cobaltstrike | 58cdb8e8bf5d224d58ae0a45b1b2754da11d5208d38aa4e4bfb0a408756b1550

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

4290ad2a8dd4993c88b7199cc093469c
SHA1

47559ea5c19b0858c30204b84f23a1724cdb3976
SHA256

58cdb8e8bf5d224d58ae0a45b1b2754da11d5208d38aa4e4bfb0a408756b1550
SHA512

726c53158a6dae0a8c952727908b4c4f0e339fdfcbf8851ade92280fda992af629c0463f6e2ee37e9ef59c1ecf8a6ced78bc8119db50758ff5ded5c0f3b10f21
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUb:T+856utgpPF8u/7b

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\SNfQyPb.exe	cobalt_reflective_dll
C:\Windows\system\nBKXHkG.exe	cobalt_reflective_dll
C:\Windows\system\FDnUyHB.exe	cobalt_reflective_dll
\Windows\system\JEZeIDw.exe	cobalt_reflective_dll
C:\Windows\system\KEAYhIc.exe	cobalt_reflective_dll
\Windows\system\lHSrNvh.exe	cobalt_reflective_dll
C:\Windows\system\OTOGCCJ.exe	cobalt_reflective_dll
C:\Windows\system\polKHmg.exe	cobalt_reflective_dll
C:\Windows\system\UVbQMTH.exe	cobalt_reflective_dll
\Windows\system\btHvsop.exe	cobalt_reflective_dll
C:\Windows\system\QjopsRu.exe	cobalt_reflective_dll
C:\Windows\system\yfWjVhp.exe	cobalt_reflective_dll
C:\Windows\system\CPKLlsm.exe	cobalt_reflective_dll
C:\Windows\system\LrUzBoC.exe	cobalt_reflective_dll
C:\Windows\system\DnEQAHQ.exe	cobalt_reflective_dll
C:\Windows\system\VHWQGKz.exe	cobalt_reflective_dll
C:\Windows\system\lPTOHtB.exe	cobalt_reflective_dll
C:\Windows\system\dxXohBr.exe	cobalt_reflective_dll
C:\Windows\system\cQpbjOJ.exe	cobalt_reflective_dll
C:\Windows\system\VrzpcBw.exe	cobalt_reflective_dll
\Windows\system\SIqqxaN.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\SNfQyPb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nBKXHkG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FDnUyHB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\JEZeIDw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KEAYhIc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lHSrNvh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OTOGCCJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\polKHmg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UVbQMTH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\btHvsop.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QjopsRu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yfWjVhp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CPKLlsm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LrUzBoC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DnEQAHQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VHWQGKz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lPTOHtB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dxXohBr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cQpbjOJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VrzpcBw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\SIqqxaN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 53 IoCs

Processes:

resource	yara_rule
behavioral1/memory/620-0-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
C:\Windows\system\SNfQyPb.exe	UPX
behavioral1/memory/2744-9-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
C:\Windows\system\nBKXHkG.exe	UPX
behavioral1/memory/2232-15-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
C:\Windows\system\FDnUyHB.exe	UPX
behavioral1/memory/2672-21-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
\Windows\system\JEZeIDw.exe	UPX
C:\Windows\system\KEAYhIc.exe	UPX
\Windows\system\lHSrNvh.exe	UPX
C:\Windows\system\OTOGCCJ.exe	UPX
behavioral1/memory/2504-63-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
C:\Windows\system\polKHmg.exe	UPX
C:\Windows\system\UVbQMTH.exe	UPX
\Windows\system\btHvsop.exe	UPX
C:\Windows\system\QjopsRu.exe	UPX
C:\Windows\system\yfWjVhp.exe	UPX
C:\Windows\system\CPKLlsm.exe	UPX
behavioral1/memory/2636-108-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
C:\Windows\system\LrUzBoC.exe	UPX
C:\Windows\system\DnEQAHQ.exe	UPX
behavioral1/memory/1304-104-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
C:\Windows\system\VHWQGKz.exe	UPX
behavioral1/memory/2672-90-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/2520-88-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/2960-87-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
C:\Windows\system\lPTOHtB.exe	UPX
behavioral1/memory/2232-79-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2952-70-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
C:\Windows\system\dxXohBr.exe	UPX
C:\Windows\system\cQpbjOJ.exe	UPX
behavioral1/memory/620-62-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2656-56-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
C:\Windows\system\VrzpcBw.exe	UPX
behavioral1/memory/2496-49-0x000000013FCE0000-0x0000000140034000-memory.dmp	UPX
behavioral1/memory/2484-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
\Windows\system\SIqqxaN.exe	UPX
behavioral1/memory/2468-36-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/memory/2668-29-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX
behavioral1/memory/2744-139-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/memory/2672-141-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/2668-140-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX
behavioral1/memory/2468-142-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/memory/2484-143-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
behavioral1/memory/2496-144-0x000000013FCE0000-0x0000000140034000-memory.dmp	UPX
behavioral1/memory/2656-145-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/memory/2504-146-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
behavioral1/memory/2952-147-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
behavioral1/memory/2960-148-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2520-149-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/1304-150-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/2636-151-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/2232-152-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX

XMRig Miner payload 55 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/620-0-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
C:\Windows\system\SNfQyPb.exe	xmrig
behavioral1/memory/2744-9-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
C:\Windows\system\nBKXHkG.exe	xmrig
behavioral1/memory/2232-15-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
C:\Windows\system\FDnUyHB.exe	xmrig
behavioral1/memory/2672-21-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
\Windows\system\JEZeIDw.exe	xmrig
C:\Windows\system\KEAYhIc.exe	xmrig
\Windows\system\lHSrNvh.exe	xmrig
C:\Windows\system\OTOGCCJ.exe	xmrig
behavioral1/memory/2504-63-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
C:\Windows\system\polKHmg.exe	xmrig
C:\Windows\system\UVbQMTH.exe	xmrig
\Windows\system\btHvsop.exe	xmrig
C:\Windows\system\QjopsRu.exe	xmrig
C:\Windows\system\yfWjVhp.exe	xmrig
C:\Windows\system\CPKLlsm.exe	xmrig
behavioral1/memory/2636-108-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
C:\Windows\system\LrUzBoC.exe	xmrig
C:\Windows\system\DnEQAHQ.exe	xmrig
behavioral1/memory/1304-104-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
C:\Windows\system\VHWQGKz.exe	xmrig
behavioral1/memory/2672-90-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/620-89-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2520-88-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2960-87-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
C:\Windows\system\lPTOHtB.exe	xmrig
behavioral1/memory/2232-79-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2952-70-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
C:\Windows\system\dxXohBr.exe	xmrig
C:\Windows\system\cQpbjOJ.exe	xmrig
behavioral1/memory/620-62-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2656-56-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
C:\Windows\system\VrzpcBw.exe	xmrig
behavioral1/memory/2496-49-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2484-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
\Windows\system\SIqqxaN.exe	xmrig
behavioral1/memory/2468-36-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2668-29-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/620-138-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2744-139-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/memory/2672-141-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2668-140-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/2468-142-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2484-143-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2496-144-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2656-145-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2504-146-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2952-147-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2960-148-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2520-149-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/1304-150-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2636-151-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2232-152-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

SNfQyPb.exenBKXHkG.exeFDnUyHB.exeJEZeIDw.exeKEAYhIc.exelHSrNvh.exeSIqqxaN.exeVrzpcBw.exeOTOGCCJ.execQpbjOJ.exedxXohBr.exelPTOHtB.exeVHWQGKz.exeUVbQMTH.exepolKHmg.exeCPKLlsm.exeyfWjVhp.exeQjopsRu.exeDnEQAHQ.exeLrUzBoC.exebtHvsop.exe

pid	process
2744	SNfQyPb.exe
2232	nBKXHkG.exe
2672	FDnUyHB.exe
2668	JEZeIDw.exe
2468	KEAYhIc.exe
2484	lHSrNvh.exe
2496	SIqqxaN.exe
2656	VrzpcBw.exe
2504	OTOGCCJ.exe
2952	cQpbjOJ.exe
2960	dxXohBr.exe
2520	lPTOHtB.exe
1304	VHWQGKz.exe
2636	UVbQMTH.exe
608	polKHmg.exe
1004	CPKLlsm.exe
352	yfWjVhp.exe
1888	QjopsRu.exe
1452	DnEQAHQ.exe
652	LrUzBoC.exe
768	btHvsop.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/620-0-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
C:\Windows\system\SNfQyPb.exe	upx
behavioral1/memory/2744-9-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
C:\Windows\system\nBKXHkG.exe	upx
behavioral1/memory/2232-15-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
C:\Windows\system\FDnUyHB.exe	upx
behavioral1/memory/2672-21-0x000000013F240000-0x000000013F594000-memory.dmp	upx
\Windows\system\JEZeIDw.exe	upx
C:\Windows\system\KEAYhIc.exe	upx
\Windows\system\lHSrNvh.exe	upx
C:\Windows\system\OTOGCCJ.exe	upx
behavioral1/memory/2504-63-0x000000013F620000-0x000000013F974000-memory.dmp	upx
C:\Windows\system\polKHmg.exe	upx
C:\Windows\system\UVbQMTH.exe	upx
\Windows\system\btHvsop.exe	upx
C:\Windows\system\QjopsRu.exe	upx
C:\Windows\system\yfWjVhp.exe	upx
C:\Windows\system\CPKLlsm.exe	upx
behavioral1/memory/2636-108-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
C:\Windows\system\LrUzBoC.exe	upx
C:\Windows\system\DnEQAHQ.exe	upx
behavioral1/memory/1304-104-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
C:\Windows\system\VHWQGKz.exe	upx
behavioral1/memory/2672-90-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2520-88-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2960-87-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
C:\Windows\system\lPTOHtB.exe	upx
behavioral1/memory/2232-79-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2952-70-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
C:\Windows\system\dxXohBr.exe	upx
C:\Windows\system\cQpbjOJ.exe	upx
behavioral1/memory/620-62-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2656-56-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
C:\Windows\system\VrzpcBw.exe	upx
behavioral1/memory/2496-49-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2484-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
\Windows\system\SIqqxaN.exe	upx
behavioral1/memory/2468-36-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2668-29-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/2744-139-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/memory/2672-141-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2668-140-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/2468-142-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2484-143-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2496-144-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2656-145-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2504-146-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2952-147-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2960-148-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2520-149-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/1304-150-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2636-151-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2232-152-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\SIqqxaN.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cQpbjOJ.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lPTOHtB.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\btHvsop.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SNfQyPb.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OTOGCCJ.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yfWjVhp.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DnEQAHQ.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KEAYhIc.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dxXohBr.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VHWQGKz.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\polKHmg.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPKLlsm.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LrUzBoC.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nBKXHkG.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FDnUyHB.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JEZeIDw.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lHSrNvh.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VrzpcBw.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UVbQMTH.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QjopsRu.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 620 wrote to memory of 2744	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	SNfQyPb.exe
PID 620 wrote to memory of 2744	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	SNfQyPb.exe
PID 620 wrote to memory of 2744	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	SNfQyPb.exe
PID 620 wrote to memory of 2232	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	nBKXHkG.exe
PID 620 wrote to memory of 2232	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	nBKXHkG.exe
PID 620 wrote to memory of 2232	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	nBKXHkG.exe
PID 620 wrote to memory of 2672	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	FDnUyHB.exe
PID 620 wrote to memory of 2672	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	FDnUyHB.exe
PID 620 wrote to memory of 2672	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	FDnUyHB.exe
PID 620 wrote to memory of 2668	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	JEZeIDw.exe
PID 620 wrote to memory of 2668	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	JEZeIDw.exe
PID 620 wrote to memory of 2668	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	JEZeIDw.exe
PID 620 wrote to memory of 2468	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	KEAYhIc.exe
PID 620 wrote to memory of 2468	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	KEAYhIc.exe
PID 620 wrote to memory of 2468	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	KEAYhIc.exe
PID 620 wrote to memory of 2496	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	SIqqxaN.exe
PID 620 wrote to memory of 2496	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	SIqqxaN.exe
PID 620 wrote to memory of 2496	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	SIqqxaN.exe
PID 620 wrote to memory of 2484	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	lHSrNvh.exe
PID 620 wrote to memory of 2484	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	lHSrNvh.exe
PID 620 wrote to memory of 2484	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	lHSrNvh.exe
PID 620 wrote to memory of 2656	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VrzpcBw.exe
PID 620 wrote to memory of 2656	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VrzpcBw.exe
PID 620 wrote to memory of 2656	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VrzpcBw.exe
PID 620 wrote to memory of 2504	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	OTOGCCJ.exe
PID 620 wrote to memory of 2504	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	OTOGCCJ.exe
PID 620 wrote to memory of 2504	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	OTOGCCJ.exe
PID 620 wrote to memory of 2952	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	cQpbjOJ.exe
PID 620 wrote to memory of 2952	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	cQpbjOJ.exe
PID 620 wrote to memory of 2952	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	cQpbjOJ.exe
PID 620 wrote to memory of 2960	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	dxXohBr.exe
PID 620 wrote to memory of 2960	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	dxXohBr.exe
PID 620 wrote to memory of 2960	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	dxXohBr.exe
PID 620 wrote to memory of 1304	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VHWQGKz.exe
PID 620 wrote to memory of 1304	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VHWQGKz.exe
PID 620 wrote to memory of 1304	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VHWQGKz.exe
PID 620 wrote to memory of 2520	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	lPTOHtB.exe
PID 620 wrote to memory of 2520	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	lPTOHtB.exe
PID 620 wrote to memory of 2520	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	lPTOHtB.exe
PID 620 wrote to memory of 2636	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	UVbQMTH.exe
PID 620 wrote to memory of 2636	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	UVbQMTH.exe
PID 620 wrote to memory of 2636	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	UVbQMTH.exe
PID 620 wrote to memory of 608	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	polKHmg.exe
PID 620 wrote to memory of 608	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	polKHmg.exe
PID 620 wrote to memory of 608	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	polKHmg.exe
PID 620 wrote to memory of 352	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	yfWjVhp.exe
PID 620 wrote to memory of 352	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	yfWjVhp.exe
PID 620 wrote to memory of 352	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	yfWjVhp.exe
PID 620 wrote to memory of 1004	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	CPKLlsm.exe
PID 620 wrote to memory of 1004	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	CPKLlsm.exe
PID 620 wrote to memory of 1004	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	CPKLlsm.exe
PID 620 wrote to memory of 1888	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	QjopsRu.exe
PID 620 wrote to memory of 1888	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	QjopsRu.exe
PID 620 wrote to memory of 1888	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	QjopsRu.exe
PID 620 wrote to memory of 1452	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	DnEQAHQ.exe
PID 620 wrote to memory of 1452	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	DnEQAHQ.exe
PID 620 wrote to memory of 1452	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	DnEQAHQ.exe
PID 620 wrote to memory of 768	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	btHvsop.exe
PID 620 wrote to memory of 768	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	btHvsop.exe
PID 620 wrote to memory of 768	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	btHvsop.exe
PID 620 wrote to memory of 652	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	LrUzBoC.exe
PID 620 wrote to memory of 652	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	LrUzBoC.exe
PID 620 wrote to memory of 652	620	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	LrUzBoC.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\System\SNfQyPb.exe
C:\Windows\System\SNfQyPb.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\System\nBKXHkG.exe
C:\Windows\System\nBKXHkG.exe
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\System\FDnUyHB.exe
C:\Windows\System\FDnUyHB.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\JEZeIDw.exe
C:\Windows\System\JEZeIDw.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\KEAYhIc.exe
C:\Windows\System\KEAYhIc.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\SIqqxaN.exe
C:\Windows\System\SIqqxaN.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\lHSrNvh.exe
C:\Windows\System\lHSrNvh.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\VrzpcBw.exe
C:\Windows\System\VrzpcBw.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\OTOGCCJ.exe
C:\Windows\System\OTOGCCJ.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\cQpbjOJ.exe
C:\Windows\System\cQpbjOJ.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\dxXohBr.exe
C:\Windows\System\dxXohBr.exe
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\System\VHWQGKz.exe
C:\Windows\System\VHWQGKz.exe
2⤵
- Executes dropped EXE
PID:1304

C:\Windows\System\lPTOHtB.exe
C:\Windows\System\lPTOHtB.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\UVbQMTH.exe
C:\Windows\System\UVbQMTH.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\polKHmg.exe
C:\Windows\System\polKHmg.exe
2⤵
- Executes dropped EXE
PID:608

C:\Windows\System\yfWjVhp.exe
C:\Windows\System\yfWjVhp.exe
2⤵
- Executes dropped EXE
PID:352

C:\Windows\System\CPKLlsm.exe
C:\Windows\System\CPKLlsm.exe
2⤵
- Executes dropped EXE
PID:1004

C:\Windows\System\QjopsRu.exe
C:\Windows\System\QjopsRu.exe
2⤵
- Executes dropped EXE
PID:1888

C:\Windows\System\DnEQAHQ.exe
C:\Windows\System\DnEQAHQ.exe
2⤵
- Executes dropped EXE
PID:1452

C:\Windows\System\btHvsop.exe
C:\Windows\System\btHvsop.exe
2⤵
- Executes dropped EXE
PID:768

C:\Windows\System\LrUzBoC.exe
C:\Windows\System\LrUzBoC.exe
2⤵
- Executes dropped EXE
PID:652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CPKLlsm.exe
Filesize
5.9MB

MD5
750674b5efbc858d4c9e8083bb65e049

SHA1
6deb63281f1aa977035719a61496ac23358b87ed

SHA256
5dc7564f2e440e2c5889c31ccb2b6ac3c631fa2169a8428a369ead8b3d46fca7

SHA512
38a991693a66f78beb17aae511222179eed309d9e8012878252f1e6e859b427a535ea3e4979ae2a389e6dd1d83f32e511927a29dcaee33262dc3268b00b98590

Download Submit
C:\Windows\system\DnEQAHQ.exe
Filesize
5.9MB

MD5
f2f3dbf2fced36493fd18973a4f8f6c2

SHA1
31802edfaa709e2a380d5e4f654654e18606d08e

SHA256
86d2317eb538a65a095bfd38b8b23e2907c914d21622e63a184d77cb8c2dfeb9

SHA512
4c353af09c7d0ef27b606586cb68666b7e934301f37f8b00439f99b2c391b2ab3e2959de4b28872991c05ab88958fce0ab8f96d7435bdb614decbc28a6551ab1

Download Submit
C:\Windows\system\FDnUyHB.exe
Filesize
5.9MB

MD5
0ee22d1d4f3911ad1ffb38bd6d56d827

SHA1
0c0bb8848fae0fd92fa4845a40c019f3d1a5fcb1

SHA256
00b31d249fd023c256bfcf3c43348f1fa716637e9e49c09165dc6a50c24ebde8

SHA512
2d37dfbd52ab9f39945cf47feb0a66a89a6466d24e0b97461a978a4c21d45e08b00b87e9b9d26b6efd8d6ffb105a17260aebabf25f64227c1b9568789f88f18d

Download Submit
C:\Windows\system\KEAYhIc.exe
Filesize
5.9MB

MD5
e48de80ca96f31eb0fd583feddb09e63

SHA1
70a0c94b1acb5dc194c9ab0196c46c0a4958c9ea

SHA256
b75a8057b7a85312831b003728406235308e7aca3d112172bafeeed350da7129

SHA512
358c51e92d42740502ad9c1271353f556b39bf3bde81854d2a5630b785071431a836f37111c481d2c9c234f61863e2b8eee4e659f46c3f9a2a2a331d2090a2bf

Download Submit
C:\Windows\system\LrUzBoC.exe
Filesize
5.9MB

MD5
4bfbda2715f6ee574d1f383d4d8d2bc4

SHA1
35225df94c8de3216f55dadef4a860b11cd239d6

SHA256
19e4b87ed7d1ffc805201dfd304f08fe0c1aaaa02579e9fc866472c5faa2a826

SHA512
5999f8e5c19ad3a1d26b06b24d98643aa1494aac1c7333474c0bba52a44bbcbf4830386712aa0ee9da4f5631056bb8a2ce6628049de5e3a349efa957b3dd1add

Download Submit
C:\Windows\system\OTOGCCJ.exe
Filesize
5.9MB

MD5
de5b77d07364fa02f44f552050c80389

SHA1
a9b146bd2433a95864b0b13ace5f4e869337e6cd

SHA256
2a325fac067e65b8dfb150d0f00409ba37fa2fdb7a4f5c2306443cc5eedbd567

SHA512
019564fad2870403f4ce4fd8416299233ebb911df89561726c8cd0fd67525d3d5bf047f7dd20a4e94ec761e5aba4d080905265e0d4db1a3f32a552e52870118e

Download Submit
C:\Windows\system\QjopsRu.exe
Filesize
5.9MB

MD5
b8115f53b37d2047753fae6eef2e19ae

SHA1
b007fc4474be115ccfd14022cdee1126ed84c473

SHA256
5731e0defa0f9a74c9db02424ac325ef2e440592d4f44aadd9cd50d615a60bbb

SHA512
7361cbcf8141e3d9d04c97a0ea1ed4156d6186911fb60eceb8a302c85abb2f0ada6133f8800e9d7670db17a3a2cad6e999333703c59887bd8d5a578d61bd0d05

Download Submit
C:\Windows\system\SNfQyPb.exe
Filesize
5.9MB

MD5
4eaf6018ecc2f744c1e82beaeeb774c1

SHA1
7d3885a3fca8f34945cd4201ca0921a8fe075df8

SHA256
f6a1023df35e1172d9069d38f5e4eeefe84f93b9ddd59400f5be9f558380af24

SHA512
a82b519b357e078bfb7575c91158af8fa392a326ad436237b12d346925f5dde65134c5b038e631e5c9d790c55bf9435a590428f0941a0ec899d6bb60c6d19d25

Download Submit
C:\Windows\system\UVbQMTH.exe
Filesize
5.9MB

MD5
a48d4c556633e8d523b874a8afcecae5

SHA1
5e334a4d4ec6924dd428a31e702a697b1f59da3d

SHA256
4eef397d740268f63bc89a03390a891cf69afcd5eee5942bf1cf73ed127edd14

SHA512
2bdb7d5aceee6e38789603429b2aca7dc590595730f6f1eed97733f9f3d6032a9154460709b8a88d1cd6c4a3c43bb7d30fc3af7b5b8268a0b3fec7e2ee1a28e1

Download Submit
C:\Windows\system\VHWQGKz.exe
Filesize
5.9MB

MD5
0fc3a1e257ae4a68da236ba75a389cfc

SHA1
e3e96963475669b056127881f909f3692eca6d92

SHA256
22dd346bb43dd312bdcc0df278bcc2a25f8846b3057594063856ea13de206c84

SHA512
1543dd53bf299b7acca93a094770c3d0e9dfa3973229e5d880fd092cbb105b21e8d84bcd9c3db9ac9fb6c7c7a13e7a462a7a3f3aa2a44779ccf60519f88042be

Download Submit
C:\Windows\system\VrzpcBw.exe
Filesize
5.9MB

MD5
adc57abc7c9a5970f6a659f47b32d061

SHA1
a33c9835dc7f534943f3c5af4694136c1d1a2019

SHA256
d17dcaedffb8704c973aa928511e9b6ab8a728bf2b61ede5a08fba07680f3d15

SHA512
f08dee4dd4c73de6bb1646886f4a948a1df4ba7329980b807ea9e22d66605072a8ea0d3342f2fadc0f46a754f7a8718400963c30c3c1efd0ba9d9e00bc13005e

Download Submit
C:\Windows\system\cQpbjOJ.exe
Filesize
5.9MB

MD5
5cf665bc239add1776dc78d5a2380da7

SHA1
6b450089c370e345a9e74753d3f13114c071e6be

SHA256
1c6ebb351ca028a2a684a5935c65d69c5dc00e3112b2bca4b2dda76e0d149c31

SHA512
63e801fdf831ccd51a7aa7123e57dc0ad79bced8d904a302c819ff773200d6f6088537b8f40b22cd63e9e353b826dc9acb829bc1d17aff75635dc85a71ba42a6

Download Submit
C:\Windows\system\dxXohBr.exe
Filesize
5.9MB

MD5
f10df114df7e3c07dd4bf0f67b7a92a2

SHA1
433b7bbbb92b5f21ec29d8c494b4b59eeddd91c7

SHA256
fbdc798db61370338d8781e82b2f0ef0d601c3acd8b90c5ade24b236ba71a639

SHA512
fdbdf0b93a21103eaa2fc1c497019371727df5a14981ce164973584cae489fc09a13f46b751de00c94937c1978661ee7721d2cd370af126d3f3738e804df8fc1

Download Submit
C:\Windows\system\lPTOHtB.exe
Filesize
5.9MB

MD5
595e0569d34de97e5ea3f91b470b69f9

SHA1
ffea928c988da8b03bde916c3b46e5a24d78281f

SHA256
60082c062d863def687b886f0512ebcf7ab03aa2edb7097d8e73a332afd3346f

SHA512
fa9452187326be0e261f12c13e5057d519d1ea684650f8fb89482a58380af37acfa86192167dfaa0a2301922707a5434d0584dbebe63990718b06b3191482b43

Download Submit
C:\Windows\system\nBKXHkG.exe
Filesize
5.9MB

MD5
dbad85186b73a2a0b631b1478dccd865

SHA1
118a41695761577356fc323700cc9e2bf0123bc6

SHA256
bf5a1b3c21c603c4c1665686f63010314775c209f4d87ee79fe0cb204cc9f929

SHA512
772ca5bacf8fe68d43c718e351ac987c7bf235dd58b958dcc19f7033c83f574267ac06e57229552a4e91299fe24a689c8b540809921a3bbb1cc1d40d97f8192c

Download Submit
C:\Windows\system\polKHmg.exe
Filesize
5.9MB

MD5
fde7b789faac952332ee16f42720823c

SHA1
59e6b10ff34851e1529cc9dedb0e8a554389a933

SHA256
6bec7f2cff02645d3a90762568929039c682c0e3da77717085ea438a4e4893f5

SHA512
cc2c81a8a6b4bafd1a72b814eb12b02b91e2e3b0c968d37c0d01d7bf10b2b5852a3b472111c9ed9822925e365423f6a38c9e4ea4c6a1201fa0c52cb5a3c24ca4

Download Submit
C:\Windows\system\yfWjVhp.exe
Filesize
5.9MB

MD5
1e49830887807f02b3ee158a08226933

SHA1
96af347fe91a9c192f75f335dd2fba87f77da3ce

SHA256
5c1aeb529ffff5350a6a7902bd07d2f6b24f6fc5cf0edf56d998d93c00512c50

SHA512
881a0ee60f5078b1d8596c64d09a7bc6530a759dc78a10f38e2f27b65472e9cdd26f8c6e8f4e029fb9be5ed9bb3f3ace4d48167c88d6a154dc9cb4c6623879c4

Download Submit
\Windows\system\JEZeIDw.exe
Filesize
5.9MB

MD5
9559fb7e0bbf93a0f567ae04f606c414

SHA1
3a5023249595006cbca8ed447b702c29809417a2

SHA256
1ab0bad298ecc55d7b1dfa965f43ddec694041acd46e0e0b19200c1f97fd8fe2

SHA512
dd43f2e61a8c4c211e070aaf24f91877a07496ce1e60319a7865ae9210433e9170e503dad9d3d1a493c76507e4ba78ac6f3eb61c8c8f74cf09f31ff49e227018

Download Submit
\Windows\system\SIqqxaN.exe
Filesize
5.9MB

MD5
dc5eba02ca2d56afdc407704f0af11da

SHA1
c7898aa0dbc9002c58d809a7fb79cdb20b65eb79

SHA256
2f0716e62b9b91a6e6e5198e3fcadbd7c01b912687a33e23be34ca87f4d2c92b

SHA512
4c0e3fe3417567f10007178c0a03a9e67199ba8a6654774db2dd87bf080489b431f05ba298a564660e782a8d608e37c6556dc104d7f26af1e037193401d4cea9

Download Submit
\Windows\system\btHvsop.exe
Filesize
5.9MB

MD5
d77fd490984271aa73a09b7de299dee7

SHA1
dec3751e981116fa85ffffadce0554e3c3d4b76c

SHA256
ee3f86e717d31ea9e1f35634e66d8378746b777031661af382207cbb42d43138

SHA512
1141aadfeddb833e77c7780d558aca03bbf4ea84514f931c1cb874746f35936387ca8442937749a14dd43ab6c75652a7948a34556dd7c103c4f8f3aefce5b141

Download Submit
\Windows\system\lHSrNvh.exe
Filesize
5.9MB

MD5
f51d70a6358f7bf2baa5600fff0e4abc

SHA1
d6dfe205c61c582739f7db5dbabbb7ead0053cac

SHA256
c216eb5eb6a10a42c5aec5fae1e1c9800a185f8b7d3f89c8c234d02e51926142

SHA512
f222511b5776d002484b787db6aa11e64a4a715e036a6d46d9eeb5f3c46c5d45173c913ec8a42b8dcd66f7386f63173485598aa5593084a307475a4b09623a4b

Download Submit
memory/620-20-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/620-8-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/620-83-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/620-138-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/620-112-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/620-137-0x0000000002430000-0x0000000002784000-memory.dmp

Filesize
3.3MB

Download
memory/620-40-0x0000000002430000-0x0000000002784000-memory.dmp

Filesize
3.3MB

Download
memory/620-92-0x0000000002430000-0x0000000002784000-memory.dmp

Filesize
3.3MB

Download
memory/620-91-0x0000000002430000-0x0000000002784000-memory.dmp

Filesize
3.3MB

Download
memory/620-0-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/620-89-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/620-28-0x0000000002430000-0x0000000002784000-memory.dmp

Filesize
3.3MB

Download
memory/620-35-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/620-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/620-55-0x0000000002430000-0x0000000002784000-memory.dmp

Filesize
3.3MB

Download
memory/620-62-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/620-69-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/620-14-0x0000000002430000-0x0000000002784000-memory.dmp

Filesize
3.3MB

Download
memory/1304-104-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/1304-150-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-152-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-15-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-79-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-36-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2468-142-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2484-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-143-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2496-144-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2496-49-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2504-63-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2504-146-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2520-88-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2520-149-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2636-108-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2636-151-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2656-145-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2656-56-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2668-140-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2668-29-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2672-141-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2672-90-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2672-21-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2744-139-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-9-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2952-147-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2952-70-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2960-148-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2960-87-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download