cobaltstrike | 90d2ffb58c48cb95a48dcc63d8bc779dcffa8e5e9620af35b6d86d879a641c17

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

7a8eecc97d22483b370e7311f0d68809
SHA1

912b9410adede3fcb27e0ee19303ab0d1c7f15ca
SHA256

90d2ffb58c48cb95a48dcc63d8bc779dcffa8e5e9620af35b6d86d879a641c17
SHA512

e09ecc96d9d8bd32a4bc3f83a8f10b1e85f7b1b9e085f974a7b09ae2ce24350d10137dc8c14699cf4f605cc2dfc8af94879444355c0cc4a19d65ef60f1266a4f
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUm:Q+u56utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\XJPXEqU.exe	cobalt_reflective_dll
\Windows\system\GfxFbeM.exe	cobalt_reflective_dll
\Windows\system\EhKeMkp.exe	cobalt_reflective_dll
\Windows\system\AfWNpJc.exe	cobalt_reflective_dll
\Windows\system\zhMdPmD.exe	cobalt_reflective_dll
C:\Windows\system\yPFgTsS.exe	cobalt_reflective_dll
C:\Windows\system\RGrlpou.exe	cobalt_reflective_dll
C:\Windows\system\LnwNhaO.exe	cobalt_reflective_dll
C:\Windows\system\Wbyjuao.exe	cobalt_reflective_dll
C:\Windows\system\TGUDBIT.exe	cobalt_reflective_dll
C:\Windows\system\HIDmSmA.exe	cobalt_reflective_dll
C:\Windows\system\zrrKJsM.exe	cobalt_reflective_dll
\Windows\system\xxGNFZM.exe	cobalt_reflective_dll
C:\Windows\system\OveUbyb.exe	cobalt_reflective_dll
\Windows\system\gqFLXHV.exe	cobalt_reflective_dll
\Windows\system\KnORlPy.exe	cobalt_reflective_dll
\Windows\system\lpKLOvQ.exe	cobalt_reflective_dll
C:\Windows\system\zZeCgkl.exe	cobalt_reflective_dll
C:\Windows\system\AMtylHD.exe	cobalt_reflective_dll
C:\Windows\system\kbdBbFs.exe	cobalt_reflective_dll
C:\Windows\system\jiFJYJq.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\XJPXEqU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\GfxFbeM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\EhKeMkp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\AfWNpJc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zhMdPmD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yPFgTsS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RGrlpou.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LnwNhaO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\Wbyjuao.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TGUDBIT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HIDmSmA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zrrKJsM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xxGNFZM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OveUbyb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\gqFLXHV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KnORlPy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lpKLOvQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zZeCgkl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AMtylHD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kbdBbFs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jiFJYJq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 52 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1896-0-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
\Windows\system\XJPXEqU.exe	UPX
\Windows\system\GfxFbeM.exe	UPX
\Windows\system\EhKeMkp.exe	UPX
behavioral1/memory/2516-28-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
\Windows\system\AfWNpJc.exe	UPX
behavioral1/memory/1984-19-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
\Windows\system\zhMdPmD.exe	UPX
C:\Windows\system\yPFgTsS.exe	UPX
C:\Windows\system\RGrlpou.exe	UPX
C:\Windows\system\LnwNhaO.exe	UPX
C:\Windows\system\Wbyjuao.exe	UPX
C:\Windows\system\TGUDBIT.exe	UPX
C:\Windows\system\HIDmSmA.exe	UPX
C:\Windows\system\zrrKJsM.exe	UPX
behavioral1/memory/2604-100-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/1132-96-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2404-95-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/2532-94-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/2548-93-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
\Windows\system\xxGNFZM.exe	UPX
C:\Windows\system\OveUbyb.exe	UPX
\Windows\system\gqFLXHV.exe	UPX
behavioral1/memory/2644-50-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
\Windows\system\KnORlPy.exe	UPX
\Windows\system\lpKLOvQ.exe	UPX
behavioral1/memory/1692-81-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/1896-136-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/memory/1688-80-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2728-75-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
C:\Windows\system\zZeCgkl.exe	UPX
C:\Windows\system\AMtylHD.exe	UPX
behavioral1/memory/2364-70-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/2872-23-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
C:\Windows\system\kbdBbFs.exe	UPX
behavioral1/memory/2568-41-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
C:\Windows\system\jiFJYJq.exe	UPX
behavioral1/memory/2364-137-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/1984-139-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/memory/2516-140-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
behavioral1/memory/2872-141-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
behavioral1/memory/2568-142-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2644-143-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
behavioral1/memory/2728-144-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
behavioral1/memory/2364-145-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/1688-146-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/1692-147-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2532-148-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/2404-150-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/1132-151-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2548-149-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/2604-152-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX

XMRig Miner payload 58 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1896-0-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
\Windows\system\XJPXEqU.exe	xmrig
\Windows\system\GfxFbeM.exe	xmrig
\Windows\system\EhKeMkp.exe	xmrig
behavioral1/memory/2516-28-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/1896-27-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
\Windows\system\AfWNpJc.exe	xmrig
behavioral1/memory/1984-19-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/1896-17-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/1896-33-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
\Windows\system\zhMdPmD.exe	xmrig
C:\Windows\system\yPFgTsS.exe	xmrig
C:\Windows\system\RGrlpou.exe	xmrig
C:\Windows\system\LnwNhaO.exe	xmrig
C:\Windows\system\Wbyjuao.exe	xmrig
C:\Windows\system\TGUDBIT.exe	xmrig
C:\Windows\system\HIDmSmA.exe	xmrig
C:\Windows\system\zrrKJsM.exe	xmrig
behavioral1/memory/2604-100-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/1896-97-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/1132-96-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2404-95-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2532-94-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2548-93-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
\Windows\system\xxGNFZM.exe	xmrig
behavioral1/memory/1896-58-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
C:\Windows\system\OveUbyb.exe	xmrig
\Windows\system\gqFLXHV.exe	xmrig
behavioral1/memory/2644-50-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
\Windows\system\KnORlPy.exe	xmrig
\Windows\system\lpKLOvQ.exe	xmrig
behavioral1/memory/1692-81-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/1896-136-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/1688-80-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2728-75-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
C:\Windows\system\zZeCgkl.exe	xmrig
C:\Windows\system\AMtylHD.exe	xmrig
behavioral1/memory/2364-70-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/memory/2872-23-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
C:\Windows\system\kbdBbFs.exe	xmrig
behavioral1/memory/1896-43-0x0000000002470000-0x00000000027C4000-memory.dmp	xmrig
behavioral1/memory/2568-41-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
C:\Windows\system\jiFJYJq.exe	xmrig
behavioral1/memory/2364-137-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/memory/1984-139-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2516-140-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2872-141-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2568-142-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2644-143-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2728-144-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2364-145-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/memory/1688-146-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/1692-147-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2532-148-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2404-150-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/1132-151-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2548-149-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2604-152-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

XJPXEqU.exeGfxFbeM.exeEhKeMkp.exeAfWNpJc.exejiFJYJq.exekbdBbFs.exeOveUbyb.exeAMtylHD.exezZeCgkl.exelpKLOvQ.exeKnORlPy.exegqFLXHV.exexxGNFZM.exezhMdPmD.exeyPFgTsS.exeRGrlpou.exezrrKJsM.exeHIDmSmA.exeTGUDBIT.exeWbyjuao.exeLnwNhaO.exe

pid	process
1984	XJPXEqU.exe
2872	GfxFbeM.exe
2516	EhKeMkp.exe
2568	AfWNpJc.exe
2644	jiFJYJq.exe
2728	kbdBbFs.exe
2364	OveUbyb.exe
1692	AMtylHD.exe
1688	zZeCgkl.exe
2548	lpKLOvQ.exe
2532	KnORlPy.exe
2404	gqFLXHV.exe
1132	xxGNFZM.exe
2604	zhMdPmD.exe
2668	yPFgTsS.exe
2152	RGrlpou.exe
2144	zrrKJsM.exe
1228	HIDmSmA.exe
1596	TGUDBIT.exe
1548	Wbyjuao.exe
540	LnwNhaO.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1896-0-0x000000013F040000-0x000000013F394000-memory.dmp	upx
\Windows\system\XJPXEqU.exe	upx
\Windows\system\GfxFbeM.exe	upx
\Windows\system\EhKeMkp.exe	upx
behavioral1/memory/2516-28-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
\Windows\system\AfWNpJc.exe	upx
behavioral1/memory/1984-19-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
\Windows\system\zhMdPmD.exe	upx
C:\Windows\system\yPFgTsS.exe	upx
C:\Windows\system\RGrlpou.exe	upx
C:\Windows\system\LnwNhaO.exe	upx
C:\Windows\system\Wbyjuao.exe	upx
C:\Windows\system\TGUDBIT.exe	upx
C:\Windows\system\HIDmSmA.exe	upx
C:\Windows\system\zrrKJsM.exe	upx
behavioral1/memory/2604-100-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/1132-96-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2404-95-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2532-94-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2548-93-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
\Windows\system\xxGNFZM.exe	upx
C:\Windows\system\OveUbyb.exe	upx
\Windows\system\gqFLXHV.exe	upx
behavioral1/memory/2644-50-0x000000013F210000-0x000000013F564000-memory.dmp	upx
\Windows\system\KnORlPy.exe	upx
\Windows\system\lpKLOvQ.exe	upx
behavioral1/memory/1692-81-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/1896-136-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/memory/1688-80-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2728-75-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
C:\Windows\system\zZeCgkl.exe	upx
C:\Windows\system\AMtylHD.exe	upx
behavioral1/memory/2364-70-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/2872-23-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
C:\Windows\system\kbdBbFs.exe	upx
behavioral1/memory/2568-41-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
C:\Windows\system\jiFJYJq.exe	upx
behavioral1/memory/2364-137-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/1984-139-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2516-140-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2872-141-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2568-142-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2644-143-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2728-144-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2364-145-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/1688-146-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/1692-147-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2532-148-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2404-150-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/1132-151-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2548-149-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2604-152-0x000000013FE40000-0x0000000140194000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\KnORlPy.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gqFLXHV.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AMtylHD.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zhMdPmD.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yPFgTsS.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zrrKJsM.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HIDmSmA.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Wbyjuao.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GfxFbeM.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jiFJYJq.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zZeCgkl.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RGrlpou.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJPXEqU.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EhKeMkp.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kbdBbFs.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xxGNFZM.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TGUDBIT.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LnwNhaO.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AfWNpJc.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lpKLOvQ.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OveUbyb.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1896 wrote to memory of 1984	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	XJPXEqU.exe
PID 1896 wrote to memory of 1984	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	XJPXEqU.exe
PID 1896 wrote to memory of 1984	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	XJPXEqU.exe
PID 1896 wrote to memory of 2872	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	GfxFbeM.exe
PID 1896 wrote to memory of 2872	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	GfxFbeM.exe
PID 1896 wrote to memory of 2872	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	GfxFbeM.exe
PID 1896 wrote to memory of 2516	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	EhKeMkp.exe
PID 1896 wrote to memory of 2516	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	EhKeMkp.exe
PID 1896 wrote to memory of 2516	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	EhKeMkp.exe
PID 1896 wrote to memory of 2728	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	kbdBbFs.exe
PID 1896 wrote to memory of 2728	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	kbdBbFs.exe
PID 1896 wrote to memory of 2728	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	kbdBbFs.exe
PID 1896 wrote to memory of 2568	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	AfWNpJc.exe
PID 1896 wrote to memory of 2568	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	AfWNpJc.exe
PID 1896 wrote to memory of 2568	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	AfWNpJc.exe
PID 1896 wrote to memory of 2548	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	lpKLOvQ.exe
PID 1896 wrote to memory of 2548	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	lpKLOvQ.exe
PID 1896 wrote to memory of 2548	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	lpKLOvQ.exe
PID 1896 wrote to memory of 2644	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	jiFJYJq.exe
PID 1896 wrote to memory of 2644	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	jiFJYJq.exe
PID 1896 wrote to memory of 2644	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	jiFJYJq.exe
PID 1896 wrote to memory of 2532	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	KnORlPy.exe
PID 1896 wrote to memory of 2532	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	KnORlPy.exe
PID 1896 wrote to memory of 2532	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	KnORlPy.exe
PID 1896 wrote to memory of 2364	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	OveUbyb.exe
PID 1896 wrote to memory of 2364	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	OveUbyb.exe
PID 1896 wrote to memory of 2364	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	OveUbyb.exe
PID 1896 wrote to memory of 2404	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	gqFLXHV.exe
PID 1896 wrote to memory of 2404	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	gqFLXHV.exe
PID 1896 wrote to memory of 2404	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	gqFLXHV.exe
PID 1896 wrote to memory of 1692	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	AMtylHD.exe
PID 1896 wrote to memory of 1692	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	AMtylHD.exe
PID 1896 wrote to memory of 1692	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	AMtylHD.exe
PID 1896 wrote to memory of 1132	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	xxGNFZM.exe
PID 1896 wrote to memory of 1132	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	xxGNFZM.exe
PID 1896 wrote to memory of 1132	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	xxGNFZM.exe
PID 1896 wrote to memory of 1688	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zZeCgkl.exe
PID 1896 wrote to memory of 1688	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zZeCgkl.exe
PID 1896 wrote to memory of 1688	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zZeCgkl.exe
PID 1896 wrote to memory of 2604	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zhMdPmD.exe
PID 1896 wrote to memory of 2604	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zhMdPmD.exe
PID 1896 wrote to memory of 2604	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zhMdPmD.exe
PID 1896 wrote to memory of 2668	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	yPFgTsS.exe
PID 1896 wrote to memory of 2668	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	yPFgTsS.exe
PID 1896 wrote to memory of 2668	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	yPFgTsS.exe
PID 1896 wrote to memory of 2152	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	RGrlpou.exe
PID 1896 wrote to memory of 2152	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	RGrlpou.exe
PID 1896 wrote to memory of 2152	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	RGrlpou.exe
PID 1896 wrote to memory of 2144	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zrrKJsM.exe
PID 1896 wrote to memory of 2144	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zrrKJsM.exe
PID 1896 wrote to memory of 2144	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	zrrKJsM.exe
PID 1896 wrote to memory of 1228	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	HIDmSmA.exe
PID 1896 wrote to memory of 1228	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	HIDmSmA.exe
PID 1896 wrote to memory of 1228	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	HIDmSmA.exe
PID 1896 wrote to memory of 1596	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	TGUDBIT.exe
PID 1896 wrote to memory of 1596	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	TGUDBIT.exe
PID 1896 wrote to memory of 1596	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	TGUDBIT.exe
PID 1896 wrote to memory of 1548	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	Wbyjuao.exe
PID 1896 wrote to memory of 1548	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	Wbyjuao.exe
PID 1896 wrote to memory of 1548	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	Wbyjuao.exe
PID 1896 wrote to memory of 540	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	LnwNhaO.exe
PID 1896 wrote to memory of 540	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	LnwNhaO.exe
PID 1896 wrote to memory of 540	1896	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	LnwNhaO.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\System\XJPXEqU.exe
C:\Windows\System\XJPXEqU.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\GfxFbeM.exe
C:\Windows\System\GfxFbeM.exe
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\System\EhKeMkp.exe
C:\Windows\System\EhKeMkp.exe
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\System\kbdBbFs.exe
C:\Windows\System\kbdBbFs.exe
2⤵
- Executes dropped EXE
PID:2728

C:\Windows\System\AfWNpJc.exe
C:\Windows\System\AfWNpJc.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\lpKLOvQ.exe
C:\Windows\System\lpKLOvQ.exe
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\System\jiFJYJq.exe
C:\Windows\System\jiFJYJq.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\KnORlPy.exe
C:\Windows\System\KnORlPy.exe
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\System\OveUbyb.exe
C:\Windows\System\OveUbyb.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\gqFLXHV.exe
C:\Windows\System\gqFLXHV.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\AMtylHD.exe
C:\Windows\System\AMtylHD.exe
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\System\xxGNFZM.exe
C:\Windows\System\xxGNFZM.exe
2⤵
- Executes dropped EXE
PID:1132

C:\Windows\System\zZeCgkl.exe
C:\Windows\System\zZeCgkl.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System\zhMdPmD.exe
C:\Windows\System\zhMdPmD.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\yPFgTsS.exe
C:\Windows\System\yPFgTsS.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\RGrlpou.exe
C:\Windows\System\RGrlpou.exe
2⤵
- Executes dropped EXE
PID:2152

C:\Windows\System\zrrKJsM.exe
C:\Windows\System\zrrKJsM.exe
2⤵
- Executes dropped EXE
PID:2144

C:\Windows\System\HIDmSmA.exe
C:\Windows\System\HIDmSmA.exe
2⤵
- Executes dropped EXE
PID:1228

C:\Windows\System\TGUDBIT.exe
C:\Windows\System\TGUDBIT.exe
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\System\Wbyjuao.exe
C:\Windows\System\Wbyjuao.exe
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\System\LnwNhaO.exe
C:\Windows\System\LnwNhaO.exe
2⤵
- Executes dropped EXE
PID:540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AMtylHD.exe
Filesize
5.9MB

MD5
bf701f1824b2ccf3e8e949301e39ef74

SHA1
ac3acadf2b93f948b145cde2c110f26e66427316

SHA256
176abaf1963f229ac50fea4fb14396571c1d4ad67462824036b124430a2212a1

SHA512
d16d3515c4ed1b82fd4e7a3428642c81fc73b01f95b796280193e942fcb8be73445a389c4c9daee60a8e46010310f6b8fc3e11bba9ffb7eed1721876a066364e

Download Submit
C:\Windows\system\HIDmSmA.exe
Filesize
5.9MB

MD5
890bb495b5bc9e77e97cc97052d0363f

SHA1
fce9285eca0d13e0ca1a058aff5285031227400d

SHA256
c664cd06479c24a1dfd812ecae913b08be311365cbbd1114ad2ecee955300077

SHA512
15b03d61cd591f99952ea02314d6a445aa9f938f50c2ed21fce128ab5cca031724b6502deb6d656df1eb74d3a425732a268bb25abf4d1729fb82a5f35f773c66

Download Submit
C:\Windows\system\LnwNhaO.exe
Filesize
5.9MB

MD5
fdcd5a92c8b9b73b9728f3afe6ab7277

SHA1
8be86af01a495c0b8bb1ec9493d2b87f9063e9f5

SHA256
c5dbae25374eb31b0649b4dc1452e8d37b46601b4fb765b2ee065121eded4a92

SHA512
e17dc5ce5d532b2a4c5d12a003a08ba80317cdc6d6d979912f1a98967813be477a316551977dbe839c5445bf79421e23144c5d3cdccfcc49a70bd847d98dbb63

Download Submit
C:\Windows\system\OveUbyb.exe
Filesize
5.9MB

MD5
627521511850332a221bb088e2c3553f

SHA1
d86fe7be86b4ba40508a103dddf9df5dcd084b97

SHA256
3e1c4d71d3d557e63c9c32c2e465401d72a952cfa61562051540636b74314be1

SHA512
c018c9ab9f2ce63082e5e332922a24f4116b3f908b3899361f43748fb3cdf76c694543e7eac21717d889adafd9e14f1f9c0003b127f0918da0f27a3898851fc9

Download Submit
C:\Windows\system\RGrlpou.exe
Filesize
5.9MB

MD5
2eba83bde0dbc968979aaee8958504a3

SHA1
e6fbdb8d9179288b164d0ebc933cea8beb20afc8

SHA256
8c14d2d055321d57d8701061a80997e05876c07e0d2afb3de530aa294e83004c

SHA512
f373718c26fc9e82b7740f4e58923e73b960e9f93e206f8fdc7e3fb5c70efff525baab78bf6a3c395caca1addedc8cd92c932de5b8358df25e6429a5d1e3a60b

Download Submit
C:\Windows\system\TGUDBIT.exe
Filesize
5.9MB

MD5
353c523f4b9fc53040ef8ff3baafe680

SHA1
125e70df5cf0e6ba63d9c8f0b8910a3232162f57

SHA256
79722c34011b76d244198eb10a48e40a654d34df25df8cfd410d36cf6a845a4b

SHA512
7fecb47318d151aee335b9d05f2ba2e26baf6bbaf44c97167c3c37b08f9b0e2f6717c35ef02132b8fc6fa50d6ce3c67bbf4e2120930541aa3e3f813c2885d211

Download Submit
C:\Windows\system\Wbyjuao.exe
Filesize
5.9MB

MD5
987a5c3fa51dadbffb965ad5a63b6170

SHA1
33d5529b3909a83717c14f7cbf511c368c5b40a5

SHA256
44e72931a181a6f4c1c5fbe4afa4fc1609ce1a887cf7d3d85547357ea7bac970

SHA512
a58f5ce2d3ee6729bb80e22445d49da32a5b8b1ae1dfdd11ff83f984f9c60ad2bba637f7c903aefe3f6a43098654b8c11f6203d3c5a78afd486328c4a96ccb33

Download Submit
C:\Windows\system\jiFJYJq.exe
Filesize
5.9MB

MD5
a488f3ab5a466296fc50a7fc235f25a9

SHA1
f14ac4d68d8ad45c2add667f7a7bbcfbf1edcb62

SHA256
45deb57098052e7547826577071c9b4b6828378d5655a84b51faff91d413d602

SHA512
54efeb5deafad68a52175b6877e6433f7a38a91627a86dd8f725c001df913040eb7adbd63acf8c90f984a6cfa655e88117492ca3043c342e263801d433b0d491

Download Submit
C:\Windows\system\kbdBbFs.exe
Filesize
5.9MB

MD5
724d315202cca63478458b1ac7624a9d

SHA1
52ba4d25b52e77bf79335179de3bfd8f5d032b58

SHA256
1df35e426f4cc570473da327302b433772faf3a460ee8b44b7f1ad813869f61d

SHA512
b18a40a1417890031adf357875d9e7d0a94eb691db9a6a027384958737f9fd73630538ef5b6910f48017c29f0a1e094d58ec08563db2ab011dcd5843ff6c15c0

Download Submit
C:\Windows\system\yPFgTsS.exe
Filesize
5.9MB

MD5
fe6ad86da097ce0ead43b17cc5d5e6b6

SHA1
830153148c1fd506ce1002b7e85b32a12d575fe9

SHA256
6f1c955206fee91f92a09975ea7a31ff55d0bed22b438e03a792dde7dfe5ab90

SHA512
b35c6ec234c1efa43b651877bd4e82e7214b3f573a27787e54d3917aba12dc765a9347a3ba551c60d47686350f0229ba5b754ad7cc6be8771aa55cd972310483

Download Submit
C:\Windows\system\zZeCgkl.exe
Filesize
5.9MB

MD5
cbf372358a18e5554b6175c3e3d88b44

SHA1
77ccbf0996c59385f17e8cb57b5852c26acc6366

SHA256
a7b4dcfb0ec8a555afdd20aab998eaabdadba52bbb5a90dec5bb4fe68c14d92c

SHA512
263b48bec000acf08a0d923a9093ee6ba6706fd89e57dc77488b690e777177329296ed9d229e9eb2e35d8bdfa7d68ea173a6025ddb2b8daad7efd7fff4c3b0dd

Download Submit
C:\Windows\system\zrrKJsM.exe
Filesize
5.9MB

MD5
efdfb1eb9d7660c5705be95001a6645a

SHA1
88e3b7d436f8dbb18a6710ff74515a4b51afdd4d

SHA256
3e1e751bf54d6dfb04fffa0603785793387608fbc3b6234ef3b97ea386f919b4

SHA512
1e69fbb1fa9e937a6e17da766b4414ffdc2d184ebd045797bb921e11677b06e9ccb8e19baa35804705cbecfdc9f853b6bf57bf90c51822c0681b0c5b155b6fbd

Download Submit
\Windows\system\AfWNpJc.exe
Filesize
5.9MB

MD5
d529386808bcc0330fbd6674280af922

SHA1
98fa7ac51e799d9f647d0fb6b2f3e908ef7840ff

SHA256
1734b566a06eabe57a7436a7ef8f5c4d4bbf91ee8c4609c086e8e2702eb9ed07

SHA512
4ba71ab41a2e2a727acc731adee16ad9783907d4467522335363974fe8c924e764aa4987985f148028f0a482c3cc5a69a60fc2369cbd82c88eb3e715fa588088

Download Submit
\Windows\system\EhKeMkp.exe
Filesize
5.9MB

MD5
d43cbee7157a95775ed042e3e1549123

SHA1
3d2077e5089145e20d3426f58ccb6cff5215a1ed

SHA256
c685dd7814e22c316ea026d6399b8f4f1e51437e259fd386e54aee4f8a714deb

SHA512
7fe13e93a84920bf8b7d49facda9bc478398222637f2caaa633566405e784fd0a5bbb3883608e63d4b654869c8865acd73b48a3daf894fe10b736dc65f1531d3

Download Submit
\Windows\system\GfxFbeM.exe
Filesize
5.9MB

MD5
f0277e726d71ebc442866d2b97b99815

SHA1
c5732d6a540bfb4ce3bedc1af677995f02db2a30

SHA256
b72a182bb61efc7e54eafe5ecd84d1d62c16d5d7bbc364fed82466aff1c539f9

SHA512
030cf424725e1cf34dbfb54a109f37e45e56ff6c70acabcf65aa67a2b2acbb032b6ff6dbefa8ac58d91df1a23c2558997c45bf2d267eb955fb2e2a93ecaa07ea

Download Submit
\Windows\system\KnORlPy.exe
Filesize
5.9MB

MD5
a2480b3337b06820b7f44553308d47da

SHA1
3acfc4a4c7fd5d89ebac322a576b483d4aa8243a

SHA256
7c3180b294c3a8024c76a698cb5a2e3859eb40c3851acb4ae531e57d41ceeb88

SHA512
0985bdad540e985518493eefec248091ea46cace96f879fe9e79d300e5d170e48f9d191c6fc718f58860d9f46712ab1206535fd7eeb6fd45d0b0100004517fb3

Download Submit
\Windows\system\XJPXEqU.exe
Filesize
5.9MB

MD5
25f1ee96df098baab17df3d96e90b3c0

SHA1
65707f5d4a5c11c946ba0b5cd46464f80616eb45

SHA256
dc27e49f532ffcbad6491bb0a1c1af9ed7c67f53d1e37b0d14e835b2b54a2f55

SHA512
44c11905ad66f315e5a6110ac1cbf4bd71309c7bd1c19547004476c26b3b91f97b1810228304af7429520413f94f6e47827deb774fd3b07474352f20cd262157

Download Submit
\Windows\system\gqFLXHV.exe
Filesize
5.9MB

MD5
7d0b5668dbda9d97a83c40baefd3deac

SHA1
9bbe88d0c20d9a1d7cb278d1ce53660b2753b6a6

SHA256
67aa9db8083a945ea907c8a9cf8421a96fe7bd727a426d50e0c50f402daf7441

SHA512
5a8454173441739e0d7db6d944cac9255b6cae51436d8975d8b5fc2a965e599554dd632e171222d3324f748561335b8e3152eee1e48e5bfc5fd624a0f8401f38

Download Submit
\Windows\system\lpKLOvQ.exe
Filesize
5.9MB

MD5
729752e0f2ee200b54fef6d1ce8ed040

SHA1
37ee3b7568aaf52a84af38b6f62f40b2dce31be3

SHA256
83e224528f6fe6d92097d760a8ec2dcb45230f4ed26ac6392885873a19bb42f7

SHA512
8d12a61c4b9264792b7a85621f8b77efb28bcada70cf8ee0e50b2ba2a6d0536a5cd11cae1c3dd3c87843903fb715250338b3be5eee6389081e86cbafdc8f942d

Download Submit
\Windows\system\xxGNFZM.exe
Filesize
5.9MB

MD5
06720a76c4f045f04a9d1283eabfec04

SHA1
190d8f80ede48165c273f36e11dc10cf2fcec77b

SHA256
467a33b973336f701f5e33ef07f8aa3dc22bc9db843961ddbd9935e21e56a474

SHA512
579cd39e126992f68e5a5ec5137aa12c3722625cf2b3e6e165f15cce1e8d1fc76553dcadfd53f5d6bf57f5a3662c190a813e7e6e14b964e892aedb2843e0826a

Download Submit
\Windows\system\zhMdPmD.exe
Filesize
5.9MB

MD5
96338d7d0ce72abf6a0dcb613708a6e5

SHA1
f92078ac204d816fc3e063da0ba596e7b6ef89c9

SHA256
c8ffb688483350c42be65b2f2c92ee7031d5a033663b9da43f8fc69db299a16b

SHA512
674997436db7621db08f27c96e71d8fd0c72e1caa6bc4063e1b3ebc492a3b3ba0d843a4edaf007777a5f5db7c4ff4daae94afdfb2fd36d1f88c690b97a2b8756

Download Submit
memory/1132-151-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1132-96-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-146-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-80-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1692-147-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/1692-81-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/1896-71-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1896-43-0x0000000002470000-0x00000000027C4000-memory.dmp

Filesize
3.3MB

Download
memory/1896-33-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/1896-79-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1896-106-0x0000000002470000-0x00000000027C4000-memory.dmp

Filesize
3.3MB

Download
memory/1896-46-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1896-17-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/1896-0-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/1896-97-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1896-136-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/1896-138-0x0000000002470000-0x00000000027C4000-memory.dmp

Filesize
3.3MB

Download
memory/1896-78-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/1896-76-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/1896-38-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/1896-39-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1896-27-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/1896-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1896-58-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1896-62-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/1984-19-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/1984-139-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2364-145-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2364-70-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2364-137-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2404-95-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2404-150-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2516-28-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2516-140-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-148-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2532-94-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2548-149-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2548-93-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2568-142-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-41-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-100-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2604-152-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2644-143-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2644-50-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2728-75-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2728-144-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2872-23-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2872-141-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download