cobaltstrike | 016ffbdc7bc393e6d1c51e18d1525a1e558f9537f637fb1ea75cc37799204ab9

Analysis

max time kernel
140s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

392c778d455e873a4839f7994e52d28e
SHA1

b187e7d3386e68ba83338460bd45a31bd53acb7c
SHA256

016ffbdc7bc393e6d1c51e18d1525a1e558f9537f637fb1ea75cc37799204ab9
SHA512

10904b61373d4eb881e7aa7c5a0ffb811f8b02a2c6b954d7d0fd5bfedaaeb748dd4dbe630c0ae4734b800cfb5e9f6024c2e7c7ee4596db57186b12ebeafb04a8
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\XnkZdoJ.exe	cobalt_reflective_dll
\Windows\system\oaBNieV.exe	cobalt_reflective_dll
C:\Windows\system\jUHVqyd.exe	cobalt_reflective_dll
\Windows\system\eNcnnnS.exe	cobalt_reflective_dll
C:\Windows\system\vXdJRpK.exe	cobalt_reflective_dll
C:\Windows\system\ZKyzXPP.exe	cobalt_reflective_dll
C:\Windows\system\polQNqs.exe	cobalt_reflective_dll
C:\Windows\system\GMVMfAr.exe	cobalt_reflective_dll
C:\Windows\system\sbiVOLO.exe	cobalt_reflective_dll
C:\Windows\system\MHRRbUo.exe	cobalt_reflective_dll
\Windows\system\DYFSKFQ.exe	cobalt_reflective_dll
C:\Windows\system\pOcYQui.exe	cobalt_reflective_dll
\Windows\system\JWyQqwx.exe	cobalt_reflective_dll
C:\Windows\system\LGvhMtx.exe	cobalt_reflective_dll
C:\Windows\system\cfbwsyZ.exe	cobalt_reflective_dll
\Windows\system\yCzzVos.exe	cobalt_reflective_dll
C:\Windows\system\UeOTrAc.exe	cobalt_reflective_dll
C:\Windows\system\kiLMYDO.exe	cobalt_reflective_dll
\Windows\system\KYKZOin.exe	cobalt_reflective_dll
C:\Windows\system\lGjXbJR.exe	cobalt_reflective_dll
C:\Windows\system\sJLrvOm.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\XnkZdoJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oaBNieV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jUHVqyd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\eNcnnnS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vXdJRpK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZKyzXPP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\polQNqs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GMVMfAr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sbiVOLO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MHRRbUo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DYFSKFQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pOcYQui.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\JWyQqwx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LGvhMtx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cfbwsyZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\yCzzVos.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UeOTrAc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kiLMYDO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KYKZOin.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lGjXbJR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sJLrvOm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2528-1-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
\Windows\system\XnkZdoJ.exe	UPX
\Windows\system\oaBNieV.exe	UPX
C:\Windows\system\jUHVqyd.exe	UPX
behavioral1/memory/3060-45-0x000000013FC50000-0x000000013FFA1000-memory.dmp	UPX
behavioral1/memory/2160-51-0x000000013FC40000-0x000000013FF91000-memory.dmp	UPX
\Windows\system\eNcnnnS.exe	UPX
behavioral1/memory/2712-59-0x000000013FCC0000-0x0000000140011000-memory.dmp	UPX
behavioral1/memory/2576-56-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
behavioral1/memory/1580-60-0x000000013FB20000-0x000000013FE71000-memory.dmp	UPX
behavioral1/memory/1944-64-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
behavioral1/memory/2716-66-0x000000013F410000-0x000000013F761000-memory.dmp	UPX
C:\Windows\system\vXdJRpK.exe	UPX
behavioral1/memory/2444-69-0x000000013F520000-0x000000013F871000-memory.dmp	UPX
behavioral1/memory/2116-68-0x000000013F720000-0x000000013FA71000-memory.dmp	UPX
behavioral1/memory/2652-50-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
C:\Windows\system\ZKyzXPP.exe	UPX
C:\Windows\system\polQNqs.exe	UPX
C:\Windows\system\GMVMfAr.exe	UPX
C:\Windows\system\sbiVOLO.exe	UPX
C:\Windows\system\MHRRbUo.exe	UPX
\Windows\system\DYFSKFQ.exe	UPX
behavioral1/memory/1268-76-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
C:\Windows\system\pOcYQui.exe	UPX
behavioral1/memory/1508-83-0x000000013FC80000-0x000000013FFD1000-memory.dmp	UPX
\Windows\system\JWyQqwx.exe	UPX
behavioral1/memory/2828-89-0x000000013FCD0000-0x0000000140021000-memory.dmp	UPX
C:\Windows\system\LGvhMtx.exe	UPX
behavioral1/memory/1436-96-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/memory/2528-100-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
C:\Windows\system\cfbwsyZ.exe	UPX
behavioral1/memory/1180-104-0x000000013FFB0000-0x0000000140301000-memory.dmp	UPX
\Windows\system\yCzzVos.exe	UPX
behavioral1/memory/2528-110-0x00000000023D0000-0x0000000002721000-memory.dmp	UPX
behavioral1/memory/2020-112-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
behavioral1/memory/1068-118-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
C:\Windows\system\UeOTrAc.exe	UPX
C:\Windows\system\kiLMYDO.exe	UPX
behavioral1/memory/2768-126-0x000000013F220000-0x000000013F571000-memory.dmp	UPX
\Windows\system\KYKZOin.exe	UPX
behavioral1/memory/1640-133-0x000000013F410000-0x000000013F761000-memory.dmp	UPX
behavioral1/memory/1984-144-0x000000013F370000-0x000000013F6C1000-memory.dmp	UPX
behavioral1/memory/1084-143-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
C:\Windows\system\lGjXbJR.exe	UPX
C:\Windows\system\sJLrvOm.exe	UPX
behavioral1/memory/2528-147-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
behavioral1/memory/2828-157-0x000000013FCD0000-0x0000000140021000-memory.dmp	UPX
behavioral1/memory/1068-166-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
behavioral1/memory/1640-168-0x000000013F410000-0x000000013F761000-memory.dmp	UPX
behavioral1/memory/1084-169-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
behavioral1/memory/1984-170-0x000000013F370000-0x000000013F6C1000-memory.dmp	UPX
behavioral1/memory/2528-173-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
behavioral1/memory/3060-222-0x000000013FC50000-0x000000013FFA1000-memory.dmp	UPX
behavioral1/memory/1580-225-0x000000013FB20000-0x000000013FE71000-memory.dmp	UPX
behavioral1/memory/2652-229-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
behavioral1/memory/1944-227-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
behavioral1/memory/2160-233-0x000000013FC40000-0x000000013FF91000-memory.dmp	UPX
behavioral1/memory/2576-234-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
behavioral1/memory/2712-232-0x000000013FCC0000-0x0000000140011000-memory.dmp	UPX
behavioral1/memory/2716-236-0x000000013F410000-0x000000013F761000-memory.dmp	UPX
behavioral1/memory/2116-238-0x000000013F720000-0x000000013FA71000-memory.dmp	UPX
behavioral1/memory/2444-240-0x000000013F520000-0x000000013F871000-memory.dmp	UPX
behavioral1/memory/1268-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/1508-247-0x000000013FC80000-0x000000013FFD1000-memory.dmp	UPX

XMRig Miner payload 50 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3060-45-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2528-46-0x00000000023D0000-0x0000000002721000-memory.dmp	xmrig
behavioral1/memory/2160-51-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2528-52-0x00000000023D0000-0x0000000002721000-memory.dmp	xmrig
behavioral1/memory/2712-59-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2576-56-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/1580-60-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/1944-64-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2716-66-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2444-69-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/2116-68-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2652-50-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/1268-76-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/1508-83-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2828-89-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/1436-96-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2528-100-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2528-103-0x00000000023D0000-0x0000000002721000-memory.dmp	xmrig
behavioral1/memory/1180-104-0x000000013FFB0000-0x0000000140301000-memory.dmp	xmrig
behavioral1/memory/2020-112-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/1068-118-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/2528-119-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/2768-126-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/1640-133-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/1984-144-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/2528-145-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/2528-147-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2828-157-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/1068-166-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/1640-168-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/1084-169-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/1984-170-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/2528-173-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2528-188-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2528-197-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/3060-222-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/1580-225-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2652-229-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/1944-227-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2160-233-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2576-234-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2712-232-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2716-236-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2116-238-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2444-240-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/1268-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/1508-247-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2828-249-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/1436-251-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/1180-253-0x000000013FFB0000-0x0000000140301000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

XnkZdoJ.exeMHRRbUo.exesbiVOLO.exeGMVMfAr.exejUHVqyd.exepolQNqs.exeoaBNieV.exeZKyzXPP.exeeNcnnnS.exevXdJRpK.exeDYFSKFQ.exepOcYQui.exeJWyQqwx.exeLGvhMtx.execfbwsyZ.exeyCzzVos.exeUeOTrAc.exekiLMYDO.exeKYKZOin.exesJLrvOm.exelGjXbJR.exe

pid	process
1580	XnkZdoJ.exe
3060	MHRRbUo.exe
1944	sbiVOLO.exe
2652	GMVMfAr.exe
2160	jUHVqyd.exe
2576	polQNqs.exe
2716	oaBNieV.exe
2712	ZKyzXPP.exe
2116	eNcnnnS.exe
2444	vXdJRpK.exe
1268	DYFSKFQ.exe
1508	pOcYQui.exe
2828	JWyQqwx.exe
1436	LGvhMtx.exe
1180	cfbwsyZ.exe
2020	yCzzVos.exe
1068	UeOTrAc.exe
2768	kiLMYDO.exe
1640	KYKZOin.exe
1084	sJLrvOm.exe
1984	lGjXbJR.exe

Loads dropped DLL 21 IoCs

Processes:

2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe

pid	process
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2528-1-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
\Windows\system\XnkZdoJ.exe	upx
\Windows\system\oaBNieV.exe	upx
C:\Windows\system\jUHVqyd.exe	upx
behavioral1/memory/3060-45-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2160-51-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
\Windows\system\eNcnnnS.exe	upx
behavioral1/memory/2712-59-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2576-56-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/1580-60-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/1944-64-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2716-66-0x000000013F410000-0x000000013F761000-memory.dmp	upx
C:\Windows\system\vXdJRpK.exe	upx
behavioral1/memory/2444-69-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/2116-68-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/2652-50-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
C:\Windows\system\ZKyzXPP.exe	upx
C:\Windows\system\polQNqs.exe	upx
C:\Windows\system\GMVMfAr.exe	upx
C:\Windows\system\sbiVOLO.exe	upx
C:\Windows\system\MHRRbUo.exe	upx
\Windows\system\DYFSKFQ.exe	upx
behavioral1/memory/1268-76-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
C:\Windows\system\pOcYQui.exe	upx
behavioral1/memory/1508-83-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
\Windows\system\JWyQqwx.exe	upx
behavioral1/memory/2828-89-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
C:\Windows\system\LGvhMtx.exe	upx
behavioral1/memory/1436-96-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2528-100-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
C:\Windows\system\cfbwsyZ.exe	upx
behavioral1/memory/1180-104-0x000000013FFB0000-0x0000000140301000-memory.dmp	upx
\Windows\system\yCzzVos.exe	upx
behavioral1/memory/2528-110-0x00000000023D0000-0x0000000002721000-memory.dmp	upx
behavioral1/memory/2020-112-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/1068-118-0x000000013F200000-0x000000013F551000-memory.dmp	upx
C:\Windows\system\UeOTrAc.exe	upx
C:\Windows\system\kiLMYDO.exe	upx
behavioral1/memory/2768-126-0x000000013F220000-0x000000013F571000-memory.dmp	upx
\Windows\system\KYKZOin.exe	upx
behavioral1/memory/1640-133-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/1984-144-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/1084-143-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
C:\Windows\system\lGjXbJR.exe	upx
C:\Windows\system\sJLrvOm.exe	upx
behavioral1/memory/2528-147-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/2828-157-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/memory/1068-166-0x000000013F200000-0x000000013F551000-memory.dmp	upx
behavioral1/memory/1640-168-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/1084-169-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
behavioral1/memory/1984-170-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/2528-173-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/3060-222-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/1580-225-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2652-229-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/1944-227-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2160-233-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/2576-234-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2712-232-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2716-236-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/2116-238-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/2444-240-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/1268-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/1508-247-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\LGvhMtx.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DYFSKFQ.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pOcYQui.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JWyQqwx.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UeOTrAc.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kiLMYDO.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KYKZOin.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sJLrvOm.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lGjXbJR.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZKyzXPP.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vXdJRpK.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GMVMfAr.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cfbwsyZ.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yCzzVos.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MHRRbUo.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jUHVqyd.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\polQNqs.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oaBNieV.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eNcnnnS.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XnkZdoJ.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sbiVOLO.exe	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2528 wrote to memory of 1580	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	XnkZdoJ.exe
PID 2528 wrote to memory of 1580	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	XnkZdoJ.exe
PID 2528 wrote to memory of 1580	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	XnkZdoJ.exe
PID 2528 wrote to memory of 3060	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	MHRRbUo.exe
PID 2528 wrote to memory of 3060	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	MHRRbUo.exe
PID 2528 wrote to memory of 3060	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	MHRRbUo.exe
PID 2528 wrote to memory of 2160	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	jUHVqyd.exe
PID 2528 wrote to memory of 2160	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	jUHVqyd.exe
PID 2528 wrote to memory of 2160	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	jUHVqyd.exe
PID 2528 wrote to memory of 1944	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	sbiVOLO.exe
PID 2528 wrote to memory of 1944	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	sbiVOLO.exe
PID 2528 wrote to memory of 1944	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	sbiVOLO.exe
PID 2528 wrote to memory of 2576	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	polQNqs.exe
PID 2528 wrote to memory of 2576	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	polQNqs.exe
PID 2528 wrote to memory of 2576	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	polQNqs.exe
PID 2528 wrote to memory of 2652	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	GMVMfAr.exe
PID 2528 wrote to memory of 2652	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	GMVMfAr.exe
PID 2528 wrote to memory of 2652	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	GMVMfAr.exe
PID 2528 wrote to memory of 2716	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	oaBNieV.exe
PID 2528 wrote to memory of 2716	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	oaBNieV.exe
PID 2528 wrote to memory of 2716	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	oaBNieV.exe
PID 2528 wrote to memory of 2712	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	ZKyzXPP.exe
PID 2528 wrote to memory of 2712	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	ZKyzXPP.exe
PID 2528 wrote to memory of 2712	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	ZKyzXPP.exe
PID 2528 wrote to memory of 2116	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	eNcnnnS.exe
PID 2528 wrote to memory of 2116	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	eNcnnnS.exe
PID 2528 wrote to memory of 2116	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	eNcnnnS.exe
PID 2528 wrote to memory of 2444	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	vXdJRpK.exe
PID 2528 wrote to memory of 2444	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	vXdJRpK.exe
PID 2528 wrote to memory of 2444	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	vXdJRpK.exe
PID 2528 wrote to memory of 1268	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	DYFSKFQ.exe
PID 2528 wrote to memory of 1268	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	DYFSKFQ.exe
PID 2528 wrote to memory of 1268	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	DYFSKFQ.exe
PID 2528 wrote to memory of 1508	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	pOcYQui.exe
PID 2528 wrote to memory of 1508	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	pOcYQui.exe
PID 2528 wrote to memory of 1508	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	pOcYQui.exe
PID 2528 wrote to memory of 2828	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	JWyQqwx.exe
PID 2528 wrote to memory of 2828	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	JWyQqwx.exe
PID 2528 wrote to memory of 2828	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	JWyQqwx.exe
PID 2528 wrote to memory of 1436	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	LGvhMtx.exe
PID 2528 wrote to memory of 1436	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	LGvhMtx.exe
PID 2528 wrote to memory of 1436	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	LGvhMtx.exe
PID 2528 wrote to memory of 1180	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	cfbwsyZ.exe
PID 2528 wrote to memory of 1180	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	cfbwsyZ.exe
PID 2528 wrote to memory of 1180	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	cfbwsyZ.exe
PID 2528 wrote to memory of 2020	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	yCzzVos.exe
PID 2528 wrote to memory of 2020	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	yCzzVos.exe
PID 2528 wrote to memory of 2020	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	yCzzVos.exe
PID 2528 wrote to memory of 1068	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	UeOTrAc.exe
PID 2528 wrote to memory of 1068	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	UeOTrAc.exe
PID 2528 wrote to memory of 1068	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	UeOTrAc.exe
PID 2528 wrote to memory of 2768	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	kiLMYDO.exe
PID 2528 wrote to memory of 2768	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	kiLMYDO.exe
PID 2528 wrote to memory of 2768	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	kiLMYDO.exe
PID 2528 wrote to memory of 1640	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	KYKZOin.exe
PID 2528 wrote to memory of 1640	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	KYKZOin.exe
PID 2528 wrote to memory of 1640	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	KYKZOin.exe
PID 2528 wrote to memory of 1084	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	sJLrvOm.exe
PID 2528 wrote to memory of 1084	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	sJLrvOm.exe
PID 2528 wrote to memory of 1084	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	sJLrvOm.exe
PID 2528 wrote to memory of 1984	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	lGjXbJR.exe
PID 2528 wrote to memory of 1984	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	lGjXbJR.exe
PID 2528 wrote to memory of 1984	2528	2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe	lGjXbJR.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_392c778d455e873a4839f7994e52d28e_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\System\XnkZdoJ.exe
  C:\Windows\System\XnkZdoJ.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\MHRRbUo.exe
  C:\Windows\System\MHRRbUo.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\jUHVqyd.exe
  C:\Windows\System\jUHVqyd.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\sbiVOLO.exe
  C:\Windows\System\sbiVOLO.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\polQNqs.exe
  C:\Windows\System\polQNqs.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\GMVMfAr.exe
  C:\Windows\System\GMVMfAr.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\oaBNieV.exe
  C:\Windows\System\oaBNieV.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\ZKyzXPP.exe
  C:\Windows\System\ZKyzXPP.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\eNcnnnS.exe
  C:\Windows\System\eNcnnnS.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\vXdJRpK.exe
  C:\Windows\System\vXdJRpK.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\DYFSKFQ.exe
  C:\Windows\System\DYFSKFQ.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\pOcYQui.exe
  C:\Windows\System\pOcYQui.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\JWyQqwx.exe
  C:\Windows\System\JWyQqwx.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\LGvhMtx.exe
  C:\Windows\System\LGvhMtx.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\cfbwsyZ.exe
  C:\Windows\System\cfbwsyZ.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\yCzzVos.exe
  C:\Windows\System\yCzzVos.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\UeOTrAc.exe
  C:\Windows\System\UeOTrAc.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\kiLMYDO.exe
  C:\Windows\System\kiLMYDO.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\KYKZOin.exe
  C:\Windows\System\KYKZOin.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\sJLrvOm.exe
  C:\Windows\System\sJLrvOm.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\lGjXbJR.exe
  C:\Windows\System\lGjXbJR.exe
  2⤵
  - Executes dropped EXE
  PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GMVMfAr.exe

Filesize
5.2MB

MD5
f286c9bb6ffa10202a9f3a5ab975c8fe

SHA1
9be567271c5a888682173d787609d6931754e894

SHA256
b5463fa2f90bb06aac7dfe9eacc87555081f92cbaa82d40a898833c36ca04a6a

SHA512
7e4020781f11cde9d37162b23ea0aab6b62f553f07e8e31c29bcc30cebb64c129c35401cfa1282402173d9559b97333cc5dd68cd7e6a02d333fc972a1d463202

Download Submit
C:\Windows\system\LGvhMtx.exe

Filesize
5.2MB

MD5
da4e9ebb5878a99d93cbec96bf402158

SHA1
e0b5810b0c44b164f763035ab51dfda1aa516e99

SHA256
89aa7c6d349657aa73cd8b40c42e4b198ef67fe73fba142a0088b1dc6488bfa5

SHA512
223b384534b90101022b7f6a652df026b929b60265145f1e3e715e9bf6e426bdf0731d82495476eb24ffe1184c29eca81a5dc0c98c02def0718b1788e05f5816

Download Submit
C:\Windows\system\MHRRbUo.exe

Filesize
5.2MB

MD5
d18727ba5fa2835fb96dcf16d2a1142f

SHA1
ff7e3c808fb370b03199a655968aef5dd679732a

SHA256
db9d61db307897878c8a23b7bf29c2bf557892baded7652c96a133d12b20ef63

SHA512
18578b51796a59e4f4300d6088e8eca1600c405b659916ad43c777bea027425c26d45b8015e8a30714c24caef968d769147a8aa4810824f98b1dae65ca5ad7bb

Download Submit
C:\Windows\system\UeOTrAc.exe

Filesize
5.2MB

MD5
ce491bc1894e0d640e564e8335658296

SHA1
e468a87caf7049077627f17360826c970458c450

SHA256
ddfe539904c7e44b0346586b15d8434c6afd91f3312c85921c5c98480eabb009

SHA512
8ba74d0f8f883fd79adebf6f2659a6ea3adcab4065c9c60e3ca99fdb3ebb916763fad9e51ec6ac17151162990f66f10c45c0f60fa14c1fb97fd8235c9c376690

Download Submit
C:\Windows\system\ZKyzXPP.exe

Filesize
5.2MB

MD5
caaebbc21da4a22b8eae745fb8a4d812

SHA1
998c83cd2d41c36770951659a8efbe3cdbc4fe4b

SHA256
f799227e253771582e32c98a080051265464fb49539acc7a414382a7acb056a4

SHA512
0c1278b9d14d8fb93aec9f9d1006a3e6e53a1d1d21c985cd37bdb81c8845d157524bec9fbae0adb7954317785727279f74622594c356c2f945d0b16d0fd54fa5

Download Submit
C:\Windows\system\cfbwsyZ.exe

Filesize
5.2MB

MD5
b9723019dc303e969cde433a58bfd331

SHA1
12137b70d75bda290092fe48565fcfd2de29b127

SHA256
d41f2018f5fd4b6d4f130357cf692b9cb8340b3bf43d9118f40d9b781728fd04

SHA512
c2e1b36aa5aa0a17086ddeb234a2b114e858b23b4b35f68b8a0a67c17250bdd21f964d480661b3f4056679e6e2f1ce8f875f84e0cd17ffccb1a71c9782e80ef1

Download Submit
C:\Windows\system\jUHVqyd.exe

Filesize
5.2MB

MD5
a11c8a77a0c87a04cd280230c4ab3e0a

SHA1
75946ce3a440212a509f237b426629656061fc5d

SHA256
f7948fdd1fd649a65824728ba83ca6e826339246976ae45799ed967eec3863d1

SHA512
289f35bc397f83bfb7cb8a5d9ff53b69a8959dc71560c9b1621819d5bc3d5a3e5f06f0ba28dfda6d77ec5415294aa53b1d350ec30dea78b557c231527d858311

Download Submit
C:\Windows\system\kiLMYDO.exe

Filesize
5.2MB

MD5
3626814250f5878b5e3bc442a68535c6

SHA1
a1cb214faff4572023babbcffbe4588f20ff0f3b

SHA256
d1fdbd987cc9a9c9c64c53251d07cfe45b22bb5ba72e49be7b7046a3121d6a15

SHA512
d5d2a6370e368ee1eeb361d53d36b423fcb4d18e1af843d21eb39e6ec2c561f6c29be2aae46dec74db452b17d5b7f0a4b1debc4c2beae22d202ce3f65831af29

Download Submit
C:\Windows\system\lGjXbJR.exe

Filesize
5.2MB

MD5
92b64ff861434d29d661f60e4402d796

SHA1
5decb931da4e7aaf9a997b4abaa9892f151425b4

SHA256
75046760f8eb9e7b8469fad72724caf434f5c6aa363cd5d403058ad3f26feae3

SHA512
ef0a04eb020e790fab8f8ac863de599cc91554c21377f9190385e9156889b5985f70022519c8e7c536ad573ed9d96b650cdae05f1e6f822c7b85bda29ebf385f

Download Submit
C:\Windows\system\pOcYQui.exe

Filesize
5.2MB

MD5
513f0742ebe2413a9f3643b80f45895e

SHA1
1eee13d755f9ca0cb4e9322d48a389dd4072ffbe

SHA256
272091c597eca50ee492d29eab0e5eef3a33bac200c36bcd7047091969f263c8

SHA512
760d74848d57329544f8952b49ce38f255cd7f247544a9959dbe3bd8280b826f840ddd8de75315c650e3e107acf0977e75f869bab0a588a81d89007d13f789ec

Download Submit
C:\Windows\system\polQNqs.exe

Filesize
5.2MB

MD5
5df61e0d448202b2f22b1fa7f6f9cdfc

SHA1
c5430760eb5d1fae3c9639741b2cfaae2b67f4f3

SHA256
5f2cd2c88829357b4aa883492ef0d0eaaeb7cf5fe2000666d0bb73e412e47f94

SHA512
68dda89dd357410326678bd88ce1bdc955cc866ff57b282aa57fe3dd522715c5ce546c1fc0707e826d489a20c07191a63fa3ac01b372f49fefe13a77d42351cc

Download Submit
C:\Windows\system\sJLrvOm.exe

Filesize
5.2MB

MD5
2710cc330fef3db109bc6702039266f2

SHA1
e07a9a3ec3fa1197dfe6436f9a5d7e764dbb1ec6

SHA256
f05e6562be0036de217243b5da7b17b4f5804fa9f641a57919ddff46ee461dfe

SHA512
644ead6a4ba4e78af3e1dead93babe5a7f0d4c04054fcdf4d080a30a5a5c523b31bf511029775131c72f14c60ba74dc2479d24eb72b773166a8fb12545d25246

Download Submit
C:\Windows\system\sbiVOLO.exe

Filesize
5.2MB

MD5
d7781d8fc80812cec58aa6ddc9769980

SHA1
0395deaaf4de7240ce4a75c205e12dc2ce8542b5

SHA256
ed32887446e3fea4e67a271ce3c6c9295982ea6da57bc0e504f75c24f235622e

SHA512
48f2a7fc7732e582570d499edc4888f77708231e94ea7aa971ab1a34e242f7ac50408d9d23360cadc8592d5524916eb33b361ac959162a302737fe5f8382e563

Download Submit
C:\Windows\system\vXdJRpK.exe

Filesize
5.2MB

MD5
58e46199d08f6d48f8ccb8e5c401ba95

SHA1
e0250975fbe06fcf961a482e9107337c4486872f

SHA256
eda55f79403ade2feb029d0bf9ae26c4ea276a6a4b3224d1ee01f9152ed6fba4

SHA512
cea64e2a8b0cb95af8e72f86afd06cc14dd81a84aa472b691c32731d340c204124a4bf238bcbdd137c9ab9ed5af71a5dbb208a1d99a28ab7083a75e4084a00cd

Download Submit
\Windows\system\DYFSKFQ.exe

Filesize
5.2MB

MD5
5b633636f5853756944c09f2790ff07e

SHA1
093122475ee8c5d7d0a2fca228729e47e57037c9

SHA256
f9bcd0e797e153cddf4831770430185c7e24bce5b77138c16c7ee8d6aa28173b

SHA512
d5bb8e21902177bd9355589fa2a76ad40bf3fc57498dde3fb07b071570b02bb8cf79cff66d897518034c01154fe58d6f8b0890f4baceccba6dd27b38934e09e5

Download Submit
\Windows\system\JWyQqwx.exe

Filesize
5.2MB

MD5
03bc4f6317e51b1bb39f7b1db7e9a6a9

SHA1
6d49057df0e845480715f89696eaeef48952a627

SHA256
faae54cfe2a28a0eba4919654ca0ab168eb2a786f2cf771bcc007b2405df43ef

SHA512
5dce8c733e32086c56c9760734e648dc1a357532cbf76966872e69abc4b8b7ce02a519e6bbe5dfaa95bcce25802e7f77def7e378e5f89e374581abf43b6a4273

Download Submit
\Windows\system\KYKZOin.exe

Filesize
5.2MB

MD5
e8ca004b92b8b938a47f192db63a934a

SHA1
5666bd0175e285080f8d8bb751281fd4eedfc50c

SHA256
d9785d9ccd8bc323221ea4a567b6162199b53051040d26b3f1e0089ab4dce544

SHA512
255f69493142019228757d437217bbc82c438a7c1d16c04f0613242402425f62bec8543f3c034feafab6119701e9adca4d245870395d3ecc23d6b9b65ec32c28

Download Submit
\Windows\system\XnkZdoJ.exe

Filesize
5.2MB

MD5
58a8d157c935da5352fd5932ae54cfe4

SHA1
2513db2c41f612fb2c246e28fe9b8c56329dcd09

SHA256
40b340488741540be6f7fdda35dc1c4e9e705394bc136bdcb4168de9509f5687

SHA512
17978e23577c14d024eec4314ffa62c5ca1d0e66de02c0214e4a5819895b68bb7c6353e125a0b4ba881bdf83870cc8f85420cfaf6456b116872123f52cd709b4

Download Submit
\Windows\system\eNcnnnS.exe

Filesize
5.2MB

MD5
77a3c3956a01043a7e7dd2dbce33ac9a

SHA1
0e98af32ff7633b37edb50703ad52ae7b3bbcb6a

SHA256
42b4f27be5643b6a9c6e324bee0496617b80c464e2bfacfdd039a7a9be33ec63

SHA512
d5dfae780867642723f9c358a3a9d8b7814052f169b1b0e16f3fda4b7486ee3ff829ab6eb542cfc0c0965922568da932ccff7eb3ece2457dd3671cca9ae02859

Download Submit
\Windows\system\oaBNieV.exe

Filesize
5.2MB

MD5
c8d346e91096cd70998adca4651e3d82

SHA1
f34c7b2301190b52af2afd82ab0f72e6078dba93

SHA256
bd212e7e1999f705d5950510cf89fd8c03999267646dabc927a911e0b756b5f2

SHA512
753b67fb44703f7dc37812514ee52912655e1bcd46e0c15d19627b57d7ae14f9dac302359bce712a660c2d7cded2ef07482a46da845f394a8630b3f7cb831bfe

Download Submit
\Windows\system\yCzzVos.exe

Filesize
5.2MB

MD5
d4f0c4e1fa86d841a9ef3c0855b4c464

SHA1
e90cf70087bca376274c607ac4a17783ea6cf039

SHA256
3a879cecac514b8bf30a88102f098ab32add4c873dbd3020a16a9d1cd1551d6b

SHA512
ddf84a68ebe0719ba969df481dbfaa938ed860c6e0936a4c3f33f736ff5b2cdc3352549e009ad06d0c285f36b0363d0136f2aad149694f7be4013f244ccb8de1

Download Submit
memory/1068-166-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/1068-118-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/1084-143-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/1084-169-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/1180-104-0x000000013FFB0000-0x0000000140301000-memory.dmp

Filesize
3.3MB

Download
memory/1180-253-0x000000013FFB0000-0x0000000140301000-memory.dmp

Filesize
3.3MB

Download
memory/1268-76-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/1268-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/1436-96-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/1436-251-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/1508-83-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1508-247-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-225-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/1580-60-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/1640-133-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/1640-168-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/1944-227-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/1944-64-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/1984-170-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-144-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-112-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2116-68-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2116-238-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2160-233-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2160-51-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2444-240-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/2444-69-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/2528-52-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2528-147-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2528-74-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2528-124-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2528-111-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2528-0-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2528-40-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2528-132-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2528-7-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2528-82-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2528-46-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2528-100-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2528-119-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/2528-146-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-145-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/2528-47-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-95-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2528-163-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2528-48-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-103-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2528-1-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2528-49-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2528-171-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2528-172-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2528-173-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2528-182-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/2528-188-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2528-197-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2528-204-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/2528-110-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2576-234-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-56-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-229-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-50-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-59-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2712-232-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2716-236-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2716-66-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2768-126-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2828-157-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2828-89-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2828-249-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/3060-222-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-45-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download