0x000000013F520000-0x000000013F874000-memory.dmp	UPX
C:\Windows\system\CjfYUHx.exe	UPX
behavioral1/memory/2448-64-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
C:\Windows\system\kpAcRue.exe	UPX
behavioral1/memory/2492-138-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
behavioral1/memory/1684-140-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/memory/568-141-0x000000013FE80000-0x00000001401D4000-memory.dmp	UPX
behavioral1/memory/2972-143-0x000000013F520000-0x000000013F874000-memory.dmp	UPX
behavioral1/memory/1100-145-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/1664-147-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/1092-148-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/2724-149-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2720-150-0x000000013F860000-0x000000013FBB4000-memory.dmp	UPX
behavioral1/memory/2504-151-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/memory/2524-152-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2692-154-0x000000013F1F0000-0x000000013F544000-memory.dmp	UPX
behavioral1/memory/2820-153-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
behavioral1/memory/2556-155-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/1684-156-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/memory/2492-157-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
behavioral1/memory/568-158-0x000000013FE80000-0x00000001401D4000-memory.dmp	UPX
behavioral1/memory/2972-159-0x000000013F520000-0x000000013F874000-memory.dmp	UPX
behavioral1/memory/1100-160-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2448-0-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
\Windows\system\fgYFgHW.exe	xmrig
behavioral1/memory/1664-8-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
C:\Windows\system\fTLSsgV.exe	xmrig
C:\Windows\system\aUIUElm.exe	xmrig
behavioral1/memory/1092-15-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2724-23-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
\Windows\system\lIgskMm.exe	xmrig
behavioral1/memory/2720-29-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/memory/2448-26-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
\Windows\system\BqcGzzk.exe	xmrig
behavioral1/memory/2504-35-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
\Windows\system\kkrkjkt.exe	xmrig
C:\Windows\system\kxTWSrO.exe	xmrig
\Windows\system\iYSMuYU.exe	xmrig
behavioral1/memory/2524-61-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2556-63-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2820-65-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2692-66-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/2492-70-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
C:\Windows\system\xXZZWKF.exe	xmrig
\Windows\system\nUdYlyi.exe	xmrig
C:\Windows\system\RVICoaZ.exe	xmrig
behavioral1/memory/568-85-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/memory/1684-77-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2448-74-0x00000000024F0000-0x0000000002844000-memory.dmp	xmrig
behavioral1/memory/1092-73-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/1664-72-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
\Windows\system\IbcNBqu.exe	xmrig
behavioral1/memory/1100-99-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
\Windows\system\ynhKBKn.exe	xmrig
C:\Windows\system\aSbnput.exe	xmrig
C:\Windows\system\Teerzcr.exe	xmrig
C:\Windows\system\xOmTbvp.exe	xmrig
C:\Windows\system\yvysSnB.exe	xmrig
C:\Windows\system\KVYdYmF.exe	xmrig
behavioral1/memory/2448-107-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2504-106-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
C:\Windows\system\GzqisrQ.exe	xmrig
behavioral1/memory/2972-92-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
C:\Windows\system\CjfYUHx.exe	xmrig
behavioral1/memory/2448-67-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/2448-64-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
C:\Windows\system\kpAcRue.exe	xmrig
behavioral1/memory/2492-138-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/1684-140-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/568-141-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/memory/2448-142-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2972-143-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/1100-145-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2448-146-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/1664-147-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/1092-148-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2724-149-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2720-150-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/memory/2504-151-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/2524-152-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2692-154-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/2820-153-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2556-155-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/1684-156-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2492-157-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/568-158-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/memory/2972-159-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

fgYFgHW.exefTLSsgV.exeaUIUElm.exelIgskMm.exeBqcGzzk.exekpAcRue.exekkrkjkt.exekxTWSrO.exeiYSMuYU.exexXZZWKF.exenUdYlyi.exeRVICoaZ.exeCjfYUHx.exeIbcNBqu.exeGzqisrQ.exeKVYdYmF.exeyvysSnB.exexOmTbvp.exeTeerzcr.exeaSbnput.exeynhKBKn.exe

pid	process
1664	fgYFgHW.exe
1092	fTLSsgV.exe
2724	aUIUElm.exe
2720	lIgskMm.exe
2504	BqcGzzk.exe
2524	kpAcRue.exe
2820	kkrkjkt.exe
2692	kxTWSrO.exe
2556	iYSMuYU.exe
2492	xXZZWKF.exe
1684	nUdYlyi.exe
568	RVICoaZ.exe
2972	CjfYUHx.exe
1100	IbcNBqu.exe
2848	GzqisrQ.exe
2176	KVYdYmF.exe
1528	yvysSnB.exe
1636	xOmTbvp.exe
2560	Teerzcr.exe
2312	aSbnput.exe
1352	ynhKBKn.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2448-0-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
\Windows\system\fgYFgHW.exe	upx
behavioral1/memory/1664-8-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
C:\Windows\system\fTLSsgV.exe	upx
C:\Windows\system\aUIUElm.exe	upx
behavioral1/memory/1092-15-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2724-23-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
\Windows\system\lIgskMm.exe	upx
behavioral1/memory/2720-29-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/2448-26-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
\Windows\system\BqcGzzk.exe	upx
behavioral1/memory/2504-35-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
\Windows\system\kkrkjkt.exe	upx
C:\Windows\system\kxTWSrO.exe	upx
\Windows\system\iYSMuYU.exe	upx
behavioral1/memory/2524-61-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2556-63-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2820-65-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2692-66-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/2492-70-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
C:\Windows\system\xXZZWKF.exe	upx
\Windows\system\nUdYlyi.exe	upx
C:\Windows\system\RVICoaZ.exe	upx
behavioral1/memory/568-85-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/memory/1684-77-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/1092-73-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/1664-72-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
\Windows\system\IbcNBqu.exe	upx
behavioral1/memory/1100-99-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
\Windows\system\ynhKBKn.exe	upx
C:\Windows\system\aSbnput.exe	upx
C:\Windows\system\Teerzcr.exe	upx
C:\Windows\system\xOmTbvp.exe	upx
C:\Windows\system\yvysSnB.exe	upx
C:\Windows\system\KVYdYmF.exe	upx
behavioral1/memory/2504-106-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
C:\Windows\system\GzqisrQ.exe	upx
behavioral1/memory/2972-92-0x000000013F520000-0x000000013F874000-memory.dmp	upx
C:\Windows\system\CjfYUHx.exe	upx
behavioral1/memory/2448-64-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
C:\Windows\system\kpAcRue.exe	upx
behavioral1/memory/2492-138-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/memory/1684-140-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/568-141-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/memory/2972-143-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/1100-145-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/1664-147-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/1092-148-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2724-149-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2720-150-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/2504-151-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/2524-152-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2692-154-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/2820-153-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2556-155-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/1684-156-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2492-157-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/memory/568-158-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/memory/2972-159-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/1100-160-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\aUIUElm.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kpAcRue.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kkrkjkt.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzqisrQ.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aSbnput.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fgYFgHW.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kxTWSrO.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xXZZWKF.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RVICoaZ.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yvysSnB.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BqcGzzk.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iYSMuYU.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CjfYUHx.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KVYdYmF.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Teerzcr.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lIgskMm.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nUdYlyi.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IbcNBqu.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xOmTbvp.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ynhKBKn.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fTLSsgV.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2448 wrote to memory of 1664	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	fgYFgHW.exe
PID 2448 wrote to memory of 1664	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	fgYFgHW.exe
PID 2448 wrote to memory of 1664	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	fgYFgHW.exe
PID 2448 wrote to memory of 1092	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	fTLSsgV.exe
PID 2448 wrote to memory of 1092	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	fTLSsgV.exe
PID 2448 wrote to memory of 1092	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	fTLSsgV.exe
PID 2448 wrote to memory of 2724	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	aUIUElm.exe
PID 2448 wrote to memory of 2724	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	aUIUElm.exe
PID 2448 wrote to memory of 2724	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	aUIUElm.exe
PID 2448 wrote to memory of 2720	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	lIgskMm.exe
PID 2448 wrote to memory of 2720	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	lIgskMm.exe
PID 2448 wrote to memory of 2720	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	lIgskMm.exe
PID 2448 wrote to memory of 2504	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	BqcGzzk.exe
PID 2448 wrote to memory of 2504	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	BqcGzzk.exe
PID 2448 wrote to memory of 2504	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	BqcGzzk.exe
PID 2448 wrote to memory of 2524	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kpAcRue.exe
PID 2448 wrote to memory of 2524	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kpAcRue.exe
PID 2448 wrote to memory of 2524	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kpAcRue.exe
PID 2448 wrote to memory of 2820	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kkrkjkt.exe
PID 2448 wrote to memory of 2820	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kkrkjkt.exe
PID 2448 wrote to memory of 2820	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kkrkjkt.exe
PID 2448 wrote to memory of 2692	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kxTWSrO.exe
PID 2448 wrote to memory of 2692	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kxTWSrO.exe
PID 2448 wrote to memory of 2692	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kxTWSrO.exe
PID 2448 wrote to memory of 2492	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	xXZZWKF.exe
PID 2448 wrote to memory of 2492	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	xXZZWKF.exe
PID 2448 wrote to memory of 2492	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	xXZZWKF.exe
PID 2448 wrote to memory of 2556	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	iYSMuYU.exe
PID 2448 wrote to memory of 2556	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	iYSMuYU.exe
PID 2448 wrote to memory of 2556	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	iYSMuYU.exe
PID 2448 wrote to memory of 1684	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	nUdYlyi.exe
PID 2448 wrote to memory of 1684	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	nUdYlyi.exe
PID 2448 wrote to memory of 1684	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	nUdYlyi.exe
PID 2448 wrote to memory of 568	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	RVICoaZ.exe
PID 2448 wrote to memory of 568	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	RVICoaZ.exe
PID 2448 wrote to memory of 568	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	RVICoaZ.exe
PID 2448 wrote to memory of 2972	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CjfYUHx.exe
PID 2448 wrote to memory of 2972	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CjfYUHx.exe
PID 2448 wrote to memory of 2972	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CjfYUHx.exe
PID 2448 wrote to memory of 1100	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	IbcNBqu.exe
PID 2448 wrote to memory of 1100	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	IbcNBqu.exe
PID 2448 wrote to memory of 1100	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	IbcNBqu.exe
PID 2448 wrote to memory of 2848	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	GzqisrQ.exe
PID 2448 wrote to memory of 2848	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	GzqisrQ.exe
PID 2448 wrote to memory of 2848	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	GzqisrQ.exe
PID 2448 wrote to memory of 2176	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	KVYdYmF.exe
PID 2448 wrote to memory of 2176	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	KVYdYmF.exe
PID 2448 wrote to memory of 2176	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	KVYdYmF.exe
PID 2448 wrote to memory of 1528	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	yvysSnB.exe
PID 2448 wrote to memory of 1528	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	yvysSnB.exe
PID 2448 wrote to memory of 1528	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	yvysSnB.exe
PID 2448 wrote to memory of 1636	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	xOmTbvp.exe
PID 2448 wrote to memory of 1636	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	xOmTbvp.exe
PID 2448 wrote to memory of 1636	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	xOmTbvp.exe
PID 2448 wrote to memory of 2560	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	Teerzcr.exe
PID 2448 wrote to memory of 2560	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	Teerzcr.exe
PID 2448 wrote to memory of 2560	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	Teerzcr.exe
PID 2448 wrote to memory of 2312	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	aSbnput.exe
PID 2448 wrote to memory of 2312	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	aSbnput.exe
PID 2448 wrote to memory of 2312	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	aSbnput.exe
PID 2448 wrote to memory of 1352	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	ynhKBKn.exe
PID 2448 wrote to memory of 1352	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	ynhKBKn.exe
PID 2448 wrote to memory of 1352	2448	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	ynhKBKn.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\System\fgYFgHW.exe
C:\Windows\System\fgYFgHW.exe
2⤵
- Executes dropped EXE
PID:1664

C:\Windows\System\fTLSsgV.exe
C:\Windows\System\fTLSsgV.exe
2⤵
- Executes dropped EXE
PID:1092

C:\Windows\System\aUIUElm.exe
C:\Windows\System\aUIUElm.exe
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\System\lIgskMm.exe
C:\Windows\System\lIgskMm.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\BqcGzzk.exe
C:\Windows\System\BqcGzzk.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\kpAcRue.exe
C:\Windows\System\kpAcRue.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\kkrkjkt.exe
C:\Windows\System\kkrkjkt.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\kxTWSrO.exe
C:\Windows\System\kxTWSrO.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\xXZZWKF.exe
C:\Windows\System\xXZZWKF.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\iYSMuYU.exe
C:\Windows\System\iYSMuYU.exe
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\System\nUdYlyi.exe
C:\Windows\System\nUdYlyi.exe
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\System\RVICoaZ.exe
C:\Windows\System\RVICoaZ.exe
2⤵
- Executes dropped EXE
PID:568

C:\Windows\System\CjfYUHx.exe
C:\Windows\System\CjfYUHx.exe
2⤵
- Executes dropped EXE
PID:2972

C:\Windows\System\IbcNBqu.exe
C:\Windows\System\IbcNBqu.exe
2⤵
- Executes dropped EXE
PID:1100

C:\Windows\System\GzqisrQ.exe
C:\Windows\System\GzqisrQ.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\System\KVYdYmF.exe
C:\Windows\System\KVYdYmF.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System\yvysSnB.exe
C:\Windows\System\yvysSnB.exe
2⤵
- Executes dropped EXE
PID:1528

C:\Windows\System\xOmTbvp.exe
C:\Windows\System\xOmTbvp.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\Teerzcr.exe
C:\Windows\System\Teerzcr.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\System\aSbnput.exe
C:\Windows\System\aSbnput.exe
2⤵
- Executes dropped EXE
PID:2312

C:\Windows\System\ynhKBKn.exe
C:\Windows\System\ynhKBKn.exe
2⤵
- Executes dropped EXE
PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CjfYUHx.exe
Filesize
5.9MB

MD5
516d0a8270ffd90b3aa04f0ff35fb0d5

SHA1
f7d9b47baf6092a53224eff55423dc1d515e66ac

SHA256
d48799fdcce7ff0b21b1577cb3447d365d0934af3fe57c042639591fdc541869

SHA512
55581a4d523f867ce099f71284290f7748860612ff6c213e93ce81039d169201d0eaf72b67f4d62636eb1040c6c27bead698ab96de90e2cbc3e543df329e61ac

Download Submit
C:\Windows\system\GzqisrQ.exe
Filesize
5.9MB

MD5
0b41071ab8efba71445928166350316a

SHA1
7eb3c278890521f7e68d1f615558c1a3c627b373

SHA256
8bc10a2b922be47f2b6ab1fbdc66b0619fc6ca1bd51465275858c7b2fdd69617

SHA512
73046b04c7d51b6ebc5237816a4dc8fe990630efea39d48bcd526fb8c578db10fab792413b258460e68093a9da0a8df1736658645a6359d13649e26b8454bdc3

Download Submit
C:\Windows\system\KVYdYmF.exe
Filesize
5.9MB

MD5
fb25a91ee8148571322b00972acf9e4b

SHA1
d5b2c4b69c8f20e744ad95315f48f861e868f474

SHA256
5b4c91d087d21b1d74fbe4f67e50066f7f03035a84d3e2c428a8704481418315

SHA512
682cc39d2967dc8fdbd8afb2ebd762fc6907531efebc80df097f24b4a6e0545c4e0bfbf4afd314f86082282f4b0e5a3040044943b0213e0e887c5ebaeff9fbde

Download Submit
C:\Windows\system\RVICoaZ.exe
Filesize
5.9MB

MD5
0d0345f05bf9650cd32def2f6a99e92c

SHA1
add5378541e93f1ae2a483d0b9935514e520720d

SHA256
f9b91e9a5c078017df225f9630ed1113077e124f3bbe0e9a081166c8e8947b2d

SHA512
e95f8eafa1d77b1d16a72c00b21e6eccee1d0e3021273d0558e17a45b1060e1e4e6146545b1c83d9bcd964b0795d4a7891f42db40cf4c2136460888bb171be86

Download Submit
C:\Windows\system\Teerzcr.exe
Filesize
5.9MB

MD5
bf4a3abe2677db8635b91e7cdd2df541

SHA1
21bff9af515e09d2bc6776eb1973d02b62ada669

SHA256
f7f5e432939e842741c3c422a9aa385a192081ae9d80be2ffca08424f3c6d958

SHA512
07f070022b1caca6f20cf93042579467c65f34d78071999f54b8b0d151d5c0ccc4755c78b23c22baf48b112e8bd1d1efd032f1a06205713aac01a79825ad085f

Download Submit
C:\Windows\system\aSbnput.exe
Filesize
5.9MB

MD5
a4c93bf0e85ed7d4fb35471cf3381b1d

SHA1
b0d4e31d37eaa75bbc69e14109ca0b5cfb05dc04

SHA256
95a66afe16aea98eb58afd6d3bb12bbb156448054c4ebe49764b3574cc9f6dca

SHA512
a54a73cb31b179eceb7946a2e16316285c12269d98dc67b36f009863a3afcf1ccbb0bec23c8639ac17e5a76a7eda6dbd57ca27e5dddb9c3d208173e3544f97eb

Download Submit
C:\Windows\system\aUIUElm.exe
Filesize
5.9MB

MD5
53e84c94c978f34d5af7ae5e39e1898b

SHA1
2a8323f910f9db1508d8638e296f29fa94a629c5

SHA256
d1132f1363d077ec1813c5b0cc7c14bbc29cc493c1ac1fb3db810687f4acca4e

SHA512
630ff20f0212dc02bb4c3660dc86aa50b8b1243abf23036cacfa15900b9b05ca3a6ce2d863832057de6edab67417a279118142773fc1a49c56adc0481709e45b

Download Submit
C:\Windows\system\fTLSsgV.exe
Filesize
5.9MB

MD5
2f15200a753992b8cb99839c41af2677

SHA1
9819c9f2ca8e11c952f68eebecb12118ca652f7d

SHA256
b6ca8abe372b0c36a7d57cdf286972b66caf3668e6f159d9ed6a95b487ec9011

SHA512
f26b12f4cbb2efbe0069b83a5dd40f41362217bde5a2e0ec93cb7a22729985e459e4a3d09554f761398e8fec42e1bea411d6bea07403501ff93eebb10f0c64b7

Download Submit
C:\Windows\system\kpAcRue.exe
Filesize
5.9MB

MD5
6bdf10c734cb90c16630712357c19e91

SHA1
e1cd58eb99025c40e2cb8fa1123ba0eb800a7e7d

SHA256
a817e04136a9c6d7e3a04993d2b4a9f59ec1c7faefee3b270d96760896b9f990

SHA512
3fd4ce18c44dc56b977a4b664afec9e2a0fc5c72f83a7093e4d5126c887a6f4ad7a354af6db1a779bd8e2b5472b79b7a91ac0ac38408736404355eccfa7bee80

Download Submit
C:\Windows\system\kxTWSrO.exe
Filesize
5.9MB

MD5
0a66d13bcab04f3048408ee7f935e66a

SHA1
3eb59e1193dc89009088afab45d00f537fd8e58e

SHA256
7806e6ddfba3f74103a6b7ef84466923e8252a317689fc35e8655a4d8d3c7cbb

SHA512
637f37be12bfb11dba571a7adc954b659d79a6695b3ae5b06ea9d8447eb6cc1f2e376bd6f9b7d52246ac0613d747bdbc7a559f8c45952f04cf602645514c1061

Download Submit
C:\Windows\system\xOmTbvp.exe
Filesize
5.9MB

MD5
ce5f285999b239a9c6e7b6c7dce6a3e2

SHA1
688f39549619b30df0a4ec66409db15aafdf8fbb

SHA256
f4a63e4fabf9c2f3685a6b6c94703b9711dd8e3d2713d507d64619049af4e54d

SHA512
328ab147979907021eb6742ed269da12c7f9482c7a95161b0a89414ff020f4903544cbc6695071ca7dde98af238ba991f701c3cefd01a03a7eede3b81fb1779b

Download Submit
C:\Windows\system\xXZZWKF.exe
Filesize
5.9MB

MD5
85f24b07f9d6e22b25da6ee54f0d9676

SHA1
ea23f7093d3a9eefd415cb971a27c68da9c63c5e

SHA256
0db6925ad7a074538815121a1da46ec16022b1caabe113597e521b9380320646

SHA512
c5715e8208f47a6eaaf477188a45e09d6e89e31221c819a2191c630d72d7b9c180eadae0863cbae110d2e2a6533ff99cf54b34028b8c701698b3164385ba8eef

Download Submit
C:\Windows\system\yvysSnB.exe
Filesize
5.9MB

MD5
6b8ae37ed21b350e1780be61db351ed5

SHA1
56d50241079caa360a62aa77b4991b12928c2e0b

SHA256
15e9694be6efd4ff8419149e7e1a5c838ffabeb32067eee100290c4d2ea33351

SHA512
9596f9a0f47779233ca64e4179cb27a4445beb55471903232cd842d264f3fa44ca7f08fddda237e7baf1264f835008338053f5e6f1b7a4b1afb284a4d45570bc

Download Submit
\Windows\system\BqcGzzk.exe
Filesize
5.9MB

MD5
454b8cff9ed44e6c7f1a46ca9d60b8ff

SHA1
41fcb6841affc046d85438d9ac10b5f73cc7d8c9

SHA256
926de82ec15f332224139cb5c552d17b39ef7fccec4e097b6c40f51e4236e665

SHA512
640899104a74c8de954bb80bf8508d6791d2039c6f9cea448e17583a4e596cd15fd3406fc68125f790e50d3c011bd873a8a363012facb17f6f809c1b00d370df

Download Submit
\Windows\system\IbcNBqu.exe
Filesize
5.9MB

MD5
c3b9fa992060b26509f391510ac37dc9

SHA1
245c01c5d0988850a47ba40153a5b6508dd2f506

SHA256
5ff23bd40b1d344a4643bd8c3b7a274a94dc793483430e7a4a9ff5e99c3b0902

SHA512
9724f60fc21a4e046faa790a8fc6833eea52dd5bc8985291a094b45006713c26ff6410c3358d5dbfe28f5c735b367f3b31ec07524939a2fe6dcf9bd77c766cdc

Download Submit
\Windows\system\fgYFgHW.exe
Filesize
5.9MB

MD5
9b9b0b180d7deea2a9884a49e0f79438

SHA1
6f7f247454e7b20fa4a549d8c7e19b0622754fb8

SHA256
e9466a5627285b7b6a4e193d34f849aa215a612c23d1096ac698c09b5018276a

SHA512
abaa576082a9bce61ec609108d37726473ffb308e9886042a8fa628298b79426435787fced5b7dc6d946938277423ba4485bc2a2f845e5c1faef4791c83cf7f7

Download Submit
\Windows\system\iYSMuYU.exe
Filesize
5.9MB

MD5
d52cc562f5f662707286525b94389f6a

SHA1
7dddf12e527b47ccb0ed0658d3e95718c0da137d

SHA256
1add77a5a0c14bcce002122289c2df91b98bf7af0e4e503cfc8fa5236b3877c3

SHA512
8f42e840b1efe9fc4c0f4da1d3b949deab9fa649a6458519911dd803c2600e90a4c48d10599d47250775c4fcebf88d4fe90682b549b7b103fb1dc9fba6795d12

Download Submit
\Windows\system\kkrkjkt.exe
Filesize
5.9MB

MD5
a966c1bef3f6958f2e82683035f450c9

SHA1
7eb6c0ac29dfbd74eeb6b87c6f16455e73794cec

SHA256
bff7385a37836029edc01b1158842a96362d32e0ab01c4ae498349f22635a78f

SHA512
8468dcf8694410650abe75126e84eddcefe1bccf6e3213490802f33220824170daf7ca8b9a79d21f3e6770f019037ea9f443b3ac73789950606adb7bf3a9bc90

Download Submit
\Windows\system\lIgskMm.exe
Filesize
5.9MB

MD5
332d98f0a33a36efb90f4a22122d009d

SHA1
f1b481394354856600256cb58186412f8f724c52

SHA256
dc3b5146c329b9637a8b307723cac216d93d370e30d97fc11f3b0898e3cb685e

SHA512
b198ac27159045022803a48eb7a25c6770a6d17a6205fbdb1957fa39c299f7a43504374dd20e3f41ef5e63745c90b1e11b30fdc71f76dc58a908bd7b2d7674c6

Download Submit
\Windows\system\nUdYlyi.exe
Filesize
5.9MB

MD5
3cf99f75aa002c4ce800079cacea39aa

SHA1
8c91ff30fb92c6bb9bea5f438cea448346b877b9

SHA256
dbe76744b77d6262ca3dfe931bb8fd7bb7f277b625017a2442efe2b86fbde224

SHA512
b452828e713be097f09be3116741ec282d4c37ad09a1b7f15791d29b8dddcd576c36b667e4bec44f384396bee4721cd89832ee1d78436fb79ce6f268a40d6798

Download Submit
\Windows\system\ynhKBKn.exe
Filesize
5.9MB

MD5
aed104fa2d318b7d114aebdea7645cba

SHA1
7c280f7106882987b18268cf503fe5e7ed15a480

SHA256
5ebee3520dfdfe082ae7e912ddbef8f642d5b646f8fed2cb9c793d7d60f9d235

SHA512
7ce91d3a1ef6c37ac2ecb9bc8ef9c1164f0fdef44b378ad3797a4a911d4864a9f90ede7accb11ec5dbfd211f05215fed0ea348d7ea590bef7b0f05e8098fb6e6

Download Submit
memory/568-158-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/568-141-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/568-85-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/1092-148-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/1092-15-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/1092-73-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/1100-145-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/1100-99-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/1100-160-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/1664-147-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/1664-72-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/1664-8-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/1684-140-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/1684-77-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/1684-156-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2448-98-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2448-142-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2448-144-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2448-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2448-13-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-21-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2448-62-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2448-107-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-84-0x00000000024F0000-0x0000000002844000-memory.dmp

Filesize
3.3MB

Download
memory/2448-33-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2448-68-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2448-26-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-74-0x00000000024F0000-0x0000000002844000-memory.dmp

Filesize
3.3MB

Download
memory/2448-89-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2448-54-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2448-67-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-64-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2448-146-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-0-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2448-139-0x00000000024F0000-0x0000000002844000-memory.dmp

Filesize
3.3MB

Download
memory/2492-138-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-70-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-157-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-106-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2504-35-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2504-151-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2524-61-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2524-152-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2556-63-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2556-155-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2692-66-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/2692-154-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/2720-150-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-29-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-149-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2724-23-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2820-153-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2820-65-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2972-92-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2972-143-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2972-159-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download