cobaltstrike | 33f46ef55469f3ec834da05b32b19fbd2d6dde0cee007399470beae879ea3801

Analysis

max time kernel
139s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

80e1fa2ee4c973f58400ab974187c75a
SHA1

4facca4418b25e222791385aff211867a4ca7f17
SHA256

33f46ef55469f3ec834da05b32b19fbd2d6dde0cee007399470beae879ea3801
SHA512

8c5abce98017ea65896b900e48ac7579ad021ba3f4560a49b5e0b6667ccc3b6389ce533aaf39fee4a86d4d2ea8247d984ec9f4c1a2cd57706c1f3f7fdccc7103
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUP:Q+856utgpPF8u/7P

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\BlANNKq.exe	cobalt_reflective_dll
\Windows\system\XXSnQgC.exe	cobalt_reflective_dll
C:\Windows\system\MipylSz.exe	cobalt_reflective_dll
\Windows\system\FlvqaMe.exe	cobalt_reflective_dll
\Windows\system\qyXxwfE.exe	cobalt_reflective_dll
\Windows\system\DVSMxEq.exe	cobalt_reflective_dll
\Windows\system\eJPtKCI.exe	cobalt_reflective_dll
\Windows\system\CXRPSyD.exe	cobalt_reflective_dll
\Windows\system\oBxiNGR.exe	cobalt_reflective_dll
C:\Windows\system\JTwMjCE.exe	cobalt_reflective_dll
C:\Windows\system\CdfWzuY.exe	cobalt_reflective_dll
C:\Windows\system\IRJKkrI.exe	cobalt_reflective_dll
C:\Windows\system\QLmTKEM.exe	cobalt_reflective_dll
C:\Windows\system\AqBDFJO.exe	cobalt_reflective_dll
C:\Windows\system\kyrsBks.exe	cobalt_reflective_dll
\Windows\system\oxwEPvy.exe	cobalt_reflective_dll
C:\Windows\system\LJgomjl.exe	cobalt_reflective_dll
C:\Windows\system\PGYNcJM.exe	cobalt_reflective_dll
\Windows\system\LCQbLOQ.exe	cobalt_reflective_dll
C:\Windows\system\wXLpifw.exe	cobalt_reflective_dll
C:\Windows\system\XzukAXA.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\BlANNKq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\XXSnQgC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MipylSz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FlvqaMe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\qyXxwfE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DVSMxEq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\eJPtKCI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\CXRPSyD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oBxiNGR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JTwMjCE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CdfWzuY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IRJKkrI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QLmTKEM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AqBDFJO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kyrsBks.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oxwEPvy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LJgomjl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PGYNcJM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LCQbLOQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wXLpifw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XzukAXA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 59 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2192-1-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
\Windows\system\BlANNKq.exe	UPX
behavioral1/memory/1788-9-0x000000013FB00000-0x000000013FE54000-memory.dmp	UPX
\Windows\system\XXSnQgC.exe	UPX
behavioral1/memory/1036-15-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
C:\Windows\system\MipylSz.exe	UPX
behavioral1/memory/2532-22-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
\Windows\system\FlvqaMe.exe	UPX
behavioral1/memory/2644-30-0x000000013F890000-0x000000013FBE4000-memory.dmp	UPX
\Windows\system\qyXxwfE.exe	UPX
\Windows\system\DVSMxEq.exe	UPX
\Windows\system\eJPtKCI.exe	UPX
behavioral1/memory/2304-50-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2660-49-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/memory/2420-46-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
\Windows\system\CXRPSyD.exe	UPX
behavioral1/memory/2192-56-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2396-57-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
\Windows\system\oBxiNGR.exe	UPX
behavioral1/memory/2556-63-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/1788-62-0x000000013FB00000-0x000000013FE54000-memory.dmp	UPX
C:\Windows\system\JTwMjCE.exe	UPX
behavioral1/memory/2084-71-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
C:\Windows\system\CdfWzuY.exe	UPX
behavioral1/memory/776-79-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/1036-76-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
C:\Windows\system\IRJKkrI.exe	UPX
behavioral1/memory/2616-87-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/2532-84-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
C:\Windows\system\QLmTKEM.exe	UPX
behavioral1/memory/2700-93-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
C:\Windows\system\AqBDFJO.exe	UPX
behavioral1/memory/2836-99-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
C:\Windows\system\kyrsBks.exe	UPX
\Windows\system\oxwEPvy.exe	UPX
C:\Windows\system\LJgomjl.exe	UPX
C:\Windows\system\PGYNcJM.exe	UPX
\Windows\system\LCQbLOQ.exe	UPX
C:\Windows\system\wXLpifw.exe	UPX
C:\Windows\system\XzukAXA.exe	UPX
behavioral1/memory/2556-136-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/2084-138-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
behavioral1/memory/776-140-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/2700-143-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2836-144-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/1788-146-0x000000013FB00000-0x000000013FE54000-memory.dmp	UPX
behavioral1/memory/1036-147-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2532-148-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
behavioral1/memory/2644-149-0x000000013F890000-0x000000013FBE4000-memory.dmp	UPX
behavioral1/memory/2420-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2660-151-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/memory/2304-152-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2396-153-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2556-154-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/2084-155-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
behavioral1/memory/776-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/2616-157-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/2700-158-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2836-159-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX

XMRig Miner payload 61 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2192-1-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
\Windows\system\BlANNKq.exe	xmrig
behavioral1/memory/1788-9-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
\Windows\system\XXSnQgC.exe	xmrig
behavioral1/memory/1036-15-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
C:\Windows\system\MipylSz.exe	xmrig
behavioral1/memory/2532-22-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
\Windows\system\FlvqaMe.exe	xmrig
behavioral1/memory/2644-30-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
\Windows\system\qyXxwfE.exe	xmrig
\Windows\system\DVSMxEq.exe	xmrig
\Windows\system\eJPtKCI.exe	xmrig
behavioral1/memory/2304-50-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2660-49-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2420-46-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
\Windows\system\CXRPSyD.exe	xmrig
behavioral1/memory/2192-56-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2396-57-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
\Windows\system\oBxiNGR.exe	xmrig
behavioral1/memory/2556-63-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/1788-62-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
C:\Windows\system\JTwMjCE.exe	xmrig
behavioral1/memory/2084-71-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
C:\Windows\system\CdfWzuY.exe	xmrig
behavioral1/memory/776-79-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2192-77-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/1036-76-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
C:\Windows\system\IRJKkrI.exe	xmrig
behavioral1/memory/2616-87-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2532-84-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
C:\Windows\system\QLmTKEM.exe	xmrig
behavioral1/memory/2700-93-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
C:\Windows\system\AqBDFJO.exe	xmrig
behavioral1/memory/2836-99-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
C:\Windows\system\kyrsBks.exe	xmrig
\Windows\system\oxwEPvy.exe	xmrig
C:\Windows\system\LJgomjl.exe	xmrig
C:\Windows\system\PGYNcJM.exe	xmrig
\Windows\system\LCQbLOQ.exe	xmrig
C:\Windows\system\wXLpifw.exe	xmrig
C:\Windows\system\XzukAXA.exe	xmrig
behavioral1/memory/2556-136-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2084-138-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/2192-139-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/776-140-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2700-143-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2836-144-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/1788-146-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/1036-147-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2532-148-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/memory/2644-149-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/memory/2420-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2660-151-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2304-152-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2396-153-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2556-154-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2084-155-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/776-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2616-157-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2700-158-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2836-159-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

BlANNKq.exeXXSnQgC.exeMipylSz.exeFlvqaMe.exeDVSMxEq.exeqyXxwfE.exeeJPtKCI.exeCXRPSyD.exeoBxiNGR.exeJTwMjCE.exeCdfWzuY.exeIRJKkrI.exeQLmTKEM.exeAqBDFJO.exeoxwEPvy.exekyrsBks.exeXzukAXA.exeLJgomjl.exewXLpifw.exePGYNcJM.exeLCQbLOQ.exe

pid	process
1788	BlANNKq.exe
1036	XXSnQgC.exe
2532	MipylSz.exe
2644	FlvqaMe.exe
2420	DVSMxEq.exe
2660	qyXxwfE.exe
2304	eJPtKCI.exe
2396	CXRPSyD.exe
2556	oBxiNGR.exe
2084	JTwMjCE.exe
776	CdfWzuY.exe
2616	IRJKkrI.exe
2700	QLmTKEM.exe
2836	AqBDFJO.exe
816	oxwEPvy.exe
292	kyrsBks.exe
2276	XzukAXA.exe
328	LJgomjl.exe
2176	wXLpifw.exe
1260	PGYNcJM.exe
2872	LCQbLOQ.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2192-1-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
\Windows\system\BlANNKq.exe	upx
behavioral1/memory/1788-9-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
\Windows\system\XXSnQgC.exe	upx
behavioral1/memory/2192-6-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/1036-15-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
C:\Windows\system\MipylSz.exe	upx
behavioral1/memory/2532-22-0x000000013F300000-0x000000013F654000-memory.dmp	upx
\Windows\system\FlvqaMe.exe	upx
behavioral1/memory/2644-30-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
\Windows\system\qyXxwfE.exe	upx
\Windows\system\DVSMxEq.exe	upx
\Windows\system\eJPtKCI.exe	upx
behavioral1/memory/2304-50-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2660-49-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2420-46-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
\Windows\system\CXRPSyD.exe	upx
behavioral1/memory/2192-56-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2396-57-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
\Windows\system\oBxiNGR.exe	upx
behavioral1/memory/2556-63-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/1788-62-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
C:\Windows\system\JTwMjCE.exe	upx
behavioral1/memory/2084-71-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
C:\Windows\system\CdfWzuY.exe	upx
behavioral1/memory/776-79-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/1036-76-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
C:\Windows\system\IRJKkrI.exe	upx
behavioral1/memory/2616-87-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2532-84-0x000000013F300000-0x000000013F654000-memory.dmp	upx
C:\Windows\system\QLmTKEM.exe	upx
behavioral1/memory/2700-93-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
C:\Windows\system\AqBDFJO.exe	upx
behavioral1/memory/2836-99-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
C:\Windows\system\kyrsBks.exe	upx
\Windows\system\oxwEPvy.exe	upx
C:\Windows\system\LJgomjl.exe	upx
C:\Windows\system\PGYNcJM.exe	upx
\Windows\system\LCQbLOQ.exe	upx
C:\Windows\system\wXLpifw.exe	upx
C:\Windows\system\XzukAXA.exe	upx
behavioral1/memory/2556-136-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2084-138-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/776-140-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2700-143-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2836-144-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/1788-146-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/1036-147-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2532-148-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/memory/2644-149-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/memory/2420-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2660-151-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2304-152-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2396-153-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2556-154-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2084-155-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/776-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2616-157-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2700-158-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2836-159-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\QLmTKEM.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AqBDFJO.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oxwEPvy.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BlANNKq.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DVSMxEq.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CXRPSyD.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTwMjCE.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CdfWzuY.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XXSnQgC.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eJPtKCI.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LJgomjl.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXLpifw.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FlvqaMe.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IRJKkrI.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kyrsBks.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XzukAXA.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LCQbLOQ.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MipylSz.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qyXxwfE.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oBxiNGR.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PGYNcJM.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2192 wrote to memory of 1788	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	BlANNKq.exe
PID 2192 wrote to memory of 1788	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	BlANNKq.exe
PID 2192 wrote to memory of 1788	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	BlANNKq.exe
PID 2192 wrote to memory of 1036	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	XXSnQgC.exe
PID 2192 wrote to memory of 1036	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	XXSnQgC.exe
PID 2192 wrote to memory of 1036	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	XXSnQgC.exe
PID 2192 wrote to memory of 2532	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	MipylSz.exe
PID 2192 wrote to memory of 2532	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	MipylSz.exe
PID 2192 wrote to memory of 2532	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	MipylSz.exe
PID 2192 wrote to memory of 2644	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	FlvqaMe.exe
PID 2192 wrote to memory of 2644	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	FlvqaMe.exe
PID 2192 wrote to memory of 2644	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	FlvqaMe.exe
PID 2192 wrote to memory of 2660	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	qyXxwfE.exe
PID 2192 wrote to memory of 2660	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	qyXxwfE.exe
PID 2192 wrote to memory of 2660	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	qyXxwfE.exe
PID 2192 wrote to memory of 2420	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	DVSMxEq.exe
PID 2192 wrote to memory of 2420	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	DVSMxEq.exe
PID 2192 wrote to memory of 2420	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	DVSMxEq.exe
PID 2192 wrote to memory of 2304	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	eJPtKCI.exe
PID 2192 wrote to memory of 2304	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	eJPtKCI.exe
PID 2192 wrote to memory of 2304	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	eJPtKCI.exe
PID 2192 wrote to memory of 2396	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	CXRPSyD.exe
PID 2192 wrote to memory of 2396	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	CXRPSyD.exe
PID 2192 wrote to memory of 2396	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	CXRPSyD.exe
PID 2192 wrote to memory of 2556	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	oBxiNGR.exe
PID 2192 wrote to memory of 2556	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	oBxiNGR.exe
PID 2192 wrote to memory of 2556	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	oBxiNGR.exe
PID 2192 wrote to memory of 2084	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	JTwMjCE.exe
PID 2192 wrote to memory of 2084	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	JTwMjCE.exe
PID 2192 wrote to memory of 2084	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	JTwMjCE.exe
PID 2192 wrote to memory of 776	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	CdfWzuY.exe
PID 2192 wrote to memory of 776	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	CdfWzuY.exe
PID 2192 wrote to memory of 776	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	CdfWzuY.exe
PID 2192 wrote to memory of 2616	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	IRJKkrI.exe
PID 2192 wrote to memory of 2616	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	IRJKkrI.exe
PID 2192 wrote to memory of 2616	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	IRJKkrI.exe
PID 2192 wrote to memory of 2700	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	QLmTKEM.exe
PID 2192 wrote to memory of 2700	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	QLmTKEM.exe
PID 2192 wrote to memory of 2700	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	QLmTKEM.exe
PID 2192 wrote to memory of 2836	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	AqBDFJO.exe
PID 2192 wrote to memory of 2836	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	AqBDFJO.exe
PID 2192 wrote to memory of 2836	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	AqBDFJO.exe
PID 2192 wrote to memory of 816	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	oxwEPvy.exe
PID 2192 wrote to memory of 816	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	oxwEPvy.exe
PID 2192 wrote to memory of 816	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	oxwEPvy.exe
PID 2192 wrote to memory of 292	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	kyrsBks.exe
PID 2192 wrote to memory of 292	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	kyrsBks.exe
PID 2192 wrote to memory of 292	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	kyrsBks.exe
PID 2192 wrote to memory of 2276	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	XzukAXA.exe
PID 2192 wrote to memory of 2276	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	XzukAXA.exe
PID 2192 wrote to memory of 2276	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	XzukAXA.exe
PID 2192 wrote to memory of 328	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LJgomjl.exe
PID 2192 wrote to memory of 328	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LJgomjl.exe
PID 2192 wrote to memory of 328	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LJgomjl.exe
PID 2192 wrote to memory of 2176	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	wXLpifw.exe
PID 2192 wrote to memory of 2176	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	wXLpifw.exe
PID 2192 wrote to memory of 2176	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	wXLpifw.exe
PID 2192 wrote to memory of 1260	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	PGYNcJM.exe
PID 2192 wrote to memory of 1260	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	PGYNcJM.exe
PID 2192 wrote to memory of 1260	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	PGYNcJM.exe
PID 2192 wrote to memory of 2872	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LCQbLOQ.exe
PID 2192 wrote to memory of 2872	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LCQbLOQ.exe
PID 2192 wrote to memory of 2872	2192	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LCQbLOQ.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\System\BlANNKq.exe
C:\Windows\System\BlANNKq.exe
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\System\XXSnQgC.exe
C:\Windows\System\XXSnQgC.exe
2⤵
- Executes dropped EXE
PID:1036

C:\Windows\System\MipylSz.exe
C:\Windows\System\MipylSz.exe
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\System\FlvqaMe.exe
C:\Windows\System\FlvqaMe.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\qyXxwfE.exe
C:\Windows\System\qyXxwfE.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\System\DVSMxEq.exe
C:\Windows\System\DVSMxEq.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\System\eJPtKCI.exe
C:\Windows\System\eJPtKCI.exe
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\System\CXRPSyD.exe
C:\Windows\System\CXRPSyD.exe
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\System\oBxiNGR.exe
C:\Windows\System\oBxiNGR.exe
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\System\JTwMjCE.exe
C:\Windows\System\JTwMjCE.exe
2⤵
- Executes dropped EXE
PID:2084

C:\Windows\System\CdfWzuY.exe
C:\Windows\System\CdfWzuY.exe
2⤵
- Executes dropped EXE
PID:776

C:\Windows\System\IRJKkrI.exe
C:\Windows\System\IRJKkrI.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\QLmTKEM.exe
C:\Windows\System\QLmTKEM.exe
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\System\AqBDFJO.exe
C:\Windows\System\AqBDFJO.exe
2⤵
- Executes dropped EXE
PID:2836

C:\Windows\System\oxwEPvy.exe
C:\Windows\System\oxwEPvy.exe
2⤵
- Executes dropped EXE
PID:816

C:\Windows\System\kyrsBks.exe
C:\Windows\System\kyrsBks.exe
2⤵
- Executes dropped EXE
PID:292

C:\Windows\System\XzukAXA.exe
C:\Windows\System\XzukAXA.exe
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\System\LJgomjl.exe
C:\Windows\System\LJgomjl.exe
2⤵
- Executes dropped EXE
PID:328

C:\Windows\System\wXLpifw.exe
C:\Windows\System\wXLpifw.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System\PGYNcJM.exe
C:\Windows\System\PGYNcJM.exe
2⤵
- Executes dropped EXE
PID:1260

C:\Windows\System\LCQbLOQ.exe
C:\Windows\System\LCQbLOQ.exe
2⤵
- Executes dropped EXE
PID:2872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AqBDFJO.exe
Filesize
5.9MB

MD5
c107cd353852a1efdbdf6288e4b954c3

SHA1
a36d8443c4580660bb1ed79d63689f54235c13b3

SHA256
dc11b42e6bf7adfc4be8cd90e763f9f1f7ed4752abcc52cb98072c35e1384d07

SHA512
c21b1fdffdf1351ac16599da13e685694a67e1c62c9ca4c5e08feeb6e8f8c8ca33ea0fe2326736da9a4c209441fe6857b606afee0601136bf37e8aadae4cd8a9

Download Submit
C:\Windows\system\CdfWzuY.exe
Filesize
5.9MB

MD5
f35c87bd74f9b65aa031d324918dc395

SHA1
8c247aa9e1c9e44a1608879fcd012dda7edc72a7

SHA256
b0acf3d35414de64f44088cdb48b87a0b9a6f0ab92582b472f6d75f5f06f2ca5

SHA512
67abfdf3322c8e081816576a7be677ba9075607ed2d79c9ca5142cb36bcb80eeaa77d43f3ab21775ad46679bd6210c07f0c6b78c11c25b020c6306cf5412b710

Download Submit
C:\Windows\system\IRJKkrI.exe
Filesize
5.9MB

MD5
33586cb4a817a120e77e601e6580a21a

SHA1
9712f74ce93609907b1f95059c8e6c02dd16e774

SHA256
3b8fa4c59c80b6f86f283f2139d8bf158de4dbf485a521c298a4ab2b9b23b1b1

SHA512
2cf0cf8f15782201c6cdad51a0f2b4e75dcf1e073dd96e575cd3da18450b4977bcebbd33a147232615264b5b902946f4200f5d5b41734bcea5412b3afbcbe2dd

Download Submit
C:\Windows\system\JTwMjCE.exe
Filesize
5.9MB

MD5
b3f6a99e00501a76a2fe13d83474dae1

SHA1
0cb42c230f988d461b73472037463cbe2255c51a

SHA256
d457ab2ff8e0705ff4b9f5748a489f59efd11d2742881c0bb26db463b94d47ec

SHA512
7b16adec25e942bba02d15bd3f1ea0e684fd4d5925e93c77b7636df748e4ae6cce16dc7c018cc5603b50f650a000d4d825f9738b1e3417fa3e4cc4864c2a7c18

Download Submit
C:\Windows\system\LJgomjl.exe
Filesize
5.9MB

MD5
ffc6db81dd2c285c8b40858f94065b0e

SHA1
30c1f02bd5304d656e5620078b88c11cbe8f37e2

SHA256
7d6d2bb9a9f78d720e13cbe269c0b87a55cd17cac6e02594647ad1299f48e892

SHA512
61f24edeb04ddc8628f8c85fdca04865b974a84de5bfb6d6276ca462233f4b865a97f3125279525d90d00c6feb0811ba04a149acb8b192b648bc60941c742c21

Download Submit
C:\Windows\system\MipylSz.exe
Filesize
5.9MB

MD5
78e1de6c0ce7e58521b423d8ac51f101

SHA1
dc8aa45aeb9d1641ca430d982a68f3fb5efd691d

SHA256
edb8c4ee4624f4a3b7d19c971b1ecde3215ebc258d26a063a5d43946d92fa850

SHA512
dba566c7ab0efdf9bf604cb8c5c05cbe8b7222d65d3cdbcf53766bfb9adfa61f9024d4d4a21a2c4bd01629fec7b468a2182e49164446b8d8c730b07592ccf4a3

Download Submit
C:\Windows\system\PGYNcJM.exe
Filesize
5.9MB

MD5
0db98266b4501d11d301c5d6fbe2a011

SHA1
57c576cf9ac16a92e57720da6f855baa4542f071

SHA256
2f0b57cf8ec98be956ed74b27d8de5e7aaecb28b2051684791d12b56408eb209

SHA512
6bea64702b3983a352eea5d8527d9495481af96a6c7c205c097373b1d488641dec1c0cf029a8babb9ea5425ccc1e94e017257ce706ed5e89cd07d8f6053d7f6b

Download Submit
C:\Windows\system\QLmTKEM.exe
Filesize
5.9MB

MD5
8a3e9d0137585b9bcb27fbbd191b80a1

SHA1
ad1bfc2071519bef81c73c0b6168834efcd714e0

SHA256
33003e6467342f0afc6b107a2fe1d15040b4d336782d96421ab7f31e27691a42

SHA512
db37faec1be878216c27fa30f762e115d0910c2d388952d9f89361c491b987006daa90c065b5e2a28f3fdbaef3323eb064572e5de1b484e6cb75ecaac8fbc6de

Download Submit
C:\Windows\system\XzukAXA.exe
Filesize
5.9MB

MD5
769823eafaa828bf4b00a83447c3ea10

SHA1
71841e5622cb78b30aa2928ea5eadd1f452081c0

SHA256
a68bbdad13fad18afb39b7fcf1e9378ab240e7ddadbbd16d2e605e7aa418b234

SHA512
cddeffddaf2b5702573b74fb19881f3ce68c3ba5de4940805ee4bc08c60afa2c4e3b218ae21302a418415ecd3ff48789187c980acccab26f3a14af2799818777

Download Submit
C:\Windows\system\kyrsBks.exe
Filesize
5.9MB

MD5
b00eb73bf6b17107af55e2c265f0cdc5

SHA1
6df098d90f741d60a36121d54f698b59cde5b8b6

SHA256
5ada2670b3132eddf9fe4ab96a7c565d20925fa9af2ae4a3622b774245f1b32e

SHA512
a93d3ca969a23419b8fa9fa2306532a30c333937a007df1b81e72e22a9790c703e98ea8332587072a355d70b572b62ce45125f9bee46853c31cd7e82e816dfb0

Download Submit
C:\Windows\system\wXLpifw.exe
Filesize
5.9MB

MD5
b91741aa995e99e21eeb4ddbdaae38a2

SHA1
2c3737ebe414b30b8e4d5894860be5f3c9b1e2f4

SHA256
ff5820e6b0c7e505d69da86603c7bded5c78d766984c7eec74e8b75680f3a123

SHA512
0f0bdaf231de0815f329267c56543ad9d2b366dbfa14adaf7ba16775a392fd8f0f93ede6726491c9feccf8b8df4b56d75cc33aebddf4b7191d8b448b4c2d5dd7

Download Submit
\Windows\system\BlANNKq.exe
Filesize
5.9MB

MD5
9da0afb0283b1f8ff6c7b55e226e7b54

SHA1
91697d73a42c6ba869d8757b203e74c52e95d07b

SHA256
2f2ad7a87569598855aca602e61a1567c49d17f408ef4dff5786fe08d4c7fc09

SHA512
857e75b230fe035ad98a08b41a3dfbc3fbc70a52fd828139386af86d327f4139ea70f408e4c8eccec7b59571fdeb292dcce0a4f357f6c69f112de6ab3831a282

Download Submit
\Windows\system\CXRPSyD.exe
Filesize
5.9MB

MD5
7c6ac8b2715d076a0871c7e83c5941aa

SHA1
08ce125e401f1751586d0bf1a056fabf8536c26a

SHA256
b3f730dc045a1f1bfd2c125d08fd3658b2721791e129670f0e6a22d4c0c018e3

SHA512
e5fa3a30662053d2c15fe3047e25f77c6e0e4727d7cc20e74581be9fe93e208b14ac2b18d1992d43bcd9b4ca8852532c0f6862c4a1a8322e0f1ff996ae9d7430

Download Submit
\Windows\system\DVSMxEq.exe
Filesize
5.9MB

MD5
7aae6656e12d2b127ad12075c22aab76

SHA1
10cd00b3ba049517351c1244ba175dbee1b2bf75

SHA256
f07ef5c13f11c42624dd31ceab6410595ec6ef815443160926beb3ecd4688462

SHA512
1114d96309cd99ea1ac5dce1ba5aedb8d8494f737261d2f1e73ecd8d011776d29336560253f1d8f9e7de20adb32db6698f40643819443365253b828713f19926

Download Submit
\Windows\system\FlvqaMe.exe
Filesize
5.9MB

MD5
1af17ca2af2351572253911409e2b0c9

SHA1
d69400b7a0ff56f926b7fa9a06cabd013ec003d8

SHA256
a3d4bdbfec52420d8ab97c1248254df82261367d1d30d34ab58843bf10b59a3c

SHA512
eccb255d9dd344cdbb9c3de1142f08ccac01ddefea2cd5813e76e5a9bba8d9236a0e4aedbf9a30b5491d2e80b5a8771bc11bd72f4c42b02b3fe9fe5bbcbeb52f

Download Submit
\Windows\system\LCQbLOQ.exe
Filesize
5.9MB

MD5
086b9eb486dd0f6be948e7f08d721bef

SHA1
c492521f7668ac1382fd89df5fb385c4357ac486

SHA256
dd41ff2095c775c0ea02dc4386ae8d268de1fa3013e329f4bc57e9757dcc5d42

SHA512
0a369787de22dd2a6c750f2bb57f1e3578addb9cf15ecebcbd7025f926fbd77b2f97f827642d79333de46ccc23955e379f18782425a03726a8e00cca58bf3890

Download Submit
\Windows\system\XXSnQgC.exe
Filesize
5.9MB

MD5
0f759d03a42d80630e2c1b8eae7eaf20

SHA1
6d8153afcabf146331d23e2a400fb0b24e308276

SHA256
0ccc4f18cd2a0740941e8556b8dad48f78a1a94514090958d1fec2e2701507d1

SHA512
23b127cd9e3d8ab9315d5f54f4d238c1def46c28c817c05e9cc02ffe7b235310e581657cf32010f0400807738e0254710a8f1a77530004bf334eedf0bba33ec9

Download Submit
\Windows\system\eJPtKCI.exe
Filesize
5.9MB

MD5
8cf213b21fd3a428156c46346ae4c80f

SHA1
cbf3b0b2b7bf817299314d7c717892579211ff13

SHA256
45fff5577b710b0c60d1bc012301add010e4d9d32b3680bc4551646972995b0e

SHA512
962d068c5e002ce4dbf94390fe9986600cf30bd54dcec728ac9d2828e8b3d03c14522cd67e77571f8612d226775cc2257e543724168b0e9c872b1817cbc276fd

Download Submit
\Windows\system\oBxiNGR.exe
Filesize
5.9MB

MD5
ee914ec67042e2dbaaa64208bd4f1ca8

SHA1
c091fb6ad91ab1fed5a446ad61837463cd6cd1f2

SHA256
a4b2efee3ac758594a0e0937d266afabdf216ecb4a430d3021015d2da8ee71f8

SHA512
1447403959fd18c6eef85a343887109d9ea26069b7e4a95e91c86262f157c068824cc6fda4d64f2953733dab9f2f9f13c945c0e1bdd6847366e77b61ddaca18f

Download Submit
\Windows\system\oxwEPvy.exe
Filesize
5.9MB

MD5
c1928b333ac4fbfd5b1b6685d7d70593

SHA1
e47458acbe71eb78d73f0aa566cbd46e50e1f4d4

SHA256
6939f3e40b1608a7a7b4a1e9ae724c360ae54deda88bf81a703cc7a6ff7c313d

SHA512
dfd7b2c3a5619f2db3d7606fd170581b40b1a899e960c97670b8e3e7fae4f4d0faf2cdb8839c24ea93fa5037f51b6f5a50ca8627f0af156c7d0b80a4ff7ca8a6

Download Submit
\Windows\system\qyXxwfE.exe
Filesize
5.9MB

MD5
1c1884980da077ab6a31bc2ce1db3133

SHA1
a2e52320f159804bc5934a8a489a655746743b04

SHA256
687e67a8837cb7d7b2a73d74b9cc4e4bdbb45792643cb7c8055cab49e8902bb3

SHA512
d53b9a34a3ed9366add8187466ae7de9342f6813cbade651e7dfd79aa23d23257ae671c4f5ff340588b131e6099c0c6d224d6c48a2cac9c124c8fdd217f9bbac

Download Submit
memory/776-140-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/776-79-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/776-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1036-147-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/1036-76-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/1036-15-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/1788-62-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/1788-146-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/1788-9-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/2084-71-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-155-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-138-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-139-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2192-37-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2192-77-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2192-86-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2192-141-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2192-48-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2192-0-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

Filesize
64KB

Download
memory/2192-137-0x00000000021A0000-0x00000000024F4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-91-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-56-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-145-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-13-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2192-21-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2192-29-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-142-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-6-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/2192-68-0x00000000021A0000-0x00000000024F4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-1-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-102-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2304-50-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2304-152-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2396-57-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2396-153-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2420-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2420-46-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2532-22-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2532-84-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2532-148-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2556-63-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-136-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-154-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-157-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2616-87-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2644-149-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2644-30-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-151-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2660-49-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2700-93-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2700-143-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2700-158-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-144-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2836-99-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2836-159-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download