cobaltstrike | b501f3100bfac73023d7772e7fec733787acf11561c6c0bd6c0f34ba0682ae58

Analysis

max time kernel
135s
max time network
144s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

2d406d9f1318c70a630caebc5f9cd253
SHA1

c3af47f0cc5b6a85956ce9fea7691bb3320a8a5c
SHA256

b501f3100bfac73023d7772e7fec733787acf11561c6c0bd6c0f34ba0682ae58
SHA512

4c240306750f36661f1ed4fb20edc53f2074f4f6c288ed7baa7a779f137d7dfb3799bd8c3e1c0d9fefb05c63d5070b85d9cdbfcdde253d81ed96ecf21b8284ff
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUj:Q+856utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\YePAPIE.exe	cobalt_reflective_dll
C:\Windows\system\VOgZmbs.exe	cobalt_reflective_dll
\Windows\system\rfVwMtM.exe	cobalt_reflective_dll
C:\Windows\system\kwlBJrK.exe	cobalt_reflective_dll
\Windows\system\XZWzjof.exe	cobalt_reflective_dll
\Windows\system\JBIFflc.exe	cobalt_reflective_dll
\Windows\system\JIxBjWt.exe	cobalt_reflective_dll
\Windows\system\TFmBXTG.exe	cobalt_reflective_dll
C:\Windows\system\cBxOxZh.exe	cobalt_reflective_dll
\Windows\system\ujUsZtM.exe	cobalt_reflective_dll
\Windows\system\EqAlnhl.exe	cobalt_reflective_dll
\Windows\system\AtDCTMr.exe	cobalt_reflective_dll
\Windows\system\GrPOdOT.exe	cobalt_reflective_dll
C:\Windows\system\ZJagHJi.exe	cobalt_reflective_dll
C:\Windows\system\QdUFpYp.exe	cobalt_reflective_dll
\Windows\system\cyevwoA.exe	cobalt_reflective_dll
C:\Windows\system\mQStkON.exe	cobalt_reflective_dll
C:\Windows\system\ljLTzpX.exe	cobalt_reflective_dll
\Windows\system\qNPZMCd.exe	cobalt_reflective_dll
C:\Windows\system\KMWGrVX.exe	cobalt_reflective_dll
C:\Windows\system\lenyjLB.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\YePAPIE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VOgZmbs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\rfVwMtM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kwlBJrK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\XZWzjof.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\JBIFflc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\JIxBjWt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\TFmBXTG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cBxOxZh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ujUsZtM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\EqAlnhl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\AtDCTMr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\GrPOdOT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZJagHJi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QdUFpYp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\cyevwoA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mQStkON.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ljLTzpX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\qNPZMCd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KMWGrVX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lenyjLB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 53 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1028-0-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
C:\Windows\system\YePAPIE.exe	UPX
C:\Windows\system\VOgZmbs.exe	UPX
\Windows\system\rfVwMtM.exe	UPX
behavioral1/memory/2652-23-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2012-22-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
C:\Windows\system\kwlBJrK.exe	UPX
\Windows\system\XZWzjof.exe	UPX
\Windows\system\JBIFflc.exe	UPX
behavioral1/memory/2656-41-0x000000013F600000-0x000000013F954000-memory.dmp	UPX
\Windows\system\JIxBjWt.exe	UPX
behavioral1/memory/2628-44-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2816-37-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/1740-18-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
\Windows\system\TFmBXTG.exe	UPX
C:\Windows\system\cBxOxZh.exe	UPX
behavioral1/memory/2540-57-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
\Windows\system\ujUsZtM.exe	UPX
behavioral1/memory/1028-68-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
\Windows\system\EqAlnhl.exe	UPX
behavioral1/memory/2872-51-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
\Windows\system\AtDCTMr.exe	UPX
\Windows\system\GrPOdOT.exe	UPX
C:\Windows\system\ZJagHJi.exe	UPX
C:\Windows\system\QdUFpYp.exe	UPX
\Windows\system\cyevwoA.exe	UPX
behavioral1/memory/2908-130-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	UPX
behavioral1/memory/3044-132-0x000000013FAD0000-0x000000013FE24000-memory.dmp	UPX
C:\Windows\system\mQStkON.exe	UPX
behavioral1/memory/2868-122-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
C:\Windows\system\ljLTzpX.exe	UPX
behavioral1/memory/2692-116-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/316-120-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/1160-119-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
\Windows\system\qNPZMCd.exe	UPX
C:\Windows\system\KMWGrVX.exe	UPX
C:\Windows\system\lenyjLB.exe	UPX
behavioral1/memory/2816-135-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2540-136-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/2652-141-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2012-140-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/1740-139-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
behavioral1/memory/2656-143-0x000000013F600000-0x000000013F954000-memory.dmp	UPX
behavioral1/memory/2628-144-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2816-142-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2872-145-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/2692-147-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2540-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/1160-148-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/316-149-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/2868-150-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/3044-151-0x000000013FAD0000-0x000000013FE24000-memory.dmp	UPX
behavioral1/memory/2908-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	UPX

XMRig Miner payload 54 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1028-0-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
C:\Windows\system\YePAPIE.exe	xmrig
C:\Windows\system\VOgZmbs.exe	xmrig
\Windows\system\rfVwMtM.exe	xmrig
behavioral1/memory/2652-23-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2012-22-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
C:\Windows\system\kwlBJrK.exe	xmrig
\Windows\system\XZWzjof.exe	xmrig
\Windows\system\JBIFflc.exe	xmrig
behavioral1/memory/2656-41-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
\Windows\system\JIxBjWt.exe	xmrig
behavioral1/memory/2628-44-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/1028-43-0x0000000002250000-0x00000000025A4000-memory.dmp	xmrig
behavioral1/memory/2816-37-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/1740-18-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
\Windows\system\TFmBXTG.exe	xmrig
C:\Windows\system\cBxOxZh.exe	xmrig
behavioral1/memory/2540-57-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
\Windows\system\ujUsZtM.exe	xmrig
behavioral1/memory/1028-68-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
\Windows\system\EqAlnhl.exe	xmrig
behavioral1/memory/2872-51-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
\Windows\system\AtDCTMr.exe	xmrig
\Windows\system\GrPOdOT.exe	xmrig
C:\Windows\system\ZJagHJi.exe	xmrig
C:\Windows\system\QdUFpYp.exe	xmrig
\Windows\system\cyevwoA.exe	xmrig
behavioral1/memory/2908-130-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/3044-132-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
C:\Windows\system\mQStkON.exe	xmrig
behavioral1/memory/2868-122-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
C:\Windows\system\ljLTzpX.exe	xmrig
behavioral1/memory/2692-116-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/316-120-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/1160-119-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
\Windows\system\qNPZMCd.exe	xmrig
C:\Windows\system\KMWGrVX.exe	xmrig
C:\Windows\system\lenyjLB.exe	xmrig
behavioral1/memory/2816-135-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2540-136-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2652-141-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2012-140-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/1740-139-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2656-143-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
behavioral1/memory/2628-144-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2816-142-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2872-145-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/2692-147-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2540-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/1160-148-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/316-149-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2868-150-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/3044-151-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/2908-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

YePAPIE.exerfVwMtM.exeVOgZmbs.exekwlBJrK.exeXZWzjof.exeJBIFflc.exeJIxBjWt.exeTFmBXTG.execBxOxZh.exeujUsZtM.exeEqAlnhl.exelenyjLB.exeKMWGrVX.exeqNPZMCd.exeAtDCTMr.exeGrPOdOT.exeQdUFpYp.exeZJagHJi.execyevwoA.exeljLTzpX.exemQStkON.exe

pid	process
1740	YePAPIE.exe
2012	rfVwMtM.exe
2652	VOgZmbs.exe
2816	kwlBJrK.exe
2656	XZWzjof.exe
2628	JBIFflc.exe
2872	JIxBjWt.exe
2540	TFmBXTG.exe
2692	cBxOxZh.exe
1160	ujUsZtM.exe
316	EqAlnhl.exe
2868	lenyjLB.exe
2908	KMWGrVX.exe
3044	qNPZMCd.exe
812	AtDCTMr.exe
2740	GrPOdOT.exe
1984	QdUFpYp.exe
2720	ZJagHJi.exe
1968	cyevwoA.exe
2920	ljLTzpX.exe
1464	mQStkON.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1028-0-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
C:\Windows\system\YePAPIE.exe	upx
C:\Windows\system\VOgZmbs.exe	upx
\Windows\system\rfVwMtM.exe	upx
behavioral1/memory/2652-23-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2012-22-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
C:\Windows\system\kwlBJrK.exe	upx
\Windows\system\XZWzjof.exe	upx
\Windows\system\JBIFflc.exe	upx
behavioral1/memory/2656-41-0x000000013F600000-0x000000013F954000-memory.dmp	upx
\Windows\system\JIxBjWt.exe	upx
behavioral1/memory/2628-44-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2816-37-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/1740-18-0x000000013F620000-0x000000013F974000-memory.dmp	upx
\Windows\system\TFmBXTG.exe	upx
C:\Windows\system\cBxOxZh.exe	upx
behavioral1/memory/2540-57-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
\Windows\system\ujUsZtM.exe	upx
behavioral1/memory/1028-68-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
\Windows\system\EqAlnhl.exe	upx
behavioral1/memory/2872-51-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
\Windows\system\AtDCTMr.exe	upx
\Windows\system\GrPOdOT.exe	upx
C:\Windows\system\ZJagHJi.exe	upx
C:\Windows\system\QdUFpYp.exe	upx
\Windows\system\cyevwoA.exe	upx
behavioral1/memory/2908-130-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/3044-132-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
C:\Windows\system\mQStkON.exe	upx
behavioral1/memory/2868-122-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
C:\Windows\system\ljLTzpX.exe	upx
behavioral1/memory/2692-116-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/316-120-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/1160-119-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
\Windows\system\qNPZMCd.exe	upx
C:\Windows\system\KMWGrVX.exe	upx
C:\Windows\system\lenyjLB.exe	upx
behavioral1/memory/2816-135-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2540-136-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2652-141-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2012-140-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/1740-139-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2656-143-0x000000013F600000-0x000000013F954000-memory.dmp	upx
behavioral1/memory/2628-144-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2816-142-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2872-145-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/2692-147-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2540-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/1160-148-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/316-149-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2868-150-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/3044-151-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/memory/2908-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\VOgZmbs.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qNPZMCd.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cyevwoA.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mQStkON.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YePAPIE.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kwlBJrK.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JIxBjWt.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TFmBXTG.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EqAlnhl.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GrPOdOT.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cBxOxZh.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ujUsZtM.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lenyjLB.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QdUFpYp.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ljLTzpX.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfVwMtM.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JBIFflc.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XZWzjof.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KMWGrVX.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AtDCTMr.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZJagHJi.exe	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1028 wrote to memory of 1740	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	YePAPIE.exe
PID 1028 wrote to memory of 1740	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	YePAPIE.exe
PID 1028 wrote to memory of 1740	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	YePAPIE.exe
PID 1028 wrote to memory of 2012	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	rfVwMtM.exe
PID 1028 wrote to memory of 2012	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	rfVwMtM.exe
PID 1028 wrote to memory of 2012	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	rfVwMtM.exe
PID 1028 wrote to memory of 2652	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	VOgZmbs.exe
PID 1028 wrote to memory of 2652	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	VOgZmbs.exe
PID 1028 wrote to memory of 2652	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	VOgZmbs.exe
PID 1028 wrote to memory of 2816	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	kwlBJrK.exe
PID 1028 wrote to memory of 2816	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	kwlBJrK.exe
PID 1028 wrote to memory of 2816	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	kwlBJrK.exe
PID 1028 wrote to memory of 2628	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	JBIFflc.exe
PID 1028 wrote to memory of 2628	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	JBIFflc.exe
PID 1028 wrote to memory of 2628	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	JBIFflc.exe
PID 1028 wrote to memory of 2656	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	XZWzjof.exe
PID 1028 wrote to memory of 2656	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	XZWzjof.exe
PID 1028 wrote to memory of 2656	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	XZWzjof.exe
PID 1028 wrote to memory of 2872	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	JIxBjWt.exe
PID 1028 wrote to memory of 2872	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	JIxBjWt.exe
PID 1028 wrote to memory of 2872	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	JIxBjWt.exe
PID 1028 wrote to memory of 2540	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	TFmBXTG.exe
PID 1028 wrote to memory of 2540	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	TFmBXTG.exe
PID 1028 wrote to memory of 2540	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	TFmBXTG.exe
PID 1028 wrote to memory of 2692	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	cBxOxZh.exe
PID 1028 wrote to memory of 2692	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	cBxOxZh.exe
PID 1028 wrote to memory of 2692	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	cBxOxZh.exe
PID 1028 wrote to memory of 1160	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ujUsZtM.exe
PID 1028 wrote to memory of 1160	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ujUsZtM.exe
PID 1028 wrote to memory of 1160	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ujUsZtM.exe
PID 1028 wrote to memory of 316	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	EqAlnhl.exe
PID 1028 wrote to memory of 316	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	EqAlnhl.exe
PID 1028 wrote to memory of 316	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	EqAlnhl.exe
PID 1028 wrote to memory of 2868	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	lenyjLB.exe
PID 1028 wrote to memory of 2868	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	lenyjLB.exe
PID 1028 wrote to memory of 2868	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	lenyjLB.exe
PID 1028 wrote to memory of 2908	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	KMWGrVX.exe
PID 1028 wrote to memory of 2908	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	KMWGrVX.exe
PID 1028 wrote to memory of 2908	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	KMWGrVX.exe
PID 1028 wrote to memory of 3044	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	qNPZMCd.exe
PID 1028 wrote to memory of 3044	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	qNPZMCd.exe
PID 1028 wrote to memory of 3044	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	qNPZMCd.exe
PID 1028 wrote to memory of 812	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	AtDCTMr.exe
PID 1028 wrote to memory of 812	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	AtDCTMr.exe
PID 1028 wrote to memory of 812	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	AtDCTMr.exe
PID 1028 wrote to memory of 2740	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	GrPOdOT.exe
PID 1028 wrote to memory of 2740	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	GrPOdOT.exe
PID 1028 wrote to memory of 2740	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	GrPOdOT.exe
PID 1028 wrote to memory of 1984	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	QdUFpYp.exe
PID 1028 wrote to memory of 1984	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	QdUFpYp.exe
PID 1028 wrote to memory of 1984	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	QdUFpYp.exe
PID 1028 wrote to memory of 1968	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	cyevwoA.exe
PID 1028 wrote to memory of 1968	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	cyevwoA.exe
PID 1028 wrote to memory of 1968	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	cyevwoA.exe
PID 1028 wrote to memory of 2720	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ZJagHJi.exe
PID 1028 wrote to memory of 2720	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ZJagHJi.exe
PID 1028 wrote to memory of 2720	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ZJagHJi.exe
PID 1028 wrote to memory of 1464	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	mQStkON.exe
PID 1028 wrote to memory of 1464	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	mQStkON.exe
PID 1028 wrote to memory of 1464	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	mQStkON.exe
PID 1028 wrote to memory of 2920	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ljLTzpX.exe
PID 1028 wrote to memory of 2920	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ljLTzpX.exe
PID 1028 wrote to memory of 2920	1028	2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe	ljLTzpX.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\System\YePAPIE.exe
C:\Windows\System\YePAPIE.exe
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\System\rfVwMtM.exe
C:\Windows\System\rfVwMtM.exe
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\System\VOgZmbs.exe
C:\Windows\System\VOgZmbs.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\kwlBJrK.exe
C:\Windows\System\kwlBJrK.exe
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\System\JBIFflc.exe
C:\Windows\System\JBIFflc.exe
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\System\XZWzjof.exe
C:\Windows\System\XZWzjof.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\JIxBjWt.exe
C:\Windows\System\JIxBjWt.exe
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\System\TFmBXTG.exe
C:\Windows\System\TFmBXTG.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\cBxOxZh.exe
C:\Windows\System\cBxOxZh.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\ujUsZtM.exe
C:\Windows\System\ujUsZtM.exe
2⤵
- Executes dropped EXE
PID:1160

C:\Windows\System\EqAlnhl.exe
C:\Windows\System\EqAlnhl.exe
2⤵
- Executes dropped EXE
PID:316

C:\Windows\System\lenyjLB.exe
C:\Windows\System\lenyjLB.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\System\KMWGrVX.exe
C:\Windows\System\KMWGrVX.exe
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\System\qNPZMCd.exe
C:\Windows\System\qNPZMCd.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\AtDCTMr.exe
C:\Windows\System\AtDCTMr.exe
2⤵
- Executes dropped EXE
PID:812

C:\Windows\System\GrPOdOT.exe
C:\Windows\System\GrPOdOT.exe
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\System\QdUFpYp.exe
C:\Windows\System\QdUFpYp.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\cyevwoA.exe
C:\Windows\System\cyevwoA.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\System\ZJagHJi.exe
C:\Windows\System\ZJagHJi.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\mQStkON.exe
C:\Windows\System\mQStkON.exe
2⤵
- Executes dropped EXE
PID:1464

C:\Windows\System\ljLTzpX.exe
C:\Windows\System\ljLTzpX.exe
2⤵
- Executes dropped EXE
PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\KMWGrVX.exe
Filesize
5.9MB

MD5
9f175a2fac2c024ad67c2b5b29d224b7

SHA1
74457d45e3f0abfe81318837e91a97643b904898

SHA256
ce1b034a7beb5c8a10f93fe5662d0f6c5366249589ba77449a45b08eaa3839e9

SHA512
e80cc693be25ef88488b53524a53203a3c79ea233997f8d71f892c3fbc4811a0ade9ac233627bbece6d0cfedc381f0a7abcad4c1d4b97f1d6b593107e0f7b254

Download Submit
C:\Windows\system\QdUFpYp.exe
Filesize
5.9MB

MD5
32aa2c5a15a460f20709fa527ec3a9cb

SHA1
873da4c2322b19837cf936758641ea37719c66ed

SHA256
6fac3369d2b05dda3b43251be34d96559fff6bcacabc3cb98d93003bbe642944

SHA512
066327ce81a342f50498d16d2a485110b23d5caf0456b9e6b83789e59d85021185fba0e771aad61d09aec0f0afc0292bf6d829bfaea63afc0a55e72163f12f49

Download Submit
C:\Windows\system\VOgZmbs.exe
Filesize
5.9MB

MD5
9f1249d2415f5edcde72833cc21f0f9a

SHA1
70dab8b1b9be297aec44c71b3ed279342f985175

SHA256
c34d3b61b1738ed442b84383f8ba14b12106f2c12e942c3eeebbccc2f6a08b5f

SHA512
895b5d327eab27821f2d755c8e2b5a09999f3fb5fb261e22720620c05a90672f41de39c2f59985e712dbd9e670abfcf990e0b65b0e8d76012eb769b8e69b8e0d

Download Submit
C:\Windows\system\YePAPIE.exe
Filesize
5.9MB

MD5
4a2e29d92118c84fd7e26080a75ad32b

SHA1
96c9c8a52c80215d20da2b7f4f708e5e7456c92a

SHA256
56f2692ea1fc9377861723ba10ed3c4db5f3c1203861b390f8fa7e88fc8d8606

SHA512
e716bb2117bc4c404e43a5dc5bcf7b10f866897d5af0a3c2277952d391956b0041b7dc89c7c376243afe7053778b1b9537caaa7ceb57153f40db234f996a0fb0

Download Submit
C:\Windows\system\ZJagHJi.exe
Filesize
5.9MB

MD5
6ac36276726e844f16197e2cec5e2cd9

SHA1
c4a3ec4b8cec3d93fe514a696d37b87d00e69800

SHA256
2be6c8dcf36e190011df1fff833d5d7f9c20aa14b65a953915a507d298f2a105

SHA512
73633a21f5d2c8edd99878c8730697d25a79752416a5ca10cd0de2cb9cee9d4cc4b6f7ec9e5278806f609f2bf1a83782b61e826ed9834a256014044b7553e17d

Download Submit
C:\Windows\system\cBxOxZh.exe
Filesize
5.9MB

MD5
c1e46e114a530c5e3e6cfdd4caaacc43

SHA1
f3255a28fbec310c7b62aa2f438d3d6916b5ab1a

SHA256
82bc03ea8f5c71377129c44c668ade232c9ccf722a913991aa78df6f77e67770

SHA512
b3988e27f034ccd606dc7f968c78c5dd7488aba34085d20789e809d31fbf3fc0b0283521e3fc2d06ebc0996f420abe08f3f824a7c193ec6e172549fc7f616f82

Download Submit
C:\Windows\system\kwlBJrK.exe
Filesize
5.9MB

MD5
9c8a4aa17afdb30105e4f23ced8c2f10

SHA1
85339b7dc00cd2db8fc7d4166638854243c0c77b

SHA256
787456210248d9692d0ec8eeaabc34dadb93e186c69bf83da0a0f597dfe7c98b

SHA512
54b9bd41d768a2b2b70e924511966c107b050c2fba645c86036d45e8d85ed21ed44a7073a0e2b95b5bd107d5ac1a44467c30560d36e4c5ba6ac0016e089d6fd6

Download Submit
C:\Windows\system\lenyjLB.exe
Filesize
5.9MB

MD5
01d8d21c8cc43f8ae21ffbe1d41ac44f

SHA1
9eab48366f84a4da8b75795eb8687e5fd51d107d

SHA256
a30d746ecf1cb771403b0d21578334a95f8c6c66fd7e7b4ec64abb3da5f52524

SHA512
8e8e9a6bc89388d24c2173900cb436b6e20135036815f1830438f84b82b2169ce94b6ba4f9870f38cf48f5eb9d8af2523145f309ef0544a0864a788466c57ec4

Download Submit
C:\Windows\system\ljLTzpX.exe
Filesize
5.9MB

MD5
13f1b11165fc84b417ae4bbce301d35c

SHA1
0370a9d8169729a93a6eed0a1bf775c2b2cfaa3e

SHA256
f2244f36b3dd01d7b49c440a620b08d4a605769001896165616609b24524d5a6

SHA512
de8d7da0a2e4ce20e0f7805a2c53e9ebc989dc2a90afcd758120a8f8ed4470f33f4f8bff9339fd5bb485f89d8c312c838968ef5218214694e2c967dfcb748d9b

Download Submit
C:\Windows\system\mQStkON.exe
Filesize
5.9MB

MD5
c759e4f00ae7ece2a20fb8ff9e0e472f

SHA1
ac98da93e6ef5f5ed570cf468d90af82fc97aab6

SHA256
f3013fad9dcb2f8ec3fe360393104744839b3f3c5a1e6d9fc6da5c755aff6958

SHA512
9aca99614bb1bcfe07ecca2d170fcca18f07cd23f0fce33edbe6550fc0a159812779f1d438140f09b5e634acb46e65b04c562586ee872e82d8a1b29ae37fbb9a

Download Submit
\Windows\system\AtDCTMr.exe
Filesize
5.9MB

MD5
9846901833aef7fc5a5ec1376a09808e

SHA1
a1d7e6b64a35195e83fbb516534289d7463fcd40

SHA256
21dd7f2b2e371bc9bd0a5ee1dd45e50e7343c32cd59b67a8f0d05833a2f5eeda

SHA512
9962aaa94c53a164faab54d60ab57f6ce26ab4c5adb6ff555d02da18a59044138dfef73c24c4ea330fed184fabd44c9b6305335a83c3fd0c6d8ff7a0ee5303f7

Download Submit
\Windows\system\EqAlnhl.exe
Filesize
5.9MB

MD5
aa854a3fbd0e5039d85ef1c6a554588a

SHA1
961f781651a4ab7b10d6355e81496ed3efa1549c

SHA256
9533e04069be095abc4726e97b00c215059adb1889aea0df0d8da85e75f91209

SHA512
67f89c761e1209842b28076d87cdfef2d1d1b8c3134f7907f4cf4b683520e6dfe3442d061966c18edd7ef8cac3c08a28220a22fe3ed7c597e6e8cdede39c5652

Download Submit
\Windows\system\GrPOdOT.exe
Filesize
5.9MB

MD5
63ecb1456bfb210ca61de609eecfe0f3

SHA1
138afce48fceae2ae8660c9a96189aaa1ac032e6

SHA256
430bd625afb3d6f8e7e5782231f8ddca807626d700df9b8846764542eca29c25

SHA512
938a173c124834bd9302db663b521e909de1056e9d79b8551ff9396e95f7c5e48e9df3b8db7aabf93f3d20f14a789e1f4e6fca4d68b0e12d5f79223c027a1bf2

Download Submit
\Windows\system\JBIFflc.exe
Filesize
5.9MB

MD5
42ebb672a8365fa71ae98c3cbb6ae738

SHA1
6dae2744b9eec1bb47b5107c1a7494080d46d998

SHA256
98c835449098415470837969a938a80a03e2416c80a99d70b4a4cbb487ece1c2

SHA512
be19f151805dafdcca8a0b9c9e895e5b07ec050252b9b2b5548ea7fa4b6cc1acee7cf21ddeabd091811d0f8a577f93afbffad09899bc174d72706fa1941456aa

Download Submit
\Windows\system\JIxBjWt.exe
Filesize
5.9MB

MD5
80a25897db053e80099428309f1394c7

SHA1
584a54c255ce6a3d9c79ba1db648bf92e65e5545

SHA256
19636999665e57ed3051029643a15fe755d3afd96821394cbba1171fcafba658

SHA512
3339473de5932b7392af446e005e845e936ea000313acf26b9562e42ea6483ee6cb14fbb04c7b0ca0f450e30ad523325fbdcf4d1aa649316734e9d03f88f8b4b

Download Submit
\Windows\system\TFmBXTG.exe
Filesize
5.9MB

MD5
125ef8396756ec72c9a594f44bcaf72a

SHA1
b725c398514d865cf6e71ce62a46dc795f276c7a

SHA256
64bda3eba7d6563fe6d27251a32d768d41b6d8858a78657b8238727dbf652f69

SHA512
d1fc1076d24c2e49482bc9b7c6a42d78cec2a5c6946bee6b41af87e545e680b7c3b6d42a535a79d25a714e6facf040fad021c831be630488b753d68d9dddfbaa

Download Submit
\Windows\system\XZWzjof.exe
Filesize
5.9MB

MD5
9f99fc51cf4374b71853e0bf199d6cb6

SHA1
2c881758c6ae6d81c09660b47b6815fe5ef27c7f

SHA256
954196210b5c99cb5bff4eb1e31dd8791c578f875d01266f8235f1b811cd2b2c

SHA512
bbbb275202891abcfa11fa2f7db496a4a9f843087afd409fc0081eae7c4801f60f91e221e48d72a9d2a8232c91969d1c3b969db60093fc4edb20b3bb4494586a

Download Submit
\Windows\system\cyevwoA.exe
Filesize
5.9MB

MD5
04626313ab0c01c8434b46f2e40f105d

SHA1
4d2f14c24b28e0a2d69d6b3e670d47b844ff3def

SHA256
e318e1d84e48fd696588e5a67af419d27f4f208c07240e07e6470a56d5d54cdd

SHA512
8452a3d2c1beeb5044a9cee9abd46967dfd7e78b0ede36432ef2fb547c2b2ab80a2802766623015c826869207cdd33cbb591c392d5c68b5777834c1c92dc06e9

Download Submit
\Windows\system\qNPZMCd.exe
Filesize
5.9MB

MD5
dbfaac8c8ba94151de1b2f178eaad647

SHA1
ba0810428d81548c671a4a5ecaed2c60a19341c6

SHA256
17c087909ec390bebfbecc14f1f43a332dabf64a44e53ac88c6bf2b8d2c33053

SHA512
2c722c926a96d621ff6072660bd3238bbd0752c41bb202c1715238b518f89c98ca0805e1c097b84519954287178aae25d251d06af0d97b3dc8e269ec29a92c9a

Download Submit
\Windows\system\rfVwMtM.exe
Filesize
5.9MB

MD5
5d3520957469a213ad4098cfbd559940

SHA1
623d3b705baefcbdda03fa65e7fb98f12f4ea6a4

SHA256
3293404f98406007efa20f9112a4493860d50d2eb54f7a850d53cf054ea7a3de

SHA512
52b0431fe93709925095645c778d7b4387966b936ca8c35521fb4b81e31fe1b791d396821ce025601905c825891a56e4f0916974621069077bca034de83e7061

Download Submit
\Windows\system\ujUsZtM.exe
Filesize
5.9MB

MD5
13ad8ab197b488c9e92a9f5390c8c262

SHA1
7c276e6943f2167cf9a688a8f69d9562049316ce

SHA256
7577e6b79d98c5b640a8c577ebd544668552d4703b1cf1b1105b4091e4800dde

SHA512
d2ea6b3a0df38b419325e56a489cb686812d743780090954538a05d67dbc0ee46f2fb4a4a15f14c5c6a1558b62af2e4444c5db0d2430a72ea0eab95fdd807745

Download Submit
memory/316-149-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/316-120-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-40-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/1028-43-0x0000000002250000-0x00000000025A4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-15-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/1028-55-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-68-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/1028-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1028-20-0x0000000002250000-0x00000000025A4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-137-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-0-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/1028-28-0x0000000002250000-0x00000000025A4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-138-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-46-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-21-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/1028-129-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-133-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-134-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-101-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/1028-131-0x0000000002250000-0x00000000025A4000-memory.dmp

Filesize
3.3MB

Download
memory/1160-119-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1160-148-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1740-139-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/1740-18-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2012-140-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2012-22-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2540-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-136-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-57-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2628-144-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2628-44-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2652-23-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2652-141-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2656-41-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/2656-143-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/2692-147-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2692-116-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2816-37-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2816-135-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2816-142-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2868-122-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-150-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-145-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-51-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-130-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-132-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/3044-151-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download