cobaltstrike | 2a092b192af095fa53e51ad416c99ca1b27942b1a5dc36c008c658ab21fca3d3

Analysis

max time kernel
25s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_2727ef7ac0d547bf00abbca3d11f5814_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

2727ef7ac0d547bf00abbca3d11f5814
SHA1

12ec21661822b6dbac0eeb7314a3386e2083fb4c
SHA256

2a092b192af095fa53e51ad416c99ca1b27942b1a5dc36c008c658ab21fca3d3
SHA512

eab8e35283b1d68118b6d110b3266d15cb72e318849a53f38119c94a8d4aa7da42d3e09a9d459c1f4acce31b91df25f0f453b040d32e392a1cfc8f6daf6727b6
SSDEEP

98304:EniLf9FdfE0pZB156utgpPFotBER/mQ32lUE:eOl56utgpPF8u/7E

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 4 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000014e3d-3.dat	cobalt_reflective_dll
behavioral1/files/0x002e000000015364-8.dat	cobalt_reflective_dll
behavioral1/files/0x002c0000000155d4-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015a98-36.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 4 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014e3d-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002e000000015364-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002c0000000155d4-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015a98-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 15 IoCs

resource	yara_rule
behavioral1/memory/1712-0-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/files/0x000b000000014e3d-3.dat	UPX
behavioral1/files/0x002e000000015364-8.dat	UPX
behavioral1/files/0x002c0000000155d4-10.dat	UPX
behavioral1/memory/3004-22-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2632-27-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/memory/2864-30-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
behavioral1/files/0x0007000000015a98-36.dat	UPX
behavioral1/files/0x0007000000015c23-41.dat	UPX
behavioral1/memory/2608-42-0x000000013F070000-0x000000013F3C4000-memory.dmp	UPX
behavioral1/memory/2540-40-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/files/0x00050000000192c9-152.dat	UPX
behavioral1/files/0x000600000001704f-77.dat	UPX
behavioral1/files/0x00050000000192f4-169.dat	UPX
behavioral1/files/0x0006000000018d06-168.dat	UPX

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/memory/1712-0-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/files/0x000b000000014e3d-3.dat	xmrig
behavioral1/files/0x002e000000015364-8.dat	xmrig
behavioral1/files/0x002c0000000155d4-10.dat	xmrig
behavioral1/memory/3004-22-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2632-27-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/memory/2864-30-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/files/0x0007000000015a98-36.dat	xmrig
behavioral1/files/0x0007000000015c23-41.dat	xmrig
behavioral1/memory/2608-42-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2540-40-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/files/0x00050000000192c9-152.dat	xmrig
behavioral1/files/0x000600000001704f-77.dat	xmrig
behavioral1/files/0x00050000000192f4-169.dat	xmrig
behavioral1/files/0x0006000000018d06-168.dat	xmrig

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-0-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/files/0x000b000000014e3d-3.dat	upx
behavioral1/files/0x002e000000015364-8.dat	upx
behavioral1/files/0x002c0000000155d4-10.dat	upx
behavioral1/memory/3004-22-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2632-27-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/memory/2864-30-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/files/0x0007000000015a98-36.dat	upx
behavioral1/files/0x0007000000015c23-41.dat	upx
behavioral1/memory/2608-42-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2540-40-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/files/0x00050000000192c9-152.dat	upx
behavioral1/files/0x000600000001704f-77.dat	upx
behavioral1/files/0x00050000000192f4-169.dat	upx
behavioral1/files/0x0006000000018d06-168.dat	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System\DtPfLbF.exe	2024-05-03_2727ef7ac0d547bf00abbca3d11f5814_cobalt-strike_cobaltstrike_poet-rat.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-03_2727ef7ac0d547bf00abbca3d11f5814_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_2727ef7ac0d547bf00abbca3d11f5814_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
PID:1712
- C:\Windows\System\DtPfLbF.exe
  C:\Windows\System\DtPfLbF.exe
  2⤵
  PID:2836
- C:\Windows\System\RSULwiC.exe
  C:\Windows\System\RSULwiC.exe
  2⤵
  PID:3004
- C:\Windows\System\QHNAZId.exe
  C:\Windows\System\QHNAZId.exe
  2⤵
  PID:2632
- C:\Windows\System\uwjyKCg.exe
  C:\Windows\System\uwjyKCg.exe
  2⤵
  PID:2864
- C:\Windows\System\rwPeSDb.exe
  C:\Windows\System\rwPeSDb.exe
  2⤵
  PID:2268
- C:\Windows\System\vVwsFuM.exe
  C:\Windows\System\vVwsFuM.exe
  2⤵
  PID:1764
- C:\Windows\System\WnRdkLZ.exe
  C:\Windows\System\WnRdkLZ.exe
  2⤵
  PID:2196
- C:\Windows\System\VTiNDfu.exe
  C:\Windows\System\VTiNDfu.exe
  2⤵
  PID:1772
- C:\Windows\System\qnDWZNP.exe
  C:\Windows\System\qnDWZNP.exe
  2⤵
  PID:2064
- C:\Windows\System\VKUgEnp.exe
  C:\Windows\System\VKUgEnp.exe
  2⤵
  PID:1172
- C:\Windows\System\REmQGjo.exe
  C:\Windows\System\REmQGjo.exe
  2⤵
  PID:3016
- C:\Windows\System\jLwDmDc.exe
  C:\Windows\System\jLwDmDc.exe
  2⤵
  PID:1116
- C:\Windows\System\yrzCBuq.exe
  C:\Windows\System\yrzCBuq.exe
  2⤵
  PID:2652
- C:\Windows\System\ZlDBoJa.exe
  C:\Windows\System\ZlDBoJa.exe
  2⤵
  PID:1840
- C:\Windows\System\AlVHZgO.exe
  C:\Windows\System\AlVHZgO.exe
  2⤵
  PID:3384
- C:\Windows\System\kItRClz.exe
  C:\Windows\System\kItRClz.exe
  2⤵
  PID:3400
- C:\Windows\System\trxUGOV.exe
  C:\Windows\System\trxUGOV.exe
  2⤵
  PID:3416
- C:\Windows\System\evduOsE.exe
  C:\Windows\System\evduOsE.exe
  2⤵
  PID:3432
- C:\Windows\System\TBUDbOB.exe
  C:\Windows\System\TBUDbOB.exe
  2⤵
  PID:3448
- C:\Windows\System\pXALxLz.exe
  C:\Windows\System\pXALxLz.exe
  2⤵
  PID:3464
- C:\Windows\System\KMiwxbS.exe
  C:\Windows\System\KMiwxbS.exe
  2⤵
  PID:3480
- C:\Windows\System\uzFZjZL.exe
  C:\Windows\System\uzFZjZL.exe
  2⤵
  PID:3500
- C:\Windows\System\gCegEQV.exe
  C:\Windows\System\gCegEQV.exe
  2⤵
  PID:3692
- C:\Windows\System\EYEczbL.exe
  C:\Windows\System\EYEczbL.exe
  2⤵
  PID:3736
- C:\Windows\System\ljZeiON.exe
  C:\Windows\System\ljZeiON.exe
  2⤵
  PID:3812
- C:\Windows\System\TcaPIOV.exe
  C:\Windows\System\TcaPIOV.exe
  2⤵
  PID:3856
- C:\Windows\System\usUJvKV.exe
  C:\Windows\System\usUJvKV.exe
  2⤵
  PID:3876
- C:\Windows\System\nYmACbj.exe
  C:\Windows\System\nYmACbj.exe
  2⤵
  PID:3896
- C:\Windows\System\CQAVToK.exe
  C:\Windows\System\CQAVToK.exe
  2⤵
  PID:3912
- C:\Windows\System\TgmRcYG.exe
  C:\Windows\System\TgmRcYG.exe
  2⤵
  PID:3932
- C:\Windows\System\AvOhskX.exe
  C:\Windows\System\AvOhskX.exe
  2⤵
  PID:3948
- C:\Windows\System\IZtIbss.exe
  C:\Windows\System\IZtIbss.exe
  2⤵
  PID:3964
- C:\Windows\System\TAcEJMV.exe
  C:\Windows\System\TAcEJMV.exe
  2⤵
  PID:3980
- C:\Windows\System\fGucDDQ.exe
  C:\Windows\System\fGucDDQ.exe
  2⤵
  PID:4004
- C:\Windows\System\ybpKFnu.exe
  C:\Windows\System\ybpKFnu.exe
  2⤵
  PID:4020
- C:\Windows\System\lEvcqLo.exe
  C:\Windows\System\lEvcqLo.exe
  2⤵
  PID:4040
- C:\Windows\System\ItEXBBw.exe
  C:\Windows\System\ItEXBBw.exe
  2⤵
  PID:4060
- C:\Windows\System\rXlYfJR.exe
  C:\Windows\System\rXlYfJR.exe
  2⤵
  PID:4080
- C:\Windows\System\YuRjerE.exe
  C:\Windows\System\YuRjerE.exe
  2⤵
  PID:840
- C:\Windows\System\Jrrlufg.exe
  C:\Windows\System\Jrrlufg.exe
  2⤵
  PID:2892
- C:\Windows\System\QNsROls.exe
  C:\Windows\System\QNsROls.exe
  2⤵
  PID:3104
- C:\Windows\System\BfsvXyo.exe
  C:\Windows\System\BfsvXyo.exe
  2⤵
  PID:2212
- C:\Windows\System\tJXktKn.exe
  C:\Windows\System\tJXktKn.exe
  2⤵
  PID:2900
- C:\Windows\System\pltGLTy.exe
  C:\Windows\System\pltGLTy.exe
  2⤵
  PID:3108
- C:\Windows\System\mpNUhau.exe
  C:\Windows\System\mpNUhau.exe
  2⤵
  PID:3172
- C:\Windows\System\DTCjpDV.exe
  C:\Windows\System\DTCjpDV.exe
  2⤵
  PID:3240
- C:\Windows\System\cKKxoQf.exe
  C:\Windows\System\cKKxoQf.exe
  2⤵
  PID:3312
- C:\Windows\System\FbbxntT.exe
  C:\Windows\System\FbbxntT.exe
  2⤵
  PID:3348
- C:\Windows\System\cOlfTbO.exe
  C:\Windows\System\cOlfTbO.exe
  2⤵
  PID:1628
- C:\Windows\System\OJPLYmt.exe
  C:\Windows\System\OJPLYmt.exe
  2⤵
  PID:636
- C:\Windows\System\MQmyPWa.exe
  C:\Windows\System\MQmyPWa.exe
  2⤵
  PID:3472
- C:\Windows\System\LxfMlKS.exe
  C:\Windows\System\LxfMlKS.exe
  2⤵
  PID:2396
- C:\Windows\System\sKbiYwV.exe
  C:\Windows\System\sKbiYwV.exe
  2⤵
  PID:3152
- C:\Windows\System\lRDvaPl.exe
  C:\Windows\System\lRDvaPl.exe
  2⤵
  PID:3228
- C:\Windows\System\xcuFGZU.exe
  C:\Windows\System\xcuFGZU.exe
  2⤵
  PID:3300
- C:\Windows\System\kHXznVT.exe
  C:\Windows\System\kHXznVT.exe
  2⤵
  PID:3516
- C:\Windows\System\kYyEzHA.exe
  C:\Windows\System\kYyEzHA.exe
  2⤵
  PID:3528
- C:\Windows\System\aqWVcge.exe
  C:\Windows\System\aqWVcge.exe
  2⤵
  PID:3544
- C:\Windows\System\OIcXRhM.exe
  C:\Windows\System\OIcXRhM.exe
  2⤵
  PID:3560
- C:\Windows\System\UVbZvMj.exe
  C:\Windows\System\UVbZvMj.exe
  2⤵
  PID:3396
- C:\Windows\System\alOcFbE.exe
  C:\Windows\System\alOcFbE.exe
  2⤵
  PID:3456
- C:\Windows\System\ynrWCCR.exe
  C:\Windows\System\ynrWCCR.exe
  2⤵
  PID:3492
- C:\Windows\System\NipAZXi.exe
  C:\Windows\System\NipAZXi.exe
  2⤵
  PID:324
- C:\Windows\System\VFZRUPD.exe
  C:\Windows\System\VFZRUPD.exe
  2⤵
  PID:616
- C:\Windows\System\zAdEFrR.exe
  C:\Windows\System\zAdEFrR.exe
  2⤵
  PID:3572
- C:\Windows\System\tSTVmCR.exe
  C:\Windows\System\tSTVmCR.exe
  2⤵
  PID:1976
- C:\Windows\System\qOfgZzm.exe
  C:\Windows\System\qOfgZzm.exe
  2⤵
  PID:2792
- C:\Windows\System\rBlPNoC.exe
  C:\Windows\System\rBlPNoC.exe
  2⤵
  PID:3496
- C:\Windows\System\JeQoZCM.exe
  C:\Windows\System\JeQoZCM.exe
  2⤵
  PID:3596
- C:\Windows\System\paqUbqf.exe
  C:\Windows\System\paqUbqf.exe
  2⤵
  PID:3612
- C:\Windows\System\MqyxWLT.exe
  C:\Windows\System\MqyxWLT.exe
  2⤵
  PID:3628
- C:\Windows\System\vWITICx.exe
  C:\Windows\System\vWITICx.exe
  2⤵
  PID:3904
- C:\Windows\System\gogFDbq.exe
  C:\Windows\System\gogFDbq.exe
  2⤵
  PID:1968
- C:\Windows\System\Fkpabdr.exe
  C:\Windows\System\Fkpabdr.exe
  2⤵
  PID:3520
- C:\Windows\System\mAuzvwD.exe
  C:\Windows\System\mAuzvwD.exe
  2⤵
  PID:2052
- C:\Windows\System\gLFRtyq.exe
  C:\Windows\System\gLFRtyq.exe
  2⤵
  PID:3564
- C:\Windows\System\JChqULM.exe
  C:\Windows\System\JChqULM.exe
  2⤵
  PID:2676
- C:\Windows\System\NSFlAUU.exe
  C:\Windows\System\NSFlAUU.exe
  2⤵
  PID:2656
- C:\Windows\System\tptBrOy.exe
  C:\Windows\System\tptBrOy.exe
  2⤵
  PID:1996
- C:\Windows\System\nXDPkRk.exe
  C:\Windows\System\nXDPkRk.exe
  2⤵
  PID:468
- C:\Windows\System\kllNtZH.exe
  C:\Windows\System\kllNtZH.exe
  2⤵
  PID:2440
- C:\Windows\System\IrLilhY.exe
  C:\Windows\System\IrLilhY.exe
  2⤵
  PID:2516
- C:\Windows\System\UjwamdR.exe
  C:\Windows\System\UjwamdR.exe
  2⤵
  PID:3028
- C:\Windows\System\GXevFKP.exe
  C:\Windows\System\GXevFKP.exe
  2⤵
  PID:3684
- C:\Windows\System\PvqlBnH.exe
  C:\Windows\System\PvqlBnH.exe
  2⤵
  PID:1040
- C:\Windows\System\oWqFbIm.exe
  C:\Windows\System\oWqFbIm.exe
  2⤵
  PID:3732
- C:\Windows\System\AKuQaWG.exe
  C:\Windows\System\AKuQaWG.exe
  2⤵
  PID:1948
- C:\Windows\System\kMSOVoJ.exe
  C:\Windows\System\kMSOVoJ.exe
  2⤵
  PID:2244
- C:\Windows\System\MtaZJCE.exe
  C:\Windows\System\MtaZJCE.exe
  2⤵
  PID:3140
- C:\Windows\System\LqdhqzC.exe
  C:\Windows\System\LqdhqzC.exe
  2⤵
  PID:1828
- C:\Windows\System\KOpANLN.exe
  C:\Windows\System\KOpANLN.exe
  2⤵
  PID:3460
- C:\Windows\System\cgvDaBs.exe
  C:\Windows\System\cgvDaBs.exe
  2⤵
  PID:916
- C:\Windows\System\XZZcIlu.exe
  C:\Windows\System\XZZcIlu.exe
  2⤵
  PID:3332
- C:\Windows\System\TYeSzDP.exe
  C:\Windows\System\TYeSzDP.exe
  2⤵
  PID:3364
- C:\Windows\System\Gxxehmj.exe
  C:\Windows\System\Gxxehmj.exe
  2⤵
  PID:2596
- C:\Windows\System\hGrmHBb.exe
  C:\Windows\System\hGrmHBb.exe
  2⤵
  PID:1796
- C:\Windows\System\xBBmzoG.exe
  C:\Windows\System\xBBmzoG.exe
  2⤵
  PID:2736
- C:\Windows\System\SBGoObN.exe
  C:\Windows\System\SBGoObN.exe
  2⤵
  PID:2624
- C:\Windows\System\HaMnAud.exe
  C:\Windows\System\HaMnAud.exe
  2⤵
  PID:3708
- C:\Windows\System\GamqeId.exe
  C:\Windows\System\GamqeId.exe
  2⤵
  PID:964
- C:\Windows\System\TGoWotB.exe
  C:\Windows\System\TGoWotB.exe
  2⤵
  PID:3672
- C:\Windows\System\aqlNQPL.exe
  C:\Windows\System\aqlNQPL.exe
  2⤵
  PID:3960
- C:\Windows\System\CKagEdA.exe
  C:\Windows\System\CKagEdA.exe
  2⤵
  PID:2572
- C:\Windows\System\pJeXyrb.exe
  C:\Windows\System\pJeXyrb.exe
  2⤵
  PID:3632
- C:\Windows\System\xuDyUbs.exe
  C:\Windows\System\xuDyUbs.exe
  2⤵
  PID:1684
- C:\Windows\System\ROfWKuG.exe
  C:\Windows\System\ROfWKuG.exe
  2⤵
  PID:2732
- C:\Windows\System\tJvxdiw.exe
  C:\Windows\System\tJvxdiw.exe
  2⤵
  PID:2800
- C:\Windows\System\RTFzRuj.exe
  C:\Windows\System\RTFzRuj.exe
  2⤵
  PID:2492
- C:\Windows\System\dePuCWa.exe
  C:\Windows\System\dePuCWa.exe
  2⤵
  PID:3540
- C:\Windows\System\IjlxzxM.exe
  C:\Windows\System\IjlxzxM.exe
  2⤵
  PID:2556
- C:\Windows\System\HMWWljV.exe
  C:\Windows\System\HMWWljV.exe
  2⤵
  PID:4116
- C:\Windows\System\JibsVPe.exe
  C:\Windows\System\JibsVPe.exe
  2⤵
  PID:4148
- C:\Windows\System\LzArwpD.exe
  C:\Windows\System\LzArwpD.exe
  2⤵
  PID:4184
- C:\Windows\System\uKPoRHo.exe
  C:\Windows\System\uKPoRHo.exe
  2⤵
  PID:4200
- C:\Windows\System\XvWZosF.exe
  C:\Windows\System\XvWZosF.exe
  2⤵
  PID:4216
- C:\Windows\System\SCjUlql.exe
  C:\Windows\System\SCjUlql.exe
  2⤵
  PID:4288
- C:\Windows\System\VMcnxUm.exe
  C:\Windows\System\VMcnxUm.exe
  2⤵
  PID:4304
- C:\Windows\System\AtheZzq.exe
  C:\Windows\System\AtheZzq.exe
  2⤵
  PID:4320
- C:\Windows\System\HtTNMMs.exe
  C:\Windows\System\HtTNMMs.exe
  2⤵
  PID:4340
- C:\Windows\System\qwwkADZ.exe
  C:\Windows\System\qwwkADZ.exe
  2⤵
  PID:4356
- C:\Windows\System\DkyfjQH.exe
  C:\Windows\System\DkyfjQH.exe
  2⤵
  PID:4372
- C:\Windows\System\BAhjqGH.exe
  C:\Windows\System\BAhjqGH.exe
  2⤵
  PID:4388
- C:\Windows\System\BjgbsgT.exe
  C:\Windows\System\BjgbsgT.exe
  2⤵
  PID:4404
- C:\Windows\System\kyXUgzY.exe
  C:\Windows\System\kyXUgzY.exe
  2⤵
  PID:4420
- C:\Windows\System\wwbQCcT.exe
  C:\Windows\System\wwbQCcT.exe
  2⤵
  PID:4436
- C:\Windows\System\ZLxPyoG.exe
  C:\Windows\System\ZLxPyoG.exe
  2⤵
  PID:4452
- C:\Windows\System\cIZBjRv.exe
  C:\Windows\System\cIZBjRv.exe
  2⤵
  PID:4468
- C:\Windows\System\ncheQhG.exe
  C:\Windows\System\ncheQhG.exe
  2⤵
  PID:4484
- C:\Windows\System\mQXXHGk.exe
  C:\Windows\System\mQXXHGk.exe
  2⤵
  PID:4500
- C:\Windows\System\TkwcaFh.exe
  C:\Windows\System\TkwcaFh.exe
  2⤵
  PID:4516
- C:\Windows\System\sHfceKL.exe
  C:\Windows\System\sHfceKL.exe
  2⤵
  PID:4532
- C:\Windows\System\nOPAMaQ.exe
  C:\Windows\System\nOPAMaQ.exe
  2⤵
  PID:4548
- C:\Windows\System\bNeQcXY.exe
  C:\Windows\System\bNeQcXY.exe
  2⤵
  PID:4564
- C:\Windows\System\oHUPaJI.exe
  C:\Windows\System\oHUPaJI.exe
  2⤵
  PID:4580
- C:\Windows\System\YXxTwfj.exe
  C:\Windows\System\YXxTwfj.exe
  2⤵
  PID:4596
- C:\Windows\System\ppjsdMt.exe
  C:\Windows\System\ppjsdMt.exe
  2⤵
  PID:4616
- C:\Windows\System\YJGpEih.exe
  C:\Windows\System\YJGpEih.exe
  2⤵
  PID:4632
- C:\Windows\System\RKOsnqQ.exe
  C:\Windows\System\RKOsnqQ.exe
  2⤵
  PID:4648
- C:\Windows\System\hVAEgJE.exe
  C:\Windows\System\hVAEgJE.exe
  2⤵
  PID:4664
- C:\Windows\System\qjHokpX.exe
  C:\Windows\System\qjHokpX.exe
  2⤵
  PID:4680
- C:\Windows\System\IZndHBY.exe
  C:\Windows\System\IZndHBY.exe
  2⤵
  PID:4696
- C:\Windows\System\bYCfbQA.exe
  C:\Windows\System\bYCfbQA.exe
  2⤵
  PID:4712
- C:\Windows\System\NzEvTqM.exe
  C:\Windows\System\NzEvTqM.exe
  2⤵
  PID:4728
- C:\Windows\System\xSPgmaK.exe
  C:\Windows\System\xSPgmaK.exe
  2⤵
  PID:4744
- C:\Windows\System\uEKXeAc.exe
  C:\Windows\System\uEKXeAc.exe
  2⤵
  PID:4760
- C:\Windows\System\qqbbrEM.exe
  C:\Windows\System\qqbbrEM.exe
  2⤵
  PID:4776
- C:\Windows\System\hMDHHtU.exe
  C:\Windows\System\hMDHHtU.exe
  2⤵
  PID:4792
- C:\Windows\System\hHVUBPD.exe
  C:\Windows\System\hHVUBPD.exe
  2⤵
  PID:4808
- C:\Windows\System\rwbFkDJ.exe
  C:\Windows\System\rwbFkDJ.exe
  2⤵
  PID:4824
- C:\Windows\System\jeXpnxr.exe
  C:\Windows\System\jeXpnxr.exe
  2⤵
  PID:4840
- C:\Windows\System\xuwwBBR.exe
  C:\Windows\System\xuwwBBR.exe
  2⤵
  PID:4856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\QHNAZId.exe

Filesize
6.0MB

MD5
734a19edfc725d6836c74ca0d99404cc

SHA1
afc01c6d5bbb9a287d9ef2f6bb367ae1378f5f10

SHA256
102cdf5b09af47be1130020e7320decfc83e3166019e024181af78884d3f7d03

SHA512
5369de023fb3c9e353400167d3f011a6efd15e308e43e7abf60a10919572669271d7d4982939602805709034671de1c0ce9f3cbb1cfda48d4b4ae3db2dabced9

Download Submit
C:\Windows\system\cjYMJXD.exe

Filesize
5.3MB

MD5
c43e33711c7fd979e5018337dc4759bf

SHA1
98f05fb56607a0d2438d5d9b94c06a1eae3e96ac

SHA256
126daf25908e88143514f383d004ce80b96a520a9b5233b68d78178b8f9a609b

SHA512
f9e132fb246a90dc4ad197509164e90710292162fcce9825f6eacf3bbb4c1b8395fb24464ad3014a07705a4627803d42659c488d866adc2bd32f342def8382ff

Download Submit
C:\Windows\system\crMLlGQ.exe

Filesize
4.1MB

MD5
fa2c9c310306c95ab69c3edf3356312c

SHA1
6613006a445f8b4856d81aa963af680fc41cbffa

SHA256
66c4feb547bcc358840350b4c615e9aac55430523c68edc5d532c016cef24e8a

SHA512
f53b3a55711f0343f8770b701427cc56215d2b94d86a8d546a678e383a873b35ce4aff7b58f304b5156fd0e38b281a136492f2cfbe1bd7c20116f9abfcd155d9

Download Submit
C:\Windows\system\dHqACUM.exe

Filesize
5.8MB

MD5
f378c9ecce1c348b02bedb108e24b948

SHA1
d8a2e60291ecd64b698442ca3d761960122dc1bb

SHA256
f45f8b2e103a0ed699e92188e47748e3ffd7e181336066f41f642d73e73ad53b

SHA512
1c72f0ea9a1e686712fb76a98226698fba2d7be93ab5e0984b82cac243d61146b68bf9f7c44fa000b16d9dc4ca022306360e36f39fa92cec8e496ef60ebd821e

Download Submit
C:\Windows\system\erGDjHd.exe

Filesize
4.5MB

MD5
b839893f9efcf0af421cb25de21cc707

SHA1
e2bf1c85e48fc6c7ee632f27e28ddc9cfd9ed53d

SHA256
d920d54982ededf037a1027fd96dcb24d59e08d182a7eb278e48cb45e917ba95

SHA512
3ef02cf27503205ab47182915756281ab2c64a6c8c012b65890cb329124ceeb7dd8039b81a544a49c941ec9091b486281c362332fd76ebbea9b56055238e414d

Download Submit
C:\Windows\system\nTfbwVX.exe

Filesize
6.0MB

MD5
ca9d46ca5870dc8e6329ccb56f2ced6d

SHA1
6601b9cf6a9a2f68881cf99bf407be54d5c53f67

SHA256
a1dd11ed259884de7f77d2c7864088932a3c969d2f38d40657d4e0b54308d3b1

SHA512
c381108b042d65e7a916ab5ef320f1205df987c42165af6bba60e7bf6a46ddc33a637029301601da162991f07c070406284fe520571c017c22f7a278d999d114

Download Submit
\Windows\system\DtPfLbF.exe

Filesize
6.0MB

MD5
57cd10fd0ac114386901b6456e82285c

SHA1
a8344c823b64ed29943701b262f59c1cfdf8a9cc

SHA256
7c3258a10d86843ae22f09dd0fa7ce9dc3871cd8f46a36c0bb59a094318c859e

SHA512
d8c44e2dd25bb7add6e5a9b0b21a82088ad2d42ecef94d1204b4c4ca3e98d80ba96adc139c6adf26f73594074b2a3baeb14a58b66ee42ef38c846ab863406606

Download Submit
\Windows\system\ODdrWKG.exe

Filesize
4.2MB

MD5
cdaf807c4c120df0e3be3910960ad189

SHA1
c3e1330c7d933a54f90894e748c33211211cc17b

SHA256
f9c54137ba4fd1233be8f87248309b02d148819e667308dc91fb35bd72d91110

SHA512
65910679f5289944fd6dde462fc1c2b831f355235ca97d9e42e430248fa72cc72b75e781627c8deb78ead5dbef72b7ba8cdc5bd73dfc0f395e6062805640f6fb

Download Submit
\Windows\system\RSULwiC.exe

Filesize
6.0MB

MD5
38e332b6f16f00f71f5a3cc6d687c827

SHA1
0edc8d8a2cabd7c12347da0cf966c7b6cd51de62

SHA256
f8ff44cebe7720aa4db4331fb0eb7f8cd8f8338cbd4684c7e1e87c0e9728e21d

SHA512
f864c312e349c76f47a96bfed5f261bac2f6ba79ae28465138e8732785b5c220389aa4e10b4472211003ff447c08fc5ebe81c37d17827df13a6451256efbd970

Download Submit
memory/1712-28-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/1712-0-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1712-7-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/1712-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2540-40-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2608-42-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-27-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/2864-30-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/3004-22-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download