Analysis
max time kernel: 140s
max time network: 145s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 00:04
Behavioral task: behavioral1
Sample: 2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240611-en
General
Target: 2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.9MB
MD5: 3afcde20958797e27d30b301afbb9dd9
SHA1: 3629e1e51a5af395ec54f83ddcda9fc7d44f04dc
SHA256: 7e0ad8c2d8110217e8130a8d6cba6fcd287672fb11fda49a0508d5cddde68777
SHA512: bc3a4da74f20819b4c1518e38ded53bb122a9f2768f58a6a8bca20236f1b83ccf3113f39a4ff8fd1ed1411751a5c02b425faa8231794bbdb649408dc53270e3d
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUr:Q+856utgpPF8u/7r
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host:
  ns7.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  ns8.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  ns9.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Processes (resource / yara_rule):
  \Windows\system\AfIKQkq.exe  cobalt_reflective_dll
  \Windows\system\lSkkmgx.exe  cobalt_reflective_dll
  \Windows\system\rTlZodY.exe  cobalt_reflective_dll
  C:\Windows\system\SYqRnmI.exe  cobalt_reflective_dll
  C:\Windows\system\ORJJRxU.exe  cobalt_reflective_dll
  C:\Windows\system\YkPibec.exe  cobalt_reflective_dll
  C:\Windows\system\DVUzMfy.exe  cobalt_reflective_dll
  C:\Windows\system\RJpBvDA.exe  cobalt_reflective_dll
  \Windows\system\LdnpXhe.exe  cobalt_reflective_dll
  \Windows\system\vltasxn.exe  cobalt_reflective_dll
  C:\Windows\system\DVwUCzH.exe  cobalt_reflective_dll
  \Windows\system\ZTVtEEm.exe  cobalt_reflective_dll
  C:\Windows\system\kauFuMH.exe  cobalt_reflective_dll
  \Windows\system\bmGZnOz.exe  cobalt_reflective_dll
  C:\Windows\system\qtQyqvo.exe  cobalt_reflective_dll
  C:\Windows\system\UqQajjJ.exe  cobalt_reflective_dll
  C:\Windows\system\BmsBCoH.exe  cobalt_reflective_dll
  C:\Windows\system\xhskZQj.exe  cobalt_reflective_dll
  C:\Windows\system\HiwCTjN.exe  cobalt_reflective_dll
  C:\Windows\system\NDCJOrc.exe  cobalt_reflective_dll
  C:\Windows\system\UtJfWal.exe  cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Detects Reflective DLL injection artifacts 21 IoCs
Processes (resource / yara_rule):
  \Windows\system\AfIKQkq.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\lSkkmgx.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\rTlZodY.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\SYqRnmI.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\ORJJRxU.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\YkPibec.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\DVUzMfy.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\RJpBvDA.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\LdnpXhe.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\vltasxn.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\DVwUCzH.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\ZTVtEEm.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\kauFuMH.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\bmGZnOz.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\qtQyqvo.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\UqQajjJ.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\BmsBCoH.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\xhskZQj.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\HiwCTjN.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\NDCJOrc.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\UtJfWal.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
UPX dump on OEP (original entry point) 58 IoCs
XMRig Miner payload 63 IoCs
Executes dropped EXE 21 IoCs
Processes (pid / process):
  2812  AfIKQkq.exe
  2588  lSkkmgx.exe
  2596  rTlZodY.exe
  2700  RJpBvDA.exe
  2504  SYqRnmI.exe
  2648  ORJJRxU.exe
  2532  YkPibec.exe
  2200  DVUzMfy.exe
  2568  UtJfWal.exe
  1916  vltasxn.exe
  2964  DVwUCzH.exe
  2804  LdnpXhe.exe
  1956  ZTVtEEm.exe
  2992  NDCJOrc.exe
  3024  BmsBCoH.exe
  1584  HiwCTjN.exe
  1908  UqQajjJ.exe
  2240  xhskZQj.exe
  276  qtQyqvo.exe
  2780  kauFuMH.exe
  2796  bmGZnOz.exe
Loads dropped DLL 21 IoCs
Processes (pid / process):
  1380  2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe  (21 identical entries)
Drops file in Windows directory 21 IoCs
Processes (description / ioc; process is 2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe for every entry):
  File created  C:\Windows\System\ORJJRxU.exe
  File created  C:\Windows\System\vltasxn.exe
  File created  C:\Windows\System\UqQajjJ.exe
  File created  C:\Windows\System\LdnpXhe.exe
  File created  C:\Windows\System\bmGZnOz.exe
  File created  C:\Windows\System\AfIKQkq.exe
  File created  C:\Windows\System\lSkkmgx.exe
  File created  C:\Windows\System\SYqRnmI.exe
  File created  C:\Windows\System\YkPibec.exe
  File created  C:\Windows\System\DVUzMfy.exe
  File created  C:\Windows\System\UtJfWal.exe
  File created  C:\Windows\System\DVwUCzH.exe
  File created  C:\Windows\System\ZTVtEEm.exe
  File created  C:\Windows\System\HiwCTjN.exe
  File created  C:\Windows\System\qtQyqvo.exe
  File created  C:\Windows\System\kauFuMH.exe
  File created  C:\Windows\System\rTlZodY.exe
  File created  C:\Windows\System\RJpBvDA.exe
  File created  C:\Windows\System\NDCJOrc.exe
  File created  C:\Windows\System\BmsBCoH.exe
  File created  C:\Windows\System\xhskZQj.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
  Token: SeLockMemoryPrivilege  1380  2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe  (2 identical entries)
Suspicious use of WriteProcessMemory 63 IoCs
Processes (description / target process; pid is 1380 and process is 2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe for every entry; each entry is recorded 3 times):
  PID 1380 wrote to memory of 2812  AfIKQkq.exe
  PID 1380 wrote to memory of 2588  lSkkmgx.exe
  PID 1380 wrote to memory of 2596  rTlZodY.exe
  PID 1380 wrote to memory of 2700  RJpBvDA.exe
  PID 1380 wrote to memory of 2648  ORJJRxU.exe
  PID 1380 wrote to memory of 2504  SYqRnmI.exe
  PID 1380 wrote to memory of 2532  YkPibec.exe
  PID 1380 wrote to memory of 2200  DVUzMfy.exe
  PID 1380 wrote to memory of 2568  UtJfWal.exe
  PID 1380 wrote to memory of 2964  DVwUCzH.exe
  PID 1380 wrote to memory of 1916  vltasxn.exe
  PID 1380 wrote to memory of 1956  ZTVtEEm.exe
  PID 1380 wrote to memory of 2804  LdnpXhe.exe
  PID 1380 wrote to memory of 2992  NDCJOrc.exe
  PID 1380 wrote to memory of 3024  BmsBCoH.exe
  PID 1380 wrote to memory of 1584  HiwCTjN.exe
  PID 1380 wrote to memory of 1908  UqQajjJ.exe
  PID 1380 wrote to memory of 2240  xhskZQj.exe
  PID 1380 wrote to memory of 276  qtQyqvo.exe
  PID 1380 wrote to memory of 2780  kauFuMH.exe
  PID 1380 wrote to memory of 2796  bmGZnOz.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe" 1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
C:\Windows\System\AfIKQkq.exe C:\Windows\System\AfIKQkq.exe 2⤵
- Executes dropped EXE
PID:2812
C:\Windows\System\lSkkmgx.exe C:\Windows\System\lSkkmgx.exe 2⤵
- Executes dropped EXE
PID:2588
C:\Windows\System\rTlZodY.exe C:\Windows\System\rTlZodY.exe 2⤵
- Executes dropped EXE
PID:2596
C:\Windows\System\RJpBvDA.exe C:\Windows\System\RJpBvDA.exe 2⤵
- Executes dropped EXE
PID:2700
C:\Windows\System\ORJJRxU.exe C:\Windows\System\ORJJRxU.exe 2⤵
- Executes dropped EXE
PID:2648
C:\Windows\System\SYqRnmI.exe C:\Windows\System\SYqRnmI.exe 2⤵
- Executes dropped EXE
PID:2504
C:\Windows\System\YkPibec.exe C:\Windows\System\YkPibec.exe 2⤵
- Executes dropped EXE
PID:2532
C:\Windows\System\DVUzMfy.exe C:\Windows\System\DVUzMfy.exe 2⤵
- Executes dropped EXE
PID:2200
C:\Windows\System\UtJfWal.exe C:\Windows\System\UtJfWal.exe 2⤵
- Executes dropped EXE
PID:2568
C:\Windows\System\DVwUCzH.exe C:\Windows\System\DVwUCzH.exe 2⤵
- Executes dropped EXE
PID:2964
C:\Windows\System\vltasxn.exe C:\Windows\System\vltasxn.exe 2⤵
- Executes dropped EXE
PID:1916
C:\Windows\System\ZTVtEEm.exe C:\Windows\System\ZTVtEEm.exe 2⤵
- Executes dropped EXE
PID:1956
C:\Windows\System\LdnpXhe.exe C:\Windows\System\LdnpXhe.exe 2⤵
- Executes dropped EXE
PID:2804
C:\Windows\System\NDCJOrc.exe C:\Windows\System\NDCJOrc.exe 2⤵
- Executes dropped EXE
PID:2992
C:\Windows\System\BmsBCoH.exe C:\Windows\System\BmsBCoH.exe 2⤵
- Executes dropped EXE
PID:3024
C:\Windows\System\HiwCTjN.exe C:\Windows\System\HiwCTjN.exe 2⤵
- Executes dropped EXE
PID:1584
C:\Windows\System\UqQajjJ.exe C:\Windows\System\UqQajjJ.exe 2⤵
- Executes dropped EXE
PID:1908
C:\Windows\System\xhskZQj.exe C:\Windows\System\xhskZQj.exe 2⤵
- Executes dropped EXE
PID:2240
C:\Windows\System\qtQyqvo.exe C:\Windows\System\qtQyqvo.exe 2⤵
- Executes dropped EXE
PID:276
C:\Windows\System\kauFuMH.exe C:\Windows\System\kauFuMH.exe 2⤵
- Executes dropped EXE
PID:2780
C:\Windows\System\bmGZnOz.exe C:\Windows\System\bmGZnOz.exe 2⤵
- Executes dropped EXE
PID:2796
Network
MITRE ATT&CK Matrix
Downloads