cobaltstrike | 6cfb4a7457748063f10dbf8a5f8e23622f375595767e0cd330a940bef42b81d0

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 03:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

044d3b2c5ac3e5b5e2853b70131b35ba
SHA1

d3a1b49800e9b5f463cde0dfcdb70b7eac5815a5
SHA256

6cfb4a7457748063f10dbf8a5f8e23622f375595767e0cd330a940bef42b81d0
SHA512

17ce3919ffb75e0f6758e503a0ab965626ff3395d8034616c99729b80dc634b2ab27c1447be86701ece1779c06e86586b7a4cd47b42d884af9233d73f1134886
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibd56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cb6-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-49.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb7-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4556-63-0x00007FF61F510000-0x00007FF61F861000-memory.dmp	xmrig
behavioral2/memory/3944-89-0x00007FF6BAEA0000-0x00007FF6BB1F1000-memory.dmp	xmrig
behavioral2/memory/1440-81-0x00007FF6DDB30000-0x00007FF6DDE81000-memory.dmp	xmrig
behavioral2/memory/1292-76-0x00007FF618BE0000-0x00007FF618F31000-memory.dmp	xmrig
behavioral2/memory/3164-69-0x00007FF7CB990000-0x00007FF7CBCE1000-memory.dmp	xmrig
behavioral2/memory/912-60-0x00007FF6B8360000-0x00007FF6B86B1000-memory.dmp	xmrig
behavioral2/memory/2388-47-0x00007FF7DB280000-0x00007FF7DB5D1000-memory.dmp	xmrig
behavioral2/memory/5036-45-0x00007FF7787B0000-0x00007FF778B01000-memory.dmp	xmrig
behavioral2/memory/4616-92-0x00007FF7AB9F0000-0x00007FF7ABD41000-memory.dmp	xmrig
behavioral2/memory/3048-100-0x00007FF736A40000-0x00007FF736D91000-memory.dmp	xmrig
behavioral2/memory/1840-108-0x00007FF638280000-0x00007FF6385D1000-memory.dmp	xmrig
behavioral2/memory/5032-141-0x00007FF688240000-0x00007FF688591000-memory.dmp	xmrig
behavioral2/memory/4928-140-0x00007FF7161B0000-0x00007FF716501000-memory.dmp	xmrig
behavioral2/memory/4520-142-0x00007FF72F480000-0x00007FF72F7D1000-memory.dmp	xmrig
behavioral2/memory/2696-149-0x00007FF7C6710000-0x00007FF7C6A61000-memory.dmp	xmrig
behavioral2/memory/5060-151-0x00007FF735C10000-0x00007FF735F61000-memory.dmp	xmrig
behavioral2/memory/776-150-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	xmrig
behavioral2/memory/3048-152-0x00007FF736A40000-0x00007FF736D91000-memory.dmp	xmrig
behavioral2/memory/2716-155-0x00007FF60C990000-0x00007FF60CCE1000-memory.dmp	xmrig
behavioral2/memory/2212-156-0x00007FF70A230000-0x00007FF70A581000-memory.dmp	xmrig
behavioral2/memory/4436-157-0x00007FF6DD7D0000-0x00007FF6DDB21000-memory.dmp	xmrig
behavioral2/memory/4556-153-0x00007FF61F510000-0x00007FF61F861000-memory.dmp	xmrig
behavioral2/memory/3156-164-0x00007FF72DB80000-0x00007FF72DED1000-memory.dmp	xmrig
behavioral2/memory/1288-166-0x00007FF62C6C0000-0x00007FF62CA11000-memory.dmp	xmrig
behavioral2/memory/4556-177-0x00007FF61F510000-0x00007FF61F861000-memory.dmp	xmrig
behavioral2/memory/1292-210-0x00007FF618BE0000-0x00007FF618F31000-memory.dmp	xmrig
behavioral2/memory/3164-214-0x00007FF7CB990000-0x00007FF7CBCE1000-memory.dmp	xmrig
behavioral2/memory/1440-216-0x00007FF6DDB30000-0x00007FF6DDE81000-memory.dmp	xmrig
behavioral2/memory/3944-218-0x00007FF6BAEA0000-0x00007FF6BB1F1000-memory.dmp	xmrig
behavioral2/memory/5036-227-0x00007FF7787B0000-0x00007FF778B01000-memory.dmp	xmrig
behavioral2/memory/2388-229-0x00007FF7DB280000-0x00007FF7DB5D1000-memory.dmp	xmrig
behavioral2/memory/4616-231-0x00007FF7AB9F0000-0x00007FF7ABD41000-memory.dmp	xmrig
behavioral2/memory/1840-233-0x00007FF638280000-0x00007FF6385D1000-memory.dmp	xmrig
behavioral2/memory/912-235-0x00007FF6B8360000-0x00007FF6B86B1000-memory.dmp	xmrig
behavioral2/memory/776-245-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	xmrig
behavioral2/memory/4928-248-0x00007FF7161B0000-0x00007FF716501000-memory.dmp	xmrig
behavioral2/memory/4520-247-0x00007FF72F480000-0x00007FF72F7D1000-memory.dmp	xmrig
behavioral2/memory/2696-243-0x00007FF7C6710000-0x00007FF7C6A61000-memory.dmp	xmrig
behavioral2/memory/5060-241-0x00007FF735C10000-0x00007FF735F61000-memory.dmp	xmrig
behavioral2/memory/3048-257-0x00007FF736A40000-0x00007FF736D91000-memory.dmp	xmrig
behavioral2/memory/2716-259-0x00007FF60C990000-0x00007FF60CCE1000-memory.dmp	xmrig
behavioral2/memory/4436-261-0x00007FF6DD7D0000-0x00007FF6DDB21000-memory.dmp	xmrig
behavioral2/memory/2212-263-0x00007FF70A230000-0x00007FF70A581000-memory.dmp	xmrig
behavioral2/memory/5032-265-0x00007FF688240000-0x00007FF688591000-memory.dmp	xmrig
behavioral2/memory/1288-267-0x00007FF62C6C0000-0x00007FF62CA11000-memory.dmp	xmrig
behavioral2/memory/3156-269-0x00007FF72DB80000-0x00007FF72DED1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1292	pVzcHue.exe
3164	XFftnfG.exe
1440	uRjbuzu.exe
3944	leFcbAX.exe
4616	IgdbwTO.exe
5036	iYqUfKG.exe
2388	aTFtFzG.exe
912	gjHLfTS.exe
1840	FKbAkoG.exe
4928	VAtRaJT.exe
4520	ZcPdzsW.exe
2696	UntqUDz.exe
776	Fxmatzx.exe
5060	mnRKUvm.exe
3048	xHapBQS.exe
4436	UGBhsZB.exe
2716	vCFPCyO.exe
2212	Jnkopct.exe
1288	TjSalcn.exe
3156	mGyKzvk.exe
5032	VerBVnO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4556-0-0x00007FF61F510000-0x00007FF61F861000-memory.dmp	upx
behavioral2/files/0x0008000000023cb6-5.dat	upx
behavioral2/files/0x0007000000023cbb-9.dat	upx
behavioral2/files/0x0007000000023cba-10.dat	upx
behavioral2/files/0x0007000000023cbc-23.dat	upx
behavioral2/memory/3944-24-0x00007FF6BAEA0000-0x00007FF6BB1F1000-memory.dmp	upx
behavioral2/memory/1440-19-0x00007FF6DDB30000-0x00007FF6DDE81000-memory.dmp	upx
behavioral2/memory/3164-14-0x00007FF7CB990000-0x00007FF7CBCE1000-memory.dmp	upx
behavioral2/memory/1292-7-0x00007FF618BE0000-0x00007FF618F31000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-29.dat	upx
behavioral2/files/0x0007000000023cbe-35.dat	upx
behavioral2/files/0x0007000000023cc0-50.dat	upx
behavioral2/files/0x0007000000023cc1-58.dat	upx
behavioral2/memory/4556-63-0x00007FF61F510000-0x00007FF61F861000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-80.dat	upx
behavioral2/files/0x0007000000023cc4-79.dat	upx
behavioral2/files/0x0007000000023cc3-85.dat	upx
behavioral2/memory/3944-89-0x00007FF6BAEA0000-0x00007FF6BB1F1000-memory.dmp	upx
behavioral2/memory/5060-88-0x00007FF735C10000-0x00007FF735F61000-memory.dmp	upx
behavioral2/memory/776-82-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	upx
behavioral2/memory/1440-81-0x00007FF6DDB30000-0x00007FF6DDE81000-memory.dmp	upx
behavioral2/memory/2696-77-0x00007FF7C6710000-0x00007FF7C6A61000-memory.dmp	upx
behavioral2/memory/1292-76-0x00007FF618BE0000-0x00007FF618F31000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-73.dat	upx
behavioral2/memory/4520-70-0x00007FF72F480000-0x00007FF72F7D1000-memory.dmp	upx
behavioral2/memory/3164-69-0x00007FF7CB990000-0x00007FF7CBCE1000-memory.dmp	upx
behavioral2/memory/4928-64-0x00007FF7161B0000-0x00007FF716501000-memory.dmp	upx
behavioral2/memory/912-60-0x00007FF6B8360000-0x00007FF6B86B1000-memory.dmp	upx
behavioral2/memory/1840-54-0x00007FF638280000-0x00007FF6385D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-49.dat	upx
behavioral2/memory/2388-47-0x00007FF7DB280000-0x00007FF7DB5D1000-memory.dmp	upx
behavioral2/memory/5036-45-0x00007FF7787B0000-0x00007FF778B01000-memory.dmp	upx
behavioral2/files/0x0008000000023cb7-40.dat	upx
behavioral2/memory/4616-33-0x00007FF7AB9F0000-0x00007FF7ABD41000-memory.dmp	upx
behavioral2/memory/4616-92-0x00007FF7AB9F0000-0x00007FF7ABD41000-memory.dmp	upx
behavioral2/files/0x0007000000023cc6-95.dat	upx
behavioral2/memory/3048-100-0x00007FF736A40000-0x00007FF736D91000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-102.dat	upx
behavioral2/files/0x0007000000023cc9-107.dat	upx
behavioral2/memory/1840-108-0x00007FF638280000-0x00007FF6385D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccb-117.dat	upx
behavioral2/files/0x0007000000023ccd-125.dat	upx
behavioral2/memory/1288-129-0x00007FF62C6C0000-0x00007FF62CA11000-memory.dmp	upx
behavioral2/memory/3156-138-0x00007FF72DB80000-0x00007FF72DED1000-memory.dmp	upx
behavioral2/memory/5032-141-0x00007FF688240000-0x00007FF688591000-memory.dmp	upx
behavioral2/memory/4928-140-0x00007FF7161B0000-0x00007FF716501000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-136.dat	upx
behavioral2/files/0x0007000000023cca-126.dat	upx
behavioral2/memory/2212-121-0x00007FF70A230000-0x00007FF70A581000-memory.dmp	upx
behavioral2/memory/2716-111-0x00007FF60C990000-0x00007FF60CCE1000-memory.dmp	upx
behavioral2/memory/4436-104-0x00007FF6DD7D0000-0x00007FF6DDB21000-memory.dmp	upx
behavioral2/memory/4520-142-0x00007FF72F480000-0x00007FF72F7D1000-memory.dmp	upx
behavioral2/memory/2696-149-0x00007FF7C6710000-0x00007FF7C6A61000-memory.dmp	upx
behavioral2/memory/5060-151-0x00007FF735C10000-0x00007FF735F61000-memory.dmp	upx
behavioral2/memory/776-150-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	upx
behavioral2/memory/3048-152-0x00007FF736A40000-0x00007FF736D91000-memory.dmp	upx
behavioral2/memory/2716-155-0x00007FF60C990000-0x00007FF60CCE1000-memory.dmp	upx
behavioral2/memory/2212-156-0x00007FF70A230000-0x00007FF70A581000-memory.dmp	upx
behavioral2/memory/4436-157-0x00007FF6DD7D0000-0x00007FF6DDB21000-memory.dmp	upx
behavioral2/memory/4556-153-0x00007FF61F510000-0x00007FF61F861000-memory.dmp	upx
behavioral2/memory/3156-164-0x00007FF72DB80000-0x00007FF72DED1000-memory.dmp	upx
behavioral2/memory/1288-166-0x00007FF62C6C0000-0x00007FF62CA11000-memory.dmp	upx
behavioral2/memory/4556-177-0x00007FF61F510000-0x00007FF61F861000-memory.dmp	upx
behavioral2/memory/1292-210-0x00007FF618BE0000-0x00007FF618F31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gjHLfTS.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZcPdzsW.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xHapBQS.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TjSalcn.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leFcbAX.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VAtRaJT.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Fxmatzx.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGBhsZB.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Jnkopct.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XFftnfG.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IgdbwTO.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aTFtFzG.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mnRKUvm.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VerBVnO.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uRjbuzu.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iYqUfKG.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FKbAkoG.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UntqUDz.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vCFPCyO.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mGyKzvk.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pVzcHue.exe	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 1292	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4556 wrote to memory of 1292	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4556 wrote to memory of 3164	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4556 wrote to memory of 3164	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4556 wrote to memory of 1440	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4556 wrote to memory of 1440	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4556 wrote to memory of 3944	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4556 wrote to memory of 3944	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4556 wrote to memory of 4616	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4556 wrote to memory of 4616	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4556 wrote to memory of 2388	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4556 wrote to memory of 2388	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4556 wrote to memory of 5036	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4556 wrote to memory of 5036	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4556 wrote to memory of 912	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4556 wrote to memory of 912	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4556 wrote to memory of 1840	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4556 wrote to memory of 1840	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4556 wrote to memory of 4928	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4556 wrote to memory of 4928	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4556 wrote to memory of 4520	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4556 wrote to memory of 4520	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4556 wrote to memory of 2696	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4556 wrote to memory of 2696	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4556 wrote to memory of 776	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4556 wrote to memory of 776	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4556 wrote to memory of 5060	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4556 wrote to memory of 5060	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4556 wrote to memory of 3048	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4556 wrote to memory of 3048	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4556 wrote to memory of 4436	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4556 wrote to memory of 4436	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4556 wrote to memory of 2716	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4556 wrote to memory of 2716	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4556 wrote to memory of 2212	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4556 wrote to memory of 2212	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4556 wrote to memory of 1288	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4556 wrote to memory of 1288	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4556 wrote to memory of 3156	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4556 wrote to memory of 3156	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4556 wrote to memory of 5032	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4556 wrote to memory of 5032	4556	2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\System\pVzcHue.exe
  C:\Windows\System\pVzcHue.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\XFftnfG.exe
  C:\Windows\System\XFftnfG.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\uRjbuzu.exe
  C:\Windows\System\uRjbuzu.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\leFcbAX.exe
  C:\Windows\System\leFcbAX.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\IgdbwTO.exe
  C:\Windows\System\IgdbwTO.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\aTFtFzG.exe
  C:\Windows\System\aTFtFzG.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\iYqUfKG.exe
  C:\Windows\System\iYqUfKG.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\gjHLfTS.exe
  C:\Windows\System\gjHLfTS.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\FKbAkoG.exe
  C:\Windows\System\FKbAkoG.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\VAtRaJT.exe
  C:\Windows\System\VAtRaJT.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\ZcPdzsW.exe
  C:\Windows\System\ZcPdzsW.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\UntqUDz.exe
  C:\Windows\System\UntqUDz.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\Fxmatzx.exe
  C:\Windows\System\Fxmatzx.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System\mnRKUvm.exe
  C:\Windows\System\mnRKUvm.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\xHapBQS.exe
  C:\Windows\System\xHapBQS.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\UGBhsZB.exe
  C:\Windows\System\UGBhsZB.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\vCFPCyO.exe
  C:\Windows\System\vCFPCyO.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\Jnkopct.exe
  C:\Windows\System\Jnkopct.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\TjSalcn.exe
  C:\Windows\System\TjSalcn.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\mGyKzvk.exe
  C:\Windows\System\mGyKzvk.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\VerBVnO.exe
  C:\Windows\System\VerBVnO.exe
  2⤵
  - Executes dropped EXE
  PID:5032

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

3.120.209.58:8080

2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe

260 B
5
3.120.209.58:8080

2024-12-19_044d3b2c5ac3e5b5e2853b70131b35ba_cobalt-strike_cobaltstrike_poet-rat.exe

156 B
3

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FKbAkoG.exe

Filesize
5.2MB

MD5
b4ecef6a2feb98ab2cf2cfe1498733e3

SHA1
23cacc1900584af3f3258b759fd202200e9879d0

SHA256
6a6552696b8650800ccd8a9f8dc664d74cd61c0c017eeacacfd8a0ce6d79be4e

SHA512
bcdf987e47db6da2a3a9db672a742f3b6d35d1aa3a4aa358d2c52b10291039ce951f649c0425732958c845cecb7d3119b1ac4c91f546da49851e192ec3cd4d25

Download Submit
C:\Windows\System\Fxmatzx.exe

Filesize
5.2MB

MD5
b167b9318d5d80cd46b7814011045697

SHA1
a1e051dd4347ac903532322bd2e9bab06d824d08

SHA256
c090b23fc84376d4d8d7283f2c273dc1dc08a4dccfea0c9cc8061f247ed6410e

SHA512
bbc1a698ab186120e864cb7f5826cb28fbd328b79fbc4e7a2d24b4c0992d6220a2709891d1a1012664db8f9f2ef01d270872917454805c977d5c57d8c5e6613c

Download Submit
C:\Windows\System\IgdbwTO.exe

Filesize
5.2MB

MD5
8f5674fa63d55681a16f168e1f9f748a

SHA1
2f1d7c751b97f8374c489c276e06b43b1f49ff80

SHA256
b664dd95be603ba3aad8819edcf9bc582fb893e66150c767f55cac74e8e6bf54

SHA512
f61d0473d604ffe429deece924ce000067c098cd274b52f847c138cbac4383d1507c280ea9407f4cfb723b106e73b5a018a5d551c59607190890d9565e782a64

Download Submit
C:\Windows\System\Jnkopct.exe

Filesize
5.2MB

MD5
92bcc545caea253b92291f22321876a4

SHA1
24ef5aa2a905e0dc52de56cb1b0c2a478b46532d

SHA256
420368c493cdd3153f2dc704a1cbd4db6ea193b6f6ee4b8c2cb259adb1295af8

SHA512
2139b2bea62672918b11f798f5b11166ce19dfe6d9884478470bb76f27784b7da7301b46bbe9d9a4003c22e42a923cf18cd55b36f8663717b22f54f32e67490d

Download Submit
C:\Windows\System\TjSalcn.exe

Filesize
5.2MB

MD5
51c8ee649d6f87d63747c3644da974b1

SHA1
cac39778537885a3fcd8fabd7e6b14be2486ce9e

SHA256
b49fcd8eb85f7e40c88a73f318ea7d4b0bb1cc3e819c9151690d0866c1aad23d

SHA512
0af2ae999660aa6e75ae9873394b4a39c0284c8a9402e659e9db4b64cab8691a3bd374a2f06fd1f980646819dbf805ff882e9d92f104076f599815e61e16cef8

Download Submit
C:\Windows\System\UGBhsZB.exe

Filesize
5.2MB

MD5
0f73341b0635c99927521a2612e1c358

SHA1
e73605a30bf2c0f05794809e7ea92f442b2024f7

SHA256
c36a9ada12d60300f4f2d3c696c32bbb5e8e29f9b55d6479e4a89e6fb9c1954a

SHA512
3dcfcad8a6ac3d5654f0bc0234a980575a731f2248a1ed266d647d7e974467d2b2cb7bfe2c1babeaaeadf151c2b998b28160c894201e0b64b3b5bdf908a0daec

Download Submit
C:\Windows\System\UntqUDz.exe

Filesize
5.2MB

MD5
4f18732310a322fb301c44282b3cdc40

SHA1
880de302a629bc62bd4a034ddd8ecbe8dd5b1238

SHA256
de3c1d1e90690248a8839bd376cbc7cf16284ea9b7fcae5410e9df66412e0082

SHA512
e2717f47ceac80891767066c96641dacc886334060eb02f8b80fd2569591d5392c8190ff12d2a6525d6fe9320a5279b1dd1799a5ad3cfdaa544c2976b25d73c4

Download Submit
C:\Windows\System\VAtRaJT.exe

Filesize
5.2MB

MD5
9068e3b485022d9b3cfc831fbb6c8b4b

SHA1
44740419b842166940431cff915c2710df4636be

SHA256
277bd7f54e7d8f0b5e49f6fc52c8ea2fc36bcc66dc894dacd041a4ae92eef9cb

SHA512
c42d6ea89c19fc8829f3ef144c97d91d6b1945509421ac820ddd01feaef717fd35aee350c7e5c6b8e8b4c7f16fa52fcbad95b63f41da001d12770e294640c343

Download Submit
C:\Windows\System\VerBVnO.exe

Filesize
5.2MB

MD5
d1a9a34dca91122eb31132de392e0fa3

SHA1
459d2f10e75df04032e105539889b87efa802124

SHA256
b216cee0600cde61646975bdf12c944603c17c77d423dfbbf7f064c6ed27da9c

SHA512
1e6419ec5d94f10201c67cff89ff01c4598cd8e714ce477dfdd5d09cdf30668ef4531ce1379464e2b1c4067c7b7640c550a67cd360abeffaf493f89c5c598a6d

Download Submit
C:\Windows\System\XFftnfG.exe

Filesize
5.2MB

MD5
ac6da6e7d6d768d2bb127b01410c22c5

SHA1
9efa9d1908a7e4c45753183aa04595d0e271d40b

SHA256
43569cb158d90fae06b072f2997330c8259eee2eef5e8703f5df98dd52e97dff

SHA512
a3405e8c25cd4124bcf5f5530f01ef572e928a605df27b9be45f0958bf342616dd674692c4dbdc35a878c47760650a1c0ea0fec27396c7bd0f02803825feda03

Download Submit
C:\Windows\System\ZcPdzsW.exe

Filesize
5.2MB

MD5
8259073b40b9753d6d59a9bbb230facc

SHA1
87a2c85501d8d5241dd591ebbb74b3ee93280c12

SHA256
48fca9b7513bed2f77c856f7b7e81e3f41271a8338de5834548bca116a4df355

SHA512
1f396b4aa9e3ad9703e61616b9f5fa9836c9a1d52dd1e6c2fbd5b57393499dbe469f9261a3108cce80268cee8fb2f140bf8e14b16f5053cb8e445f1ef86254ed

Download Submit
C:\Windows\System\aTFtFzG.exe

Filesize
5.2MB

MD5
2231a2f8171b288ed1104c3ee0fae4a9

SHA1
3e27c81d297191fe9fa9da9e56a3d988ca27f93c

SHA256
84b66d5b46c40e9456253a76978556cf447010c69d98ce1f44ef6ea538b83f6b

SHA512
8c197bc49c07628c68ee5ba1738fc11f4adf01a6ccd4e51b573150fac7357e581e07b37c59e753baa2f8e01ce1756b28ae61e8618e4d36cfef74d040728da6d3

Download Submit
C:\Windows\System\gjHLfTS.exe

Filesize
5.2MB

MD5
4b1725f3337c47af4b8a7feebb23bcb7

SHA1
47459af3b2b1f0f8923bf982ea148afe44c0b66d

SHA256
767019298ec9c79a620db874341e71734ccddb55ac089a35a323f2d2188b8fa8

SHA512
2af88ffae98f92921ea65c4d89bed9fff8439eb81f6d87543d5ae5d91b487d6b118917c003e25cd11233177bd674836a260ff9279937a1280bed189711854316

Download Submit
C:\Windows\System\iYqUfKG.exe

Filesize
5.2MB

MD5
86a5edba2a30d6710a07ddf9e3396a00

SHA1
7b5fd4c93ae0dd50a81e804846ca5c6eda135902

SHA256
0e9a900c01e8b3878d5523c2d0e8f72a2449648a68231c78162a4b5f32bfc101

SHA512
3952c35e84dd2af35b303572587afe8d861ac51cbdefcbf584a4ed4e1bc8fbe4e3f2c27ad2248593ba60d9d9137bcb7aae08d8375e7ad2913b1a8a52e9a9357f

Download Submit
C:\Windows\System\leFcbAX.exe

Filesize
5.2MB

MD5
9d8b0257e37bdfb459d59b00d947fca2

SHA1
a5b09e77142ef74a8f31055f56b1f18e999e0470

SHA256
493c65e90a8cb10a042dc26892530d5eda5f18cc1d025cfe525800efdef1c57e

SHA512
a3f758be598f50951c4a01701c5f65d7a0630dc1a37208bee9945706be39329627e2a335758f09d00db73f2b82041e32c582d6863d146bef63d9758fb6b72d05

Download Submit
C:\Windows\System\mGyKzvk.exe

Filesize
5.2MB

MD5
fe571505a8c94402dd424dae0ddbec76

SHA1
c654fdf8e55b3c4f5c4817d0f03c7216ffe753ac

SHA256
ffd60e26d8e2408ff2a49254419aedcfae5014e472aea8449762388879c243a4

SHA512
ab2f4e5400d861849629971a2a75002c016c6a3d1a52db8d7ec8c45d7462223a4389a6b995901effecefdbc166f230e3c06f945c96c39bc19039d566b23574a0

Download Submit
C:\Windows\System\mnRKUvm.exe

Filesize
5.2MB

MD5
2a64951f7c850ee9d57dd4b266476030

SHA1
1702d25a2ca8b55cc4d1194e0d509c7944245818

SHA256
5313d75ff1a090c5c032ce27efd035d00e2076a5ed1095afbd7f104360975fca

SHA512
657c94693263d5d24c8f6758b86e9eb156abda6efcf647a7e880840afcb7a7455eb68591af55e44f39f3f11d2598f1824e9d96f86be1df61e946ca2fd24ebd78

Download Submit
C:\Windows\System\pVzcHue.exe

Filesize
5.2MB

MD5
0e09bfa3ad2924534315db1fca7d757e

SHA1
b92ef3833d11ac0ef9c61570ed8869afb7d6d288

SHA256
9fe09bac3c97dd8a4c453e66ba7d0d29d0d485e04b7d5cd8be8eae32f7f19577

SHA512
db5c212054d8e9d95ffa7b8a937a8abccdc57b6808ef6112f629ce0259fb6115d9d482ad5046a1486fbde362ed75aa729673d81415ac68dd566aabcf2b9662ee

Download Submit
C:\Windows\System\uRjbuzu.exe

Filesize
5.2MB

MD5
cadfe51b4db8f2591dffb0e5e62bb679

SHA1
d1f17d10b9f9ee37e4b2f56b228d82619fe17791

SHA256
9d45b5f312cfd4ab2f79cc9acc269a4a445f91f6f7f4b0744a1af61ffd4dc027

SHA512
8291cf46da99d61f5596f6900dc821ca964b5cf7c47b3a8dbb612abefc3eeaaad374db1638d88cec301ab19925bee03f7d6f93fac03b853222a29d47e53a1f6d

Download Submit
C:\Windows\System\vCFPCyO.exe

Filesize
5.2MB

MD5
103d385cbad19f20d1d3f3d9f1966345

SHA1
e5f2ebe4c5eb00ca6eec560106d94b2f38daec68

SHA256
b5cd0bf5b4d71a1e2a73b397db8bf7e1ffff00af6c74bd5d9ad45b23101e31d2

SHA512
20aabd14d3e8364bc8e89bb20fe90db71f075e15bf9543fb9e095379d6f88108bca06500b381fd99376e67add602ca40496ad500a8a2b9cc46319b606cc7ae1a

Download Submit
C:\Windows\System\xHapBQS.exe

Filesize
5.2MB

MD5
3919de58b14038ddd9c763c711bbd3ca

SHA1
eb0f6a9b7542ae80fcafbcec41914cb63340c542

SHA256
9055ae2f85a37cd74edd973e10fab35a04da01f2445ae9974cbd12ef41ad2ba5

SHA512
0a700b9ede91872ca9b55fe7c43f9ffb5d75648a5f3d65633040e32773572cdbd1987d0bfffa3909ad2ec80e03f5f697dcb768da21b14ad430062145ff075fa1

Download Submit
memory/776-245-0x00007FF61B140000-0x00007FF61B491000-memory.dmp

Filesize
3.3MB

Download
memory/776-82-0x00007FF61B140000-0x00007FF61B491000-memory.dmp

Filesize
3.3MB

Download
memory/776-150-0x00007FF61B140000-0x00007FF61B491000-memory.dmp

Filesize
3.3MB

Download
memory/912-235-0x00007FF6B8360000-0x00007FF6B86B1000-memory.dmp

Filesize
3.3MB

Download
memory/912-60-0x00007FF6B8360000-0x00007FF6B86B1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-129-0x00007FF62C6C0000-0x00007FF62CA11000-memory.dmp

Filesize
3.3MB

Download
memory/1288-267-0x00007FF62C6C0000-0x00007FF62CA11000-memory.dmp

Filesize
3.3MB

Download
memory/1288-166-0x00007FF62C6C0000-0x00007FF62CA11000-memory.dmp

Filesize
3.3MB

Download
memory/1292-210-0x00007FF618BE0000-0x00007FF618F31000-memory.dmp

Filesize
3.3MB

Download
memory/1292-7-0x00007FF618BE0000-0x00007FF618F31000-memory.dmp

Filesize
3.3MB

Download
memory/1292-76-0x00007FF618BE0000-0x00007FF618F31000-memory.dmp

Filesize
3.3MB

Download
memory/1440-19-0x00007FF6DDB30000-0x00007FF6DDE81000-memory.dmp

Filesize
3.3MB

Download
memory/1440-216-0x00007FF6DDB30000-0x00007FF6DDE81000-memory.dmp

Filesize
3.3MB

Download
memory/1440-81-0x00007FF6DDB30000-0x00007FF6DDE81000-memory.dmp

Filesize
3.3MB

Download
memory/1840-108-0x00007FF638280000-0x00007FF6385D1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-233-0x00007FF638280000-0x00007FF6385D1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-54-0x00007FF638280000-0x00007FF6385D1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-121-0x00007FF70A230000-0x00007FF70A581000-memory.dmp

Filesize
3.3MB

Download
memory/2212-156-0x00007FF70A230000-0x00007FF70A581000-memory.dmp

Filesize
3.3MB

Download
memory/2212-263-0x00007FF70A230000-0x00007FF70A581000-memory.dmp

Filesize
3.3MB

Download
memory/2388-229-0x00007FF7DB280000-0x00007FF7DB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-47-0x00007FF7DB280000-0x00007FF7DB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-149-0x00007FF7C6710000-0x00007FF7C6A61000-memory.dmp

Filesize
3.3MB

Download
memory/2696-77-0x00007FF7C6710000-0x00007FF7C6A61000-memory.dmp

Filesize
3.3MB

Download
memory/2696-243-0x00007FF7C6710000-0x00007FF7C6A61000-memory.dmp

Filesize
3.3MB

Download
memory/2716-259-0x00007FF60C990000-0x00007FF60CCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-155-0x00007FF60C990000-0x00007FF60CCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-111-0x00007FF60C990000-0x00007FF60CCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-152-0x00007FF736A40000-0x00007FF736D91000-memory.dmp

Filesize
3.3MB

Download
memory/3048-257-0x00007FF736A40000-0x00007FF736D91000-memory.dmp

Filesize
3.3MB

Download
memory/3048-100-0x00007FF736A40000-0x00007FF736D91000-memory.dmp

Filesize
3.3MB

Download
memory/3156-138-0x00007FF72DB80000-0x00007FF72DED1000-memory.dmp

Filesize
3.3MB

Download
memory/3156-164-0x00007FF72DB80000-0x00007FF72DED1000-memory.dmp

Filesize
3.3MB

Download
memory/3156-269-0x00007FF72DB80000-0x00007FF72DED1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-214-0x00007FF7CB990000-0x00007FF7CBCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-69-0x00007FF7CB990000-0x00007FF7CBCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-14-0x00007FF7CB990000-0x00007FF7CBCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-89-0x00007FF6BAEA0000-0x00007FF6BB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-218-0x00007FF6BAEA0000-0x00007FF6BB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-24-0x00007FF6BAEA0000-0x00007FF6BB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4436-261-0x00007FF6DD7D0000-0x00007FF6DDB21000-memory.dmp

Filesize
3.3MB

Download
memory/4436-157-0x00007FF6DD7D0000-0x00007FF6DDB21000-memory.dmp

Filesize
3.3MB

Download
memory/4436-104-0x00007FF6DD7D0000-0x00007FF6DDB21000-memory.dmp

Filesize
3.3MB

Download
memory/4520-247-0x00007FF72F480000-0x00007FF72F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-70-0x00007FF72F480000-0x00007FF72F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-142-0x00007FF72F480000-0x00007FF72F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-153-0x00007FF61F510000-0x00007FF61F861000-memory.dmp

Filesize
3.3MB

Download
memory/4556-1-0x00000132946D0000-0x00000132946E0000-memory.dmp

Filesize
64KB

Download
memory/4556-63-0x00007FF61F510000-0x00007FF61F861000-memory.dmp

Filesize
3.3MB

Download
memory/4556-177-0x00007FF61F510000-0x00007FF61F861000-memory.dmp

Filesize
3.3MB

Download
memory/4556-0-0x00007FF61F510000-0x00007FF61F861000-memory.dmp

Filesize
3.3MB

Download
memory/4616-231-0x00007FF7AB9F0000-0x00007FF7ABD41000-memory.dmp

Filesize
3.3MB

Download
memory/4616-92-0x00007FF7AB9F0000-0x00007FF7ABD41000-memory.dmp

Filesize
3.3MB

Download
memory/4616-33-0x00007FF7AB9F0000-0x00007FF7ABD41000-memory.dmp

Filesize
3.3MB

Download
memory/4928-140-0x00007FF7161B0000-0x00007FF716501000-memory.dmp

Filesize
3.3MB

Download
memory/4928-248-0x00007FF7161B0000-0x00007FF716501000-memory.dmp

Filesize
3.3MB

Download
memory/4928-64-0x00007FF7161B0000-0x00007FF716501000-memory.dmp

Filesize
3.3MB

Download
memory/5032-141-0x00007FF688240000-0x00007FF688591000-memory.dmp

Filesize
3.3MB

Download
memory/5032-265-0x00007FF688240000-0x00007FF688591000-memory.dmp

Filesize
3.3MB

Download
memory/5036-227-0x00007FF7787B0000-0x00007FF778B01000-memory.dmp

Filesize
3.3MB

Download
memory/5036-45-0x00007FF7787B0000-0x00007FF778B01000-memory.dmp

Filesize
3.3MB

Download
memory/5060-88-0x00007FF735C10000-0x00007FF735F61000-memory.dmp

Filesize
3.3MB

Download
memory/5060-241-0x00007FF735C10000-0x00007FF735F61000-memory.dmp

Filesize
3.3MB

Download
memory/5060-151-0x00007FF735C10000-0x00007FF735F61000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.