cobaltstrike | 9e06c80d196357b9186ac87ef45340436ce70bed5321980e7432fdc1ee07926c

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

b0887affde9e562dcb9420b870c62b35
SHA1

b8e66f915a8ca0b9092d28637fdfcfe633306678
SHA256

9e06c80d196357b9186ac87ef45340436ce70bed5321980e7432fdc1ee07926c
SHA512

e2b5ea11a29f725850851c33712ca3ddc003a7a34527acc8655f35b7ab382f22d9741f665b2863d706ddbd90d33da12722cd22a7689bb4c03a646b2cbe3d3389
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU3:Q+856utgpPF8u/73

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\UiWmzBl.exe	cobalt_reflective_dll
\Windows\system\IBYzrIv.exe	cobalt_reflective_dll
C:\Windows\system\QVSUDMR.exe	cobalt_reflective_dll
\Windows\system\wptfawH.exe	cobalt_reflective_dll
C:\Windows\system\bYTjfEQ.exe	cobalt_reflective_dll
C:\Windows\system\QfzJqWC.exe	cobalt_reflective_dll
C:\Windows\system\ubSVwOv.exe	cobalt_reflective_dll
\Windows\system\MvwqyNI.exe	cobalt_reflective_dll
C:\Windows\system\LALXfrU.exe	cobalt_reflective_dll
C:\Windows\system\qNjXuPB.exe	cobalt_reflective_dll
C:\Windows\system\BRqKtBg.exe	cobalt_reflective_dll
C:\Windows\system\hhAGcis.exe	cobalt_reflective_dll
C:\Windows\system\OcIsmgy.exe	cobalt_reflective_dll
C:\Windows\system\pFreTGv.exe	cobalt_reflective_dll
C:\Windows\system\rkPXngq.exe	cobalt_reflective_dll
C:\Windows\system\eHQZGZn.exe	cobalt_reflective_dll
C:\Windows\system\luPqsVz.exe	cobalt_reflective_dll
\Windows\system\kUkRCZu.exe	cobalt_reflective_dll
C:\Windows\system\txqIwhB.exe	cobalt_reflective_dll
C:\Windows\system\zklPevg.exe	cobalt_reflective_dll
C:\Windows\system\GiqJURa.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\UiWmzBl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\IBYzrIv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QVSUDMR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\wptfawH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bYTjfEQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QfzJqWC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ubSVwOv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\MvwqyNI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LALXfrU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qNjXuPB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BRqKtBg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hhAGcis.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OcIsmgy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pFreTGv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rkPXngq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eHQZGZn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\luPqsVz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kUkRCZu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\txqIwhB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zklPevg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GiqJURa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2056-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
C:\Windows\system\UiWmzBl.exe	UPX
\Windows\system\IBYzrIv.exe	UPX
C:\Windows\system\QVSUDMR.exe	UPX
behavioral1/memory/1508-15-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
\Windows\system\wptfawH.exe	UPX
behavioral1/memory/2320-36-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2024-34-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
C:\Windows\system\bYTjfEQ.exe	UPX
behavioral1/memory/2792-74-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
C:\Windows\system\QfzJqWC.exe	UPX
C:\Windows\system\ubSVwOv.exe	UPX
\Windows\system\MvwqyNI.exe	UPX
C:\Windows\system\LALXfrU.exe	UPX
C:\Windows\system\qNjXuPB.exe	UPX
C:\Windows\system\BRqKtBg.exe	UPX
C:\Windows\system\hhAGcis.exe	UPX
C:\Windows\system\OcIsmgy.exe	UPX
behavioral1/memory/2964-109-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
C:\Windows\system\pFreTGv.exe	UPX
behavioral1/memory/2320-135-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2504-84-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/2620-96-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2972-91-0x000000013F4B0000-0x000000013F804000-memory.dmp	UPX
behavioral1/memory/2056-90-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
C:\Windows\system\rkPXngq.exe	UPX
C:\Windows\system\eHQZGZn.exe	UPX
behavioral1/memory/2604-59-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
C:\Windows\system\luPqsVz.exe	UPX
behavioral1/memory/2740-136-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2876-76-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
\Windows\system\kUkRCZu.exe	UPX
behavioral1/memory/2716-72-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
C:\Windows\system\txqIwhB.exe	UPX
behavioral1/memory/2704-66-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
C:\Windows\system\zklPevg.exe	UPX
behavioral1/memory/2740-42-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
C:\Windows\system\GiqJURa.exe	UPX
behavioral1/memory/2692-31-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2972-27-0x000000013F4B0000-0x000000013F804000-memory.dmp	UPX
behavioral1/memory/2876-137-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/1508-139-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/memory/2972-140-0x000000013F4B0000-0x000000013F804000-memory.dmp	UPX
behavioral1/memory/2692-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2024-142-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2320-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2740-144-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2604-145-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2704-146-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
behavioral1/memory/2716-147-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/memory/2792-148-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/2504-149-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/2964-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2876-152-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/2620-150-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX

XMRig Miner payload 56 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2056-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
C:\Windows\system\UiWmzBl.exe	xmrig
\Windows\system\IBYzrIv.exe	xmrig
C:\Windows\system\QVSUDMR.exe	xmrig
behavioral1/memory/1508-15-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
\Windows\system\wptfawH.exe	xmrig
behavioral1/memory/2320-36-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2024-34-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
C:\Windows\system\bYTjfEQ.exe	xmrig
behavioral1/memory/2792-74-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
C:\Windows\system\QfzJqWC.exe	xmrig
C:\Windows\system\ubSVwOv.exe	xmrig
\Windows\system\MvwqyNI.exe	xmrig
C:\Windows\system\LALXfrU.exe	xmrig
C:\Windows\system\qNjXuPB.exe	xmrig
C:\Windows\system\BRqKtBg.exe	xmrig
C:\Windows\system\hhAGcis.exe	xmrig
C:\Windows\system\OcIsmgy.exe	xmrig
behavioral1/memory/2964-109-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
C:\Windows\system\pFreTGv.exe	xmrig
behavioral1/memory/2320-135-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2504-84-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2620-96-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2972-91-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/2056-90-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
C:\Windows\system\rkPXngq.exe	xmrig
C:\Windows\system\eHQZGZn.exe	xmrig
behavioral1/memory/2604-59-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
C:\Windows\system\luPqsVz.exe	xmrig
behavioral1/memory/2740-136-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2876-76-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
\Windows\system\kUkRCZu.exe	xmrig
behavioral1/memory/2716-72-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
C:\Windows\system\txqIwhB.exe	xmrig
behavioral1/memory/2056-68-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2704-66-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
C:\Windows\system\zklPevg.exe	xmrig
behavioral1/memory/2740-42-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
C:\Windows\system\GiqJURa.exe	xmrig
behavioral1/memory/2692-31-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2972-27-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/2876-137-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/1508-139-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2972-140-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/2692-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2024-142-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2320-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2740-144-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2604-145-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2704-146-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2716-147-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2792-148-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2504-149-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2964-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2876-152-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2620-150-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

UiWmzBl.exeQVSUDMR.exewptfawH.exeIBYzrIv.exeGiqJURa.exebYTjfEQ.exezklPevg.exeluPqsVz.exeQfzJqWC.exetxqIwhB.exekUkRCZu.exeeHQZGZn.exerkPXngq.exepFreTGv.exeubSVwOv.exeOcIsmgy.exeMvwqyNI.exehhAGcis.exeBRqKtBg.exeLALXfrU.exeqNjXuPB.exe

pid	process
1508	UiWmzBl.exe
2972	QVSUDMR.exe
2024	wptfawH.exe
2692	IBYzrIv.exe
2320	GiqJURa.exe
2740	bYTjfEQ.exe
2604	zklPevg.exe
2704	luPqsVz.exe
2716	QfzJqWC.exe
2792	txqIwhB.exe
2876	kUkRCZu.exe
2504	eHQZGZn.exe
2620	rkPXngq.exe
2964	pFreTGv.exe
2148	ubSVwOv.exe
2200	OcIsmgy.exe
768	MvwqyNI.exe
1044	hhAGcis.exe
1668	BRqKtBg.exe
2044	LALXfrU.exe
1428	qNjXuPB.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2056-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
C:\Windows\system\UiWmzBl.exe	upx
\Windows\system\IBYzrIv.exe	upx
C:\Windows\system\QVSUDMR.exe	upx
behavioral1/memory/1508-15-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
\Windows\system\wptfawH.exe	upx
behavioral1/memory/2320-36-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2024-34-0x000000013F230000-0x000000013F584000-memory.dmp	upx
C:\Windows\system\bYTjfEQ.exe	upx
behavioral1/memory/2792-74-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
C:\Windows\system\QfzJqWC.exe	upx
C:\Windows\system\ubSVwOv.exe	upx
\Windows\system\MvwqyNI.exe	upx
C:\Windows\system\LALXfrU.exe	upx
C:\Windows\system\qNjXuPB.exe	upx
C:\Windows\system\BRqKtBg.exe	upx
C:\Windows\system\hhAGcis.exe	upx
C:\Windows\system\OcIsmgy.exe	upx
behavioral1/memory/2964-109-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
C:\Windows\system\pFreTGv.exe	upx
behavioral1/memory/2320-135-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2504-84-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2620-96-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2972-91-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/2056-90-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
C:\Windows\system\rkPXngq.exe	upx
C:\Windows\system\eHQZGZn.exe	upx
behavioral1/memory/2604-59-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
C:\Windows\system\luPqsVz.exe	upx
behavioral1/memory/2740-136-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2876-76-0x000000013F110000-0x000000013F464000-memory.dmp	upx
\Windows\system\kUkRCZu.exe	upx
behavioral1/memory/2716-72-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
C:\Windows\system\txqIwhB.exe	upx
behavioral1/memory/2704-66-0x000000013F210000-0x000000013F564000-memory.dmp	upx
C:\Windows\system\zklPevg.exe	upx
behavioral1/memory/2740-42-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
C:\Windows\system\GiqJURa.exe	upx
behavioral1/memory/2692-31-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2972-27-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/2876-137-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/1508-139-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2972-140-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/2692-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2024-142-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2320-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2740-144-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2604-145-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2704-146-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2716-147-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2792-148-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/2504-149-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2964-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2876-152-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/2620-150-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\rkPXngq.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pFreTGv.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRqKtBg.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QVSUDMR.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GiqJURa.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\luPqsVz.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OcIsmgy.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LALXfrU.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MvwqyNI.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hhAGcis.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UiWmzBl.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QfzJqWC.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kUkRCZu.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\txqIwhB.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eHQZGZn.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ubSVwOv.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wptfawH.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IBYzrIv.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bYTjfEQ.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zklPevg.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qNjXuPB.exe	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2056 wrote to memory of 1508	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	UiWmzBl.exe
PID 2056 wrote to memory of 1508	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	UiWmzBl.exe
PID 2056 wrote to memory of 1508	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	UiWmzBl.exe
PID 2056 wrote to memory of 2972	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	QVSUDMR.exe
PID 2056 wrote to memory of 2972	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	QVSUDMR.exe
PID 2056 wrote to memory of 2972	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	QVSUDMR.exe
PID 2056 wrote to memory of 2024	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	wptfawH.exe
PID 2056 wrote to memory of 2024	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	wptfawH.exe
PID 2056 wrote to memory of 2024	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	wptfawH.exe
PID 2056 wrote to memory of 2320	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	GiqJURa.exe
PID 2056 wrote to memory of 2320	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	GiqJURa.exe
PID 2056 wrote to memory of 2320	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	GiqJURa.exe
PID 2056 wrote to memory of 2692	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	IBYzrIv.exe
PID 2056 wrote to memory of 2692	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	IBYzrIv.exe
PID 2056 wrote to memory of 2692	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	IBYzrIv.exe
PID 2056 wrote to memory of 2740	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	bYTjfEQ.exe
PID 2056 wrote to memory of 2740	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	bYTjfEQ.exe
PID 2056 wrote to memory of 2740	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	bYTjfEQ.exe
PID 2056 wrote to memory of 2604	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	zklPevg.exe
PID 2056 wrote to memory of 2604	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	zklPevg.exe
PID 2056 wrote to memory of 2604	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	zklPevg.exe
PID 2056 wrote to memory of 2704	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	luPqsVz.exe
PID 2056 wrote to memory of 2704	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	luPqsVz.exe
PID 2056 wrote to memory of 2704	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	luPqsVz.exe
PID 2056 wrote to memory of 2716	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	QfzJqWC.exe
PID 2056 wrote to memory of 2716	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	QfzJqWC.exe
PID 2056 wrote to memory of 2716	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	QfzJqWC.exe
PID 2056 wrote to memory of 2876	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	kUkRCZu.exe
PID 2056 wrote to memory of 2876	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	kUkRCZu.exe
PID 2056 wrote to memory of 2876	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	kUkRCZu.exe
PID 2056 wrote to memory of 2792	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	txqIwhB.exe
PID 2056 wrote to memory of 2792	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	txqIwhB.exe
PID 2056 wrote to memory of 2792	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	txqIwhB.exe
PID 2056 wrote to memory of 2504	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	eHQZGZn.exe
PID 2056 wrote to memory of 2504	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	eHQZGZn.exe
PID 2056 wrote to memory of 2504	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	eHQZGZn.exe
PID 2056 wrote to memory of 2620	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	rkPXngq.exe
PID 2056 wrote to memory of 2620	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	rkPXngq.exe
PID 2056 wrote to memory of 2620	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	rkPXngq.exe
PID 2056 wrote to memory of 2148	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	ubSVwOv.exe
PID 2056 wrote to memory of 2148	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	ubSVwOv.exe
PID 2056 wrote to memory of 2148	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	ubSVwOv.exe
PID 2056 wrote to memory of 2964	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	pFreTGv.exe
PID 2056 wrote to memory of 2964	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	pFreTGv.exe
PID 2056 wrote to memory of 2964	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	pFreTGv.exe
PID 2056 wrote to memory of 768	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	MvwqyNI.exe
PID 2056 wrote to memory of 768	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	MvwqyNI.exe
PID 2056 wrote to memory of 768	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	MvwqyNI.exe
PID 2056 wrote to memory of 2200	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	OcIsmgy.exe
PID 2056 wrote to memory of 2200	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	OcIsmgy.exe
PID 2056 wrote to memory of 2200	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	OcIsmgy.exe
PID 2056 wrote to memory of 1044	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	hhAGcis.exe
PID 2056 wrote to memory of 1044	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	hhAGcis.exe
PID 2056 wrote to memory of 1044	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	hhAGcis.exe
PID 2056 wrote to memory of 1668	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	BRqKtBg.exe
PID 2056 wrote to memory of 1668	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	BRqKtBg.exe
PID 2056 wrote to memory of 1668	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	BRqKtBg.exe
PID 2056 wrote to memory of 2044	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	LALXfrU.exe
PID 2056 wrote to memory of 2044	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	LALXfrU.exe
PID 2056 wrote to memory of 2044	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	LALXfrU.exe
PID 2056 wrote to memory of 1428	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	qNjXuPB.exe
PID 2056 wrote to memory of 1428	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	qNjXuPB.exe
PID 2056 wrote to memory of 1428	2056	2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe	qNjXuPB.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\System\UiWmzBl.exe
C:\Windows\System\UiWmzBl.exe
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\System\QVSUDMR.exe
C:\Windows\System\QVSUDMR.exe
2⤵
- Executes dropped EXE
PID:2972

C:\Windows\System\wptfawH.exe
C:\Windows\System\wptfawH.exe
2⤵
- Executes dropped EXE
PID:2024

C:\Windows\System\GiqJURa.exe
C:\Windows\System\GiqJURa.exe
2⤵
- Executes dropped EXE
PID:2320

C:\Windows\System\IBYzrIv.exe
C:\Windows\System\IBYzrIv.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\bYTjfEQ.exe
C:\Windows\System\bYTjfEQ.exe
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\System\zklPevg.exe
C:\Windows\System\zklPevg.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\luPqsVz.exe
C:\Windows\System\luPqsVz.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\QfzJqWC.exe
C:\Windows\System\QfzJqWC.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\kUkRCZu.exe
C:\Windows\System\kUkRCZu.exe
2⤵
- Executes dropped EXE
PID:2876

C:\Windows\System\txqIwhB.exe
C:\Windows\System\txqIwhB.exe
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\System\eHQZGZn.exe
C:\Windows\System\eHQZGZn.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\rkPXngq.exe
C:\Windows\System\rkPXngq.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\ubSVwOv.exe
C:\Windows\System\ubSVwOv.exe
2⤵
- Executes dropped EXE
PID:2148

C:\Windows\System\pFreTGv.exe
C:\Windows\System\pFreTGv.exe
2⤵
- Executes dropped EXE
PID:2964

C:\Windows\System\MvwqyNI.exe
C:\Windows\System\MvwqyNI.exe
2⤵
- Executes dropped EXE
PID:768

C:\Windows\System\OcIsmgy.exe
C:\Windows\System\OcIsmgy.exe
2⤵
- Executes dropped EXE
PID:2200

C:\Windows\System\hhAGcis.exe
C:\Windows\System\hhAGcis.exe
2⤵
- Executes dropped EXE
PID:1044

C:\Windows\System\BRqKtBg.exe
C:\Windows\System\BRqKtBg.exe
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\System\LALXfrU.exe
C:\Windows\System\LALXfrU.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\qNjXuPB.exe
C:\Windows\System\qNjXuPB.exe
2⤵
- Executes dropped EXE
PID:1428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BRqKtBg.exe
Filesize
5.9MB

MD5
feb4f43171df5be7b2e90c8ac15d52ae

SHA1
fb8fa3f50e57af27a971fd4db41a0f90b329b0e7

SHA256
aa9067e649f043ff26a5478112002728e1d4ba4b5a44cbae53e9a3a5432e5465

SHA512
1047aff972d359fe7cde562d3528777228eb0431f603a36c2f337825740864db5d91d31e5f8da2794c34f2bf2c3e26a20b142617d030e014ee5694d34868fd25

Download Submit
C:\Windows\system\GiqJURa.exe
Filesize
5.9MB

MD5
667354188761882bdf6fd487954c2169

SHA1
2fcadbc89a750bc65dd6e8f734b6133cf0ca75a3

SHA256
397f81359d41b90bab2b3a576aadf7fcb6ce1c3591ad5fe6ec302bcbdfa04d8c

SHA512
44354dbe90ba3d36379a42956e60ec2b45e96cc818c79d9a1d9d2036f8a50ba0d87c0488ffd83239a9bb2017c0f87fa153ad6004d7e3218d8f71bad13fe2ba39

Download Submit
C:\Windows\system\LALXfrU.exe
Filesize
5.9MB

MD5
4539d372448d97cc806d2231720afad9

SHA1
2ced51ef9221b8edc96516e72122eccbb1419e2d

SHA256
c3ae489a1a8f36946555e280005a5a445299673f072020e24bc889cba70be8f6

SHA512
072c0153e5c5344da043314279f4f3bfc72cb5aab3c23a33edebadb2d1dfc6b1e5d6483e2ed70c85c54b41017b9d3e2080b92132666385754799e31cfb737dc5

Download Submit
C:\Windows\system\OcIsmgy.exe
Filesize
5.9MB

MD5
88227995f910c0903e6081f4618ffbe5

SHA1
9d3082f82b823574a6995d6b470a3ae0b9410cb9

SHA256
1768fa0321b827979809bf5ae1de45adc4c0b0376edda873812c0b828e855a78

SHA512
2ec9ee93391b6f614ad0969f6941f5eabed59cd47ab2b941773b6bd8763addbb341dec40828b130e93dc7edfb708e35503db6aba6868c59483dd18d3a68704e9

Download Submit
C:\Windows\system\QVSUDMR.exe
Filesize
5.9MB

MD5
5d68642bb3c32c4dd39e366377b54327

SHA1
c8b389b1f10c4f1905902e8669e1ff18454a1d1a

SHA256
f4bee0db429b72276f59d922e32e667c50ffc9825d507288472382efada40251

SHA512
90d8aea678d1277604b1864f38924e94fde6e76e568bb550e25e89849571639007fe50d440ab3d64fe0b215fcc4b32ac448653f3d513c514932e7b460e468b2d

Download Submit
C:\Windows\system\QfzJqWC.exe
Filesize
5.9MB

MD5
28158159edf3651c788d9c77cd52b9b1

SHA1
e20e5be11a8e4dd270268cbcdd84cf3300719600

SHA256
9b12a40d07cc06bf4ddf13410755440b886585443cb457a21333198eba8e6273

SHA512
8cbe6f202112cb31f5464e75421e5bf6cad7dfe26db1e07194405734d128d003baf59f1535bb6057eb85f5a83ca46bcc3d4bcafc9aaef25f330fb52a7101ff94

Download Submit
C:\Windows\system\UiWmzBl.exe
Filesize
5.9MB

MD5
dba1329ba470d1a6f71c29c5dc14e3b4

SHA1
8939c6746490d1041e7442eb1d479efebf56964e

SHA256
4a94eee8a10b1eb5c613a85996df119a282b26a93aea69ee1452bac6dd7fa631

SHA512
71b978a7a0c68391e6e98aeb62c2c117d2792add0093802c7f3d6133ed6f98fe64756b442664c2d4595eb64a7378fd6a2a14479884618de847219a17004eaa25

Download Submit
C:\Windows\system\bYTjfEQ.exe
Filesize
5.9MB

MD5
b49d6c2f5d9c9df530368311f91e1452

SHA1
c620c61adbf17b30d3255cc3893bbdb556f0ee80

SHA256
13624aa95222992b6bd1733adc90b68d259c8602477bfaf5c2719253fbbba236

SHA512
787e364211e7013a18f24d49b90ad74edd44e4a38fb94ded013b53776b289b000958a69534a2ae2fe8cf7a786675cc6f222f783d0e2cde096bba29768150376a

Download Submit
C:\Windows\system\eHQZGZn.exe
Filesize
5.9MB

MD5
e810f3f2f14a67f664c6523f72de7ff5

SHA1
75c8617bd482fbd296f2ecdb084b9453772c4ece

SHA256
1fa49f6a80a98e508a45c38065cc81da23cacf9ff5384adcdf3b0b3e922c97dc

SHA512
c19b86f4ce0b42cb241b2f9a669c69de2c9c0ad76ecdb9ab47c03b49635b57219ca642169bc2dac774433afcd19b17dbe1da953534c0a2f63ec8d967b4184970

Download Submit
C:\Windows\system\hhAGcis.exe
Filesize
5.9MB

MD5
8990df7c90e62d792c71227566a9ee6b

SHA1
68dc136d916d0130f8149136cb9c5436c2229744

SHA256
f501e49ae03ae72956d53f467badc411489da886204969b7b16e5b4cce79ed03

SHA512
5ad47f09198d2373aacf5120a9f6a253303b321b1043400f0c9c6ad8b00f474b4faf7106a32cc7bcad88b4b8c0fd06bcd4291365d5d3b0713ac0722bd4cd4ffa

Download Submit
C:\Windows\system\luPqsVz.exe
Filesize
5.9MB

MD5
f70f79d733a28f4d26a9223f63410fbb

SHA1
48a471a282e2b3d1662f439f934b449f345c1ebb

SHA256
d9c58fb3147021e3827abc8a770b03111cdc705b2c5bc448b60eb90fd7b5edf8

SHA512
8b32a83e56b354e2cbb69005b4cfd472ba1956c7913e21c9c93ce7b320ec9af56f88aceb815a1d424b55f15d0fe5cb5913eee4cb768f51d0ed3e01507563fb83

Download Submit
C:\Windows\system\pFreTGv.exe
Filesize
5.9MB

MD5
89db638b16557b1ea7579c66070fd784

SHA1
85e6de449ebdec68c9a1fe3ed86ad7ee3a8b0efb

SHA256
0389be5da89f6766fbe9dd9006fb017aaa732d731c046ba85eb50e1c3c9b32b4

SHA512
b8e4e7c880c61d3101b1873b4975a69e6995e7842b9f070e6e405ae90acb96709b125a3cafb17cf22a18e3eccd330777267919888db4d5518ee120893cda68ed

Download Submit
C:\Windows\system\qNjXuPB.exe
Filesize
5.9MB

MD5
2916de78777b4f443f2500517331bfd3

SHA1
4a19dcd649f4d166e0c977a0cb8e33b66b5f74d1

SHA256
abd0dda5d9f969faccebd0dd1376cb46dc8a04c693ad33cafe14bbe8ed1ef26d

SHA512
d3ab86347cee7b85f13e763eec4776a0a2177423e4ca844d3ea56a8150cb27a1dded57aaae47ebde8f50d4bfdea853db6d71a5097f7b0368f176d6dff199f487

Download Submit
C:\Windows\system\rkPXngq.exe
Filesize
5.9MB

MD5
a9d5601544324b5f278b6ec33c8839ee

SHA1
bfad6a6d5b9d443000a5fa03dc1c8afb73dd5733

SHA256
93db643a56686bf4a60e98423afee4a9228066f8518c6268d8c61cf846f75ddd

SHA512
14b3e92acb24ce509769b2e87f31f660fd32dbebe9f85d6b5946eefbf3c986b0e80abf06e1f1dacc5ebd54e8af02ee65bef10ee9232f8e53ea645c74399584b9

Download Submit
C:\Windows\system\txqIwhB.exe
Filesize
5.9MB

MD5
3774b8848cc61b459c98fa54c7b39871

SHA1
26942471d316f2b4bdbaa67b081b49f1f55096d6

SHA256
c1b69dede3412c2b14e60e83773ada5b06d835e16fd8b338efacbe56ecaae8d6

SHA512
4239d992050d5aa2ddc6f0f8466e3ebcd114fb99bd2af6022a68bc8bed9b198bf39c46817907be08558eeac5341980b8d7d4f82277b5f52d6776388f138b3f89

Download Submit
C:\Windows\system\ubSVwOv.exe
Filesize
5.9MB

MD5
daa453b9f691d9d73b12b1b6c6b8a438

SHA1
190c94625492416e572186fe3f5169113db9b536

SHA256
324babb47c69b714e1177b13390dcb5bcac261c0256f72c80014f81f19ad0dba

SHA512
19d8256591e354979bb685dd5981bf56d562a49992edda8f0a4098f23cea0bdd4d143396ef039b254f69fef468beb8dc0e248b9fa675a60d9edfb5a462b89754

Download Submit
C:\Windows\system\zklPevg.exe
Filesize
5.9MB

MD5
e6cbc78bfcc562e91b3a2acc4c5a0760

SHA1
cfd830a007e97c62facd4f6f5eea846744c92673

SHA256
70fd69cc01beca1d04cb2fbd32329f434eff50d908e2bcc15780db84be210444

SHA512
c305704cd40c7dc7b4d34b76355c1f0c6719482330376212970801a966f4c91ebbaaa7aae1e1cf6b30dbc48e2feda5bc70419e952fce83607630071e6cf75774

Download Submit
\Windows\system\IBYzrIv.exe
Filesize
5.9MB

MD5
1cd30cf45b4cd26c8d21d569e8c3eeb4

SHA1
79ef85bf45eb1dbf3948dd39caeb9a3535be2269

SHA256
79085577b60aa73e937d5a9bb98f375944559f874e0267024970e1e0b7cae516

SHA512
1b5f893eb3baee0ed80f48455e7cd99a9e1ff4985f50689eb222478a64f0e94a4d487644968aeb52407232178913bced8dcaeeeffbb4bec11ecdaab2c67134db

Download Submit
\Windows\system\MvwqyNI.exe
Filesize
5.9MB

MD5
31b2a7b4554cbd34e1990c95f54bb7d2

SHA1
1d50c759da33c1e7bb645fa793c93aaa7a60dd9e

SHA256
7670999afcd4909c543c16868e2d4abd781a5acc3ceb174d5bbb7dcf99c94fad

SHA512
d1d5f0d317430f48ddf3947e8018d5c001028a3579b424cdede7266c4e8c06933d89192c3456a1e24ae57523af1334b5da136e239ce445586fc7a17c8ac49c57

Download Submit
\Windows\system\kUkRCZu.exe
Filesize
5.9MB

MD5
ff8398841ba29593d831476129dcbb7e

SHA1
cf782f197605e2b4ea003e70c74d986a6d2997aa

SHA256
e70084e653dcf011f34a4cbca3c78e6fe4b149529d08b5eb786f98f7e519d6bc

SHA512
0a7bb10562591a5220e175bd4571c456ae3b2f8c5374e0ebf4b141a9cb6683feeef4c5af90b0ae3de8c8153da12ab3ca1cfe9f0fac3d0f55e0d05ab590250fad

Download Submit
\Windows\system\wptfawH.exe
Filesize
5.9MB

MD5
b19d46454598ff7d7005e878e95d92a2

SHA1
4ee80073675a78e1c488d962cf1a82e37dbc6fdc

SHA256
c26b7ff49a2d05bbc5ff590a24d58009bc6fb286c1a99a41e058a7b6c1299900

SHA512
fef0b6110c54500c0c1269049f651c85d363d1dcc0320ed76312a48f573f3751fd4f3f4752f10e7f2bb0ebb4756fe69111ca6c2899eeb9ce82a242f9ce723723

Download Submit
memory/1508-139-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/1508-15-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2024-142-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2024-34-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2056-138-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-70-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2056-98-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-83-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-97-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2056-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-29-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-90-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-32-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2056-8-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2056-1-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2056-41-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-23-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2056-65-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2056-68-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2056-71-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2320-36-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2320-135-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2320-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2504-149-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-84-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-145-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2604-59-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2620-96-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2620-150-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2692-31-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2704-146-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2704-66-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2716-147-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2716-72-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2740-144-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-42-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-136-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-148-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2792-74-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2876-76-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2876-137-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2876-152-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2964-109-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2972-140-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2972-27-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2972-91-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download