cobaltstrike | da4889eae0a9dcba87de468da19d5fc1ec5b16e673419eb8b9d43bed09f7e7ff

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

f7f6f9f9302926b518975b7a884e32f2
SHA1

d69d7debc202be0769c2fbab3ea94a646a84a59a
SHA256

da4889eae0a9dcba87de468da19d5fc1ec5b16e673419eb8b9d43bed09f7e7ff
SHA512

de48dcab63d2eeced6d25042f7c843df66c7288f0eea6666e3f2a81666c51b002f0935c9e98a29201cb1d39b3045da20c22d3f4739f99c07d91ed255dcc06bfd
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUO:Q+856utgpPF8u/7O

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\eyhCbBZ.exe	cobalt_reflective_dll
\Windows\system\pwsNBrl.exe	cobalt_reflective_dll
\Windows\system\yYhkEnp.exe	cobalt_reflective_dll
\Windows\system\hVoluqX.exe	cobalt_reflective_dll
C:\Windows\system\RJudDAN.exe	cobalt_reflective_dll
C:\Windows\system\uQwqEbT.exe	cobalt_reflective_dll
C:\Windows\system\rfJkERE.exe	cobalt_reflective_dll
\Windows\system\XFiutRe.exe	cobalt_reflective_dll
C:\Windows\system\mqBMjgf.exe	cobalt_reflective_dll
C:\Windows\system\OsYKDPt.exe	cobalt_reflective_dll
C:\Windows\system\CtSkQTX.exe	cobalt_reflective_dll
C:\Windows\system\LttLIUC.exe	cobalt_reflective_dll
C:\Windows\system\zKkYMut.exe	cobalt_reflective_dll
C:\Windows\system\SGSAXhu.exe	cobalt_reflective_dll
C:\Windows\system\WAVurIN.exe	cobalt_reflective_dll
C:\Windows\system\lfIyIvG.exe	cobalt_reflective_dll
C:\Windows\system\gzBZrml.exe	cobalt_reflective_dll
C:\Windows\system\prrQvDJ.exe	cobalt_reflective_dll
C:\Windows\system\vgJEKpb.exe	cobalt_reflective_dll
C:\Windows\system\zFVMZuG.exe	cobalt_reflective_dll
C:\Windows\system\tgPobZI.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\eyhCbBZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\pwsNBrl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\yYhkEnp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hVoluqX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RJudDAN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uQwqEbT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rfJkERE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\XFiutRe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mqBMjgf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OsYKDPt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CtSkQTX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LttLIUC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zKkYMut.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SGSAXhu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WAVurIN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lfIyIvG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gzBZrml.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\prrQvDJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vgJEKpb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zFVMZuG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tgPobZI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 53 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2128-0-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
\Windows\system\eyhCbBZ.exe	UPX
\Windows\system\pwsNBrl.exe	UPX
\Windows\system\yYhkEnp.exe	UPX
behavioral1/memory/344-22-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
\Windows\system\hVoluqX.exe	UPX
behavioral1/memory/1716-26-0x000000013FA80000-0x000000013FDD4000-memory.dmp	UPX
C:\Windows\system\RJudDAN.exe	UPX
behavioral1/memory/2812-43-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
C:\Windows\system\uQwqEbT.exe	UPX
C:\Windows\system\rfJkERE.exe	UPX
\Windows\system\XFiutRe.exe	UPX
behavioral1/memory/2824-72-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
C:\Windows\system\mqBMjgf.exe	UPX
behavioral1/memory/2548-93-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
C:\Windows\system\OsYKDPt.exe	UPX
C:\Windows\system\CtSkQTX.exe	UPX
C:\Windows\system\LttLIUC.exe	UPX
C:\Windows\system\zKkYMut.exe	UPX
C:\Windows\system\SGSAXhu.exe	UPX
C:\Windows\system\WAVurIN.exe	UPX
C:\Windows\system\lfIyIvG.exe	UPX
behavioral1/memory/1832-100-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX
behavioral1/memory/2812-136-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
C:\Windows\system\gzBZrml.exe	UPX
behavioral1/memory/2332-86-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2128-85-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
C:\Windows\system\prrQvDJ.exe	UPX
behavioral1/memory/2500-78-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
C:\Windows\system\vgJEKpb.exe	UPX
behavioral1/memory/2700-65-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2696-58-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
C:\Windows\system\zFVMZuG.exe	UPX
behavioral1/memory/2636-51-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2828-40-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2448-34-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/1992-32-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
C:\Windows\system\tgPobZI.exe	UPX
behavioral1/memory/2500-139-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/344-143-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
behavioral1/memory/1716-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp	UPX
behavioral1/memory/1992-145-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/2448-146-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2828-147-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2636-149-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2812-148-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/2696-150-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2700-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2824-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/2500-153-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2332-154-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2548-155-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/memory/1832-156-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX

XMRig Miner payload 57 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2128-0-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
\Windows\system\eyhCbBZ.exe	xmrig
\Windows\system\pwsNBrl.exe	xmrig
\Windows\system\yYhkEnp.exe	xmrig
behavioral1/memory/344-22-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
\Windows\system\hVoluqX.exe	xmrig
behavioral1/memory/1716-26-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2128-35-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
C:\Windows\system\RJudDAN.exe	xmrig
behavioral1/memory/2812-43-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
C:\Windows\system\uQwqEbT.exe	xmrig
C:\Windows\system\rfJkERE.exe	xmrig
\Windows\system\XFiutRe.exe	xmrig
behavioral1/memory/2824-72-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
C:\Windows\system\mqBMjgf.exe	xmrig
behavioral1/memory/2548-93-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
C:\Windows\system\OsYKDPt.exe	xmrig
C:\Windows\system\CtSkQTX.exe	xmrig
C:\Windows\system\LttLIUC.exe	xmrig
C:\Windows\system\zKkYMut.exe	xmrig
C:\Windows\system\SGSAXhu.exe	xmrig
C:\Windows\system\WAVurIN.exe	xmrig
C:\Windows\system\lfIyIvG.exe	xmrig
behavioral1/memory/1832-100-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/2812-136-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
C:\Windows\system\gzBZrml.exe	xmrig
behavioral1/memory/2332-86-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2128-85-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
C:\Windows\system\prrQvDJ.exe	xmrig
behavioral1/memory/2500-78-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
C:\Windows\system\vgJEKpb.exe	xmrig
behavioral1/memory/2700-65-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2696-58-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
C:\Windows\system\zFVMZuG.exe	xmrig
behavioral1/memory/2636-51-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2128-41-0x0000000002310000-0x0000000002664000-memory.dmp	xmrig
behavioral1/memory/2828-40-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2448-34-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/1992-32-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2128-29-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
C:\Windows\system\tgPobZI.exe	xmrig
behavioral1/memory/2500-139-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2128-140-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/344-143-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/1716-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/1992-145-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2448-146-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2828-147-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2636-149-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2812-148-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2696-150-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2700-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2824-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2500-153-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2332-154-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2548-155-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/1832-156-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

eyhCbBZ.exepwsNBrl.exeyYhkEnp.exehVoluqX.exetgPobZI.exeRJudDAN.exeuQwqEbT.exerfJkERE.exezFVMZuG.exeXFiutRe.exevgJEKpb.exemqBMjgf.exeprrQvDJ.exegzBZrml.exelfIyIvG.exeOsYKDPt.exeWAVurIN.exeSGSAXhu.exezKkYMut.exeCtSkQTX.exeLttLIUC.exe

pid	process
344	eyhCbBZ.exe
1716	pwsNBrl.exe
1992	yYhkEnp.exe
2828	hVoluqX.exe
2448	tgPobZI.exe
2812	RJudDAN.exe
2636	uQwqEbT.exe
2696	rfJkERE.exe
2700	zFVMZuG.exe
2824	XFiutRe.exe
2500	vgJEKpb.exe
2332	mqBMjgf.exe
2548	prrQvDJ.exe
1832	gzBZrml.exe
316	lfIyIvG.exe
1940	OsYKDPt.exe
1752	WAVurIN.exe
1808	SGSAXhu.exe
904	zKkYMut.exe
1692	CtSkQTX.exe
2212	LttLIUC.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2128-0-0x000000013F300000-0x000000013F654000-memory.dmp	upx
\Windows\system\eyhCbBZ.exe	upx
\Windows\system\pwsNBrl.exe	upx
\Windows\system\yYhkEnp.exe	upx
behavioral1/memory/344-22-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
\Windows\system\hVoluqX.exe	upx
behavioral1/memory/1716-26-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
C:\Windows\system\RJudDAN.exe	upx
behavioral1/memory/2812-43-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
C:\Windows\system\uQwqEbT.exe	upx
C:\Windows\system\rfJkERE.exe	upx
\Windows\system\XFiutRe.exe	upx
behavioral1/memory/2824-72-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
C:\Windows\system\mqBMjgf.exe	upx
behavioral1/memory/2548-93-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
C:\Windows\system\OsYKDPt.exe	upx
C:\Windows\system\CtSkQTX.exe	upx
C:\Windows\system\LttLIUC.exe	upx
C:\Windows\system\zKkYMut.exe	upx
C:\Windows\system\SGSAXhu.exe	upx
C:\Windows\system\WAVurIN.exe	upx
C:\Windows\system\lfIyIvG.exe	upx
behavioral1/memory/1832-100-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/2812-136-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
C:\Windows\system\gzBZrml.exe	upx
behavioral1/memory/2332-86-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2128-85-0x000000013F300000-0x000000013F654000-memory.dmp	upx
C:\Windows\system\prrQvDJ.exe	upx
behavioral1/memory/2500-78-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
C:\Windows\system\vgJEKpb.exe	upx
behavioral1/memory/2700-65-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2696-58-0x000000013F230000-0x000000013F584000-memory.dmp	upx
C:\Windows\system\zFVMZuG.exe	upx
behavioral1/memory/2636-51-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2828-40-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2448-34-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/1992-32-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
C:\Windows\system\tgPobZI.exe	upx
behavioral1/memory/2500-139-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/344-143-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/1716-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/1992-145-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2448-146-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2828-147-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2636-149-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2812-148-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2696-150-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2700-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2824-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2500-153-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2332-154-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2548-155-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/1832-156-0x000000013FE20000-0x0000000140174000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\XFiutRe.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WAVurIN.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LttLIUC.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eyhCbBZ.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yYhkEnp.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mqBMjgf.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\prrQvDJ.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gzBZrml.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tgPobZI.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfJkERE.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vgJEKpb.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OsYKDPt.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zKkYMut.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hVoluqX.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zFVMZuG.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uQwqEbT.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lfIyIvG.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SGSAXhu.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CtSkQTX.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pwsNBrl.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RJudDAN.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2128 wrote to memory of 344	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	eyhCbBZ.exe
PID 2128 wrote to memory of 344	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	eyhCbBZ.exe
PID 2128 wrote to memory of 344	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	eyhCbBZ.exe
PID 2128 wrote to memory of 1716	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	pwsNBrl.exe
PID 2128 wrote to memory of 1716	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	pwsNBrl.exe
PID 2128 wrote to memory of 1716	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	pwsNBrl.exe
PID 2128 wrote to memory of 1992	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	yYhkEnp.exe
PID 2128 wrote to memory of 1992	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	yYhkEnp.exe
PID 2128 wrote to memory of 1992	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	yYhkEnp.exe
PID 2128 wrote to memory of 2828	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	hVoluqX.exe
PID 2128 wrote to memory of 2828	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	hVoluqX.exe
PID 2128 wrote to memory of 2828	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	hVoluqX.exe
PID 2128 wrote to memory of 2448	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	tgPobZI.exe
PID 2128 wrote to memory of 2448	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	tgPobZI.exe
PID 2128 wrote to memory of 2448	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	tgPobZI.exe
PID 2128 wrote to memory of 2812	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	RJudDAN.exe
PID 2128 wrote to memory of 2812	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	RJudDAN.exe
PID 2128 wrote to memory of 2812	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	RJudDAN.exe
PID 2128 wrote to memory of 2636	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	uQwqEbT.exe
PID 2128 wrote to memory of 2636	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	uQwqEbT.exe
PID 2128 wrote to memory of 2636	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	uQwqEbT.exe
PID 2128 wrote to memory of 2696	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	rfJkERE.exe
PID 2128 wrote to memory of 2696	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	rfJkERE.exe
PID 2128 wrote to memory of 2696	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	rfJkERE.exe
PID 2128 wrote to memory of 2700	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	zFVMZuG.exe
PID 2128 wrote to memory of 2700	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	zFVMZuG.exe
PID 2128 wrote to memory of 2700	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	zFVMZuG.exe
PID 2128 wrote to memory of 2824	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	XFiutRe.exe
PID 2128 wrote to memory of 2824	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	XFiutRe.exe
PID 2128 wrote to memory of 2824	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	XFiutRe.exe
PID 2128 wrote to memory of 2500	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	vgJEKpb.exe
PID 2128 wrote to memory of 2500	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	vgJEKpb.exe
PID 2128 wrote to memory of 2500	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	vgJEKpb.exe
PID 2128 wrote to memory of 2332	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	mqBMjgf.exe
PID 2128 wrote to memory of 2332	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	mqBMjgf.exe
PID 2128 wrote to memory of 2332	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	mqBMjgf.exe
PID 2128 wrote to memory of 2548	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	prrQvDJ.exe
PID 2128 wrote to memory of 2548	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	prrQvDJ.exe
PID 2128 wrote to memory of 2548	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	prrQvDJ.exe
PID 2128 wrote to memory of 1832	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	gzBZrml.exe
PID 2128 wrote to memory of 1832	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	gzBZrml.exe
PID 2128 wrote to memory of 1832	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	gzBZrml.exe
PID 2128 wrote to memory of 316	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	lfIyIvG.exe
PID 2128 wrote to memory of 316	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	lfIyIvG.exe
PID 2128 wrote to memory of 316	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	lfIyIvG.exe
PID 2128 wrote to memory of 1940	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	OsYKDPt.exe
PID 2128 wrote to memory of 1940	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	OsYKDPt.exe
PID 2128 wrote to memory of 1940	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	OsYKDPt.exe
PID 2128 wrote to memory of 1752	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	WAVurIN.exe
PID 2128 wrote to memory of 1752	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	WAVurIN.exe
PID 2128 wrote to memory of 1752	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	WAVurIN.exe
PID 2128 wrote to memory of 1808	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	SGSAXhu.exe
PID 2128 wrote to memory of 1808	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	SGSAXhu.exe
PID 2128 wrote to memory of 1808	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	SGSAXhu.exe
PID 2128 wrote to memory of 904	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	zKkYMut.exe
PID 2128 wrote to memory of 904	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	zKkYMut.exe
PID 2128 wrote to memory of 904	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	zKkYMut.exe
PID 2128 wrote to memory of 1692	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	CtSkQTX.exe
PID 2128 wrote to memory of 1692	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	CtSkQTX.exe
PID 2128 wrote to memory of 1692	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	CtSkQTX.exe
PID 2128 wrote to memory of 2212	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	LttLIUC.exe
PID 2128 wrote to memory of 2212	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	LttLIUC.exe
PID 2128 wrote to memory of 2212	2128	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	LttLIUC.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\System\eyhCbBZ.exe
C:\Windows\System\eyhCbBZ.exe
2⤵
- Executes dropped EXE
PID:344

C:\Windows\System\pwsNBrl.exe
C:\Windows\System\pwsNBrl.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\System\yYhkEnp.exe
C:\Windows\System\yYhkEnp.exe
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\System\hVoluqX.exe
C:\Windows\System\hVoluqX.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\tgPobZI.exe
C:\Windows\System\tgPobZI.exe
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\System\RJudDAN.exe
C:\Windows\System\RJudDAN.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\System\uQwqEbT.exe
C:\Windows\System\uQwqEbT.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\rfJkERE.exe
C:\Windows\System\rfJkERE.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\System\zFVMZuG.exe
C:\Windows\System\zFVMZuG.exe
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\System\XFiutRe.exe
C:\Windows\System\XFiutRe.exe
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\System\vgJEKpb.exe
C:\Windows\System\vgJEKpb.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\mqBMjgf.exe
C:\Windows\System\mqBMjgf.exe
2⤵
- Executes dropped EXE
PID:2332

C:\Windows\System\prrQvDJ.exe
C:\Windows\System\prrQvDJ.exe
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\System\gzBZrml.exe
C:\Windows\System\gzBZrml.exe
2⤵
- Executes dropped EXE
PID:1832

C:\Windows\System\lfIyIvG.exe
C:\Windows\System\lfIyIvG.exe
2⤵
- Executes dropped EXE
PID:316

C:\Windows\System\OsYKDPt.exe
C:\Windows\System\OsYKDPt.exe
2⤵
- Executes dropped EXE
PID:1940

C:\Windows\System\WAVurIN.exe
C:\Windows\System\WAVurIN.exe
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\System\SGSAXhu.exe
C:\Windows\System\SGSAXhu.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\zKkYMut.exe
C:\Windows\System\zKkYMut.exe
2⤵
- Executes dropped EXE
PID:904

C:\Windows\System\CtSkQTX.exe
C:\Windows\System\CtSkQTX.exe
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\System\LttLIUC.exe
C:\Windows\System\LttLIUC.exe
2⤵
- Executes dropped EXE
PID:2212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CtSkQTX.exe
Filesize
5.9MB

MD5
b22bc8c738cbaf78568bb7e7c425ffca

SHA1
2144e6f53610fdb5d26218d8c5ed71a910512a70

SHA256
8f797006b5928be2da03358f5067036f6403b8121cf607714735906ea45b5ca5

SHA512
40eead91048ea0ccd9433c9803cbdb167ffdd444e61f69fa8b5ca7cd4210c4f95342a3f288918957e92ad37847f26102ff6435229c1818aad1f65fdcae1826f6

Download Submit
C:\Windows\system\LttLIUC.exe
Filesize
5.9MB

MD5
da1394d6f085c7a0655bf192de6e5792

SHA1
662959bb76584f34fb05137dfe9d964f1ce22828

SHA256
b776411150521be9058878adb6aa4c9a0f419a4feb74bb8907d28d6624cc7ed4

SHA512
2206deaf76159bd729643a2773f92f1c1259669b6a6d343fdb2b897c596abd3a62ed8ef648be5e851f12bb33fdecbffe207fe82c4bf77ec2d5ba5ec0155db027

Download Submit
C:\Windows\system\OsYKDPt.exe
Filesize
5.9MB

MD5
ad0e6b824c34f29424e82bbde3d6da8e

SHA1
32e1428f53bc0795c65b9afaa726eff0ba8c19b7

SHA256
dcf7b540c0b5fc7b68ec26ef2f3daad536a90d1ef418df86efd2947aedfa2909

SHA512
337bd69bbe38696c1a33e70e4676a52dc6fd66e3f15c676f50e656814cdb19616ccd9c1b4f0a9b763517efe688866fd32d3e4f1f6d2b30158304cc1145a8af72

Download Submit
C:\Windows\system\RJudDAN.exe
Filesize
5.9MB

MD5
d3625746ea7be5b3be57a5678b685c17

SHA1
6138c22a8b246af8c23350ec92f248704297c112

SHA256
c84d880170fe8e1f32d07b0ea6876dfefa1e15a97ea35d3a4f38c54c40537fec

SHA512
b92d01f238e90a762fa0d2fcacf8d91f35a3f96c81cd767796e7bf33e163b1b42fac25d8f9d7699288e775873a8888adaa09df0e09e36589b1acca9ac34c066a

Download Submit
C:\Windows\system\SGSAXhu.exe
Filesize
5.9MB

MD5
441a9f512d27f55329b1e15dc6a60394

SHA1
28bb8bc1a729e20bc3dc40c8275b591d81b532c1

SHA256
9f4fbd346853fe5ad0d45108a519f224d8f61dbdac10ba06b21bead686c5317c

SHA512
7702e163f851b6e67045012505fa79bd4f98f149e23b30e6c2bf9207ee3c3f6318a69e9106a35fb8bca381ef12c86e6612cc02ae107c2552f9af169d0f4166ac

Download Submit
C:\Windows\system\WAVurIN.exe
Filesize
5.9MB

MD5
50775246ae803655dd9f104d870e2987

SHA1
3d01c872fb5692ffd00641f190cb281dd4037c5d

SHA256
d9e457020cc30a80d9faf4e958e07de471c170bf58579aeb70b07e6ce9df68fc

SHA512
7f68005849b70a0bfc8617f8456553fcd9805c700225d2d21c4a6eb6d204e4a626b1bb3fb35678eadddb1c67087cc1f0066312a472bf2842c3c57f3d501836da

Download Submit
C:\Windows\system\gzBZrml.exe
Filesize
5.9MB

MD5
106474fd0e9d4a779d76244a396c6546

SHA1
989833b4f09165a6afaaddfaac5e8e88edcfb634

SHA256
e3e43922a9d5e28e9e772aa36e0cffc6a633bac65ff100267893f3d2f1d6d4c2

SHA512
04eaab507ba49430b570efdee2980a7ffa39c4c579d9ac01f39d7167b2793363c136f79895e8881807e6b1a12593dfcb6621cee27b53dff67f56fce762a17c7f

Download Submit
C:\Windows\system\lfIyIvG.exe
Filesize
5.9MB

MD5
3750ec1e9cc11da8e229d2537eaa36b0

SHA1
ee341ec7f2cdaf855c2216de33b0be5ff4066a91

SHA256
94e87ba1e0a4192436f961c3b9fdc795b94c862b8700f1bcba8cbbeacaf5b6dc

SHA512
a6c02a623c1d06393d37ac6c1b6c9cb9de6d1790336243751955b6f3ed04361c4a7f99106c1e6ece24f8a68564f0f83bd1ddbf1727d87ff500591fd66a618aa3

Download Submit
C:\Windows\system\mqBMjgf.exe
Filesize
5.9MB

MD5
c941b5e703190bb18777493774748ba4

SHA1
bc57a23c14446afdee919b760e2e93645652d6f2

SHA256
76447a02a8b2bbe8ad7dfdbf8afdd76b38c878c5b01bab252b46ce39de3fee7e

SHA512
c20fccd143dcbe2cf0f22519ecab36e97623c4edbf0a24d18ec5a02c9b7034a9f2113469067cb6f44b1119d0b04f2c75903e9b57497c0e0c5e7ef86179280d54

Download Submit
C:\Windows\system\prrQvDJ.exe
Filesize
5.9MB

MD5
faa6a3b5c842e291dcd9789044ac87b0

SHA1
97ea2a823578c2c4bba32531afc9292ff374baa4

SHA256
598a73dcd01d3216fdf436165cc48085141bd362b3ad77af7088d210d057882a

SHA512
51c1d8d480ef7600cdb19aec57683adec4c9a8aec5159b8685c9938678a1bfc4fa92b22585718d219edc762de4456ef0044a93a4edd0ef4c0e7ae707990e949a

Download Submit
C:\Windows\system\rfJkERE.exe
Filesize
5.9MB

MD5
ae0d08c66058b471ae230ad1dd2b4f2f

SHA1
829b11f6ac5933bb30c6baf3e07c1e1674b2e7e6

SHA256
18617fbb07c86a4ec59e2863024f6ac4d05addfb45d91a06650b95b9e0918831

SHA512
844a7f95de1b6780329c3e8d840e56bbc4726101c807c519c5be4d9dd322da9be5ec8632b1f45b2e672572e6b1366449aee5f00cc06056bd37abf0000057be98

Download Submit
C:\Windows\system\tgPobZI.exe
Filesize
5.9MB

MD5
236bb6603b471cd16ca8e1bba1ae2b9b

SHA1
11c826134fc192cdaad4b47a1b5f706b76c47eb9

SHA256
1834c0d3f28b7687e512d75b8a66c640f863ff27d0c4033072c2636898c552b5

SHA512
8b2e09b785be9765606d0e7d9ff5ba95f8e889169775119e57f4562ba5f2f76e8b1129bdde0bec03b145ef137bd81b17cf39b55fdee133cadeff61b2dd4615f0

Download Submit
C:\Windows\system\uQwqEbT.exe
Filesize
5.9MB

MD5
fe827197bf7bc60a31acba3503d9b4ff

SHA1
c7b29596cb64413061e2b1952777e2ed2f872a23

SHA256
b5bd6bc0b34fcdbde659680c798d175c7d0571021e7588a20b5523b81d651b3f

SHA512
7a0f7225492529256b031f6c25997fb7ab7b544b165d00b120d7b693128ee13ea2e03a78527bdba282640e63b933346322b36739d2722949b7252578372ab4d6

Download Submit
C:\Windows\system\vgJEKpb.exe
Filesize
5.9MB

MD5
0ae5b157635ff87f61e41388060df950

SHA1
60e0e27c19a8955aef96981bca73c8ddf942a368

SHA256
0278e0cef247085d88d0105abe5762a84e74309ea76064b4fa547d5787cf823c

SHA512
0332f384380ed8ba841a74eb3672d2d4e98132757dc696f454d4439c0b5eca5367cc57fa930e2fa0b8a6a4c1021c1874ea16d4d3bab417cc7fc90d13bce75a35

Download Submit
C:\Windows\system\zFVMZuG.exe
Filesize
5.9MB

MD5
779e0f85918f4670c3631a9fc1d78396

SHA1
c7f12fc80cf91bd5bbc0e3fc9055243af9f53e5b

SHA256
b282e7b1636809a531b8c77764e90f36b9360425da2788ac0c48272f44788e07

SHA512
3d35941ece088d7759e55dc15d16efb43824bfd648b2d215fb90b26b1333adac99106e455d3cb921a31fbaa36999932aecc67007004d8c69a8dc158570c0f90f

Download Submit
C:\Windows\system\zKkYMut.exe
Filesize
5.9MB

MD5
bf517b9538e50c2fd83b6a90065bd1aa

SHA1
36882d1590a0c817468535a30cfae51af5a59ef0

SHA256
354ce775d696f33b906f787522e16d4cee65d20f08926f6f74c19f631c839a89

SHA512
84fc06c745a68dc5d40c8654c43e2672181d75e201a5154f875277bfbc4b43daffbb76a3d77c1bc0e8f71c2ca6f8318e46ee4a37fd11ecb6ef58716325b51468

Download Submit
\Windows\system\XFiutRe.exe
Filesize
5.9MB

MD5
bf17e7b09de403ceab1b34ff7d35b38e

SHA1
802173d3ff363cfc6f7c20b6eff620c24dd87058

SHA256
8025f50e9853d3222aa7840daf0f1964270598cbb965112f415b3d19ecaf694f

SHA512
02e0f4984c7f256508f157dab23873baae2271a95918b37b14eede34c70f81fe5757570bf16815ace76197e49be942c5c6b508292407c4f2fccc25a8dee20409

Download Submit
\Windows\system\eyhCbBZ.exe
Filesize
5.9MB

MD5
59c4be5c1ff3d1145e458bec3a33335e

SHA1
bbb9f57287c1781761a985a4244a14b5668bb8c6

SHA256
e417df9a947719386aaa3bd49f8f5348ccfb20f2b93be86e62fe0c1c5fec9f80

SHA512
3c231bd30c8e86303059bb4debfa8fadb4db30f39fe1c9ee44b3c0fa3db7536b5e4f4021f55009f669598ad84eef9bcc6ed7f169de24327f0c37017bae1a5533

Download Submit
\Windows\system\hVoluqX.exe
Filesize
5.9MB

MD5
06c934f618138fc3f7844854ad111b90

SHA1
27a5e9f7a6fa3e985905e2ac23c2a880bc29cacf

SHA256
d3fc7dbe97c28deff80d2d0de36ea5e3cac0fa3b58d559a386b45a544e9d6c60

SHA512
2e9d2cd82ec611bad64dc006a149f25ffb48c6967ae0b765bb4b1636652ad65de0387200ad3b779a69b9c6bc8966dc204867abe8cff54d05c8ca7f6a2ae47895

Download Submit
\Windows\system\pwsNBrl.exe
Filesize
5.9MB

MD5
f712c5f429648f0f76fa11ed09b91719

SHA1
7a6b25ee477462274f59c5ebd835035ecd895bf4

SHA256
6c1e1a9405b2c5a30b81fb2916891ed30b018923640d4645e375210b34cb5fc8

SHA512
e79eb3664dc0c25608218895ed9f8fbbfb1c36a561d9e912b275857522dbac97ef002852d144eff458f8f7885791c75b036fb6452ececbaab0a32ec5d2439012

Download Submit
\Windows\system\yYhkEnp.exe
Filesize
5.9MB

MD5
ce88959ff01b99648b309ef849c1308d

SHA1
f86e3e09b0219ede6bb05b8743c46505c93eb50e

SHA256
6493cccf6a0cd834a01c79164668fdfcc90068b72efedc1c6ec3d45e76df222f

SHA512
8deaaf99dacca6ef385ce19c89366e7254c372ca21f66a3fdd8d5dc02ff2bff94890d2bf1f18e95676172032daced2fad5ca7eaf837203b30187bd9bc2ab188a

Download Submit
memory/344-22-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/344-143-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/1716-26-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-100-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/1832-156-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/1992-145-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/1992-32-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-77-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-29-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-92-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2128-85-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2128-99-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2128-36-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2128-0-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2128-106-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-71-0x0000000002310000-0x0000000002664000-memory.dmp

Filesize
3.3MB

Download
memory/2128-35-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-64-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-142-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-141-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2128-140-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-50-0x0000000002310000-0x0000000002664000-memory.dmp

Filesize
3.3MB

Download
memory/2128-41-0x0000000002310000-0x0000000002664000-memory.dmp

Filesize
3.3MB

Download
memory/2128-138-0x0000000002310000-0x0000000002664000-memory.dmp

Filesize
3.3MB

Download
memory/2128-137-0x0000000002310000-0x0000000002664000-memory.dmp

Filesize
3.3MB

Download
memory/2128-33-0x0000000002310000-0x0000000002664000-memory.dmp

Filesize
3.3MB

Download
memory/2128-18-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2128-57-0x0000000002310000-0x0000000002664000-memory.dmp

Filesize
3.3MB

Download
memory/2332-86-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2332-154-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-34-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-146-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-78-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-139-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-153-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-155-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-93-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-51-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2636-149-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2696-150-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2696-58-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2700-65-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2700-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-43-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2812-148-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2812-136-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2824-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2824-72-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-147-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2828-40-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download