cobaltstrike | 1eea0162e4eaaeca9de33097851d95244286f45887b3860c0a2b2b2b2c009b75

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

24fa24f74fc275ae0bb7e8a872368d39
SHA1

7bcc09fdc3b6cb3cbe4cccd99c07c4e5a235d830
SHA256

1eea0162e4eaaeca9de33097851d95244286f45887b3860c0a2b2b2b2c009b75
SHA512

97232fff82416a36be61eda147e7d7b303c3af1bb334f9e7fd8464b2a095a0d7d3bf71e80ac1f4f3d17d7e2db3b7e47a5f8dae71a7411d1f5036b02e37746375
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\pzLvuie.exe	cobalt_reflective_dll
\Windows\system\LatJSgW.exe	cobalt_reflective_dll
C:\Windows\system\ByCTAkl.exe	cobalt_reflective_dll
\Windows\system\xMcfaZT.exe	cobalt_reflective_dll
\Windows\system\QdadHPS.exe	cobalt_reflective_dll
\Windows\system\VaBCZBJ.exe	cobalt_reflective_dll
C:\Windows\system\GVaZsbs.exe	cobalt_reflective_dll
C:\Windows\system\EFzZCEk.exe	cobalt_reflective_dll
\Windows\system\KEYbVSq.exe	cobalt_reflective_dll
\Windows\system\Qzvzedk.exe	cobalt_reflective_dll
\Windows\system\dIQAZmu.exe	cobalt_reflective_dll
C:\Windows\system\NELFjIW.exe	cobalt_reflective_dll
\Windows\system\mHFpDpX.exe	cobalt_reflective_dll
C:\Windows\system\RJRoXhy.exe	cobalt_reflective_dll
C:\Windows\system\rRQFdJK.exe	cobalt_reflective_dll
C:\Windows\system\FZgAHWG.exe	cobalt_reflective_dll
\Windows\system\dWMEHOY.exe	cobalt_reflective_dll
C:\Windows\system\IXpcPOW.exe	cobalt_reflective_dll
\Windows\system\Jlkmwvz.exe	cobalt_reflective_dll
C:\Windows\system\ZVmscdw.exe	cobalt_reflective_dll
\Windows\system\ZuWtRyF.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\pzLvuie.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LatJSgW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ByCTAkl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xMcfaZT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QdadHPS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VaBCZBJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GVaZsbs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EFzZCEk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KEYbVSq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\Qzvzedk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\dIQAZmu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NELFjIW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\mHFpDpX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RJRoXhy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rRQFdJK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FZgAHWG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\dWMEHOY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IXpcPOW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\Jlkmwvz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZVmscdw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ZuWtRyF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2412-0-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
\Windows\system\pzLvuie.exe	UPX
\Windows\system\LatJSgW.exe	UPX
behavioral1/memory/1460-15-0x000000013FDA0000-0x00000001400F1000-memory.dmp	UPX
C:\Windows\system\ByCTAkl.exe	UPX
behavioral1/memory/2644-20-0x000000013F1E0000-0x000000013F531000-memory.dmp	UPX
behavioral1/memory/2600-21-0x000000013FA40000-0x000000013FD91000-memory.dmp	UPX
\Windows\system\xMcfaZT.exe	UPX
\Windows\system\QdadHPS.exe	UPX
\Windows\system\VaBCZBJ.exe	UPX
C:\Windows\system\GVaZsbs.exe	UPX
C:\Windows\system\EFzZCEk.exe	UPX
behavioral1/memory/3004-52-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/2280-59-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
\Windows\system\KEYbVSq.exe	UPX
behavioral1/memory/2732-67-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
behavioral1/memory/2736-68-0x000000013F920000-0x000000013FC71000-memory.dmp	UPX
behavioral1/memory/2480-69-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
\Windows\system\Qzvzedk.exe	UPX
behavioral1/memory/2436-77-0x000000013FE60000-0x00000001401B1000-memory.dmp	UPX
behavioral1/memory/2640-71-0x000000013F3C0000-0x000000013F711000-memory.dmp	UPX
\Windows\system\dIQAZmu.exe	UPX
behavioral1/memory/2832-34-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX
C:\Windows\system\NELFjIW.exe	UPX
behavioral1/memory/2780-85-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
\Windows\system\mHFpDpX.exe	UPX
behavioral1/memory/2648-92-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
C:\Windows\system\RJRoXhy.exe	UPX
behavioral1/memory/2920-99-0x000000013FF20000-0x0000000140271000-memory.dmp	UPX
C:\Windows\system\rRQFdJK.exe	UPX
behavioral1/memory/1040-106-0x000000013F7C0000-0x000000013FB11000-memory.dmp	UPX
C:\Windows\system\FZgAHWG.exe	UPX
\Windows\system\dWMEHOY.exe	UPX
C:\Windows\system\IXpcPOW.exe	UPX
\Windows\system\Jlkmwvz.exe	UPX
C:\Windows\system\ZVmscdw.exe	UPX
\Windows\system\ZuWtRyF.exe	UPX
behavioral1/memory/2172-123-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
behavioral1/memory/1056-140-0x000000013FFD0000-0x0000000140321000-memory.dmp	UPX
behavioral1/memory/2236-143-0x000000013FEE0000-0x0000000140231000-memory.dmp	UPX
behavioral1/memory/828-144-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/1984-145-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
behavioral1/memory/1960-149-0x000000013F8E0000-0x000000013FC31000-memory.dmp	UPX
behavioral1/memory/2412-112-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/memory/3004-150-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/2412-151-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/memory/2436-162-0x000000013FE60000-0x00000001401B1000-memory.dmp	UPX
behavioral1/memory/2648-164-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
behavioral1/memory/1040-166-0x000000013F7C0000-0x000000013FB11000-memory.dmp	UPX
behavioral1/memory/1984-170-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
behavioral1/memory/2412-173-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/memory/1460-222-0x000000013FDA0000-0x00000001400F1000-memory.dmp	UPX
behavioral1/memory/2644-225-0x000000013F1E0000-0x000000013F531000-memory.dmp	UPX
behavioral1/memory/2600-226-0x000000013FA40000-0x000000013FD91000-memory.dmp	UPX
behavioral1/memory/2832-228-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX
behavioral1/memory/2280-234-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/2732-238-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
behavioral1/memory/2640-241-0x000000013F3C0000-0x000000013F711000-memory.dmp	UPX
behavioral1/memory/2736-240-0x000000013F920000-0x000000013FC71000-memory.dmp	UPX
behavioral1/memory/3004-231-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/2480-247-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
behavioral1/memory/2436-256-0x000000013FE60000-0x00000001401B1000-memory.dmp	UPX
behavioral1/memory/2780-272-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
behavioral1/memory/2648-278-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1460-15-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2644-20-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2600-21-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/3004-52-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2280-59-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2732-67-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2736-68-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2480-69-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2640-71-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/2412-70-0x0000000002250000-0x00000000025A1000-memory.dmp	xmrig
behavioral1/memory/2832-34-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2780-85-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2648-92-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2920-99-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/1040-106-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/2172-123-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/1056-140-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/2236-143-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/828-144-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/1984-145-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2412-146-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2412-148-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/1960-149-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2412-112-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/3004-150-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2412-151-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2436-162-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2648-164-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/1040-166-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/1984-170-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2412-173-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/1460-222-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2644-225-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2600-226-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2832-228-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2280-234-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2732-238-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2640-241-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/2736-240-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/3004-231-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2480-247-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2436-256-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2780-272-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2648-278-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2920-293-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/1040-296-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

pzLvuie.exeByCTAkl.exeLatJSgW.exexMcfaZT.exeQdadHPS.exedIQAZmu.exeGVaZsbs.exeVaBCZBJ.exeEFzZCEk.exeKEYbVSq.exeQzvzedk.exeNELFjIW.exemHFpDpX.exeRJRoXhy.exerRQFdJK.exeFZgAHWG.exedWMEHOY.exeZVmscdw.exeIXpcPOW.exeJlkmwvz.exeZuWtRyF.exe

pid	process
1460	pzLvuie.exe
2644	ByCTAkl.exe
2600	LatJSgW.exe
2832	xMcfaZT.exe
3004	QdadHPS.exe
2280	dIQAZmu.exe
2732	GVaZsbs.exe
2640	VaBCZBJ.exe
2736	EFzZCEk.exe
2480	KEYbVSq.exe
2436	Qzvzedk.exe
2780	NELFjIW.exe
2648	mHFpDpX.exe
2920	RJRoXhy.exe
1040	rRQFdJK.exe
2172	FZgAHWG.exe
1056	dWMEHOY.exe
2236	ZVmscdw.exe
828	IXpcPOW.exe
1984	Jlkmwvz.exe
1960	ZuWtRyF.exe

Loads dropped DLL 21 IoCs

Processes:

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

pid	process
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2412-0-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
\Windows\system\pzLvuie.exe	upx
\Windows\system\LatJSgW.exe	upx
behavioral1/memory/1460-15-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
C:\Windows\system\ByCTAkl.exe	upx
behavioral1/memory/2644-20-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2600-21-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
\Windows\system\xMcfaZT.exe	upx
\Windows\system\QdadHPS.exe	upx
\Windows\system\VaBCZBJ.exe	upx
C:\Windows\system\GVaZsbs.exe	upx
C:\Windows\system\EFzZCEk.exe	upx
behavioral1/memory/3004-52-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2280-59-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
\Windows\system\KEYbVSq.exe	upx
behavioral1/memory/2732-67-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2736-68-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/2480-69-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
\Windows\system\Qzvzedk.exe	upx
behavioral1/memory/2436-77-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2640-71-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
\Windows\system\dIQAZmu.exe	upx
behavioral1/memory/2832-34-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
C:\Windows\system\NELFjIW.exe	upx
behavioral1/memory/2780-85-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
\Windows\system\mHFpDpX.exe	upx
behavioral1/memory/2648-92-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
C:\Windows\system\RJRoXhy.exe	upx
behavioral1/memory/2920-99-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
C:\Windows\system\rRQFdJK.exe	upx
behavioral1/memory/1040-106-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
C:\Windows\system\FZgAHWG.exe	upx
\Windows\system\dWMEHOY.exe	upx
C:\Windows\system\IXpcPOW.exe	upx
\Windows\system\Jlkmwvz.exe	upx
C:\Windows\system\ZVmscdw.exe	upx
\Windows\system\ZuWtRyF.exe	upx
behavioral1/memory/2172-123-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/1056-140-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/memory/2236-143-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/828-144-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/1984-145-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/1960-149-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2412-112-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/3004-150-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2412-151-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2436-162-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2648-164-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/1040-166-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/memory/1984-170-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2412-173-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/1460-222-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2644-225-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2600-226-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/2832-228-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/memory/2280-234-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2732-238-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2640-241-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/2736-240-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/3004-231-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2480-247-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2436-256-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2780-272-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2648-278-0x000000013FE30000-0x0000000140181000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\ByCTAkl.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NELFjIW.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RJRoXhy.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pzLvuie.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LatJSgW.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QdadHPS.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IXpcPOW.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dIQAZmu.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mHFpDpX.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZVmscdw.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZuWtRyF.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FZgAHWG.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xMcfaZT.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GVaZsbs.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EFzZCEk.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VaBCZBJ.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KEYbVSq.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Qzvzedk.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rRQFdJK.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dWMEHOY.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Jlkmwvz.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2412 wrote to memory of 1460	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	pzLvuie.exe
PID 2412 wrote to memory of 1460	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	pzLvuie.exe
PID 2412 wrote to memory of 1460	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	pzLvuie.exe
PID 2412 wrote to memory of 2644	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ByCTAkl.exe
PID 2412 wrote to memory of 2644	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ByCTAkl.exe
PID 2412 wrote to memory of 2644	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ByCTAkl.exe
PID 2412 wrote to memory of 2600	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	LatJSgW.exe
PID 2412 wrote to memory of 2600	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	LatJSgW.exe
PID 2412 wrote to memory of 2600	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	LatJSgW.exe
PID 2412 wrote to memory of 2832	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	xMcfaZT.exe
PID 2412 wrote to memory of 2832	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	xMcfaZT.exe
PID 2412 wrote to memory of 2832	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	xMcfaZT.exe
PID 2412 wrote to memory of 3004	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	QdadHPS.exe
PID 2412 wrote to memory of 3004	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	QdadHPS.exe
PID 2412 wrote to memory of 3004	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	QdadHPS.exe
PID 2412 wrote to memory of 2280	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	dIQAZmu.exe
PID 2412 wrote to memory of 2280	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	dIQAZmu.exe
PID 2412 wrote to memory of 2280	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	dIQAZmu.exe
PID 2412 wrote to memory of 2732	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	GVaZsbs.exe
PID 2412 wrote to memory of 2732	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	GVaZsbs.exe
PID 2412 wrote to memory of 2732	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	GVaZsbs.exe
PID 2412 wrote to memory of 2736	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	EFzZCEk.exe
PID 2412 wrote to memory of 2736	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	EFzZCEk.exe
PID 2412 wrote to memory of 2736	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	EFzZCEk.exe
PID 2412 wrote to memory of 2640	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	VaBCZBJ.exe
PID 2412 wrote to memory of 2640	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	VaBCZBJ.exe
PID 2412 wrote to memory of 2640	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	VaBCZBJ.exe
PID 2412 wrote to memory of 2480	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	KEYbVSq.exe
PID 2412 wrote to memory of 2480	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	KEYbVSq.exe
PID 2412 wrote to memory of 2480	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	KEYbVSq.exe
PID 2412 wrote to memory of 2436	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	Qzvzedk.exe
PID 2412 wrote to memory of 2436	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	Qzvzedk.exe
PID 2412 wrote to memory of 2436	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	Qzvzedk.exe
PID 2412 wrote to memory of 2780	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	NELFjIW.exe
PID 2412 wrote to memory of 2780	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	NELFjIW.exe
PID 2412 wrote to memory of 2780	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	NELFjIW.exe
PID 2412 wrote to memory of 2648	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	mHFpDpX.exe
PID 2412 wrote to memory of 2648	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	mHFpDpX.exe
PID 2412 wrote to memory of 2648	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	mHFpDpX.exe
PID 2412 wrote to memory of 2920	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	RJRoXhy.exe
PID 2412 wrote to memory of 2920	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	RJRoXhy.exe
PID 2412 wrote to memory of 2920	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	RJRoXhy.exe
PID 2412 wrote to memory of 1040	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	rRQFdJK.exe
PID 2412 wrote to memory of 1040	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	rRQFdJK.exe
PID 2412 wrote to memory of 1040	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	rRQFdJK.exe
PID 2412 wrote to memory of 2172	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	FZgAHWG.exe
PID 2412 wrote to memory of 2172	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	FZgAHWG.exe
PID 2412 wrote to memory of 2172	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	FZgAHWG.exe
PID 2412 wrote to memory of 2236	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ZVmscdw.exe
PID 2412 wrote to memory of 2236	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ZVmscdw.exe
PID 2412 wrote to memory of 2236	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ZVmscdw.exe
PID 2412 wrote to memory of 1056	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	dWMEHOY.exe
PID 2412 wrote to memory of 1056	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	dWMEHOY.exe
PID 2412 wrote to memory of 1056	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	dWMEHOY.exe
PID 2412 wrote to memory of 1984	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	Jlkmwvz.exe
PID 2412 wrote to memory of 1984	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	Jlkmwvz.exe
PID 2412 wrote to memory of 1984	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	Jlkmwvz.exe
PID 2412 wrote to memory of 828	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	IXpcPOW.exe
PID 2412 wrote to memory of 828	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	IXpcPOW.exe
PID 2412 wrote to memory of 828	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	IXpcPOW.exe
PID 2412 wrote to memory of 1960	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ZuWtRyF.exe
PID 2412 wrote to memory of 1960	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ZuWtRyF.exe
PID 2412 wrote to memory of 1960	2412	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ZuWtRyF.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\System\pzLvuie.exe
C:\Windows\System\pzLvuie.exe
2⤵
- Executes dropped EXE
PID:1460

C:\Windows\System\ByCTAkl.exe
C:\Windows\System\ByCTAkl.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\LatJSgW.exe
C:\Windows\System\LatJSgW.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\xMcfaZT.exe
C:\Windows\System\xMcfaZT.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\System\QdadHPS.exe
C:\Windows\System\QdadHPS.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\dIQAZmu.exe
C:\Windows\System\dIQAZmu.exe
2⤵
- Executes dropped EXE
PID:2280

C:\Windows\System\GVaZsbs.exe
C:\Windows\System\GVaZsbs.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\EFzZCEk.exe
C:\Windows\System\EFzZCEk.exe
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\System\VaBCZBJ.exe
C:\Windows\System\VaBCZBJ.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\KEYbVSq.exe
C:\Windows\System\KEYbVSq.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\Qzvzedk.exe
C:\Windows\System\Qzvzedk.exe
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\System\NELFjIW.exe
C:\Windows\System\NELFjIW.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\System\mHFpDpX.exe
C:\Windows\System\mHFpDpX.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\System\RJRoXhy.exe
C:\Windows\System\RJRoXhy.exe
2⤵
- Executes dropped EXE
PID:2920

C:\Windows\System\rRQFdJK.exe
C:\Windows\System\rRQFdJK.exe
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\System\FZgAHWG.exe
C:\Windows\System\FZgAHWG.exe
2⤵
- Executes dropped EXE
PID:2172

C:\Windows\System\ZVmscdw.exe
C:\Windows\System\ZVmscdw.exe
2⤵
- Executes dropped EXE
PID:2236

C:\Windows\System\dWMEHOY.exe
C:\Windows\System\dWMEHOY.exe
2⤵
- Executes dropped EXE
PID:1056

C:\Windows\System\Jlkmwvz.exe
C:\Windows\System\Jlkmwvz.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\IXpcPOW.exe
C:\Windows\System\IXpcPOW.exe
2⤵
- Executes dropped EXE
PID:828

C:\Windows\System\ZuWtRyF.exe
C:\Windows\System\ZuWtRyF.exe
2⤵
- Executes dropped EXE
PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ByCTAkl.exe
Filesize
5.2MB

MD5
c86b77597bf0990eba06a9487704559c

SHA1
49dad1e4800122a10bae22fef06f62e783c3c71b

SHA256
ddb02f9fc009d983c697f2cc9b2838492b7af7e7a22809cb3972ee06f2f489d6

SHA512
e78b37332eb257487113ed5b74111801f20f7ac22e43764574503231fd9e49fbb288bb6b0a35304f11ad8171c1241e76f4a7daa59296cf6f3bd6a97c38660718

Download Submit
C:\Windows\system\EFzZCEk.exe
Filesize
5.2MB

MD5
d8bf119efc4843cff6b928ec9aa50aae

SHA1
34bfc0a6093fea0a9bb357d94b7e057e70933ba8

SHA256
94e03f4d2e425661370f10fef299f058a51624c1a7ad3b90dbc683c3e9a73dcb

SHA512
bf800e733d81df0cab54992ef75973f56c0e7fcf4144c23a0a48f63b226947f36bdf915e927566c9e0d40f86012beaa9e6a86d566750a0fffcb2199f12de8be2

Download Submit
C:\Windows\system\FZgAHWG.exe
Filesize
5.2MB

MD5
868c28173d64c51b8c9a7959ba978104

SHA1
844cfb1e1a3ece29175c3338dc0afa869f866fba

SHA256
71366bea57024966a16e5d39e76dc4364f9f3ac31a4fc1ac6afba9e09841463b

SHA512
e2e98f5e8c4a9aaa4aa16b171c52327973a482d8126cd2162b73e10e399e6e8990acda05217a1c3e7d88101565b78cc6052c2159d99c4a488db68ec6c24cdc9b

Download Submit
C:\Windows\system\GVaZsbs.exe
Filesize
5.2MB

MD5
bc645f7df46a3a90c90eb9488378ff02

SHA1
9856174115e7fd226b21797ea071366c5e75cf42

SHA256
22d0bb9dc23af674aba7c72352f636fc901bbce7123e5189c0b9449168d769e6

SHA512
cd1fb0cad5807ce69951dd8ed6b8b53c4d750948126195e7cdd2535196cd19596fbd9fe12e8ebea2ca38babe7cf6cea33ddd2892d8cb8662be08a502859ea3a4

Download Submit
C:\Windows\system\IXpcPOW.exe
Filesize
5.2MB

MD5
16b4e32f3076131355d1567cb1da2b20

SHA1
b73055b53f68a5183e598c31d056c79f397b5946

SHA256
e1029210ba637726b17ff21b07f97ad3be7e505d97d1c015f97aac5e6e8af832

SHA512
6c68099b1299a7a4a060e41ece44a9f7f0885ce2088a2c2ff7876b4ea9854082e5a266e96bdc223e2173a83af5fbbf73683d63d25de5df64b2b50a6dd5e5540f

Download Submit
C:\Windows\system\NELFjIW.exe
Filesize
5.2MB

MD5
9ac1e623615eec2be0e61f352946eb92

SHA1
e27534de473430e2aed377f1d61dafb0cecb7ef8

SHA256
72f66bf284833f8141bbb07201405c6bb754698b3f9dc6663e1ec0f73e6b4898

SHA512
4dd61fbb0edb40bcff3e177d52a9bd149507f5d6299699d9da34837183415d28e8c0b27fbe0c00227e43eb9b22514ff80207e01e440cad7cb6da6ca46a538979

Download Submit
C:\Windows\system\RJRoXhy.exe
Filesize
5.2MB

MD5
03c01cf76de5b1e3ed51de9ebf826a02

SHA1
cc1b603c3a638a449a0771b485cf8a2e24e24154

SHA256
6280b26b6ffe791117e83e4e2d8e503164f41f1f4d7bae0ac9b4262041fead38

SHA512
a10a08087b51cec80894dbc0ce333f1f2c81e613d5eae94b5208a3f98dce076a43088372b44386561c8815d02d8d7a9ae698bbdedf62144bae3f93c5a97d31ea

Download Submit
C:\Windows\system\ZVmscdw.exe
Filesize
5.2MB

MD5
b2d38984e7cb3855f1e08b87306fc300

SHA1
25ee3debd8a58d82e5b598a4dadfa62930da08e1

SHA256
b1ec3e98ff30f7a389915fe32e43f1f870a8a0faa9696a3d791f1407a497b746

SHA512
4090799e2c16613d80900c341da813d08fc71b3685b77298f7ad8ebb306c23e77ca05c6614f20f16ffb8ff6cad5c22b0a00a6be4a18558ad2582ab5b1a42d5d1

Download Submit
C:\Windows\system\rRQFdJK.exe
Filesize
5.2MB

MD5
66f3dcccd6b4d514daed10ba486497bb

SHA1
7149a461fc720f0f2ecc5e34ebdbfb60f8d26e2f

SHA256
220fc9259eed1ec9f4114df720feb6adb5e0231bcfb752a75fac1941de5c425f

SHA512
f0f64f73f4b1d06a6f671bea5ebe127e070c4d9607cb3f7bd37e6ef510353a7fc27bccaf255258fab41332c5499b67a6420bad5bd6c366d4818d81273f691c0b

Download Submit
\Windows\system\Jlkmwvz.exe
Filesize
5.2MB

MD5
63a04664cb7d53c9b43951dffcfe062c

SHA1
6a0ff82de9e022f0ee23767b21d37206af9034bb

SHA256
7248d59db3d0835bda374ef3ea8901761701026606e9387f1dd354a3ec4dbf46

SHA512
c0cced20086d8cf1e4883a44c96fed8605c0f6c5e80e8a766dafa44179a6d921f8fd24f7ba33983bd2d0da0fb00040d6462f8ae61050856287237f1f1bfd0a57

Download Submit
\Windows\system\KEYbVSq.exe
Filesize
5.2MB

MD5
6b1c3b87c104e5b161e8c18445454f6a

SHA1
6984af3c583a876802783b65164cce4ac05b5f51

SHA256
fe010633d29733611c1d99e3475d2ea3456cb606573023952d4e5c1395eda15a

SHA512
15e1e4491a7d715ddff9cacb8d320cad60f50e89ef812adf4a759c57b8e405d23d50c3bef2fd0bf2ac01ff9f1569a3f79df968083eeaf6ac19f02fad64ab81fd

Download Submit
\Windows\system\LatJSgW.exe
Filesize
5.2MB

MD5
a8488d246b6c204c947613ceca38d95b

SHA1
7d859b1f0a71ff2d0027e5145aae2b54583cf119

SHA256
67e63862b9a5ea47c043438416d2b3e72539adfe493f15b9e7cc305b1f4d0fb1

SHA512
fe698e95978f4a52d47a2a6fb7ebde8569298bd18b27012277e1968dc19a8bef27e479998f64bcbf44bb70c5640ad83d606055ec700283558a8002477702cb84

Download Submit
\Windows\system\QdadHPS.exe
Filesize
5.2MB

MD5
355b3ead5662d5d2793831c54faef087

SHA1
7c92a0a29635ca03a666c9e593461c04f0704d22

SHA256
064be4d26389d61f87b02c994b8e48b27554ca8a17205650c4da5f49444b3ebd

SHA512
0f78a7a6477d3e2bcd6c202291f19bc23d9d3f75b60562dd55e8a2dc9159c1adb7f980edc28199e15dba17870abad097f3b427e55080406351851f99c6eec34b

Download Submit
\Windows\system\Qzvzedk.exe
Filesize
5.2MB

MD5
f3ad21ab5d0a7fc101a0c9518a3aaa7f

SHA1
32417fb462cce4662b9e3af2193dab5a75c47e13

SHA256
7489d7f0d67ea84c2cae0c2b1cb6979fe91ce42cc5dfd3a6a71b9d3d8172d205

SHA512
6c4ced8ba06df4b7f2a48020a90f5019653b2dc75524a9e543a30e5a3c8259288353d9de3e58372e463202cd112fe008004c0562605e308e50e2d41cca324e31

Download Submit
\Windows\system\VaBCZBJ.exe
Filesize
5.2MB

MD5
6c5fc4c7c457427191afe8d98fa78345

SHA1
91b60aace78134e8452a86621bf48d6c6aec01fc

SHA256
8a57548c0d5c899d004534b5156830122c3f3de8482a595da4cd9d6df9c2a726

SHA512
dd7ef2f7664a9626ed74a2fe250be4a1f26347dd23f0c1215b7e40fa816c79bbe0aa8ac9e101f48806b55bcd85e7f8215a034f1f1e2b08971384aa2a03542e7a

Download Submit
\Windows\system\ZuWtRyF.exe
Filesize
5.2MB

MD5
decd5acf3a03e3719619d300fe189ba4

SHA1
899de9b8ce1eaf09d7613eeb9dd67453a582b476

SHA256
45051642db3aa0f7792dff93f1f71aac2bbb68918ff5acac14b57338b3a9ac2c

SHA512
e461d4d0f70f328408450f6dad16e57c08d7196e2c55bcd5e17bb25598aaacbbfa1dc4533bd65ac933207bce242a7999c7b5a8308f9a8ca2d0bc8339c3eccef5

Download Submit
\Windows\system\dIQAZmu.exe
Filesize
5.2MB

MD5
389813204da25578be9e5f339af961fc

SHA1
63aef6c502c147b5435084f31d62bad4e035d462

SHA256
103ca0c1ad7b77e0e3c81b86b699616e1c11bac865519b8c7d243310b175df6a

SHA512
ee858b14c637f32636b57dca79a60929da432e8372a069d7d9c99dc3f35742f3b319147958bae925265bc6de524f0ab51a49f0dff2a5b14a9863253292c11e70

Download Submit
\Windows\system\dWMEHOY.exe
Filesize
5.2MB

MD5
843fe72283f44a3a959b17f24e0cd048

SHA1
ecd81726ed9c9c0a1a556524768cedf8f880906b

SHA256
16ce8c291681fe19ba8ced7e54cdaf8485fdd805edd3ffabf0ba5b5b7a1712fe

SHA512
868a5c7d51dcd91f19d630ca5ea7070b1a950b7adf3ec52c3d2d52c34d76f81f5a16e3b717e676606c115da82903f6bdcb5b64cb43f984703086fe4027712815

Download Submit
\Windows\system\mHFpDpX.exe
Filesize
5.2MB

MD5
4b0da1055ff544fcc2fe101a8e7277fc

SHA1
fafd3970a889ef332423aa2668ee69f42825a9cd

SHA256
76886c0a7837e77e5e004f304fb78fcfbe74d9e4762a89f00de6cb3fc4deea55

SHA512
78f8f1e48a316ab6bf02fd52007d7f4d35a502894ab25178dd634f9155817e8f0277946082ac0ad542729bed3d93c6fbb386e9f4faa78930f958953a507c3a58

Download Submit
\Windows\system\pzLvuie.exe
Filesize
5.2MB

MD5
0cd5232378c31d2fe0880724fec0dc68

SHA1
45fb71b872de6cf5ff5b24a86c83a6ccf8de38a3

SHA256
1c6db0582e1017353f720b6fa11809a9dfa1e5adc4f8fe7bcded137912abca0f

SHA512
df1056f16f375c0a8adcc1a5eee707e089a1008023d49c7f63b393a9b06b1ca7e73d0a390d57e1c909b8cfe38964f4496cf642da21d4097d01f5c7c2d8d2491f

Download Submit
\Windows\system\xMcfaZT.exe
Filesize
5.2MB

MD5
39b23aad63968b2969434fcae5bf06a3

SHA1
313adc1086541549e5fac0605bce98dbe701936e

SHA256
0c6a50bd1a6c95ad6552f642889a1daf3cc694ea846c0843d48d886bb2a12a40

SHA512
34fba6510dff5cf7552c5fd69e229588ce57d7484f278c1a13844680bdb412cad060572003fe37e4cc3f0dc709cdc4f7acf9970861184a56ce9d20fc49922bff

Download Submit
memory/828-144-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/1040-106-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/1040-296-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/1040-166-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/1056-140-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/1460-15-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-222-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-149-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/1984-170-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-145-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2172-123-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-143-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2280-59-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2280-234-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2412-105-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2412-195-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2412-91-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-151-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-22-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2412-98-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2412-209-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2412-70-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-208-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-0-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-23-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-113-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-72-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-120-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-84-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-207-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2412-112-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-66-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2412-65-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-58-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-57-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2412-142-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-173-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-28-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2412-146-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2412-147-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-148-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2412-8-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-139-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2436-162-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-77-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-256-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-69-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2480-247-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2600-21-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2600-226-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2640-71-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2640-241-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2644-20-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2644-225-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2648-278-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2648-92-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2648-164-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2732-67-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-238-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-68-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2736-240-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2780-272-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-85-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-228-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2832-34-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2920-99-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2920-293-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/3004-231-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/3004-52-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/3004-150-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download