cobaltstrike | 2abb44992324bad9929832e618225fb0cb3a8e18d681285211047883662fbf15

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 02:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

54b76ed69129f9e8a7530a39dab9d292
SHA1

a6b97c8a24ea3f28bdce010c417e2a76c3f3aaca
SHA256

2abb44992324bad9929832e618225fb0cb3a8e18d681285211047883662fbf15
SHA512

146fc6eb745fddcb701f393444e4f66b3b5befd095956bd98a37701afaa392170beb4589ac87f08bdf5706572cf41fe2c84e6b89ce67a5fe4e4884077a204bd8
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibf56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023ba8-4.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bba-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc3-23.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc8-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb3-12.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc9-38.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bca-43.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bce-50.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd3-58.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd5-75.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c05-93.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c08-115.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c07-113.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c06-106.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd4-91.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd6-88.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023ba9-87.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd0-56.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c09-135.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-142.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-140.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/4736-67-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	xmrig
behavioral2/memory/2948-108-0x00007FF7989D0000-0x00007FF798D21000-memory.dmp	xmrig
behavioral2/memory/384-117-0x00007FF7AA3E0000-0x00007FF7AA731000-memory.dmp	xmrig
behavioral2/memory/1468-111-0x00007FF6C8E80000-0x00007FF6C91D1000-memory.dmp	xmrig
behavioral2/memory/2820-109-0x00007FF71F660000-0x00007FF71F9B1000-memory.dmp	xmrig
behavioral2/memory/412-103-0x00007FF6DF080000-0x00007FF6DF3D1000-memory.dmp	xmrig
behavioral2/memory/3660-84-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp	xmrig
behavioral2/memory/3232-73-0x00007FF7CDE60000-0x00007FF7CE1B1000-memory.dmp	xmrig
behavioral2/memory/4256-129-0x00007FF78DA20000-0x00007FF78DD71000-memory.dmp	xmrig
behavioral2/memory/2852-151-0x00007FF691990000-0x00007FF691CE1000-memory.dmp	xmrig
behavioral2/memory/1560-150-0x00007FF6B5600000-0x00007FF6B5951000-memory.dmp	xmrig
behavioral2/memory/4704-148-0x00007FF6A5D70000-0x00007FF6A60C1000-memory.dmp	xmrig
behavioral2/memory/2620-137-0x00007FF709F10000-0x00007FF70A261000-memory.dmp	xmrig
behavioral2/memory/2056-138-0x00007FF7F6D60000-0x00007FF7F70B1000-memory.dmp	xmrig
behavioral2/memory/2260-132-0x00007FF7F7BB0000-0x00007FF7F7F01000-memory.dmp	xmrig
behavioral2/memory/3488-131-0x00007FF6750C0000-0x00007FF675411000-memory.dmp	xmrig
behavioral2/memory/4228-130-0x00007FF67B3D0000-0x00007FF67B721000-memory.dmp	xmrig
behavioral2/memory/5068-128-0x00007FF6231D0000-0x00007FF623521000-memory.dmp	xmrig
behavioral2/memory/1496-127-0x00007FF7CEA60000-0x00007FF7CEDB1000-memory.dmp	xmrig
behavioral2/memory/3584-153-0x00007FF7650D0000-0x00007FF765421000-memory.dmp	xmrig
behavioral2/memory/3088-152-0x00007FF7C1F40000-0x00007FF7C2291000-memory.dmp	xmrig
behavioral2/memory/4736-155-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	xmrig
behavioral2/memory/2500-176-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	xmrig
behavioral2/memory/3232-212-0x00007FF7CDE60000-0x00007FF7CE1B1000-memory.dmp	xmrig
behavioral2/memory/3660-214-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp	xmrig
behavioral2/memory/412-216-0x00007FF6DF080000-0x00007FF6DF3D1000-memory.dmp	xmrig
behavioral2/memory/2948-220-0x00007FF7989D0000-0x00007FF798D21000-memory.dmp	xmrig
behavioral2/memory/1468-219-0x00007FF6C8E80000-0x00007FF6C91D1000-memory.dmp	xmrig
behavioral2/memory/1496-224-0x00007FF7CEA60000-0x00007FF7CEDB1000-memory.dmp	xmrig
behavioral2/memory/384-223-0x00007FF7AA3E0000-0x00007FF7AA731000-memory.dmp	xmrig
behavioral2/memory/5068-237-0x00007FF6231D0000-0x00007FF623521000-memory.dmp	xmrig
behavioral2/memory/4228-240-0x00007FF67B3D0000-0x00007FF67B721000-memory.dmp	xmrig
behavioral2/memory/4256-241-0x00007FF78DA20000-0x00007FF78DD71000-memory.dmp	xmrig
behavioral2/memory/2260-243-0x00007FF7F7BB0000-0x00007FF7F7F01000-memory.dmp	xmrig
behavioral2/memory/2620-247-0x00007FF709F10000-0x00007FF70A261000-memory.dmp	xmrig
behavioral2/memory/3488-249-0x00007FF6750C0000-0x00007FF675411000-memory.dmp	xmrig
behavioral2/memory/2056-246-0x00007FF7F6D60000-0x00007FF7F70B1000-memory.dmp	xmrig
behavioral2/memory/2820-253-0x00007FF71F660000-0x00007FF71F9B1000-memory.dmp	xmrig
behavioral2/memory/2852-252-0x00007FF691990000-0x00007FF691CE1000-memory.dmp	xmrig
behavioral2/memory/3088-255-0x00007FF7C1F40000-0x00007FF7C2291000-memory.dmp	xmrig
behavioral2/memory/3584-257-0x00007FF7650D0000-0x00007FF765421000-memory.dmp	xmrig
behavioral2/memory/4704-263-0x00007FF6A5D70000-0x00007FF6A60C1000-memory.dmp	xmrig
behavioral2/memory/1560-267-0x00007FF6B5600000-0x00007FF6B5951000-memory.dmp	xmrig
behavioral2/memory/2500-266-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3232	cvbqmmj.exe
3660	HoMumpq.exe
412	EgkDzAx.exe
1468	fYiuSRX.exe
2948	QXvKwpa.exe
384	EmLeaON.exe
1496	kOEJuhq.exe
5068	HgDwyth.exe
4256	zaukbUv.exe
4228	cdkZqHy.exe
3488	RacdmYU.exe
2260	MJtQfmh.exe
2620	VpWcZzv.exe
2056	sgxQiIZ.exe
2820	czfvRZq.exe
2852	mcHPmsG.exe
3088	GeDrbqa.exe
3584	jCANokm.exe
4704	zdklCAX.exe
1560	nGiiexU.exe
2500	jYIpUNM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4736-0-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	upx
behavioral2/files/0x000b000000023ba8-4.dat	upx
behavioral2/files/0x000e000000023bba-10.dat	upx
behavioral2/memory/3660-16-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp	upx
behavioral2/files/0x0008000000023bc3-23.dat	upx
behavioral2/files/0x0009000000023bc8-24.dat	upx
behavioral2/memory/412-21-0x00007FF6DF080000-0x00007FF6DF3D1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb3-12.dat	upx
behavioral2/memory/3232-7-0x00007FF7CDE60000-0x00007FF7CE1B1000-memory.dmp	upx
behavioral2/files/0x0009000000023bc9-38.dat	upx
behavioral2/files/0x0009000000023bca-43.dat	upx
behavioral2/files/0x000e000000023bce-50.dat	upx
behavioral2/memory/5068-55-0x00007FF6231D0000-0x00007FF623521000-memory.dmp	upx
behavioral2/files/0x0008000000023bd3-58.dat	upx
behavioral2/memory/4736-67-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	upx
behavioral2/files/0x0008000000023bd5-75.dat	upx
behavioral2/memory/2056-80-0x00007FF7F6D60000-0x00007FF7F70B1000-memory.dmp	upx
behavioral2/files/0x0008000000023c05-93.dat	upx
behavioral2/memory/2948-108-0x00007FF7989D0000-0x00007FF798D21000-memory.dmp	upx
behavioral2/memory/384-117-0x00007FF7AA3E0000-0x00007FF7AA731000-memory.dmp	upx
behavioral2/files/0x0008000000023c08-115.dat	upx
behavioral2/files/0x0008000000023c07-113.dat	upx
behavioral2/memory/3088-112-0x00007FF7C1F40000-0x00007FF7C2291000-memory.dmp	upx
behavioral2/memory/1468-111-0x00007FF6C8E80000-0x00007FF6C91D1000-memory.dmp	upx
behavioral2/memory/3584-110-0x00007FF7650D0000-0x00007FF765421000-memory.dmp	upx
behavioral2/memory/2820-109-0x00007FF71F660000-0x00007FF71F9B1000-memory.dmp	upx
behavioral2/files/0x0008000000023c06-106.dat	upx
behavioral2/memory/412-103-0x00007FF6DF080000-0x00007FF6DF3D1000-memory.dmp	upx
behavioral2/memory/2852-102-0x00007FF691990000-0x00007FF691CE1000-memory.dmp	upx
behavioral2/memory/2620-95-0x00007FF709F10000-0x00007FF70A261000-memory.dmp	upx
behavioral2/files/0x0008000000023bd4-91.dat	upx
behavioral2/files/0x0008000000023bd6-88.dat	upx
behavioral2/files/0x000c000000023ba9-87.dat	upx
behavioral2/memory/3660-84-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp	upx
behavioral2/memory/2260-79-0x00007FF7F7BB0000-0x00007FF7F7F01000-memory.dmp	upx
behavioral2/memory/3232-73-0x00007FF7CDE60000-0x00007FF7CE1B1000-memory.dmp	upx
behavioral2/memory/3488-72-0x00007FF6750C0000-0x00007FF675411000-memory.dmp	upx
behavioral2/memory/4228-66-0x00007FF67B3D0000-0x00007FF67B721000-memory.dmp	upx
behavioral2/memory/4256-57-0x00007FF78DA20000-0x00007FF78DD71000-memory.dmp	upx
behavioral2/files/0x0008000000023bd0-56.dat	upx
behavioral2/memory/1496-42-0x00007FF7CEA60000-0x00007FF7CEDB1000-memory.dmp	upx
behavioral2/memory/384-41-0x00007FF7AA3E0000-0x00007FF7AA731000-memory.dmp	upx
behavioral2/memory/2948-35-0x00007FF7989D0000-0x00007FF798D21000-memory.dmp	upx
behavioral2/memory/1468-27-0x00007FF6C8E80000-0x00007FF6C91D1000-memory.dmp	upx
behavioral2/memory/4256-129-0x00007FF78DA20000-0x00007FF78DD71000-memory.dmp	upx
behavioral2/files/0x0008000000023c09-135.dat	upx
behavioral2/files/0x0008000000023c0f-142.dat	upx
behavioral2/memory/2852-151-0x00007FF691990000-0x00007FF691CE1000-memory.dmp	upx
behavioral2/memory/1560-150-0x00007FF6B5600000-0x00007FF6B5951000-memory.dmp	upx
behavioral2/memory/4704-148-0x00007FF6A5D70000-0x00007FF6A60C1000-memory.dmp	upx
behavioral2/memory/2500-145-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	upx
behavioral2/memory/2620-137-0x00007FF709F10000-0x00007FF70A261000-memory.dmp	upx
behavioral2/files/0x0008000000023c0a-140.dat	upx
behavioral2/memory/2056-138-0x00007FF7F6D60000-0x00007FF7F70B1000-memory.dmp	upx
behavioral2/memory/2260-132-0x00007FF7F7BB0000-0x00007FF7F7F01000-memory.dmp	upx
behavioral2/memory/3488-131-0x00007FF6750C0000-0x00007FF675411000-memory.dmp	upx
behavioral2/memory/4228-130-0x00007FF67B3D0000-0x00007FF67B721000-memory.dmp	upx
behavioral2/memory/5068-128-0x00007FF6231D0000-0x00007FF623521000-memory.dmp	upx
behavioral2/memory/1496-127-0x00007FF7CEA60000-0x00007FF7CEDB1000-memory.dmp	upx
behavioral2/memory/3584-153-0x00007FF7650D0000-0x00007FF765421000-memory.dmp	upx
behavioral2/memory/3088-152-0x00007FF7C1F40000-0x00007FF7C2291000-memory.dmp	upx
behavioral2/memory/4736-155-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	upx
behavioral2/memory/2500-176-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	upx
behavioral2/memory/3232-212-0x00007FF7CDE60000-0x00007FF7CE1B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VpWcZzv.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jCANokm.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zdklCAX.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jYIpUNM.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fYiuSRX.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cdkZqHy.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zaukbUv.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJtQfmh.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GeDrbqa.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EgkDzAx.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EmLeaON.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QXvKwpa.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mcHPmsG.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kOEJuhq.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HgDwyth.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RacdmYU.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sgxQiIZ.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\czfvRZq.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGiiexU.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cvbqmmj.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HoMumpq.exe	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3232	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4736 wrote to memory of 3232	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4736 wrote to memory of 3660	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4736 wrote to memory of 3660	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4736 wrote to memory of 412	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4736 wrote to memory of 412	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4736 wrote to memory of 1468	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4736 wrote to memory of 1468	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4736 wrote to memory of 2948	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4736 wrote to memory of 2948	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4736 wrote to memory of 384	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4736 wrote to memory of 384	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4736 wrote to memory of 1496	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4736 wrote to memory of 1496	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4736 wrote to memory of 5068	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4736 wrote to memory of 5068	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4736 wrote to memory of 4256	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4736 wrote to memory of 4256	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4736 wrote to memory of 4228	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4736 wrote to memory of 4228	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4736 wrote to memory of 3488	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4736 wrote to memory of 3488	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4736 wrote to memory of 2260	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4736 wrote to memory of 2260	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4736 wrote to memory of 2620	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4736 wrote to memory of 2620	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4736 wrote to memory of 2056	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4736 wrote to memory of 2056	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4736 wrote to memory of 2820	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4736 wrote to memory of 2820	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4736 wrote to memory of 2852	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4736 wrote to memory of 2852	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4736 wrote to memory of 3088	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4736 wrote to memory of 3088	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4736 wrote to memory of 3584	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4736 wrote to memory of 3584	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4736 wrote to memory of 4704	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4736 wrote to memory of 4704	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4736 wrote to memory of 1560	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4736 wrote to memory of 1560	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4736 wrote to memory of 2500	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4736 wrote to memory of 2500	4736	2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\System\cvbqmmj.exe
  C:\Windows\System\cvbqmmj.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\HoMumpq.exe
  C:\Windows\System\HoMumpq.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\EgkDzAx.exe
  C:\Windows\System\EgkDzAx.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\fYiuSRX.exe
  C:\Windows\System\fYiuSRX.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\QXvKwpa.exe
  C:\Windows\System\QXvKwpa.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\EmLeaON.exe
  C:\Windows\System\EmLeaON.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\kOEJuhq.exe
  C:\Windows\System\kOEJuhq.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\HgDwyth.exe
  C:\Windows\System\HgDwyth.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\zaukbUv.exe
  C:\Windows\System\zaukbUv.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\cdkZqHy.exe
  C:\Windows\System\cdkZqHy.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\RacdmYU.exe
  C:\Windows\System\RacdmYU.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\MJtQfmh.exe
  C:\Windows\System\MJtQfmh.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\VpWcZzv.exe
  C:\Windows\System\VpWcZzv.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\sgxQiIZ.exe
  C:\Windows\System\sgxQiIZ.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\czfvRZq.exe
  C:\Windows\System\czfvRZq.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\mcHPmsG.exe
  C:\Windows\System\mcHPmsG.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\GeDrbqa.exe
  C:\Windows\System\GeDrbqa.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\jCANokm.exe
  C:\Windows\System\jCANokm.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\zdklCAX.exe
  C:\Windows\System\zdklCAX.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\nGiiexU.exe
  C:\Windows\System\nGiiexU.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\jYIpUNM.exe
  C:\Windows\System\jYIpUNM.exe
  2⤵
  - Executes dropped EXE
  PID:2500

Network

DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR

Response

140.71.91.104.in-addr.arpa

IN PTR

a104-91-71-140deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

3.120.209.58:8080

2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-11-18_54b76ed69129f9e8a7530a39dab9d292_cobalt-strike_cobaltstrike_poet-rat.exe

156 B
3

8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

140.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

140.71.91.104.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EgkDzAx.exe

Filesize
5.2MB

MD5
6abdc77beb36cd50bfd5957cd69a1cd5

SHA1
d4e0dc75c9dc53e1dc4012369f9f02e1c6246375

SHA256
849db4b2dc41d21eee163ed267becbc1fc33724f29df052b6cb0dd4a0eb82982

SHA512
7b033782bbc86abbaa6801115ca90c2f725fb88e2e7da11386de952a0c2e658c4588626c972f8f1295c78a1e4e9e81311d1653ff4780e782cb4415c8fdb5167f

Download Submit
C:\Windows\System\EmLeaON.exe

Filesize
5.2MB

MD5
ea958814544ef1d15af62d7219b5a8e5

SHA1
4eddf3de29d3a716ec6f95bd165c89322b176f37

SHA256
2e284dec51a1ef30a46ff2d504b9646f7a9d80fc7367ded89741de6bed12abb2

SHA512
e4ac795d10be54213261eff9d2ebaff4ae659d285bae72c126f63d1dc73777f7681260a0d6bf4bb7b766afceb8a421454abb8ce400bdbd55f509a2b69bba8fd7

Download Submit
C:\Windows\System\GeDrbqa.exe

Filesize
5.2MB

MD5
80a393f75c52847145a54bae03ef4953

SHA1
2aa508e2735f1866eb2f6b38935b0cc728767509

SHA256
61b7f6ed6188ed93ded33658c49d2dd8409822c21ea8306c0c281f6ade5147af

SHA512
e0541b74653d4a8a90288ca2e0fc29fa80b473c3443514f660e3dbb89f91e5bce7ecd09155b790c52c374fb62289203197f413244555b22929f54f2bd63a2303

Download Submit
C:\Windows\System\HgDwyth.exe

Filesize
5.2MB

MD5
4154fff4ab113e547b422372250608cd

SHA1
8e945d94fddb4aa64eac4c63f45ded89cbeb3c4c

SHA256
3f4098aa73ae372d7cbefe122a4187e123899df0a8c36fc003aa523ccc797066

SHA512
27494339c9f20c0268cb3eeda1225bc99384ef1953fb431853ee08b1b7953f46f856aa421ab29b867f0c276b7c9f2981bad0a494e72c97e13d4394f03256630b

Download Submit
C:\Windows\System\HoMumpq.exe

Filesize
5.2MB

MD5
ba321fadb1f33abea81806a3dd992620

SHA1
fbec48ba9384212bcda8a63a3ca13c1f5d30509b

SHA256
bc6aeb5fef567f62a4e1f3a72c47b8b10165548bd05341f980edd3783267f6e3

SHA512
886c584ef5ae8825d3029630c44a6bbc86b2cbe6c6cc4d652beabd51aa10ee637aef70ad96e619af96330195336c5b7e64a4566d2845f78ac64a04e878ecaf4d

Download Submit
C:\Windows\System\MJtQfmh.exe

Filesize
5.2MB

MD5
a11a4056fa3ce176c85d62e8662cc787

SHA1
b2a4db90220eb121889d844d7071cf2dd386c9fa

SHA256
282ccbff68bfa0fec202c6b830573f2b9402c0c7457e3ded39fa23992b2d34f5

SHA512
e5a96ba07f877af7028c72835c60eb6e5b0965b7bc8f9824b3b0b0d69f9f9c675fe4550859556bd5540e55caffd6a3e513c097d0997cf924a0287cfb6034a26c

Download Submit
C:\Windows\System\QXvKwpa.exe

Filesize
5.2MB

MD5
2d9b06e936272ee0d41e9458010d3818

SHA1
27e947c8ad59c329a34f0653803552178a54160c

SHA256
45074221a90c4cda733a3e10ddff8a918f6a13ce6bb77ac6b707d5b4b48156f5

SHA512
0ec51b93139b63e4ffced7d31272206cf2f8cb57c451be8e27123db5bf105113e78daa68996795757136e93354f7c4062a6b9402ec22d986af7d9ab053369669

Download Submit
C:\Windows\System\RacdmYU.exe

Filesize
5.2MB

MD5
db45b8f5e0f9c1187b385e5005df27df

SHA1
e93da3e5840c1aff8703b58abdc892feb340a56c

SHA256
bb4464965387c74a5810638d7ab2d8ca315351900daa3da3cebc892796298302

SHA512
32905cfecbd8a11d9a502fd355976d322a749aa9455a8c1bc2a413b247ce84a11b2389df2d83e2b566b2d5d7cc20e3f3491e76ed5b51e22b104a0f47da85719e

Download Submit
C:\Windows\System\VpWcZzv.exe

Filesize
5.2MB

MD5
acc82b0d8e50d25d6308064ea4520262

SHA1
554be6969c5d24ddc719bcf75d7385199f9d3b45

SHA256
d37b370a8aec046aa53c67f86dfa97afd04fc45f8468c3560cc6167cc48bcb63

SHA512
658514d4fce02df5c5157d05099338c356969a706f1811f7ea5cc89a9124552d39458f0ece049fd0c9e26733c10cdb34e1d27f18dc33aa9ed86e5e6805ff0b8b

Download Submit
C:\Windows\System\cdkZqHy.exe

Filesize
5.2MB

MD5
6a7e954ef2e525bc712586e76aa1dd60

SHA1
de6f1aa19189b3b5d69a61e493746f24ac24bc9d

SHA256
4b8f0f06533f096889008d2c70d5fba7dde5c7d2701e88aaa4c9488290370063

SHA512
507287eb86b1c3652ddf8efd457e68e493be515c6d739d65c58d12915e2e15c714f59685488c11f304ccc89ae48ee9e7d9ca02093589b9f94c593db543772e71

Download Submit
C:\Windows\System\cvbqmmj.exe

Filesize
5.2MB

MD5
d3fc5d056dabc6b6d4730be51d49d02a

SHA1
805eb24f87799f762590119c1d0213865adbe3be

SHA256
86b0823c129c71d1c09efc833896cdac3e5d8349751d6b7d8346664a3d54d61c

SHA512
e051e0371133deab0e34989a5974dd1774ec46cebcebc667d5ecb1cd8d0b9e22da00903ca06945568770b5f1dfbc52a10b1e77ec6e632e58b6646bae570d4b3e

Download Submit
C:\Windows\System\czfvRZq.exe

Filesize
5.2MB

MD5
33296dfcc3d969d6fd1fb209ee1cc46e

SHA1
d73ef00cb863a80a3a84211a42efe752d56e5f18

SHA256
48a337272efa063d523cbbb8b9484f99ec921e35595db58acd476fbb79378f31

SHA512
4f054dbe58ffa6bb0e6325cd78769a641784d8567372723c0ac0097e2e571899a637e0459402e148d2e0653a4b2da78ed406ea17bfda56bb3c2621b0ff8f6e29

Download Submit
C:\Windows\System\fYiuSRX.exe

Filesize
5.2MB

MD5
165b4b397b4adc51352604e16d25a07e

SHA1
523cbfca101256ec2d2dc51a66bd758413f255a2

SHA256
638f367857d08de93ea98e9d4cf87431a320efced96925da20e16f62031f99b8

SHA512
14b14bf726d9c4652330d2aa6f5815ae6567c862f58493197094ab1901a6a36a9e826e180f4f4b6b15ea1411519071c7305e0c3eb139eef1000bc791dbafa505

Download Submit
C:\Windows\System\jCANokm.exe

Filesize
5.2MB

MD5
424c04033dfa058303a569a789563c17

SHA1
ca026659d321903abc549cd847e78f8405bed31c

SHA256
639b1812cdb3d297ae55bd52fdbe9b7beb4369dc22d57dbe4bf4dbafa025815c

SHA512
ce119df37347fd9b57fc7bb47875acb0f4503359ef974509fda9c2d8acc7ee3379af43ce0cd6b089dc905d066919132bf56313e41a1edec6227e8d68b8ffb6d3

Download Submit
C:\Windows\System\jYIpUNM.exe

Filesize
5.2MB

MD5
56ab0c78084ac336d27ad0c41532aed1

SHA1
d756f33123fafdf23e60fe52ab243d744b8192ff

SHA256
df84e46e75cc2bd7e692aeb5c193fac396020347573ff7dd7b098ec2ba855d61

SHA512
de13fb55c0e4366464017cc885379a54dd62e1e1c1fec45c6b2886bb4c28649b6d171d0d8d8665b464ed8ad5cb13276e807ba98d6211422506aaf48eb129c695

Download Submit
C:\Windows\System\kOEJuhq.exe

Filesize
5.2MB

MD5
dd57805dceff0b9b9c9a7dda44af4287

SHA1
6f1b090495a1ab12cef1f4a082f88fc2e2837d3e

SHA256
5ad731ba2f5a80371577f235f82f52431dfe06dc9876a71796dc5624d5588cbf

SHA512
bd6d016498bd4fa52e76ac5feceaa28439e3ee9ee3e5646d86261817c833fc3b4e1029a702a571d0c49fdf74d257ae77f6e40adeb42895b668e013b381bcfebe

Download Submit
C:\Windows\System\mcHPmsG.exe

Filesize
5.2MB

MD5
743f64f916203b77245f91d7fd1ce769

SHA1
87c9d189712693023c71e7aa8b48090dab645c47

SHA256
d9b1320a27582482f6a3e416efeb91925fc286a8a844e7d42bc14ae55fd1fb0e

SHA512
6cf93fbeb83ff35e10c8613a8f79579edb6dd3189656f7b4425e11f307dbf0d6ddcc48e47f71bebb2795cc4910101d27b306ec5593c2ab2c3b922e7c8877d6df

Download Submit
C:\Windows\System\nGiiexU.exe

Filesize
5.2MB

MD5
b4c52312b8e130b17888991cda2aa313

SHA1
6fae7efd12b5b13ed8d63914230e995a41d2cd3c

SHA256
30c5351bc9ea6826b05a5e09ed33ef0b6ebb3a2b3d8efea0b3b85bb629ea8c30

SHA512
f1d362994a37c858ed0fb3b87e94688839f31bc7d25bcbe15d5e9ea8d169f6fb53fb375acb780f5aac4fd37ff7b48dd313dba2dbd5d6dae8ace4fcd35daaaaa8

Download Submit
C:\Windows\System\sgxQiIZ.exe

Filesize
5.2MB

MD5
33573e1284c33cffb205926317a13e25

SHA1
39d8ddc85d8769cf5695df24023121af5eca6427

SHA256
60805ce02b95157c1d1c02a0b8afbd5c20ae7c19d0ef5dc5586be0c5e1133047

SHA512
18bad1d147b1c457eba3f3e69d85a9702d4291f16c8dcfe670c33b698ba0d19574df1a470a0d61473eb3e2f7dcee3557a5e8a99109ef8ff53e5f3690bc44dcad

Download Submit
C:\Windows\System\zaukbUv.exe

Filesize
5.2MB

MD5
d6acec006e7b3eff1aab28771e0f1645

SHA1
38ccf0f2c42ec88c48181b46fb4853e242ff0261

SHA256
4ba7b1b1e5cc4a838ad1762d5d62f223ad9d0e70b756f6a6ff0cb0201e7269ed

SHA512
f3700751c9278eef08884f4d95197ddd493f391643612cfdee7b7219c26060ecb6df0d1e36f7d898a818d1188ccf1cc41127423e6b6c19313cf1915967aae0e6

Download Submit
C:\Windows\System\zdklCAX.exe

Filesize
5.2MB

MD5
af3cd3e24c3dbfe8b5e0dcde295e50dc

SHA1
2d49b8076ae09baf55c72120fee4e14a3e840320

SHA256
3331951cea47785a504d6f4d3e1683ee9be6d659e74fb60b77ba09c4b706f57a

SHA512
1e5d0d325b7d12ebc8b12aa9ba4c234a2414832d33300b309460b7ca51c33bc0f8206eaa7aebf21968219ede956e675b0287c845251da7ef099b9adbac15a071

Download Submit
memory/384-117-0x00007FF7AA3E0000-0x00007FF7AA731000-memory.dmp

Filesize
3.3MB

Download
memory/384-223-0x00007FF7AA3E0000-0x00007FF7AA731000-memory.dmp

Filesize
3.3MB

Download
memory/384-41-0x00007FF7AA3E0000-0x00007FF7AA731000-memory.dmp

Filesize
3.3MB

Download
memory/412-216-0x00007FF6DF080000-0x00007FF6DF3D1000-memory.dmp

Filesize
3.3MB

Download
memory/412-21-0x00007FF6DF080000-0x00007FF6DF3D1000-memory.dmp

Filesize
3.3MB

Download
memory/412-103-0x00007FF6DF080000-0x00007FF6DF3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-111-0x00007FF6C8E80000-0x00007FF6C91D1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-219-0x00007FF6C8E80000-0x00007FF6C91D1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-27-0x00007FF6C8E80000-0x00007FF6C91D1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-42-0x00007FF7CEA60000-0x00007FF7CEDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-127-0x00007FF7CEA60000-0x00007FF7CEDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-224-0x00007FF7CEA60000-0x00007FF7CEDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-267-0x00007FF6B5600000-0x00007FF6B5951000-memory.dmp

Filesize
3.3MB

Download
memory/1560-150-0x00007FF6B5600000-0x00007FF6B5951000-memory.dmp

Filesize
3.3MB

Download
memory/2056-138-0x00007FF7F6D60000-0x00007FF7F70B1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-80-0x00007FF7F6D60000-0x00007FF7F70B1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-246-0x00007FF7F6D60000-0x00007FF7F70B1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-132-0x00007FF7F7BB0000-0x00007FF7F7F01000-memory.dmp

Filesize
3.3MB

Download
memory/2260-79-0x00007FF7F7BB0000-0x00007FF7F7F01000-memory.dmp

Filesize
3.3MB

Download
memory/2260-243-0x00007FF7F7BB0000-0x00007FF7F7F01000-memory.dmp

Filesize
3.3MB

Download
memory/2500-176-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp

Filesize
3.3MB

Download
memory/2500-266-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp

Filesize
3.3MB

Download
memory/2500-145-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp

Filesize
3.3MB

Download
memory/2620-137-0x00007FF709F10000-0x00007FF70A261000-memory.dmp

Filesize
3.3MB

Download
memory/2620-95-0x00007FF709F10000-0x00007FF70A261000-memory.dmp

Filesize
3.3MB

Download
memory/2620-247-0x00007FF709F10000-0x00007FF70A261000-memory.dmp

Filesize
3.3MB

Download
memory/2820-253-0x00007FF71F660000-0x00007FF71F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-109-0x00007FF71F660000-0x00007FF71F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-252-0x00007FF691990000-0x00007FF691CE1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-151-0x00007FF691990000-0x00007FF691CE1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-102-0x00007FF691990000-0x00007FF691CE1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-35-0x00007FF7989D0000-0x00007FF798D21000-memory.dmp

Filesize
3.3MB

Download
memory/2948-220-0x00007FF7989D0000-0x00007FF798D21000-memory.dmp

Filesize
3.3MB

Download
memory/2948-108-0x00007FF7989D0000-0x00007FF798D21000-memory.dmp

Filesize
3.3MB

Download
memory/3088-152-0x00007FF7C1F40000-0x00007FF7C2291000-memory.dmp

Filesize
3.3MB

Download
memory/3088-112-0x00007FF7C1F40000-0x00007FF7C2291000-memory.dmp

Filesize
3.3MB

Download
memory/3088-255-0x00007FF7C1F40000-0x00007FF7C2291000-memory.dmp

Filesize
3.3MB

Download
memory/3232-212-0x00007FF7CDE60000-0x00007FF7CE1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-7-0x00007FF7CDE60000-0x00007FF7CE1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-73-0x00007FF7CDE60000-0x00007FF7CE1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3488-249-0x00007FF6750C0000-0x00007FF675411000-memory.dmp

Filesize
3.3MB

Download
memory/3488-131-0x00007FF6750C0000-0x00007FF675411000-memory.dmp

Filesize
3.3MB

Download
memory/3488-72-0x00007FF6750C0000-0x00007FF675411000-memory.dmp

Filesize
3.3MB

Download
memory/3584-153-0x00007FF7650D0000-0x00007FF765421000-memory.dmp

Filesize
3.3MB

Download
memory/3584-257-0x00007FF7650D0000-0x00007FF765421000-memory.dmp

Filesize
3.3MB

Download
memory/3584-110-0x00007FF7650D0000-0x00007FF765421000-memory.dmp

Filesize
3.3MB

Download
memory/3660-214-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

Filesize
3.3MB

Download
memory/3660-16-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

Filesize
3.3MB

Download
memory/3660-84-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

Filesize
3.3MB

Download
memory/4228-130-0x00007FF67B3D0000-0x00007FF67B721000-memory.dmp

Filesize
3.3MB

Download
memory/4228-240-0x00007FF67B3D0000-0x00007FF67B721000-memory.dmp

Filesize
3.3MB

Download
memory/4228-66-0x00007FF67B3D0000-0x00007FF67B721000-memory.dmp

Filesize
3.3MB

Download
memory/4256-241-0x00007FF78DA20000-0x00007FF78DD71000-memory.dmp

Filesize
3.3MB

Download
memory/4256-57-0x00007FF78DA20000-0x00007FF78DD71000-memory.dmp

Filesize
3.3MB

Download
memory/4256-129-0x00007FF78DA20000-0x00007FF78DD71000-memory.dmp

Filesize
3.3MB

Download
memory/4704-148-0x00007FF6A5D70000-0x00007FF6A60C1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-263-0x00007FF6A5D70000-0x00007FF6A60C1000-memory.dmp

Filesize
3.3MB

Download
memory/4736-1-0x000001D789B60000-0x000001D789B70000-memory.dmp

Filesize
64KB

Download
memory/4736-67-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp

Filesize
3.3MB

Download
memory/4736-0-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp

Filesize
3.3MB

Download
memory/4736-155-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp

Filesize
3.3MB

Download
memory/5068-55-0x00007FF6231D0000-0x00007FF623521000-memory.dmp

Filesize
3.3MB

Download
memory/5068-128-0x00007FF6231D0000-0x00007FF623521000-memory.dmp

Filesize
3.3MB

Download
memory/5068-237-0x00007FF6231D0000-0x00007FF623521000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.