cobaltstrike | 119c1b7241fdba86a110afc28592ca2f7a1dfdcb1bc9c2b1418ed3550f862ca7

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

1ba7dce749c70d4130881dd902ebd925
SHA1

2af95dbec622e3312c8d3da8f17939ec00349f6f
SHA256

119c1b7241fdba86a110afc28592ca2f7a1dfdcb1bc9c2b1418ed3550f862ca7
SHA512

7af91a363a8d20d6cbd2a473cb5c16bbe11edc9af30a1b7e4f96f3efc3c0316ae2ee341d9bcdc649c49bb2f5b65f4ba0b7126f55ea3b1414b74db92fa2a04228
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUD:T+856utgpPF8u/7D

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\EnJKxix.exe	cobalt_reflective_dll
\Windows\system\DUfaQoF.exe	cobalt_reflective_dll
C:\Windows\system\zgxsDIL.exe	cobalt_reflective_dll
\Windows\system\wXxlXgy.exe	cobalt_reflective_dll
C:\Windows\system\qeOlPZS.exe	cobalt_reflective_dll
C:\Windows\system\zheKxuf.exe	cobalt_reflective_dll
C:\Windows\system\nzxUqoE.exe	cobalt_reflective_dll
C:\Windows\system\SeqXiKG.exe	cobalt_reflective_dll
C:\Windows\system\EgRNEdN.exe	cobalt_reflective_dll
C:\Windows\system\BnHWMks.exe	cobalt_reflective_dll
C:\Windows\system\qhEsgZq.exe	cobalt_reflective_dll
\Windows\system\CvOciID.exe	cobalt_reflective_dll
C:\Windows\system\pWJInmj.exe	cobalt_reflective_dll
C:\Windows\system\LQfCHNH.exe	cobalt_reflective_dll
C:\Windows\system\NHErExQ.exe	cobalt_reflective_dll
C:\Windows\system\ePMtBLu.exe	cobalt_reflective_dll
C:\Windows\system\qbiwsbf.exe	cobalt_reflective_dll
C:\Windows\system\CGXdsfs.exe	cobalt_reflective_dll
C:\Windows\system\rtXXEFw.exe	cobalt_reflective_dll
C:\Windows\system\AYHomis.exe	cobalt_reflective_dll
C:\Windows\system\FbJAthL.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\EnJKxix.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DUfaQoF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zgxsDIL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\wXxlXgy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qeOlPZS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zheKxuf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nzxUqoE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SeqXiKG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EgRNEdN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BnHWMks.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qhEsgZq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\CvOciID.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pWJInmj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LQfCHNH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NHErExQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ePMtBLu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qbiwsbf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CGXdsfs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rtXXEFw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AYHomis.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FbJAthL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 59 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
\Windows\system\EnJKxix.exe	UPX
behavioral1/memory/2980-6-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
\Windows\system\DUfaQoF.exe	UPX
behavioral1/memory/2700-16-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
behavioral1/memory/1804-14-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
C:\Windows\system\zgxsDIL.exe	UPX
behavioral1/memory/2400-23-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
\Windows\system\wXxlXgy.exe	UPX
behavioral1/memory/2708-39-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
behavioral1/memory/2752-54-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
C:\Windows\system\qeOlPZS.exe	UPX
C:\Windows\system\zheKxuf.exe	UPX
C:\Windows\system\nzxUqoE.exe	UPX
behavioral1/memory/1792-64-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2564-70-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2764-58-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/memory/2980-69-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
C:\Windows\system\SeqXiKG.exe	UPX
behavioral1/memory/2528-50-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
C:\Windows\system\EgRNEdN.exe	UPX
behavioral1/memory/2716-37-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
C:\Windows\system\BnHWMks.exe	UPX
behavioral1/memory/1804-72-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2400-87-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/2876-94-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
C:\Windows\system\qhEsgZq.exe	UPX
behavioral1/memory/2800-110-0x000000013F920000-0x000000013FC74000-memory.dmp	UPX
behavioral1/memory/2528-113-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
\Windows\system\CvOciID.exe	UPX
C:\Windows\system\pWJInmj.exe	UPX
behavioral1/memory/2996-111-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/3036-109-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
C:\Windows\system\LQfCHNH.exe	UPX
C:\Windows\system\NHErExQ.exe	UPX
C:\Windows\system\ePMtBLu.exe	UPX
C:\Windows\system\qbiwsbf.exe	UPX
C:\Windows\system\CGXdsfs.exe	UPX
C:\Windows\system\rtXXEFw.exe	UPX
C:\Windows\system\AYHomis.exe	UPX
C:\Windows\system\FbJAthL.exe	UPX
behavioral1/memory/2752-141-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2764-142-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/memory/2564-144-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2876-145-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
behavioral1/memory/2700-146-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
behavioral1/memory/1804-147-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2400-148-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/2716-149-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2708-150-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
behavioral1/memory/2528-151-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
behavioral1/memory/2752-152-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/1792-153-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2564-155-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2764-154-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/memory/3036-157-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/memory/2876-156-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
behavioral1/memory/2800-158-0x000000013F920000-0x000000013FC74000-memory.dmp	UPX
behavioral1/memory/2996-159-0x000000013F610000-0x000000013F964000-memory.dmp	UPX

XMRig Miner payload 61 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
\Windows\system\EnJKxix.exe	xmrig
behavioral1/memory/2980-6-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
\Windows\system\DUfaQoF.exe	xmrig
behavioral1/memory/2700-16-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/1804-14-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
C:\Windows\system\zgxsDIL.exe	xmrig
behavioral1/memory/2400-23-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
\Windows\system\wXxlXgy.exe	xmrig
behavioral1/memory/2708-39-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
behavioral1/memory/2752-54-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
C:\Windows\system\qeOlPZS.exe	xmrig
C:\Windows\system\zheKxuf.exe	xmrig
C:\Windows\system\nzxUqoE.exe	xmrig
behavioral1/memory/1792-64-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2564-70-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2764-58-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/2980-69-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
C:\Windows\system\SeqXiKG.exe	xmrig
behavioral1/memory/2528-50-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
C:\Windows\system\EgRNEdN.exe	xmrig
behavioral1/memory/2716-37-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
C:\Windows\system\BnHWMks.exe	xmrig
behavioral1/memory/1804-72-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2400-87-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2876-94-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2980-92-0x0000000002300000-0x0000000002654000-memory.dmp	xmrig
C:\Windows\system\qhEsgZq.exe	xmrig
behavioral1/memory/2800-110-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/2528-113-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
\Windows\system\CvOciID.exe	xmrig
C:\Windows\system\pWJInmj.exe	xmrig
behavioral1/memory/2996-111-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/3036-109-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
C:\Windows\system\LQfCHNH.exe	xmrig
C:\Windows\system\NHErExQ.exe	xmrig
C:\Windows\system\ePMtBLu.exe	xmrig
C:\Windows\system\qbiwsbf.exe	xmrig
behavioral1/memory/2980-81-0x0000000002300000-0x0000000002654000-memory.dmp	xmrig
C:\Windows\system\CGXdsfs.exe	xmrig
C:\Windows\system\rtXXEFw.exe	xmrig
C:\Windows\system\AYHomis.exe	xmrig
C:\Windows\system\FbJAthL.exe	xmrig
behavioral1/memory/2752-141-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2764-142-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/2564-144-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2876-145-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2700-146-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/1804-147-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2400-148-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2716-149-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2708-150-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
behavioral1/memory/2528-151-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2752-152-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/1792-153-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2564-155-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2764-154-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/3036-157-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2876-156-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2800-158-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/2996-159-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

EnJKxix.exeDUfaQoF.exezgxsDIL.exewXxlXgy.exeBnHWMks.exezheKxuf.exeEgRNEdN.exeqeOlPZS.exenzxUqoE.exeSeqXiKG.exeqbiwsbf.exeePMtBLu.exeNHErExQ.exeLQfCHNH.exeqhEsgZq.exepWJInmj.exeCvOciID.exeCGXdsfs.exertXXEFw.exeFbJAthL.exeAYHomis.exe

pid	process
1804	EnJKxix.exe
2700	DUfaQoF.exe
2400	zgxsDIL.exe
2716	wXxlXgy.exe
2708	BnHWMks.exe
2528	zheKxuf.exe
2752	EgRNEdN.exe
2764	qeOlPZS.exe
1792	nzxUqoE.exe
2564	SeqXiKG.exe
2876	qbiwsbf.exe
3036	ePMtBLu.exe
2800	NHErExQ.exe
2996	LQfCHNH.exe
1976	qhEsgZq.exe
340	pWJInmj.exe
896	CvOciID.exe
2808	CGXdsfs.exe
2864	rtXXEFw.exe
1628	FbJAthL.exe
1248	AYHomis.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
\Windows\system\EnJKxix.exe	upx
behavioral1/memory/2980-6-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
\Windows\system\DUfaQoF.exe	upx
behavioral1/memory/2700-16-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/1804-14-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
C:\Windows\system\zgxsDIL.exe	upx
behavioral1/memory/2400-23-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
\Windows\system\wXxlXgy.exe	upx
behavioral1/memory/2708-39-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
behavioral1/memory/2752-54-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
C:\Windows\system\qeOlPZS.exe	upx
C:\Windows\system\zheKxuf.exe	upx
C:\Windows\system\nzxUqoE.exe	upx
behavioral1/memory/1792-64-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2564-70-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2764-58-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/2980-69-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
C:\Windows\system\SeqXiKG.exe	upx
behavioral1/memory/2528-50-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
C:\Windows\system\EgRNEdN.exe	upx
behavioral1/memory/2716-37-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
C:\Windows\system\BnHWMks.exe	upx
behavioral1/memory/1804-72-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2400-87-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2876-94-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
C:\Windows\system\qhEsgZq.exe	upx
behavioral1/memory/2800-110-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/2528-113-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
\Windows\system\CvOciID.exe	upx
C:\Windows\system\pWJInmj.exe	upx
behavioral1/memory/2996-111-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/3036-109-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
C:\Windows\system\LQfCHNH.exe	upx
C:\Windows\system\NHErExQ.exe	upx
C:\Windows\system\ePMtBLu.exe	upx
C:\Windows\system\qbiwsbf.exe	upx
C:\Windows\system\CGXdsfs.exe	upx
C:\Windows\system\rtXXEFw.exe	upx
C:\Windows\system\AYHomis.exe	upx
C:\Windows\system\FbJAthL.exe	upx
behavioral1/memory/2752-141-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2764-142-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/2564-144-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2876-145-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2700-146-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/1804-147-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2400-148-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2716-149-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2708-150-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
behavioral1/memory/2528-151-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/2752-152-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/1792-153-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2564-155-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2764-154-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/3036-157-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2876-156-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2800-158-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/2996-159-0x000000013F610000-0x000000013F964000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\EnJKxix.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zgxsDIL.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zheKxuf.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qeOlPZS.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qbiwsbf.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qhEsgZq.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXxlXgy.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EgRNEdN.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nzxUqoE.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NHErExQ.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CGXdsfs.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SeqXiKG.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ePMtBLu.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pWJInmj.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CvOciID.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FbJAthL.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DUfaQoF.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BnHWMks.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LQfCHNH.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rtXXEFw.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AYHomis.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2980 wrote to memory of 1804	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	EnJKxix.exe
PID 2980 wrote to memory of 1804	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	EnJKxix.exe
PID 2980 wrote to memory of 1804	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	EnJKxix.exe
PID 2980 wrote to memory of 2700	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	DUfaQoF.exe
PID 2980 wrote to memory of 2700	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	DUfaQoF.exe
PID 2980 wrote to memory of 2700	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	DUfaQoF.exe
PID 2980 wrote to memory of 2400	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	zgxsDIL.exe
PID 2980 wrote to memory of 2400	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	zgxsDIL.exe
PID 2980 wrote to memory of 2400	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	zgxsDIL.exe
PID 2980 wrote to memory of 2716	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	wXxlXgy.exe
PID 2980 wrote to memory of 2716	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	wXxlXgy.exe
PID 2980 wrote to memory of 2716	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	wXxlXgy.exe
PID 2980 wrote to memory of 2708	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	BnHWMks.exe
PID 2980 wrote to memory of 2708	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	BnHWMks.exe
PID 2980 wrote to memory of 2708	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	BnHWMks.exe
PID 2980 wrote to memory of 2528	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	zheKxuf.exe
PID 2980 wrote to memory of 2528	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	zheKxuf.exe
PID 2980 wrote to memory of 2528	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	zheKxuf.exe
PID 2980 wrote to memory of 2764	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qeOlPZS.exe
PID 2980 wrote to memory of 2764	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qeOlPZS.exe
PID 2980 wrote to memory of 2764	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qeOlPZS.exe
PID 2980 wrote to memory of 2752	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	EgRNEdN.exe
PID 2980 wrote to memory of 2752	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	EgRNEdN.exe
PID 2980 wrote to memory of 2752	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	EgRNEdN.exe
PID 2980 wrote to memory of 1792	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	nzxUqoE.exe
PID 2980 wrote to memory of 1792	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	nzxUqoE.exe
PID 2980 wrote to memory of 1792	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	nzxUqoE.exe
PID 2980 wrote to memory of 2564	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	SeqXiKG.exe
PID 2980 wrote to memory of 2564	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	SeqXiKG.exe
PID 2980 wrote to memory of 2564	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	SeqXiKG.exe
PID 2980 wrote to memory of 2800	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	NHErExQ.exe
PID 2980 wrote to memory of 2800	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	NHErExQ.exe
PID 2980 wrote to memory of 2800	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	NHErExQ.exe
PID 2980 wrote to memory of 2876	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qbiwsbf.exe
PID 2980 wrote to memory of 2876	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qbiwsbf.exe
PID 2980 wrote to memory of 2876	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qbiwsbf.exe
PID 2980 wrote to memory of 2996	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	LQfCHNH.exe
PID 2980 wrote to memory of 2996	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	LQfCHNH.exe
PID 2980 wrote to memory of 2996	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	LQfCHNH.exe
PID 2980 wrote to memory of 3036	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	ePMtBLu.exe
PID 2980 wrote to memory of 3036	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	ePMtBLu.exe
PID 2980 wrote to memory of 3036	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	ePMtBLu.exe
PID 2980 wrote to memory of 340	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	pWJInmj.exe
PID 2980 wrote to memory of 340	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	pWJInmj.exe
PID 2980 wrote to memory of 340	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	pWJInmj.exe
PID 2980 wrote to memory of 1976	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qhEsgZq.exe
PID 2980 wrote to memory of 1976	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qhEsgZq.exe
PID 2980 wrote to memory of 1976	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	qhEsgZq.exe
PID 2980 wrote to memory of 896	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	CvOciID.exe
PID 2980 wrote to memory of 896	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	CvOciID.exe
PID 2980 wrote to memory of 896	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	CvOciID.exe
PID 2980 wrote to memory of 2808	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	CGXdsfs.exe
PID 2980 wrote to memory of 2808	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	CGXdsfs.exe
PID 2980 wrote to memory of 2808	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	CGXdsfs.exe
PID 2980 wrote to memory of 2864	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	rtXXEFw.exe
PID 2980 wrote to memory of 2864	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	rtXXEFw.exe
PID 2980 wrote to memory of 2864	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	rtXXEFw.exe
PID 2980 wrote to memory of 1628	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	FbJAthL.exe
PID 2980 wrote to memory of 1628	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	FbJAthL.exe
PID 2980 wrote to memory of 1628	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	FbJAthL.exe
PID 2980 wrote to memory of 1248	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	AYHomis.exe
PID 2980 wrote to memory of 1248	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	AYHomis.exe
PID 2980 wrote to memory of 1248	2980	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	AYHomis.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\System\EnJKxix.exe
C:\Windows\System\EnJKxix.exe
2⤵
- Executes dropped EXE
PID:1804

C:\Windows\System\DUfaQoF.exe
C:\Windows\System\DUfaQoF.exe
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\System\zgxsDIL.exe
C:\Windows\System\zgxsDIL.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\System\wXxlXgy.exe
C:\Windows\System\wXxlXgy.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\BnHWMks.exe
C:\Windows\System\BnHWMks.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\zheKxuf.exe
C:\Windows\System\zheKxuf.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\qeOlPZS.exe
C:\Windows\System\qeOlPZS.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\EgRNEdN.exe
C:\Windows\System\EgRNEdN.exe
2⤵
- Executes dropped EXE
PID:2752

C:\Windows\System\nzxUqoE.exe
C:\Windows\System\nzxUqoE.exe
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\System\SeqXiKG.exe
C:\Windows\System\SeqXiKG.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\System\NHErExQ.exe
C:\Windows\System\NHErExQ.exe
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\System\qbiwsbf.exe
C:\Windows\System\qbiwsbf.exe
2⤵
- Executes dropped EXE
PID:2876

C:\Windows\System\LQfCHNH.exe
C:\Windows\System\LQfCHNH.exe
2⤵
- Executes dropped EXE
PID:2996

C:\Windows\System\ePMtBLu.exe
C:\Windows\System\ePMtBLu.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\pWJInmj.exe
C:\Windows\System\pWJInmj.exe
2⤵
- Executes dropped EXE
PID:340

C:\Windows\System\qhEsgZq.exe
C:\Windows\System\qhEsgZq.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\System\CvOciID.exe
C:\Windows\System\CvOciID.exe
2⤵
- Executes dropped EXE
PID:896

C:\Windows\System\CGXdsfs.exe
C:\Windows\System\CGXdsfs.exe
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\System\rtXXEFw.exe
C:\Windows\System\rtXXEFw.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\System\FbJAthL.exe
C:\Windows\System\FbJAthL.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\System\AYHomis.exe
C:\Windows\System\AYHomis.exe
2⤵
- Executes dropped EXE
PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AYHomis.exe
Filesize
5.9MB

MD5
6974f527f1a443944b74c8580a78b857

SHA1
bfe0b3c7c0e156c77e956d904db1b373069227d2

SHA256
fbfa8e8fda5a69e5317af50f0dda180b1aecfb77f68591c6b6e15d6bc1574ef6

SHA512
2444a0ff6645463cfbfea74ced1e5bb4bf247926eb955b7f679bf9a3c27638fd1106023d7cc023d299ff8604d7d107942c5eea89e7a7e4cf2d3d1b0a256b2bee

Download Submit
C:\Windows\system\BnHWMks.exe
Filesize
5.9MB

MD5
c0fc71b9cdd98d464bd4411dccdfc4f2

SHA1
66a332464c83ed6f573126b8a058bd69a1bab860

SHA256
9b0ad2699b70a96de35bdc4b266099fd5946b2a0cae175d91abcb1aa5c3efaa6

SHA512
26ae4a86b29b00faa51e58299531fa1ea7b238787d0df89e076ce3a39854df62f8f5d68efa8cdfceabb03f4f5a4eb0f7367a0980407080095e5a12be3837e9ec

Download Submit
C:\Windows\system\CGXdsfs.exe
Filesize
5.9MB

MD5
34da6baad1ecdfeff495a110739f4a59

SHA1
91e58d38b90f6e7ab7b5b3a43cdd4d85fe078278

SHA256
e54033124f1832b52a0c4dcd4639b0cf5660c5acef8f1d130c5d60b9872c6ef5

SHA512
ae300468a2bec3eede0d2b897aa6bbcf36015f7624451fbde88ace6071f79d404d60b790f25ca16f29d3c49153dadf38be10f513b6df4b69f3a83712a0695f41

Download Submit
C:\Windows\system\EgRNEdN.exe
Filesize
5.9MB

MD5
cce6d2e0fc459296a540ddce3f391376

SHA1
8ee347a85f56541155c372f2323097b49fd8d643

SHA256
ddb5481a12b6219f9c8b08afab73aaf74c58de402d25be45e8b9a193f7a3249b

SHA512
e8f6c10ef09b239dcab91d3627f78d02d254c7bea679b6964b30c70666b03ca3ea9f6bc2f76283aab8d70d6e4722dfe4e42433e95fff12db0b86753636dc98d6

Download Submit
C:\Windows\system\FbJAthL.exe
Filesize
5.9MB

MD5
e44c4a527ebdbb9332eaf30d0785b11c

SHA1
b2042017ab7adc7eb32d7026618c4ddef555a85b

SHA256
c4bd008aabda3a1884a5717d4791968ab8dc76e130ed5d4e243d56243705c836

SHA512
71f9188888dd455e459e9b64261911f7f409dbc41b42159cda55c180b96cd09517cf50a1ad0fc8211de5e1c255136b53501a5e8c554c9c438f01276151484383

Download Submit
C:\Windows\system\LQfCHNH.exe
Filesize
5.9MB

MD5
9ae06d8e509710b36973f4d438f9813d

SHA1
75d7c20953fe63052c4734cdaeb341d1e4c0bd5c

SHA256
2e99822d6a5957502a80da1ec5bbf09504b085c4bf6acab1d1b247bcec1f4ce5

SHA512
4fa83e21b69d69a1a5f364f6448de8fedbd04c5fe753e3d05ebaba260f76fab5ee6eff4c88323a13c0ac1be500f145ee2bf0a5dca470b464e2409640e6c0c1b5

Download Submit
C:\Windows\system\NHErExQ.exe
Filesize
5.9MB

MD5
ec6fe6625d5faccaf95bd8f3f3c1f7bd

SHA1
8c350e946fa7158191f75d1562600bc3a5f96991

SHA256
c4170735894d336d44cf180d19d4ea1a338a1bbdb77e1ae2ed9627b3c1154492

SHA512
5b422701bd5a8d989758e7bd114cca7a40add0524f8085f18441eadbb9b22f32608a9425bc1dc8ddd621ac3c72948f7210d6226fa37742b8676b9c9398dd4e3c

Download Submit
C:\Windows\system\SeqXiKG.exe
Filesize
5.9MB

MD5
94662d90e4dac4401410b80718a86d79

SHA1
656b590e4100db9d6252fbdb545553f99368d114

SHA256
639cbcd5bbd2bf680d3f2e2db8b5c41a943a72f687ecbaeba26bf51feac9087a

SHA512
c0914a222535b38f97e821e5920ff8a8d4a88550d1eca1e555c7f16d5605f1d421434c93e850f05205e81f5acc19c53ed4bb94e10441566d1282e22fc9ccaed4

Download Submit
C:\Windows\system\ePMtBLu.exe
Filesize
5.9MB

MD5
8ca405eea7f605219d0d93538bafb4d7

SHA1
a10c292d26ffe79460ac79246d77ea3477489fd4

SHA256
d45b50e262faac1d13807367b73d37820ec0c6f659b3df7cc221b2c4e3abeba4

SHA512
e46cb5da56ea09f2deeb53ed8a6e3cffad21eddd7c85595b7dee83e9dcdd35ae4ab36e17224533578dd6607f85629f21f1bf99c57ed80dc88ac29d51a45e19f3

Download Submit
C:\Windows\system\nzxUqoE.exe
Filesize
5.9MB

MD5
1f44215431da252ff1115a9add14a5c5

SHA1
bd4dfbe86366f940011be66e5f78738755bb3b80

SHA256
9b9976b31e01b3a8560bc0a51d3588b21b72c48d8cc7abe5178e221d421f9c4f

SHA512
84f5a365cb6f35cbc2e8c332108077e4320e5165011d72ed9a5231561a5dd1592a3564e0419618c42fac3846e67ae0c603e7b4aa7d6871bf476c00bb53a33d35

Download Submit
C:\Windows\system\pWJInmj.exe
Filesize
5.9MB

MD5
a4c0f8e13f62e83d274fc17491589d50

SHA1
3f920d4cbb71966196ae48cc8124e6b1a329ca96

SHA256
085978fc5926d98e20aa85c73c70c5205686225602e1e2d75767caf065893575

SHA512
2c475db6a3cc6393bb9a8084b440ba6ffcd98801fc62b5e81ce2d7d104b4b3b53c4c4d91e491990892e69ef073b80ed0a220089c09b669c9e2f92907a166007d

Download Submit
C:\Windows\system\qbiwsbf.exe
Filesize
5.9MB

MD5
ae2d92465b93cad022e5a50660bc1f3f

SHA1
ff960413f3c72505cb59074b73030c2381d6d75e

SHA256
cc90c83a47aec4e7945fe5dddee03d530fb97cb04a42a7d05057212ff584c7f4

SHA512
f91a3795db8196a2782ac613b03af675721e21360574cf731ea3a445aa35cae29e6db16d71e9b67a7c2ba9eb3b2a857bd543c840f46f67316a2253394ebea26f

Download Submit
C:\Windows\system\qeOlPZS.exe
Filesize
5.9MB

MD5
e79ce538f99bd91a94373498133f8687

SHA1
33e41388dc97610d2fae9164706a0584905470c7

SHA256
b9fa13f9020a760049b90edf2a1150be6b3fb9884cbcd18987feae5bfc8614c3

SHA512
05d464193a07b0511ed2c092ad245a0ea7f60879995863609686e54313f5089c4e2bf9016b437cbf4de959ba86f554692e0afc39c8fa838e5ebb32a6654d6b3d

Download Submit
C:\Windows\system\qhEsgZq.exe
Filesize
5.9MB

MD5
1023d0582600fd9f49065a129812e124

SHA1
a751e2e22bcac49a6dbb1c67f45102aab29f0d5f

SHA256
c232bac6c66e889bbb92bf14c2f7a682e84c20966a091f9c225d131a78d91747

SHA512
fc0dfe266ac037b72b5c6faa392efe66b938a0e41e9da607b7befd132772d8eece3ac38b6750669141183182eb69c69387d4c9b667103427850ec3248b7f9120

Download Submit
C:\Windows\system\rtXXEFw.exe
Filesize
5.9MB

MD5
714d90c534e37dccb83be8a7c3d898a5

SHA1
75916d3387e0643270beaa4fa2ea045760d029e1

SHA256
0d37f8654c0685cc8f8b09512ea87e07aa6c788da67b188a9fc87f0ce96aa1d0

SHA512
b4ae6b00b8e385c2b0145a70986585ba33630da054666d58e85154d279f2f06e2e75e01f70b547a2d6a9538e8b967ae9507969931ff7d51e0f22dd40ce538b36

Download Submit
C:\Windows\system\zgxsDIL.exe
Filesize
5.9MB

MD5
bf7c8c36a6e89378602a0bd12037ac51

SHA1
ed1b503befbb42657cd87d421f2652c3d75d7670

SHA256
a21bc73b21d8653ab59f1028f6b5dec4ec7640c8189808de155901a1d145af86

SHA512
0fd7693b2fba79416b5dbb0453dd4cb3126a107e0bfb14fe7dc24a46a04c5e4ec3a44cecf8fc3289592eec2000e63a62a65d0eb3da9a2f3c25b53b823022051e

Download Submit
C:\Windows\system\zheKxuf.exe
Filesize
5.9MB

MD5
6e184170dae4649cc037d5117ac9250f

SHA1
847a883f5ad41b6bdb80e1bfeca3fa1214511229

SHA256
732c0d90b3fc03fb0483b996521853e1804257ae7c1b79f1b09dd971c8fa21bb

SHA512
9d5e1c03ada9117766e7b7da389885fb20618b6e2c227b3b4f9e9e10e278fd941084b47d06c6d294791ebd627475bf12a094e2900c6854f06c92461feb92f961

Download Submit
\Windows\system\CvOciID.exe
Filesize
5.9MB

MD5
92e1ea5d8365c7561a1ca26f9ee530d8

SHA1
ff4e584a5d1a62acadaa8dfc9182b0a380dc649f

SHA256
fa7ab4b53caaa2e33afe024dd076b9ac2fcc4a080460d571d1ddb8f074d867d1

SHA512
f8944116fbcb6057ee0c349b712c108944db0b6c126af18af5d1cde86465dbdaace100503b9ba1b2a5cbf70d190a68665e7d5801694898b641dfb22cd237d775

Download Submit
\Windows\system\DUfaQoF.exe
Filesize
5.9MB

MD5
aff14f9d56afda56fb136da6b4a1d6a1

SHA1
2698d1552d69b9e1af5222a6f921c75ea1ddd74b

SHA256
fa14b2a71859fa2c85b1d06654278df191cb0ef49ab2a407dca993f2957fa61b

SHA512
7a3abccb6f306c51aa141b8d26c53caf10465cb911402e8bb4757006f2423a1017ddab85eeda54dcbaaa165c983fbe298ff0a47fb805cf3cb9b454f8cba2fff2

Download Submit
\Windows\system\EnJKxix.exe
Filesize
5.9MB

MD5
087fabedd6db7118509f066b1f128965

SHA1
e4deb2c159b5e43463b9938e989af509502d3b8e

SHA256
004dd8aac01f6f5392212dc6fcb2e86b441a6aa0cb48bb769e388d11252ba078

SHA512
7e324b11f763f7c19061b27222f1f29b8a77b08abc46c8e33c28dc30abd70e344677007748cf8299a6de9c9244f16325b880b3c0e8df618a574a566c1428e118

Download Submit
\Windows\system\wXxlXgy.exe
Filesize
5.9MB

MD5
f4d75e05519643df2f4618c9ea19480e

SHA1
227d63b85a39c7c271923558958f04094bdc7da2

SHA256
fcc2f909a1bcb1b4f5cac3567a50835a67f811958a2fbcaeb37ef902d5fc3596

SHA512
86c9cb8a9c3b46c0cf489a486d4213e0bd7f2a9b169341958e3e73536a6b2f784ab833448166c3ae2708becc8454838ac9d68b6c4076a06715f86450bb151273

Download Submit
memory/1792-64-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/1792-153-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-147-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1804-14-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1804-72-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2400-148-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2400-87-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2400-23-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2528-113-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2528-151-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2528-50-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2564-155-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2564-144-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2564-70-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2700-16-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2700-146-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2708-39-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2708-150-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2716-37-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-149-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2752-141-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2752-54-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2752-152-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2764-58-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2764-142-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2764-154-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2800-110-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2800-158-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2876-145-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2876-94-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2876-156-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2980-33-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-15-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-101-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-21-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2980-81-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-46-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-143-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-53-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2980-99-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-108-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-71-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2980-119-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-6-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2980-52-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-59-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-0-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/2980-44-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2980-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2980-92-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2980-69-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/2996-111-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2996-159-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/3036-157-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-109-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download