cobaltstrike | 0f834825e381d257401550e01f5cbb614c613420b683b53c4fb9a4822c21a517

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

4e0e0b027c36f5e0ca87d7bd177ca4bb
SHA1

3681dc25df8ffbb27f2fe4239f7f2d9c6072299f
SHA256

0f834825e381d257401550e01f5cbb614c613420b683b53c4fb9a4822c21a517
SHA512

97cd79a9ad4f4d1be151ad735924d599204c49b2da592c36d7820be57ccc72a134babd792cd951f707c374bda2bdbafbdab1e7d5d4f6e581c213a8abbf129a24
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU6:Q+856utgpPF8u/76

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\zqtpqeM.exe	cobalt_reflective_dll
\Windows\system\LyzHETX.exe	cobalt_reflective_dll
C:\Windows\system\FSUAFUx.exe	cobalt_reflective_dll
\Windows\system\xRcpVlb.exe	cobalt_reflective_dll
C:\Windows\system\zCwGBlX.exe	cobalt_reflective_dll
C:\Windows\system\BRQcdML.exe	cobalt_reflective_dll
C:\Windows\system\RWODoVb.exe	cobalt_reflective_dll
\Windows\system\SnsvSnH.exe	cobalt_reflective_dll
C:\Windows\system\feJhtJz.exe	cobalt_reflective_dll
C:\Windows\system\YhFRJIm.exe	cobalt_reflective_dll
C:\Windows\system\epFeYvi.exe	cobalt_reflective_dll
C:\Windows\system\dYzVTTO.exe	cobalt_reflective_dll
C:\Windows\system\MrjASOa.exe	cobalt_reflective_dll
C:\Windows\system\lPjLJKz.exe	cobalt_reflective_dll
C:\Windows\system\PvWucwC.exe	cobalt_reflective_dll
C:\Windows\system\ySJDbsy.exe	cobalt_reflective_dll
C:\Windows\system\wgBtMEe.exe	cobalt_reflective_dll
C:\Windows\system\VkGoaaD.exe	cobalt_reflective_dll
C:\Windows\system\mroSnaF.exe	cobalt_reflective_dll
C:\Windows\system\kHoVBff.exe	cobalt_reflective_dll
C:\Windows\system\aocPJyK.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\zqtpqeM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LyzHETX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FSUAFUx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xRcpVlb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zCwGBlX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BRQcdML.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RWODoVb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\SnsvSnH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\feJhtJz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YhFRJIm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\epFeYvi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dYzVTTO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MrjASOa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lPjLJKz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PvWucwC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ySJDbsy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wgBtMEe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VkGoaaD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mroSnaF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kHoVBff.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aocPJyK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

Processes:

resource	yara_rule
behavioral1/memory/756-0-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
\Windows\system\zqtpqeM.exe	UPX
behavioral1/memory/2352-9-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
\Windows\system\LyzHETX.exe	UPX
behavioral1/memory/2264-15-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
C:\Windows\system\FSUAFUx.exe	UPX
behavioral1/memory/2588-21-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
\Windows\system\xRcpVlb.exe	UPX
behavioral1/memory/756-51-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
C:\Windows\system\zCwGBlX.exe	UPX
C:\Windows\system\BRQcdML.exe	UPX
C:\Windows\system\RWODoVb.exe	UPX
\Windows\system\SnsvSnH.exe	UPX
C:\Windows\system\feJhtJz.exe	UPX
C:\Windows\system\YhFRJIm.exe	UPX
C:\Windows\system\epFeYvi.exe	UPX
C:\Windows\system\dYzVTTO.exe	UPX
C:\Windows\system\MrjASOa.exe	UPX
behavioral1/memory/2972-88-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/1452-83-0x000000013F790000-0x000000013FAE4000-memory.dmp	UPX
C:\Windows\system\lPjLJKz.exe	UPX
C:\Windows\system\PvWucwC.exe	UPX
behavioral1/memory/2324-77-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2564-71-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
C:\Windows\system\ySJDbsy.exe	UPX
behavioral1/memory/2588-69-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2432-64-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2264-62-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
behavioral1/memory/2484-56-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
C:\Windows\system\wgBtMEe.exe	UPX
behavioral1/memory/3056-52-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
C:\Windows\system\VkGoaaD.exe	UPX
behavioral1/memory/2472-45-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
C:\Windows\system\mroSnaF.exe	UPX
behavioral1/memory/1724-38-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
C:\Windows\system\kHoVBff.exe	UPX
behavioral1/memory/2592-33-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
C:\Windows\system\aocPJyK.exe	UPX
behavioral1/memory/2656-27-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/1452-141-0x000000013F790000-0x000000013FAE4000-memory.dmp	UPX
behavioral1/memory/2972-143-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2352-145-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/2264-146-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
behavioral1/memory/1724-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/2324-157-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2472-156-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/2588-154-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2972-153-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2564-152-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
behavioral1/memory/2656-151-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/1452-150-0x000000013F790000-0x000000013FAE4000-memory.dmp	UPX
behavioral1/memory/2432-149-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2484-148-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/3056-147-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/memory/2592-158-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX

XMRig Miner payload 61 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/756-0-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
\Windows\system\zqtpqeM.exe	xmrig
behavioral1/memory/2352-9-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/756-8-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
\Windows\system\LyzHETX.exe	xmrig
behavioral1/memory/2264-15-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
C:\Windows\system\FSUAFUx.exe	xmrig
behavioral1/memory/2588-21-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
\Windows\system\xRcpVlb.exe	xmrig
behavioral1/memory/756-37-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/756-51-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
C:\Windows\system\zCwGBlX.exe	xmrig
C:\Windows\system\BRQcdML.exe	xmrig
C:\Windows\system\RWODoVb.exe	xmrig
\Windows\system\SnsvSnH.exe	xmrig
C:\Windows\system\feJhtJz.exe	xmrig
C:\Windows\system\YhFRJIm.exe	xmrig
C:\Windows\system\epFeYvi.exe	xmrig
C:\Windows\system\dYzVTTO.exe	xmrig
C:\Windows\system\MrjASOa.exe	xmrig
behavioral1/memory/2972-88-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/1452-83-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
C:\Windows\system\lPjLJKz.exe	xmrig
behavioral1/memory/756-82-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
C:\Windows\system\PvWucwC.exe	xmrig
behavioral1/memory/2324-77-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2564-71-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
C:\Windows\system\ySJDbsy.exe	xmrig
behavioral1/memory/2588-69-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2432-64-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2264-62-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/2484-56-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
C:\Windows\system\wgBtMEe.exe	xmrig
behavioral1/memory/3056-52-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
C:\Windows\system\VkGoaaD.exe	xmrig
behavioral1/memory/2472-45-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
C:\Windows\system\mroSnaF.exe	xmrig
behavioral1/memory/1724-38-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
C:\Windows\system\kHoVBff.exe	xmrig
behavioral1/memory/2592-33-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
C:\Windows\system\aocPJyK.exe	xmrig
behavioral1/memory/2656-27-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/756-117-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/756-118-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/756-140-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/memory/1452-141-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/memory/2972-143-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2352-145-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2264-146-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/1724-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2324-157-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2472-156-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2588-154-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2972-153-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2564-152-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2656-151-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/1452-150-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/memory/2432-149-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2484-148-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/3056-147-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2592-158-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

zqtpqeM.exeLyzHETX.exeFSUAFUx.exexRcpVlb.exeaocPJyK.exekHoVBff.exemroSnaF.exeVkGoaaD.exewgBtMEe.exezCwGBlX.exeBRQcdML.exeySJDbsy.exePvWucwC.exelPjLJKz.exeMrjASOa.exeRWODoVb.exeepFeYvi.exedYzVTTO.exeYhFRJIm.exefeJhtJz.exeSnsvSnH.exe

pid	process
2352	zqtpqeM.exe
2264	LyzHETX.exe
2588	FSUAFUx.exe
2656	xRcpVlb.exe
2592	aocPJyK.exe
1724	kHoVBff.exe
2472	mroSnaF.exe
3056	VkGoaaD.exe
2484	wgBtMEe.exe
2432	zCwGBlX.exe
2564	BRQcdML.exe
2324	ySJDbsy.exe
1452	PvWucwC.exe
2972	lPjLJKz.exe
1152	MrjASOa.exe
1120	RWODoVb.exe
1676	epFeYvi.exe
2848	dYzVTTO.exe
380	YhFRJIm.exe
2780	feJhtJz.exe
1744	SnsvSnH.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/756-0-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
\Windows\system\zqtpqeM.exe	upx
behavioral1/memory/2352-9-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
\Windows\system\LyzHETX.exe	upx
behavioral1/memory/2264-15-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
C:\Windows\system\FSUAFUx.exe	upx
behavioral1/memory/2588-21-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
\Windows\system\xRcpVlb.exe	upx
behavioral1/memory/756-51-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
C:\Windows\system\zCwGBlX.exe	upx
C:\Windows\system\BRQcdML.exe	upx
C:\Windows\system\RWODoVb.exe	upx
\Windows\system\SnsvSnH.exe	upx
C:\Windows\system\feJhtJz.exe	upx
C:\Windows\system\YhFRJIm.exe	upx
C:\Windows\system\epFeYvi.exe	upx
C:\Windows\system\dYzVTTO.exe	upx
C:\Windows\system\MrjASOa.exe	upx
behavioral1/memory/2972-88-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/1452-83-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
C:\Windows\system\lPjLJKz.exe	upx
C:\Windows\system\PvWucwC.exe	upx
behavioral1/memory/2324-77-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2564-71-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
C:\Windows\system\ySJDbsy.exe	upx
behavioral1/memory/2588-69-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2432-64-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2264-62-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/memory/2484-56-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
C:\Windows\system\wgBtMEe.exe	upx
behavioral1/memory/3056-52-0x000000013F320000-0x000000013F674000-memory.dmp	upx
C:\Windows\system\VkGoaaD.exe	upx
behavioral1/memory/2472-45-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
C:\Windows\system\mroSnaF.exe	upx
behavioral1/memory/1724-38-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
C:\Windows\system\kHoVBff.exe	upx
behavioral1/memory/2592-33-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
C:\Windows\system\aocPJyK.exe	upx
behavioral1/memory/2656-27-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/1452-141-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
behavioral1/memory/2972-143-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2352-145-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2264-146-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/memory/1724-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2324-157-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2472-156-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2588-154-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2972-153-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2564-152-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2656-151-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/1452-150-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
behavioral1/memory/2432-149-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2484-148-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/3056-147-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2592-158-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\xRcpVlb.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mroSnaF.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YhFRJIm.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zqtpqeM.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aocPJyK.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kHoVBff.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dYzVTTO.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MrjASOa.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SnsvSnH.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LyzHETX.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VkGoaaD.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zCwGBlX.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ySJDbsy.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PvWucwC.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lPjLJKz.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FSUAFUx.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wgBtMEe.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRQcdML.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RWODoVb.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\epFeYvi.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\feJhtJz.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 756 wrote to memory of 2352	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	zqtpqeM.exe
PID 756 wrote to memory of 2352	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	zqtpqeM.exe
PID 756 wrote to memory of 2352	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	zqtpqeM.exe
PID 756 wrote to memory of 2264	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	LyzHETX.exe
PID 756 wrote to memory of 2264	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	LyzHETX.exe
PID 756 wrote to memory of 2264	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	LyzHETX.exe
PID 756 wrote to memory of 2588	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	FSUAFUx.exe
PID 756 wrote to memory of 2588	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	FSUAFUx.exe
PID 756 wrote to memory of 2588	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	FSUAFUx.exe
PID 756 wrote to memory of 2656	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	xRcpVlb.exe
PID 756 wrote to memory of 2656	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	xRcpVlb.exe
PID 756 wrote to memory of 2656	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	xRcpVlb.exe
PID 756 wrote to memory of 2592	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	aocPJyK.exe
PID 756 wrote to memory of 2592	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	aocPJyK.exe
PID 756 wrote to memory of 2592	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	aocPJyK.exe
PID 756 wrote to memory of 1724	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	kHoVBff.exe
PID 756 wrote to memory of 1724	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	kHoVBff.exe
PID 756 wrote to memory of 1724	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	kHoVBff.exe
PID 756 wrote to memory of 2472	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	mroSnaF.exe
PID 756 wrote to memory of 2472	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	mroSnaF.exe
PID 756 wrote to memory of 2472	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	mroSnaF.exe
PID 756 wrote to memory of 3056	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	VkGoaaD.exe
PID 756 wrote to memory of 3056	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	VkGoaaD.exe
PID 756 wrote to memory of 3056	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	VkGoaaD.exe
PID 756 wrote to memory of 2484	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	wgBtMEe.exe
PID 756 wrote to memory of 2484	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	wgBtMEe.exe
PID 756 wrote to memory of 2484	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	wgBtMEe.exe
PID 756 wrote to memory of 2432	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	zCwGBlX.exe
PID 756 wrote to memory of 2432	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	zCwGBlX.exe
PID 756 wrote to memory of 2432	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	zCwGBlX.exe
PID 756 wrote to memory of 2564	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	BRQcdML.exe
PID 756 wrote to memory of 2564	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	BRQcdML.exe
PID 756 wrote to memory of 2564	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	BRQcdML.exe
PID 756 wrote to memory of 2324	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	ySJDbsy.exe
PID 756 wrote to memory of 2324	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	ySJDbsy.exe
PID 756 wrote to memory of 2324	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	ySJDbsy.exe
PID 756 wrote to memory of 1452	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	PvWucwC.exe
PID 756 wrote to memory of 1452	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	PvWucwC.exe
PID 756 wrote to memory of 1452	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	PvWucwC.exe
PID 756 wrote to memory of 2972	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	lPjLJKz.exe
PID 756 wrote to memory of 2972	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	lPjLJKz.exe
PID 756 wrote to memory of 2972	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	lPjLJKz.exe
PID 756 wrote to memory of 1152	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	MrjASOa.exe
PID 756 wrote to memory of 1152	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	MrjASOa.exe
PID 756 wrote to memory of 1152	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	MrjASOa.exe
PID 756 wrote to memory of 1120	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	RWODoVb.exe
PID 756 wrote to memory of 1120	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	RWODoVb.exe
PID 756 wrote to memory of 1120	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	RWODoVb.exe
PID 756 wrote to memory of 1676	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	epFeYvi.exe
PID 756 wrote to memory of 1676	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	epFeYvi.exe
PID 756 wrote to memory of 1676	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	epFeYvi.exe
PID 756 wrote to memory of 2848	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	dYzVTTO.exe
PID 756 wrote to memory of 2848	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	dYzVTTO.exe
PID 756 wrote to memory of 2848	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	dYzVTTO.exe
PID 756 wrote to memory of 380	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	YhFRJIm.exe
PID 756 wrote to memory of 380	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	YhFRJIm.exe
PID 756 wrote to memory of 380	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	YhFRJIm.exe
PID 756 wrote to memory of 2780	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	feJhtJz.exe
PID 756 wrote to memory of 2780	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	feJhtJz.exe
PID 756 wrote to memory of 2780	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	feJhtJz.exe
PID 756 wrote to memory of 1744	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	SnsvSnH.exe
PID 756 wrote to memory of 1744	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	SnsvSnH.exe
PID 756 wrote to memory of 1744	756	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	SnsvSnH.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\System\zqtpqeM.exe
C:\Windows\System\zqtpqeM.exe
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\System\LyzHETX.exe
C:\Windows\System\LyzHETX.exe
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\System\FSUAFUx.exe
C:\Windows\System\FSUAFUx.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\xRcpVlb.exe
C:\Windows\System\xRcpVlb.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\aocPJyK.exe
C:\Windows\System\aocPJyK.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\System\kHoVBff.exe
C:\Windows\System\kHoVBff.exe
2⤵
- Executes dropped EXE
PID:1724

C:\Windows\System\mroSnaF.exe
C:\Windows\System\mroSnaF.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System\VkGoaaD.exe
C:\Windows\System\VkGoaaD.exe
2⤵
- Executes dropped EXE
PID:3056

C:\Windows\System\wgBtMEe.exe
C:\Windows\System\wgBtMEe.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\zCwGBlX.exe
C:\Windows\System\zCwGBlX.exe
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\System\BRQcdML.exe
C:\Windows\System\BRQcdML.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\System\ySJDbsy.exe
C:\Windows\System\ySJDbsy.exe
2⤵
- Executes dropped EXE
PID:2324

C:\Windows\System\PvWucwC.exe
C:\Windows\System\PvWucwC.exe
2⤵
- Executes dropped EXE
PID:1452

C:\Windows\System\lPjLJKz.exe
C:\Windows\System\lPjLJKz.exe
2⤵
- Executes dropped EXE
PID:2972

C:\Windows\System\MrjASOa.exe
C:\Windows\System\MrjASOa.exe
2⤵
- Executes dropped EXE
PID:1152

C:\Windows\System\RWODoVb.exe
C:\Windows\System\RWODoVb.exe
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\System\epFeYvi.exe
C:\Windows\System\epFeYvi.exe
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\System\dYzVTTO.exe
C:\Windows\System\dYzVTTO.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\System\YhFRJIm.exe
C:\Windows\System\YhFRJIm.exe
2⤵
- Executes dropped EXE
PID:380

C:\Windows\System\feJhtJz.exe
C:\Windows\System\feJhtJz.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\System\SnsvSnH.exe
C:\Windows\System\SnsvSnH.exe
2⤵
- Executes dropped EXE
PID:1744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BRQcdML.exe
Filesize
5.9MB

MD5
c45d1d56386744e690d569dac1b88700

SHA1
40a60521859bfde9e77a0616fcb8ff143976932d

SHA256
5a3d1123c43dd2e5e69c276b7c7af43340159978456a24053d79a700c8ac996a

SHA512
fd5740ae96c2c53288d7c0792330c404eb56f3f7c890f90dbd8ebe47f6d49c3b64117c7e406fec0aec4359f43b61513e8311b28767dec43a95f3723678de99e3

Download Submit
C:\Windows\system\FSUAFUx.exe
Filesize
5.9MB

MD5
583fff7ae87900d861886e124314565f

SHA1
9095ec5ce06a55e6a4940e1f65e3fa9679f48c1c

SHA256
8a8a5caf98c6443d3f970579cb30b7d50214b0e2d59af76b4e50eb5961d86e3a

SHA512
726c4b7321697dfcac7e8d4e5ff67071df3093c7cd2b3b1e4706aa7da853bb3f46440c419e01857a97e0b10a37ed135b11d44773f58be2436e55c1a791bcb973

Download Submit
C:\Windows\system\MrjASOa.exe
Filesize
5.9MB

MD5
f5f873c5b4755301aaeb54f021d03e65

SHA1
9a701b78eed0459fb7e3c995342bb28fc544b8e1

SHA256
cf04013b2aed2a04518b886d55a39c4fc6e27028cc413bd98b624b5e8e293c74

SHA512
4801bf8862398a8654a81f145b34a3b49c46c5938dafb3ed9a98215ae10d9f12303c8fa2d5cf448306c126f524c5f466f0bd6aebf62fc05c6b9c89659eab6ed5

Download Submit
C:\Windows\system\PvWucwC.exe
Filesize
5.9MB

MD5
eabead199db2dbcdecfcc58ac196caf1

SHA1
c9a234d34b678bf4894b4ddbd530d8968671cf28

SHA256
cb73765880f192509398824e8ed2339c83d343a79196e89a78bfe5d885d4b272

SHA512
7dc18e7b2b4c965c8f510c712dd1cb75aa89222989de11df1b338b6303273640be356198e80592ffffe9f18cf827fb1ae266ddadfd30dd6380c18f3db15deb64

Download Submit
C:\Windows\system\RWODoVb.exe
Filesize
5.9MB

MD5
221eed26cd2b08b69d7c9b90e0ebbb63

SHA1
0b2088799ea17f0c2ea281c4905635c6e842ff58

SHA256
52aeb808cde8130fdb51dea202bf9a73e00ac48e92640b641e1ef23f5802c58c

SHA512
3d374961afcf1c17c4fe7916775706e7f5e00a1b200e3f7eac75003989387f12ef7f6c8c184bc80dbc1d17d83d9a495829d7a40eedc8c9ca8ebc32549e99939c

Download Submit
C:\Windows\system\VkGoaaD.exe
Filesize
5.9MB

MD5
4ef5c9231a1290e22021d50630a22349

SHA1
18c2504e3cfa642f586e39c682cef084c9b1b0c8

SHA256
b3776257e94264aedf1adb5000a71f5725b2cbed9334daf9ec44c986ea62d5c9

SHA512
71c3ec8752860c38eeef3b4c10068bb29f1fa8ef605f0550755841d4814a67416087d1f95257cf770c3488b872b2e7bcb15bff28fc37447ae55b200be18a675a

Download Submit
C:\Windows\system\YhFRJIm.exe
Filesize
5.9MB

MD5
949395f2a6a8265233584931c3943ef6

SHA1
99121a7b1ed0946b034f6ec8e54e8589c803c1a2

SHA256
20d5062c787841e6cc0c43a24607d067543223bc490890fb6987ee52f7b613fd

SHA512
63fe612c5bd46b875bb3de2b653db170e46fa8bae484c3815e01758d5f189e707b569db552e5260a301b2f46e4c69f338a6d68849c6b8e3c4bab85ee0e5d4c70

Download Submit
C:\Windows\system\aocPJyK.exe
Filesize
5.9MB

MD5
11aaeb6a54c045cd600ac1d0c8deea2c

SHA1
4ecb12e350f6dc147b670899f25b53441c23b7c0

SHA256
4f132ac72046f6a3f039af38981ca372befac07b0771b796f5ed9e0d51e7defe

SHA512
01ab7395a35bfc5723b0f05c75a9f5e62bf194e0ee9d5deae38c27584a83d2505abe98caedff31d11b0406e4dbb6d1bef965a9cb140a4560fef857ffa5cfeb44

Download Submit
C:\Windows\system\dYzVTTO.exe
Filesize
5.9MB

MD5
dcf6678c64eef0fc1612e3498f724cee

SHA1
79567cf92b2d5d1c535c401fb761b1f13d12adaa

SHA256
3ad511fbd957de595bd8857e4d7f91b6e96d717e04ed4ca65792cae8bd8301c6

SHA512
26372011a678dd68475230bcbc149b06747e560bdea2e96093f029a4566a0e7406227e8e1e240f167ceb5489c69c359e11069f1fe50c24d7c3eb43f069889c9d

Download Submit
C:\Windows\system\epFeYvi.exe
Filesize
5.9MB

MD5
391e1f65d17e80a6e1583b894a1fb679

SHA1
c92bd3521823c51d2c9c14db87bc674469f9a1b0

SHA256
bb731274d111a9519e2bdb6c5d22bc64a0ce99fec5c6d5b19730d93d7bc8d408

SHA512
170595bf9a19594aac2aa3611df26bcbb3832606a1e3f19be6d032a5c4d32d4f06ca95fbd6dd7248959f03b6d0ce18ead8b13b6397e1f1cb1939b63a4cbc8cfa

Download Submit
C:\Windows\system\feJhtJz.exe
Filesize
5.9MB

MD5
ed99b1eff963854d27cf7a99418e0a88

SHA1
52e72475c9215e5186dab38770cb9f76b59d5c79

SHA256
51225a2b839b9d43580a79fd096cbfee666c31814a59918cc7330018e62f2ceb

SHA512
bf48a98861544d4377f33b7fab14c6ecbd87755b0568a6e8e3f0eb14c6ed5f64300875bd556770bc22bc4b20488b1b898b9db94ad0fab524ffea04f065464c3a

Download Submit
C:\Windows\system\kHoVBff.exe
Filesize
5.9MB

MD5
063bdfac8297b6b5b5a3ff9e0a158131

SHA1
8432da9b93fe333e4bee24f6275b52c364539b3e

SHA256
beaf9d39802b8785e6ab688940f7ca5f946bd306bc8215c682ebfb49a8028bad

SHA512
0f6031faaa62a68eda5f4184a58e6cb70f5fb802d1800846c12b6745933553416f80fdb3e68c9a763a9a869680fc4c192683531f62c1aca53a6e0df88334c15f

Download Submit
C:\Windows\system\lPjLJKz.exe
Filesize
5.9MB

MD5
ba52332e9c8c93a8ddbed4ba9ec77d67

SHA1
08f420ae520424c7c545ab6ef88a039fb36c7996

SHA256
218a34f6ed901992108809c9ed60b60750c1b2f1d1c0fd2e139b1a090afb2448

SHA512
5b02eb4b5d42cc68175ea5dede2bab6a9ab67bb33194e681271e8618c20db55f153e22f881aed40f111752d5fab83fc2c7735ab05ff07aac095bac776bce2760

Download Submit
C:\Windows\system\mroSnaF.exe
Filesize
5.9MB

MD5
c1ebc773865451e0b2ea076e6b48e82d

SHA1
f2561ffe851ec60d1ca8525f285f05268be49041

SHA256
e09efd445e97720fbfc987a8f1ddb9f3ac558d3e0fa6f6dffacf5534185b273e

SHA512
865bd44cf1d03da4df566927f207e5cd6c87edff2bf51b5d487491c0a8f319dedc50c362dae6ed8fef645ce3d73f9ce2d7cfbd1f32815c700a3dcbdee843c6fa

Download Submit
C:\Windows\system\wgBtMEe.exe
Filesize
5.9MB

MD5
2745b03b47f154aad713da9813dffbff

SHA1
90cfba4d80e755d183698945ec28b45a4a72da48

SHA256
9aa2a17da7e5d2e6e5217765e0d6ef92e6137c9422b076833276b4c2b61d40fa

SHA512
3f9e47804dcef45b60ca801c54f7288f99d776d5a911345b115fcbf09ba2fb85fa33b986adc4908b2c8c7dd2100526d8efc58ca29f6b3ba36966f978c328423e

Download Submit
C:\Windows\system\ySJDbsy.exe
Filesize
5.9MB

MD5
f969bb82de5307b6b07a8d6d143506f6

SHA1
70b8901037b5f80db3005bc206ab1cc513ca05b6

SHA256
daa04463d2fb21badcefb3b938a6c7cb50ce9d7922e5c9b336b7c136b84f6b4a

SHA512
bdd6e7089ae349ef361798cd44eba15aa714bd202f73e12bc31e25e7a970a9f3a8ab0775ce498319890bf9c832f04c10fcb176db091dca7e4c45d923e9bebdaf

Download Submit
C:\Windows\system\zCwGBlX.exe
Filesize
5.9MB

MD5
7b7ec9d5ec62f2f827fffcda459fb601

SHA1
f5cc06819d6ff9474c3369438a6a17eedac574c2

SHA256
5760b6c83fa49adf4ed232186ac453bd48e35c0428c990bd5ccd11c66208f82c

SHA512
67449529cf5f372a9d2e8efb33e2de5c2c2e8df257b827d60ed5223bb0cd142bfeab92df710d0ff6f8723ce826e23f2de39468af12e0477ec634ce13e08bfb51

Download Submit
\Windows\system\LyzHETX.exe
Filesize
5.9MB

MD5
4598eff25b32a744ebc6e9b94a532797

SHA1
be9d6859e3b2bd7541db5b3bde395afaed8d60a5

SHA256
e04323fdfd7c8f14af4c911d506c20f7718d47abf467b508f79662e8fc0ae14d

SHA512
ee0f47ead3f92de6e79b21d2533956fe3899b29aae29f7811d5ac8ab889cc8be8d4ca48f779c9fc43ef128b32dddfab375cfc03d771de0fdd5b797edb071282c

Download Submit
\Windows\system\SnsvSnH.exe
Filesize
5.9MB

MD5
f87f4ce5cc287480fe05f498a81a49c8

SHA1
abddda7461c1768fd3d8cfc52492f1d0720363c3

SHA256
2f4bd13f83917adae7f0accdff0546f6cf865d24e0a5a8db2ea551ba56980beb

SHA512
c86668d58d3af46225aa493cf4ef917aea466615cc6d37f5a495afe1e32d508aa0414c961a9ca5415371200f8798cb14c85ad148b74746bb290f58860cc67739

Download Submit
\Windows\system\xRcpVlb.exe
Filesize
5.9MB

MD5
2f59113600917b365de089624b7b7cca

SHA1
97408e1abd3e1dff66a7effb24afce3feb4ea448

SHA256
1c5d34152abe9b4de7f2b0e5c1a8d259ced08b55a5c5272cc9244ac2b2d5f807

SHA512
b7f1fda7fec9fcaa879269a0eb9951bad35d1fa0bb037c6199f6a55c96e477201173e1ef8bb64d9e73aa552e34e9385cc3efa489b7d3fa7049fdbb47a0e75709

Download Submit
\Windows\system\zqtpqeM.exe
Filesize
5.9MB

MD5
86d5ad997e98ddcd792baca56d83e7ad

SHA1
6394332506be7c520dbe3a02d4474635b213bd13

SHA256
ce893359a042f471c65649b27751cbd31f875c0066aee0ed4f391bf64888b626

SHA512
e276483c42e06592ad329f71ff7b188142fad35b477370b7871581f46659254946e56052e81cd430092ca7911ceae97e46e38fa5efeb6e9bd4fe75ee019fea13

Download Submit
memory/756-118-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/756-140-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/756-76-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/756-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/756-25-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/756-51-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/756-82-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/756-37-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/756-8-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/756-144-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/756-142-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/756-70-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/756-44-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/756-32-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/756-63-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/756-93-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/756-139-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/756-14-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/756-0-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/756-117-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/756-48-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/756-20-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1452-141-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/1452-83-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/1452-150-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1724-38-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2264-62-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-15-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-146-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2324-157-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2324-77-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2352-145-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2352-9-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2432-149-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2432-64-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2472-45-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2472-156-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-56-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-148-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-71-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2564-152-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2588-154-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-69-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-21-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-33-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-158-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-151-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2656-27-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2972-153-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2972-88-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2972-143-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/3056-52-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/3056-147-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download