cobaltstrike | b280ce8371fe4f3667da2c3fb29b7e71ff944330ce4e3547bd3b0eb3bc010f35

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

493e5f16ae4963318897783ba98e535c
SHA1

0ca00c7ccfdc4c8454cb931689b68001a1776aad
SHA256

b280ce8371fe4f3667da2c3fb29b7e71ff944330ce4e3547bd3b0eb3bc010f35
SHA512

70c79c9b2b3b6aedba10bb3afce5260bc74b0a2286ffb8fff08de466d6058965d71eef431b32a9fec4e3a6bba770a0ef61ab9e3ac2433bee6ad148d33cf9a238
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\vpNpNxI.exe	cobalt_reflective_dll
C:\Windows\system\cWEYTWS.exe	cobalt_reflective_dll
C:\Windows\system\PqBXaCp.exe	cobalt_reflective_dll
\Windows\system\QWGEPco.exe	cobalt_reflective_dll
C:\Windows\system\KNsrGgJ.exe	cobalt_reflective_dll
C:\Windows\system\acxdkFi.exe	cobalt_reflective_dll
C:\Windows\system\BltFpsJ.exe	cobalt_reflective_dll
\Windows\system\cUtDQVn.exe	cobalt_reflective_dll
\Windows\system\DGSgAHK.exe	cobalt_reflective_dll
C:\Windows\system\vjYGFmY.exe	cobalt_reflective_dll
C:\Windows\system\IzacCpu.exe	cobalt_reflective_dll
C:\Windows\system\aAnDjun.exe	cobalt_reflective_dll
C:\Windows\system\KzhONaR.exe	cobalt_reflective_dll
C:\Windows\system\imYmica.exe	cobalt_reflective_dll
C:\Windows\system\wWGKBXn.exe	cobalt_reflective_dll
\Windows\system\CtfpSME.exe	cobalt_reflective_dll
C:\Windows\system\dNAoOkh.exe	cobalt_reflective_dll
C:\Windows\system\lTVwPME.exe	cobalt_reflective_dll
C:\Windows\system\QyEvBUN.exe	cobalt_reflective_dll
C:\Windows\system\UACcAHl.exe	cobalt_reflective_dll
\Windows\system\ozbOmEe.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\vpNpNxI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cWEYTWS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PqBXaCp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QWGEPco.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KNsrGgJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\acxdkFi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BltFpsJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\cUtDQVn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DGSgAHK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vjYGFmY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IzacCpu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aAnDjun.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KzhONaR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\imYmica.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wWGKBXn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\CtfpSME.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dNAoOkh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lTVwPME.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QyEvBUN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UACcAHl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ozbOmEe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3016-21-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
C:\Windows\system\vpNpNxI.exe	UPX
behavioral1/memory/2240-16-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
C:\Windows\system\cWEYTWS.exe	UPX
behavioral1/memory/2676-29-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
C:\Windows\system\PqBXaCp.exe	UPX
behavioral1/memory/2364-9-0x000000013F980000-0x000000013FCD1000-memory.dmp	UPX
\Windows\system\QWGEPco.exe	UPX
behavioral1/memory/2304-7-0x000000013F980000-0x000000013FCD1000-memory.dmp	UPX
C:\Windows\system\KNsrGgJ.exe	UPX
C:\Windows\system\acxdkFi.exe	UPX
behavioral1/memory/2304-0-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
C:\Windows\system\BltFpsJ.exe	UPX
\Windows\system\cUtDQVn.exe	UPX
\Windows\system\DGSgAHK.exe	UPX
C:\Windows\system\vjYGFmY.exe	UPX
behavioral1/memory/2548-79-0x000000013F8D0000-0x000000013FC21000-memory.dmp	UPX
behavioral1/memory/2148-82-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	UPX
behavioral1/memory/2564-88-0x000000013F4D0000-0x000000013F821000-memory.dmp	UPX
behavioral1/memory/2416-91-0x000000013F1E0000-0x000000013F531000-memory.dmp	UPX
behavioral1/memory/2920-92-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/memory/2764-93-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
behavioral1/memory/2396-96-0x000000013F4B0000-0x000000013F801000-memory.dmp	UPX
behavioral1/memory/2972-95-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
C:\Windows\system\IzacCpu.exe	UPX
C:\Windows\system\aAnDjun.exe	UPX
C:\Windows\system\KzhONaR.exe	UPX
behavioral1/memory/2816-52-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
C:\Windows\system\imYmica.exe	UPX
C:\Windows\system\wWGKBXn.exe	UPX
\Windows\system\CtfpSME.exe	UPX
behavioral1/memory/2364-127-0x000000013F980000-0x000000013FCD1000-memory.dmp	UPX
behavioral1/memory/3016-132-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
behavioral1/memory/2676-134-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
C:\Windows\system\dNAoOkh.exe	UPX
C:\Windows\system\lTVwPME.exe	UPX
behavioral1/memory/2972-137-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
behavioral1/memory/2764-139-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
C:\Windows\system\QyEvBUN.exe	UPX
behavioral1/memory/2396-142-0x000000013F4B0000-0x000000013F801000-memory.dmp	UPX
behavioral1/memory/2564-140-0x000000013F4D0000-0x000000013F821000-memory.dmp	UPX
behavioral1/memory/2476-144-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	UPX
behavioral1/memory/2468-146-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
behavioral1/memory/1320-147-0x000000013F710000-0x000000013FA61000-memory.dmp	UPX
C:\Windows\system\UACcAHl.exe	UPX
behavioral1/memory/1892-149-0x000000013F300000-0x000000013F651000-memory.dmp	UPX
behavioral1/memory/1964-151-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX
behavioral1/memory/2312-152-0x000000013FF50000-0x00000001402A1000-memory.dmp	UPX
behavioral1/memory/2304-102-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
\Windows\system\ozbOmEe.exe	UPX
behavioral1/memory/2372-155-0x000000013FFE0000-0x0000000140331000-memory.dmp	UPX
behavioral1/memory/2304-153-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
behavioral1/memory/1744-150-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
behavioral1/memory/2304-157-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
behavioral1/memory/2468-166-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
behavioral1/memory/1964-176-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX
behavioral1/memory/2312-178-0x000000013FF50000-0x00000001402A1000-memory.dmp	UPX
behavioral1/memory/2372-180-0x000000013FFE0000-0x0000000140331000-memory.dmp	UPX
behavioral1/memory/2304-181-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
behavioral1/memory/2364-207-0x000000013F980000-0x000000013FCD1000-memory.dmp	UPX
behavioral1/memory/2240-209-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/3016-215-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
behavioral1/memory/2676-217-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
behavioral1/memory/2816-219-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX

XMRig Miner payload 54 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2240-16-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2364-9-0x000000013F980000-0x000000013FCD1000-memory.dmp	xmrig
behavioral1/memory/2548-79-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2148-82-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2304-83-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2564-88-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/2304-89-0x0000000002230000-0x0000000002581000-memory.dmp	xmrig
behavioral1/memory/2416-91-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2920-92-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2764-93-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2972-95-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2816-52-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2364-127-0x000000013F980000-0x000000013FCD1000-memory.dmp	xmrig
behavioral1/memory/3016-132-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2676-134-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2972-137-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2764-139-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2396-142-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2564-140-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/2476-144-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2468-146-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/1320-147-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/1892-149-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1964-151-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2304-102-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2304-153-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/1744-150-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/2304-157-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2468-166-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/1964-176-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2312-178-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2372-180-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2304-181-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2364-207-0x000000013F980000-0x000000013FCD1000-memory.dmp	xmrig
behavioral1/memory/2240-209-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/3016-215-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2676-217-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2816-219-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2548-221-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2416-240-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2148-239-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2920-241-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2972-244-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2764-247-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2564-248-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/2396-251-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/1320-254-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2476-257-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/1744-259-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/1892-258-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2468-301-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2372-304-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/1964-305-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2312-308-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

KNsrGgJ.exePqBXaCp.exevpNpNxI.execWEYTWS.exeQWGEPco.exeacxdkFi.exeBltFpsJ.execUtDQVn.exeKzhONaR.exeaAnDjun.exeDGSgAHK.exevjYGFmY.exeIzacCpu.exeimYmica.exewWGKBXn.exeUACcAHl.exelTVwPME.exedNAoOkh.exeCtfpSME.exeQyEvBUN.exeozbOmEe.exe

pid	process
2364	KNsrGgJ.exe
2240	PqBXaCp.exe
3016	vpNpNxI.exe
2676	cWEYTWS.exe
2816	QWGEPco.exe
2548	acxdkFi.exe
2148	BltFpsJ.exe
2972	cUtDQVn.exe
2564	KzhONaR.exe
2416	aAnDjun.exe
2920	DGSgAHK.exe
2764	vjYGFmY.exe
2396	IzacCpu.exe
2476	imYmica.exe
2468	wWGKBXn.exe
1320	UACcAHl.exe
1892	lTVwPME.exe
1744	dNAoOkh.exe
1964	CtfpSME.exe
2312	QyEvBUN.exe
2372	ozbOmEe.exe

Loads dropped DLL 21 IoCs

Processes:

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

pid	process
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3016-21-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
C:\Windows\system\vpNpNxI.exe	upx
behavioral1/memory/2240-16-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
C:\Windows\system\cWEYTWS.exe	upx
behavioral1/memory/2676-29-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
C:\Windows\system\PqBXaCp.exe	upx
behavioral1/memory/2364-9-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
\Windows\system\QWGEPco.exe	upx
behavioral1/memory/2304-7-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
C:\Windows\system\KNsrGgJ.exe	upx
C:\Windows\system\acxdkFi.exe	upx
behavioral1/memory/2304-0-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
C:\Windows\system\BltFpsJ.exe	upx
\Windows\system\cUtDQVn.exe	upx
\Windows\system\DGSgAHK.exe	upx
C:\Windows\system\vjYGFmY.exe	upx
behavioral1/memory/2548-79-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2148-82-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2564-88-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/2416-91-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2920-92-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/2764-93-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2396-96-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2972-95-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
C:\Windows\system\IzacCpu.exe	upx
C:\Windows\system\aAnDjun.exe	upx
C:\Windows\system\KzhONaR.exe	upx
behavioral1/memory/2816-52-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
C:\Windows\system\imYmica.exe	upx
C:\Windows\system\wWGKBXn.exe	upx
\Windows\system\CtfpSME.exe	upx
behavioral1/memory/2364-127-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
behavioral1/memory/3016-132-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2676-134-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
C:\Windows\system\dNAoOkh.exe	upx
C:\Windows\system\lTVwPME.exe	upx
behavioral1/memory/2972-137-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2764-139-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
C:\Windows\system\QyEvBUN.exe	upx
behavioral1/memory/2396-142-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2564-140-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/2476-144-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2468-146-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/1320-147-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
C:\Windows\system\UACcAHl.exe	upx
behavioral1/memory/1892-149-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/1964-151-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/memory/2312-152-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2304-102-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
\Windows\system\ozbOmEe.exe	upx
behavioral1/memory/2372-155-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2304-153-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/1744-150-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
behavioral1/memory/2304-157-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2468-166-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/1964-176-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/memory/2312-178-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2372-180-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2304-181-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2364-207-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
behavioral1/memory/2240-209-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/3016-215-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2676-217-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/2816-219-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\QyEvBUN.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dNAoOkh.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ozbOmEe.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cWEYTWS.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\acxdkFi.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cUtDQVn.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UACcAHl.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CtfpSME.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QWGEPco.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vjYGFmY.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KzhONaR.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aAnDjun.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PqBXaCp.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BltFpsJ.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wWGKBXn.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DGSgAHK.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lTVwPME.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KNsrGgJ.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vpNpNxI.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IzacCpu.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\imYmica.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2304 wrote to memory of 2364	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	KNsrGgJ.exe
PID 2304 wrote to memory of 2364	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	KNsrGgJ.exe
PID 2304 wrote to memory of 2364	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	KNsrGgJ.exe
PID 2304 wrote to memory of 2240	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	PqBXaCp.exe
PID 2304 wrote to memory of 2240	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	PqBXaCp.exe
PID 2304 wrote to memory of 2240	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	PqBXaCp.exe
PID 2304 wrote to memory of 3016	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	vpNpNxI.exe
PID 2304 wrote to memory of 3016	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	vpNpNxI.exe
PID 2304 wrote to memory of 3016	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	vpNpNxI.exe
PID 2304 wrote to memory of 2676	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	cWEYTWS.exe
PID 2304 wrote to memory of 2676	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	cWEYTWS.exe
PID 2304 wrote to memory of 2676	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	cWEYTWS.exe
PID 2304 wrote to memory of 2548	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	acxdkFi.exe
PID 2304 wrote to memory of 2548	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	acxdkFi.exe
PID 2304 wrote to memory of 2548	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	acxdkFi.exe
PID 2304 wrote to memory of 2816	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	QWGEPco.exe
PID 2304 wrote to memory of 2816	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	QWGEPco.exe
PID 2304 wrote to memory of 2816	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	QWGEPco.exe
PID 2304 wrote to memory of 2972	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	cUtDQVn.exe
PID 2304 wrote to memory of 2972	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	cUtDQVn.exe
PID 2304 wrote to memory of 2972	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	cUtDQVn.exe
PID 2304 wrote to memory of 2148	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	BltFpsJ.exe
PID 2304 wrote to memory of 2148	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	BltFpsJ.exe
PID 2304 wrote to memory of 2148	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	BltFpsJ.exe
PID 2304 wrote to memory of 2764	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	vjYGFmY.exe
PID 2304 wrote to memory of 2764	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	vjYGFmY.exe
PID 2304 wrote to memory of 2764	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	vjYGFmY.exe
PID 2304 wrote to memory of 2564	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	KzhONaR.exe
PID 2304 wrote to memory of 2564	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	KzhONaR.exe
PID 2304 wrote to memory of 2564	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	KzhONaR.exe
PID 2304 wrote to memory of 2396	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	IzacCpu.exe
PID 2304 wrote to memory of 2396	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	IzacCpu.exe
PID 2304 wrote to memory of 2396	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	IzacCpu.exe
PID 2304 wrote to memory of 2416	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	aAnDjun.exe
PID 2304 wrote to memory of 2416	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	aAnDjun.exe
PID 2304 wrote to memory of 2416	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	aAnDjun.exe
PID 2304 wrote to memory of 2476	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	imYmica.exe
PID 2304 wrote to memory of 2476	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	imYmica.exe
PID 2304 wrote to memory of 2476	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	imYmica.exe
PID 2304 wrote to memory of 2920	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	DGSgAHK.exe
PID 2304 wrote to memory of 2920	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	DGSgAHK.exe
PID 2304 wrote to memory of 2920	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	DGSgAHK.exe
PID 2304 wrote to memory of 2468	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	wWGKBXn.exe
PID 2304 wrote to memory of 2468	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	wWGKBXn.exe
PID 2304 wrote to memory of 2468	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	wWGKBXn.exe
PID 2304 wrote to memory of 1320	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	UACcAHl.exe
PID 2304 wrote to memory of 1320	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	UACcAHl.exe
PID 2304 wrote to memory of 1320	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	UACcAHl.exe
PID 2304 wrote to memory of 1964	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	CtfpSME.exe
PID 2304 wrote to memory of 1964	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	CtfpSME.exe
PID 2304 wrote to memory of 1964	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	CtfpSME.exe
PID 2304 wrote to memory of 1892	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	lTVwPME.exe
PID 2304 wrote to memory of 1892	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	lTVwPME.exe
PID 2304 wrote to memory of 1892	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	lTVwPME.exe
PID 2304 wrote to memory of 2312	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	QyEvBUN.exe
PID 2304 wrote to memory of 2312	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	QyEvBUN.exe
PID 2304 wrote to memory of 2312	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	QyEvBUN.exe
PID 2304 wrote to memory of 1744	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	dNAoOkh.exe
PID 2304 wrote to memory of 1744	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	dNAoOkh.exe
PID 2304 wrote to memory of 1744	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	dNAoOkh.exe
PID 2304 wrote to memory of 2372	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	ozbOmEe.exe
PID 2304 wrote to memory of 2372	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	ozbOmEe.exe
PID 2304 wrote to memory of 2372	2304	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	ozbOmEe.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\System\KNsrGgJ.exe
  C:\Windows\System\KNsrGgJ.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\PqBXaCp.exe
  C:\Windows\System\PqBXaCp.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\vpNpNxI.exe
  C:\Windows\System\vpNpNxI.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\cWEYTWS.exe
  C:\Windows\System\cWEYTWS.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\acxdkFi.exe
  C:\Windows\System\acxdkFi.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\QWGEPco.exe
  C:\Windows\System\QWGEPco.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\cUtDQVn.exe
  C:\Windows\System\cUtDQVn.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\BltFpsJ.exe
  C:\Windows\System\BltFpsJ.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\vjYGFmY.exe
  C:\Windows\System\vjYGFmY.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\KzhONaR.exe
  C:\Windows\System\KzhONaR.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\IzacCpu.exe
  C:\Windows\System\IzacCpu.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\aAnDjun.exe
  C:\Windows\System\aAnDjun.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\imYmica.exe
  C:\Windows\System\imYmica.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\DGSgAHK.exe
  C:\Windows\System\DGSgAHK.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\wWGKBXn.exe
  C:\Windows\System\wWGKBXn.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\UACcAHl.exe
  C:\Windows\System\UACcAHl.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\CtfpSME.exe
  C:\Windows\System\CtfpSME.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\lTVwPME.exe
  C:\Windows\System\lTVwPME.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\QyEvBUN.exe
  C:\Windows\System\QyEvBUN.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\dNAoOkh.exe
  C:\Windows\System\dNAoOkh.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\ozbOmEe.exe
  C:\Windows\System\ozbOmEe.exe
  2⤵
  - Executes dropped EXE
  PID:2372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BltFpsJ.exe

Filesize
5.2MB

MD5
f29df4273f92aa2613a62f884666f51c

SHA1
9572d94d29fb2aa829b7f18d067a6fc3fe2bf4df

SHA256
de79dcc35a6c867fb9b5197a406ad31fc88e7cc51fc908e36b41342839c4f76f

SHA512
5f7cec46f6d56aedfc4444f71ab43118214f1355f6bdb2cbf3023d5adb350173a0114d8ec55ffb9e9ccd90fbd9a1bfe45982ad1d9a6efd252c361b3836e36a4a

Download Submit
C:\Windows\system\IzacCpu.exe

Filesize
5.2MB

MD5
424d929d3741c6466afe8053a06e7221

SHA1
64588ca5b6290a2fdb0fc5c3f2c29ddeea82f697

SHA256
6a610e984b13dfc5eab1b5254c86b47eeb0a9b9c00f80dae2e66972cee9fe00f

SHA512
821716a8bbfb130f1561aa75b07c6cec2acd43993f5053f00b8bc73aeefefeaff1197a6d1484acb544bd6f7abe479a7774ae7ad9d383696ad9f1e177a5289340

Download Submit
C:\Windows\system\KNsrGgJ.exe

Filesize
5.2MB

MD5
c21ba653db051b188b07b22ac54bc6b0

SHA1
62a1afa1dcb9aaed7bc11603e4aae92165606544

SHA256
54233bd2c449614fc3555683125c300289a2ee5bfac2e587999526b17ab033fd

SHA512
4fc08fc9d83aa2d1f6d176c4a76c900d18a9ca9252fe3f81acf392ff0fb2a0ece10f0f8dddbe75915abd06ebccdd2099a3e2693cee06f5e4d048e40b0cd3b817

Download Submit
C:\Windows\system\KzhONaR.exe

Filesize
5.2MB

MD5
9626833a14f59949a45269a08ce5acef

SHA1
7b021b1574809732fee031046be661ceaa9c09b8

SHA256
88d54a24d7537a692d271fc2ba3c7e277ca495501f65d6589b4bdf3381dda0c6

SHA512
cb33319af5b702da79f9dd5b880f959d4b8c8d7267f76ed464c1fc9b7cbf9abd2eca0764b78728f1f8c88f294d59b552417080e3d1f909f0436a5ddb0dde0724

Download Submit
C:\Windows\system\PqBXaCp.exe

Filesize
5.2MB

MD5
df2c65bd607308c2bdb583896a64ff5f

SHA1
7aaf927e4359cda290c8b6475d59358722733b0d

SHA256
113313755504d212d0b0c675bb2c8ae98bcfe53487190d63fc842586523cbd8a

SHA512
6b3ba116811247fd159d7cfb68f0e11a80e3a00fd61ebb933e8b244f5a2ef0cf81aea786c535fa8720a498489002fab2ed4411b8a776e5d8b8f59cc84648571a

Download Submit
C:\Windows\system\QyEvBUN.exe

Filesize
5.2MB

MD5
7065de1a36f33fb2213d63e045572987

SHA1
85fdd3624e0e73ff51e253896c1b6b10f25c4b27

SHA256
c373a9fa55ac37eeabe4295f7a8ea3e5a5aa737c98d5cdec1b01bdb9894485b9

SHA512
f28e2666012a49c88468041878a0edfa1c3fdbd24528f32db1838e461dc07927678f31e9006ca4af76815b0004bceb7b2a68c26e982340e544e0b8b20eece2fd

Download Submit
C:\Windows\system\UACcAHl.exe

Filesize
5.2MB

MD5
ddf5e875412d5e913934ddd92e54c8ad

SHA1
bf3b8023486e2fd275577746f2627a9bf755f4dd

SHA256
fddcc00578728eb035c5258d00f9c6c87d17dac71921abf3eb167a6e2ee1b799

SHA512
04075455597ddbbb9e6855fbaafd53accf39aae5d6422eea93767ce068055cde021929167be99c76ee4e09d189cefbaa414a20c311f70119815dcd767a25431f

Download Submit
C:\Windows\system\aAnDjun.exe

Filesize
5.2MB

MD5
fcd75b51463ad08d9657ffe199ea3f0c

SHA1
1b1910c787aa61b6e889a7108adeb1b78d777549

SHA256
1a33c22de192fa65afbcd63a83beddf02c402e65107be9088b06bd8d55fa5825

SHA512
a77a08814c30eafb4bd5ee82aef6d3e14889ea810b6396f3a7a2d15bce66937c6e2f30d74c4b2059a68c820cc39f764311de66c2051d6a580721e9702582de73

Download Submit
C:\Windows\system\acxdkFi.exe

Filesize
5.2MB

MD5
76d40eb98ba2636e64d48beac0251309

SHA1
632a7202b0f58a2bb74a7fa894f0bd7fef7b78ff

SHA256
c7820d9346d2587f4f26d9fc8e317472f7d2815f23690398b32fd197d5b8db84

SHA512
c583ee591c3c9e65816252b1a9bfe8551047f8c0730f00f82f2f5516a10ce68c33ad9cfd4210187b3f75cc824488223ad24d48777e8de1e4aaa31bc4923d721e

Download Submit
C:\Windows\system\cWEYTWS.exe

Filesize
5.2MB

MD5
3641477ab18338b7fe4e10fe8e361070

SHA1
8e3374d74cebcd553c9017f5cb68ee132bd4a4eb

SHA256
656aeb2a3ca9d67139acd55374ef719a4134ac4964cf8964e43bcc30c145f91b

SHA512
eb77cef6b26867f33981640f900cb91cb10e364b304dbf309256a679b3feaeb57439461cc8868a44e29cf3e37981c37ee54c337c856165717352f9c283133578

Download Submit
C:\Windows\system\dNAoOkh.exe

Filesize
5.2MB

MD5
82b2832ab5fa0b1a1cbde81b70fcdbb9

SHA1
65195181c21a004da7113ba28c98d0df6770118f

SHA256
1a5c764cdcecdeb17336a69fdfd1dc5688bb07536f35d9c6d887c1b3832dbc57

SHA512
99c50e6d254cfae1e4ccfade1a12ba26be35f94f2eb47b03cff2b353a0b5dfa12a586e63567dcc41d3e09f328934c80ea63eb9c090e36fb64284eda078eab0e4

Download Submit
C:\Windows\system\imYmica.exe

Filesize
5.2MB

MD5
51b0316254ae30202fba43b855e49d6a

SHA1
88ccdb4cbcc3c828003b0f8d64d20fdde9710c82

SHA256
63d0128c4b2eae1e9e3c434f831e2a5cca21295325f33d2147db34690ca2ae7f

SHA512
706815cd1c04ad846506998fc706d278cf7abbf1d203fec13262c861ea2d30846fd29decad7dd9765612e17770f1bb38b97c676574517e1da87394c6c4ec870e

Download Submit
C:\Windows\system\lTVwPME.exe

Filesize
5.2MB

MD5
d1913063c771bbc7422558c81391071c

SHA1
3cc031a1d36870f6a7ed0bd46affb043990e7966

SHA256
9057f0c84fd72f3ecf6728e582fa1db5b2ccdea654901c7fd43793f59f80ce88

SHA512
541c24fca5483d9336e44a14c47c2f536200c551cfd78d75e3848ab67212a7ca1e730ed98b67c4b2cd0b1bd7d7c34540ca7ad1a6d2be5c0aa3329b428c733571

Download Submit
C:\Windows\system\vjYGFmY.exe

Filesize
5.2MB

MD5
be551ddb843e692af61bc12af97f7722

SHA1
91fcecc6411304d33fac0357f54b8d5019c547e5

SHA256
c8e5f83cda07e58d70e1e151a336cbd901c257e90be5452b480c7e3e46df6dc8

SHA512
d5a8d90318d8e1fbb2739bb911fb0a28a5b81a4c9b7cf7f485cf05fb7f7d7b968d1237c468de5ac914f63bfc805f59fa44940a9644fc17572a91426322c23bea

Download Submit
C:\Windows\system\vpNpNxI.exe

Filesize
5.2MB

MD5
c082a29b5387c58fbfe4e5b16429da00

SHA1
31f7ff537f47f86481461241c62a04994febf99a

SHA256
2a545474300ebafc42705e365f32c0220a0ef87ef59fd6fdfabd9068ceff1123

SHA512
fc4fded4f5419c5d3530d490ad29e66f886b1d82ec0c853e87862dc65290f41c6deea051e9145f7edd856f16aaa3002c0a467666cd62e4b8d9891fa488c00c6a

Download Submit
C:\Windows\system\wWGKBXn.exe

Filesize
5.2MB

MD5
ead481623369ec41e3ffc875e1421738

SHA1
599f35d394e26fa6a91d13e7db15d4ae13f492ef

SHA256
b4b9832c93a1bff566dbe62d4e054e8f44bb708425fd23f02a75f4717b052b41

SHA512
1420a2d0c3b3e9a0516c2c09b0cf68ec8657358ac87ab964d5227267589e02ca434158ff80f353c9153502fad907f7deeedc42706516ee8fc7b6077c69795724

Download Submit
\Windows\system\CtfpSME.exe

Filesize
5.2MB

MD5
950fb9905e14ca0f0a71d7c7dec68793

SHA1
e74ae4160adcf08a9d3663ff4f0b4d334c284e50

SHA256
3fe4704e5f5062479e3ce16e22b5bec8e1a2b0aa4a09938e96bbf4fc3f880c1d

SHA512
00e04aea2f1a3ad185e99cadf30e0c632e3e7d1077555e09be7008ebbf82cb910fee611be1821f3906496e39730ad74d11f875a186c693b9c4e1073e089f5c47

Download Submit
\Windows\system\DGSgAHK.exe

Filesize
5.2MB

MD5
fea3c452111963259f4662a9a4b5a289

SHA1
afa3525f1f4e7f6ccae7f37308b2b8b6c5f5d3ea

SHA256
d5abb8e76beb6a1f8d3dfe78fc11d09be42ec24c7d1ab5158f45956ad3b8be2b

SHA512
964f4494a9a3c00f55423f9d44146de8b7c246e72456ef4eb92368a5b5d318fe2fa54d76fd8b2f4042a7af40a2694d71d8abe907af4ba595e775c9c76255ff59

Download Submit
\Windows\system\QWGEPco.exe

Filesize
5.2MB

MD5
4e595381b49a991d3ec70f1de27c9756

SHA1
a7c0a8d94afd558ff9f1781cc0ee931961d29e51

SHA256
68d3a5a2910366e09a42b11d37ea7b81b5afb0e8def9b4fcb4fbccdc84761a1c

SHA512
99369d4592b4e39d0cfcfcb102b5f1908b9f9b055e4f3e90d770a1e149646073b77e1efd51577b5bde598d532440b414a248f464bc7bedb91425c4526013656f

Download Submit
\Windows\system\cUtDQVn.exe

Filesize
5.2MB

MD5
0d5682bde52ac521554cc95e77caf6a7

SHA1
87841674c8d92407fba7bf4db60041fcfaa8f13a

SHA256
9cd42a59103ea31d184137195c184a4945e2225d4415b71ae37398c4cf570460

SHA512
eddfe7f1776c7524552e3ea5ce8a9552bb25ec2ecf7d0a6848164779e97b7a0d569aa3d95c8b239fd5b89bab30ede00f6f7361c423719e48786b781db234e5b5

Download Submit
\Windows\system\ozbOmEe.exe

Filesize
5.2MB

MD5
1bf05feec875b027f0946745311c7e8a

SHA1
db0644cb461396f24957e32a3aebcc8545e04b6a

SHA256
585079dbe8b938442ac02fb0d892e88919be5785a5a205a66de82082b2736834

SHA512
b37726519ac90b910ebb3848d24f30085f7b95efb6d3fd781c9b29e1255ef21bb752919a8c90807fa258e28049d60d29dede13173fa7cf65ba44e8256feccb41

Download Submit
memory/1320-147-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/1320-254-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/1744-150-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/1744-259-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/1892-149-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1892-258-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1964-305-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/1964-176-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/1964-151-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2148-82-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-239-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-16-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2240-209-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2304-83-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2304-84-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2304-7-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-90-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-80-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-94-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-19-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2304-182-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2304-181-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2304-89-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2304-161-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2304-28-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2304-157-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-0-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-87-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2304-15-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2304-153-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-86-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2304-34-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2304-102-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-81-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2304-148-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2312-308-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2312-178-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2312-152-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-127-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-9-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-207-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-304-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2372-155-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2372-180-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2396-251-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2396-96-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2396-142-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2416-240-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2416-91-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2468-301-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2468-146-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2468-166-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2476-144-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2476-257-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-221-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2548-79-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2564-248-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2564-140-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2564-88-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2676-217-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2676-134-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2676-29-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2764-139-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2764-247-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2764-93-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2816-219-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-52-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-241-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-92-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-244-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-137-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-95-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-21-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-215-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-132-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download