cobaltstrike | 3f0cdaa48950e83d99e3cd28ab694b5be69d3d9c0bfd8920933d7cc7d97811f1

Analysis

max time kernel
144s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

456669f917933c276f299f261e8a9a86
SHA1

7fafde71cadaf9cffbc20a3f5c010a714ab1e43a
SHA256

3f0cdaa48950e83d99e3cd28ab694b5be69d3d9c0bfd8920933d7cc7d97811f1
SHA512

9fb15e77628d1021cdb7207c8fb1decf0cda064e085b44c51818a31e3eb42cae0b2dcd54a46754ab410144f44a72638f7d40d78040b769d843e91939bfafbd7d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\bqFllVo.exe	cobalt_reflective_dll
\Windows\system\tJAqFYS.exe	cobalt_reflective_dll
C:\Windows\system\YfoJShp.exe	cobalt_reflective_dll
C:\Windows\system\IxeUtGP.exe	cobalt_reflective_dll
\Windows\system\GEGQclr.exe	cobalt_reflective_dll
C:\Windows\system\JbfDwgY.exe	cobalt_reflective_dll
\Windows\system\EMhGMcF.exe	cobalt_reflective_dll
\Windows\system\zGVMZXA.exe	cobalt_reflective_dll
C:\Windows\system\XKSyCvu.exe	cobalt_reflective_dll
\Windows\system\lyIyeQR.exe	cobalt_reflective_dll
\Windows\system\PRssmTG.exe	cobalt_reflective_dll
C:\Windows\system\rexQrLB.exe	cobalt_reflective_dll
\Windows\system\uEpDoHJ.exe	cobalt_reflective_dll
C:\Windows\system\DUrlfdw.exe	cobalt_reflective_dll
C:\Windows\system\DuhPQCB.exe	cobalt_reflective_dll
C:\Windows\system\JXVAKYy.exe	cobalt_reflective_dll
\Windows\system\RPiHxIi.exe	cobalt_reflective_dll
C:\Windows\system\jGFlmHj.exe	cobalt_reflective_dll
\Windows\system\YbjslJO.exe	cobalt_reflective_dll
C:\Windows\system\mtcYbrI.exe	cobalt_reflective_dll
\Windows\system\LwzPfvj.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\bqFllVo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\tJAqFYS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YfoJShp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IxeUtGP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\GEGQclr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JbfDwgY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\EMhGMcF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zGVMZXA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XKSyCvu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lyIyeQR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\PRssmTG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rexQrLB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\uEpDoHJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DUrlfdw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DuhPQCB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JXVAKYy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\RPiHxIi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jGFlmHj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YbjslJO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mtcYbrI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LwzPfvj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-0-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
\Windows\system\bqFllVo.exe	UPX
behavioral1/memory/2188-7-0x000000013F910000-0x000000013FC61000-memory.dmp	UPX
\Windows\system\tJAqFYS.exe	UPX
C:\Windows\system\YfoJShp.exe	UPX
C:\Windows\system\IxeUtGP.exe	UPX
behavioral1/memory/2536-26-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	UPX
behavioral1/memory/2636-29-0x000000013F9C0000-0x000000013FD11000-memory.dmp	UPX
behavioral1/memory/1572-23-0x000000013F310000-0x000000013F661000-memory.dmp	UPX
\Windows\system\GEGQclr.exe	UPX
C:\Windows\system\JbfDwgY.exe	UPX
behavioral1/memory/2644-34-0x000000013FA80000-0x000000013FDD1000-memory.dmp	UPX
\Windows\system\EMhGMcF.exe	UPX
\Windows\system\zGVMZXA.exe	UPX
C:\Windows\system\XKSyCvu.exe	UPX
\Windows\system\lyIyeQR.exe	UPX
behavioral1/memory/2544-59-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2796-63-0x000000013F380000-0x000000013F6D1000-memory.dmp	UPX
behavioral1/memory/2452-64-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
behavioral1/memory/2600-53-0x000000013FE20000-0x0000000140171000-memory.dmp	UPX
behavioral1/memory/2404-68-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	UPX
\Windows\system\PRssmTG.exe	UPX
C:\Windows\system\rexQrLB.exe	UPX
\Windows\system\uEpDoHJ.exe	UPX
behavioral1/memory/2108-90-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
behavioral1/memory/2188-97-0x000000013F910000-0x000000013FC61000-memory.dmp	UPX
C:\Windows\system\DUrlfdw.exe	UPX
behavioral1/memory/2792-98-0x000000013FE50000-0x00000001401A1000-memory.dmp	UPX
C:\Windows\system\DuhPQCB.exe	UPX
behavioral1/memory/2908-100-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
behavioral1/memory/1572-102-0x000000013F310000-0x000000013F661000-memory.dmp	UPX
behavioral1/memory/2536-103-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	UPX
behavioral1/memory/2940-101-0x000000013F450000-0x000000013F7A1000-memory.dmp	UPX
behavioral1/memory/2388-84-0x000000013F450000-0x000000013F7A1000-memory.dmp	UPX
C:\Windows\system\JXVAKYy.exe	UPX
behavioral1/memory/2152-105-0x000000013FB60000-0x000000013FEB1000-memory.dmp	UPX
\Windows\system\RPiHxIi.exe	UPX
C:\Windows\system\jGFlmHj.exe	UPX
\Windows\system\YbjslJO.exe	UPX
behavioral1/memory/2644-110-0x000000013FA80000-0x000000013FDD1000-memory.dmp	UPX
behavioral1/memory/2600-131-0x000000013FE20000-0x0000000140171000-memory.dmp	UPX
behavioral1/memory/2544-133-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2404-135-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	UPX
behavioral1/memory/2936-136-0x000000013F7C0000-0x000000013FB11000-memory.dmp	UPX
behavioral1/memory/1940-137-0x000000013FE90000-0x00000001401E1000-memory.dmp	UPX
behavioral1/memory/1856-138-0x000000013F850000-0x000000013FBA1000-memory.dmp	UPX
behavioral1/memory/744-139-0x000000013FEC0000-0x0000000140211000-memory.dmp	UPX
C:\Windows\system\mtcYbrI.exe	UPX
behavioral1/memory/1996-144-0x000000013F820000-0x000000013FB71000-memory.dmp	UPX
\Windows\system\LwzPfvj.exe	UPX
behavioral1/memory/372-147-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2108-149-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
behavioral1/memory/2908-160-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
behavioral1/memory/2388-161-0x000000013F450000-0x000000013F7A1000-memory.dmp	UPX
behavioral1/memory/2152-162-0x000000013FB60000-0x000000013FEB1000-memory.dmp	UPX
behavioral1/memory/2936-164-0x000000013F7C0000-0x000000013FB11000-memory.dmp	UPX
behavioral1/memory/2940-165-0x000000013F450000-0x000000013F7A1000-memory.dmp	UPX
behavioral1/memory/744-166-0x000000013FEC0000-0x0000000140211000-memory.dmp	UPX
behavioral1/memory/1996-168-0x000000013F820000-0x000000013FB71000-memory.dmp	UPX
behavioral1/memory/372-170-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2108-171-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
behavioral1/memory/2188-195-0x000000013F910000-0x000000013FC61000-memory.dmp	UPX
behavioral1/memory/2636-199-0x000000013F9C0000-0x000000013FD11000-memory.dmp	UPX
behavioral1/memory/1572-201-0x000000013F310000-0x000000013F661000-memory.dmp	UPX

XMRig Miner payload 50 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2536-26-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2636-29-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/1572-23-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2108-54-0x00000000023B0000-0x0000000002701000-memory.dmp	xmrig
behavioral1/memory/2544-59-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2796-63-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2452-64-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2600-53-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2108-90-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2188-97-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2792-98-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/1572-102-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2536-103-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2644-110-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2600-131-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2544-133-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2404-135-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2936-136-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/1940-137-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/1856-138-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/744-139-0x000000013FEC0000-0x0000000140211000-memory.dmp	xmrig
behavioral1/memory/2108-149-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2908-160-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2388-161-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/2152-162-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2936-164-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/2940-165-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/744-166-0x000000013FEC0000-0x0000000140211000-memory.dmp	xmrig
behavioral1/memory/1996-168-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/372-170-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2108-171-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2188-195-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2636-199-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/1572-201-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2536-200-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2644-203-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2600-205-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2544-223-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2404-225-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2388-227-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/2792-229-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/1940-231-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/1856-233-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2940-235-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/2152-249-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2908-250-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2936-248-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/744-254-0x000000013FEC0000-0x0000000140211000-memory.dmp	xmrig
behavioral1/memory/1996-255-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/372-256-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

bqFllVo.exetJAqFYS.exeYfoJShp.exeIxeUtGP.exeJbfDwgY.exeGEGQclr.exeEMhGMcF.exeXKSyCvu.exelyIyeQR.exezGVMZXA.exeDUrlfdw.exeJXVAKYy.exeDuhPQCB.exerexQrLB.exePRssmTG.exeuEpDoHJ.exeRPiHxIi.exejGFlmHj.exeYbjslJO.exemtcYbrI.exeLwzPfvj.exe

pid	process
2188	bqFllVo.exe
1572	tJAqFYS.exe
2536	YfoJShp.exe
2636	IxeUtGP.exe
2644	JbfDwgY.exe
2600	GEGQclr.exe
2544	EMhGMcF.exe
2796	XKSyCvu.exe
2452	lyIyeQR.exe
2404	zGVMZXA.exe
2388	DUrlfdw.exe
2792	JXVAKYy.exe
2908	DuhPQCB.exe
2940	rexQrLB.exe
2152	PRssmTG.exe
2936	uEpDoHJ.exe
1940	RPiHxIi.exe
1856	jGFlmHj.exe
744	YbjslJO.exe
1996	mtcYbrI.exe
372	LwzPfvj.exe

Loads dropped DLL 21 IoCs

Processes:

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

pid	process
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2108-0-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
\Windows\system\bqFllVo.exe	upx
behavioral1/memory/2188-7-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
\Windows\system\tJAqFYS.exe	upx
C:\Windows\system\YfoJShp.exe	upx
C:\Windows\system\IxeUtGP.exe	upx
behavioral1/memory/2536-26-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/2636-29-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/1572-23-0x000000013F310000-0x000000013F661000-memory.dmp	upx
\Windows\system\GEGQclr.exe	upx
C:\Windows\system\JbfDwgY.exe	upx
behavioral1/memory/2644-34-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
\Windows\system\EMhGMcF.exe	upx
\Windows\system\zGVMZXA.exe	upx
C:\Windows\system\XKSyCvu.exe	upx
\Windows\system\lyIyeQR.exe	upx
behavioral1/memory/2544-59-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2796-63-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/memory/2452-64-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/2600-53-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2404-68-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
\Windows\system\PRssmTG.exe	upx
C:\Windows\system\rexQrLB.exe	upx
\Windows\system\uEpDoHJ.exe	upx
behavioral1/memory/2108-90-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2188-97-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
C:\Windows\system\DUrlfdw.exe	upx
behavioral1/memory/2792-98-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
C:\Windows\system\DuhPQCB.exe	upx
behavioral1/memory/2908-100-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/1572-102-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2536-103-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/2940-101-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/2388-84-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
C:\Windows\system\JXVAKYy.exe	upx
behavioral1/memory/2152-105-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
\Windows\system\RPiHxIi.exe	upx
C:\Windows\system\jGFlmHj.exe	upx
\Windows\system\YbjslJO.exe	upx
behavioral1/memory/2644-110-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2600-131-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2544-133-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2404-135-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/2936-136-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/memory/1940-137-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/1856-138-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/memory/744-139-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
C:\Windows\system\mtcYbrI.exe	upx
behavioral1/memory/1996-144-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
\Windows\system\LwzPfvj.exe	upx
behavioral1/memory/372-147-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2108-149-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2908-160-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/2388-161-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/2152-162-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2936-164-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/memory/2940-165-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/744-166-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
behavioral1/memory/1996-168-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/memory/372-170-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2108-171-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2188-195-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2636-199-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/1572-201-0x000000013F310000-0x000000013F661000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\XKSyCvu.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DUrlfdw.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tJAqFYS.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JbfDwgY.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GEGQclr.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rexQrLB.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RPiHxIi.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mtcYbrI.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jGFlmHj.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bqFllVo.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lyIyeQR.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uEpDoHJ.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PRssmTG.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JXVAKYy.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YbjslJO.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YfoJShp.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EMhGMcF.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zGVMZXA.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IxeUtGP.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DuhPQCB.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LwzPfvj.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2108 wrote to memory of 2188	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	bqFllVo.exe
PID 2108 wrote to memory of 2188	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	bqFllVo.exe
PID 2108 wrote to memory of 2188	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	bqFllVo.exe
PID 2108 wrote to memory of 1572	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	tJAqFYS.exe
PID 2108 wrote to memory of 1572	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	tJAqFYS.exe
PID 2108 wrote to memory of 1572	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	tJAqFYS.exe
PID 2108 wrote to memory of 2536	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	YfoJShp.exe
PID 2108 wrote to memory of 2536	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	YfoJShp.exe
PID 2108 wrote to memory of 2536	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	YfoJShp.exe
PID 2108 wrote to memory of 2636	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	IxeUtGP.exe
PID 2108 wrote to memory of 2636	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	IxeUtGP.exe
PID 2108 wrote to memory of 2636	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	IxeUtGP.exe
PID 2108 wrote to memory of 2644	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	JbfDwgY.exe
PID 2108 wrote to memory of 2644	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	JbfDwgY.exe
PID 2108 wrote to memory of 2644	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	JbfDwgY.exe
PID 2108 wrote to memory of 2600	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	GEGQclr.exe
PID 2108 wrote to memory of 2600	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	GEGQclr.exe
PID 2108 wrote to memory of 2600	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	GEGQclr.exe
PID 2108 wrote to memory of 2796	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	XKSyCvu.exe
PID 2108 wrote to memory of 2796	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	XKSyCvu.exe
PID 2108 wrote to memory of 2796	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	XKSyCvu.exe
PID 2108 wrote to memory of 2544	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	EMhGMcF.exe
PID 2108 wrote to memory of 2544	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	EMhGMcF.exe
PID 2108 wrote to memory of 2544	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	EMhGMcF.exe
PID 2108 wrote to memory of 2452	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	lyIyeQR.exe
PID 2108 wrote to memory of 2452	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	lyIyeQR.exe
PID 2108 wrote to memory of 2452	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	lyIyeQR.exe
PID 2108 wrote to memory of 2404	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	zGVMZXA.exe
PID 2108 wrote to memory of 2404	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	zGVMZXA.exe
PID 2108 wrote to memory of 2404	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	zGVMZXA.exe
PID 2108 wrote to memory of 2908	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	DuhPQCB.exe
PID 2108 wrote to memory of 2908	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	DuhPQCB.exe
PID 2108 wrote to memory of 2908	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	DuhPQCB.exe
PID 2108 wrote to memory of 2388	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	DUrlfdw.exe
PID 2108 wrote to memory of 2388	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	DUrlfdw.exe
PID 2108 wrote to memory of 2388	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	DUrlfdw.exe
PID 2108 wrote to memory of 2152	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	PRssmTG.exe
PID 2108 wrote to memory of 2152	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	PRssmTG.exe
PID 2108 wrote to memory of 2152	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	PRssmTG.exe
PID 2108 wrote to memory of 2792	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	JXVAKYy.exe
PID 2108 wrote to memory of 2792	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	JXVAKYy.exe
PID 2108 wrote to memory of 2792	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	JXVAKYy.exe
PID 2108 wrote to memory of 2936	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	uEpDoHJ.exe
PID 2108 wrote to memory of 2936	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	uEpDoHJ.exe
PID 2108 wrote to memory of 2936	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	uEpDoHJ.exe
PID 2108 wrote to memory of 2940	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	rexQrLB.exe
PID 2108 wrote to memory of 2940	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	rexQrLB.exe
PID 2108 wrote to memory of 2940	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	rexQrLB.exe
PID 2108 wrote to memory of 744	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	YbjslJO.exe
PID 2108 wrote to memory of 744	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	YbjslJO.exe
PID 2108 wrote to memory of 744	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	YbjslJO.exe
PID 2108 wrote to memory of 1940	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	RPiHxIi.exe
PID 2108 wrote to memory of 1940	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	RPiHxIi.exe
PID 2108 wrote to memory of 1940	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	RPiHxIi.exe
PID 2108 wrote to memory of 1996	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	mtcYbrI.exe
PID 2108 wrote to memory of 1996	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	mtcYbrI.exe
PID 2108 wrote to memory of 1996	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	mtcYbrI.exe
PID 2108 wrote to memory of 1856	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	jGFlmHj.exe
PID 2108 wrote to memory of 1856	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	jGFlmHj.exe
PID 2108 wrote to memory of 1856	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	jGFlmHj.exe
PID 2108 wrote to memory of 372	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	LwzPfvj.exe
PID 2108 wrote to memory of 372	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	LwzPfvj.exe
PID 2108 wrote to memory of 372	2108	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	LwzPfvj.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\System\bqFllVo.exe
C:\Windows\System\bqFllVo.exe
2⤵
- Executes dropped EXE
PID:2188

C:\Windows\System\tJAqFYS.exe
C:\Windows\System\tJAqFYS.exe
2⤵
- Executes dropped EXE
PID:1572

C:\Windows\System\YfoJShp.exe
C:\Windows\System\YfoJShp.exe
2⤵
- Executes dropped EXE
PID:2536

C:\Windows\System\IxeUtGP.exe
C:\Windows\System\IxeUtGP.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\JbfDwgY.exe
C:\Windows\System\JbfDwgY.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\GEGQclr.exe
C:\Windows\System\GEGQclr.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\XKSyCvu.exe
C:\Windows\System\XKSyCvu.exe
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\System\EMhGMcF.exe
C:\Windows\System\EMhGMcF.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\lyIyeQR.exe
C:\Windows\System\lyIyeQR.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\zGVMZXA.exe
C:\Windows\System\zGVMZXA.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\DuhPQCB.exe
C:\Windows\System\DuhPQCB.exe
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\System\DUrlfdw.exe
C:\Windows\System\DUrlfdw.exe
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\System\PRssmTG.exe
C:\Windows\System\PRssmTG.exe
2⤵
- Executes dropped EXE
PID:2152

C:\Windows\System\JXVAKYy.exe
C:\Windows\System\JXVAKYy.exe
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\System\uEpDoHJ.exe
C:\Windows\System\uEpDoHJ.exe
2⤵
- Executes dropped EXE
PID:2936

C:\Windows\System\rexQrLB.exe
C:\Windows\System\rexQrLB.exe
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\System\YbjslJO.exe
C:\Windows\System\YbjslJO.exe
2⤵
- Executes dropped EXE
PID:744

C:\Windows\System\RPiHxIi.exe
C:\Windows\System\RPiHxIi.exe
2⤵
- Executes dropped EXE
PID:1940

C:\Windows\System\mtcYbrI.exe
C:\Windows\System\mtcYbrI.exe
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\System\jGFlmHj.exe
C:\Windows\System\jGFlmHj.exe
2⤵
- Executes dropped EXE
PID:1856

C:\Windows\System\LwzPfvj.exe
C:\Windows\System\LwzPfvj.exe
2⤵
- Executes dropped EXE
PID:372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DUrlfdw.exe
Filesize
5.2MB

MD5
0ae705c759116c6f0c113752527f9d8e

SHA1
4fce255040d1ac6ac1f4e1be0245856fe32735ed

SHA256
b64b75862a28a74aaf8b62a663297babe6dc2fdf2d8bd1d632523bd7c0bf9e75

SHA512
d28fb2b2b13f8032d8a9143023878c4b1fba8ee8df17659aada1f9fdfa2a25fadf0279d8811ea295601955275c0f413c114d9347ca5b1631363d2bce7309c45a

Download Submit
C:\Windows\system\DuhPQCB.exe
Filesize
5.2MB

MD5
c7828704788383542a7d519483791332

SHA1
23d63eda7c59426abe91738e9e366561108378cd

SHA256
aa6522e07869647c2c149d05069374b814108602fe4b873d43d6540c926a161a

SHA512
414005947fcc2cf0cf0ff20e641a600786fbe8d7b5f89b4118bcbc3aeaf2c95db21ebbcb2ed9bea34f652baea847af95232cc0c292230765904d11c401c77dbe

Download Submit
C:\Windows\system\IxeUtGP.exe
Filesize
5.2MB

MD5
27ac3c7e5b0822b3a9a7671a58b30089

SHA1
e26d3ebd40e32d504c102ea605a7dbd8e77af6b1

SHA256
b688436b417d9377fcd388c1a974b9ce34ac766a33a297f66eb3afecc9a629ce

SHA512
7a3de704b0a92b911d6dc5a2e7872c7e835cbf9507125c0966d098fa7fb1217eba00671847e48b79a0df352efa17d6bb8ccc93b873fcdc0b8e9acf0327e6a2fd

Download Submit
C:\Windows\system\JXVAKYy.exe
Filesize
5.2MB

MD5
48d744de1e99f9e8996a6071d4a958bf

SHA1
23984dd245d24c52989d4201602eb174ea6cc0b7

SHA256
413d9bcf3e50111026cc974bbb5c3beb5edbcbb78cc11711d4e71191a529073c

SHA512
479390c7345d16ef02f2ada8e5fce4edc7f2845f527092f00f2787f3a47e5cfb7e91915e06bdbdc3966fa64392f033cac2e9a8da9016665d18a207af8c6e0238

Download Submit
C:\Windows\system\JbfDwgY.exe
Filesize
5.2MB

MD5
7f0379b153b06982f70b8f67f7b9aa3d

SHA1
80340a4aa9e6dfecefdfed7fd83af8ee955a9a7f

SHA256
723332c3b93f165b4228ebe65cc73346a1cae4d0513b8f8b7b379f4f960ccb1a

SHA512
3bb1ed5e12162a5e372f97900335f879a55be41cbadc3fa103f0681b2b73989b2c2430c69a6b10a3e2229d05bc29e271dda56c635dd60cf1e5288cae2a1e0214

Download Submit
C:\Windows\system\XKSyCvu.exe
Filesize
5.2MB

MD5
04e7d91db1044472390a6558d5eb6217

SHA1
dca1b8dbe10a998ec4d83e730970f318783aa99c

SHA256
58413c51175915cadc5563d3ea9f707f1c143a5e40912d655662b5c6a88eac2e

SHA512
3e1c85950ad1294d7fae50f85b6c2d4ba4332d27dca12ac21b7274d79f5ec4dc7c990e068273b9128c67efad49fc4afe028eed73cc50fa017275e396d006cbd4

Download Submit
C:\Windows\system\YfoJShp.exe
Filesize
5.2MB

MD5
722b3264f7cd5c2f9e315ab8f86390ef

SHA1
39b02b9f597337efd9bbabde70af86ffb213bfe0

SHA256
1475e7e753929863e890f6381914eb83bfff9cbf29ae69d21fe9ba7c82429609

SHA512
443f371dbed6e372655117e6b3eec8a7983a65d35dcb0285c2c830254b525d225aef0fb80417c2f425d93867f58b1af709dc20fbe271ede5e005fbeefbedeaf6

Download Submit
C:\Windows\system\jGFlmHj.exe
Filesize
5.2MB

MD5
9a1373c385153435bcaf5815c67c08ee

SHA1
0c520a27afc9f62bfe24c117a7d1744264c9663f

SHA256
e8958b39b352913b8ea9a2dcdc31d0f3179656c187a73e47e3f554a4a7833011

SHA512
4d89cb4969bcf7c74dd6a81a5e14bfacfdc922c148dfdf3658c61ea286d01a9789b389596ff195abd4db5d5c739b2a769e0cf90dc9b23333047cc4d612faf421

Download Submit
C:\Windows\system\mtcYbrI.exe
Filesize
5.2MB

MD5
822f0f1fc3dabc98ca2370fd422e63a3

SHA1
3c0ba0dd9ca6123490bc4d6a035f1b69897111d1

SHA256
4a403e21dd747aca6f361858dc6be66bc416e80182efa28ff930346024ed015e

SHA512
3bbd41b884a429ad490fb4dcbfe6587efa9afe945e6b05337fddcdf189c90d432dd56557fa24382fbc453975abc981dac9297d04fccbbba02d908625e822e8ee

Download Submit
C:\Windows\system\rexQrLB.exe
Filesize
5.2MB

MD5
f0e7db11b2a0b8af5407c0cd58a20783

SHA1
c78da57fa5f3ae7083f123fa7815ffacdfd1c700

SHA256
762b48f64f199af7a0a7a1063ae27ebf29fe2b27f49b4aea195a19e62cc226ee

SHA512
c12f7df10d8376c130e68ee8b4dfd385e12fb04ad2bdbcfe8732549b1f95eed6d4118f443d153bc221416460bfed184f36e35615ac7f6a5373a3c122c7c1d15c

Download Submit
\Windows\system\EMhGMcF.exe
Filesize
5.2MB

MD5
477cb4b1b2bfb3c32bcf088473127455

SHA1
66ef384b95734fed378c8dc6eb61f157ee781f86

SHA256
33c4b8509a1820d0c3a42024ac7c51b6af6d03fae00835073f1324e48d9621bc

SHA512
9a017418a48ecbe8eb200518f81aa36200800734d15ab1dc4e33daaff83d5d1a0de2fd6f2736ac15bd720d5fdec9917102c3e41c07f8d3551dc41b6752a0c19d

Download Submit
\Windows\system\GEGQclr.exe
Filesize
5.2MB

MD5
43ff769e9eb3201e1300027374cdc4fa

SHA1
c8d991ef008552b76e7ad3fabe6d15b731f1eca1

SHA256
fb361522b71d4a621919ff9a8d1c13c5606e25fdd0ee475d9ece7fe2b837bbe7

SHA512
57887621beaaa1ac8e0ca915b14e750b8713670cac1053550a7d1159accf06e9ae73aca8ad2a56a5c687e9112541fc7eef66c173e6119f97ce035dfed36f3b72

Download Submit
\Windows\system\LwzPfvj.exe
Filesize
5.2MB

MD5
90aa5f5a6255023745cd5ee671717f41

SHA1
cbeba1a5c5f5bdbbcdb3fed8460e1c5250840314

SHA256
2111fbc65494bc68c306143e594828519e49ff51153b442fffb79dfa5c960d4c

SHA512
9153be294afbf1fe1da0b9bc29c420b6264cf0d76801df5d8a42048e003a1ceae029f9fbb9a1e9ab9964e9a7531066dd8f68a2cd18bdb88eba7695d14db1c970

Download Submit
\Windows\system\PRssmTG.exe
Filesize
5.2MB

MD5
0c917edc72b0da7e9f37c39665727c58

SHA1
1c3e8037724abb37adb07638296fef0544e71b8f

SHA256
24edfed016179354d87ee27bd439309766a7d6f717aeb1bfe9c2b9583efa044c

SHA512
06222ae9c163edddd5855e7920e3814d62960f890f19777086f62ec8a098daf762909cde1522125eecb1002bfb32a60f6cf4bcb616c4977fc3645607605dc54b

Download Submit
\Windows\system\RPiHxIi.exe
Filesize
5.2MB

MD5
02c04e809be49e70ea67f8f67ac36684

SHA1
4c5d105ee49157e27d91467fa367ebb0a187be4a

SHA256
4ff24c958db80148ad8458ba89e97acc4d5485fb832f724fcb0a6a8139195a6c

SHA512
b954f96d736c1c0771f328c5b0099299046658c69ff3d1b2fae9c302eb949899e0e26b37aab0c036577c869d1219bf573a612e9e40ec10c83ed7df07dfacf836

Download Submit
\Windows\system\YbjslJO.exe
Filesize
5.2MB

MD5
17c75c0e5c22ed0fca30b44ea7b2e3fd

SHA1
15e8636569cfee77f8544952bd5ca28649c08412

SHA256
a68befea62781872ffcb9b167e342113b5bb784fed0f2fda4535d5eaf7caa937

SHA512
2599ecbf20465f7fb9af87e55f71ed8c1f54d514ce593abebdb131c37ae3cba8dfa45c637196afd1a1076f69c97b3cd85cd504491c9e342ad4b7a7f44ee078b6

Download Submit
\Windows\system\bqFllVo.exe
Filesize
5.2MB

MD5
64a980f21eec96e5164894e331f4cd5e

SHA1
f8a8e4580075bac0ff0c9b1ad209753f22a1491c

SHA256
2e513e681c636ae64453ef011a64f1155cf1470d448f6c155bd6c8cbb845e986

SHA512
63027493ba548c9b944016dca4a441e5024cb07effe8a24c3e1166bd659bc32a5c699aac66a754bd72d307e711bebdfb3bad7d9efed816bde92b01a0995c8866

Download Submit
\Windows\system\lyIyeQR.exe
Filesize
5.2MB

MD5
44a9c3b17b968ffacf72aaefddfd5385

SHA1
17de5ea91da3293c7343288d71b6ebde09da4c10

SHA256
425b85e6a0be94d80f6c2276cd801e10a56c690d1836f002100510ffdb4bda6f

SHA512
fcff251d64545b3836917564747f0f9e78defdc962fe10efeb5c962b1e368b6b3956ee9730b1b5a574ea9e27495d7f12fe033b062377091f4846b5148c177595

Download Submit
\Windows\system\tJAqFYS.exe
Filesize
5.2MB

MD5
85cf1b8204409bc208a903204098a87e

SHA1
8409c9737d0a54586f9748b77a0633beba4dce5d

SHA256
68ea0a5c495ed047d000d8e244af3fd2f965d832d1f2e75023c8d8306d78e32e

SHA512
bd376b6dc305afd98dccebd9b3751c0b8ba7502183f8683f26abbca6d19e7cc54495247de412c3ce5a6aa86bf7880be5ce92d6019928ba1d4850d0d93e960650

Download Submit
\Windows\system\uEpDoHJ.exe
Filesize
5.2MB

MD5
b6938bcce1f9074cc52aa6c0939da33d

SHA1
17c4445b74dd1615b6d68b762c1fee3126f698b4

SHA256
fd05b9c058f0881d1a949cde97a8205a4e944d3715d3fdb3627e2df143f658e1

SHA512
9f183bc6acc095993e583ba232d6552abf5dffdedabff3f3a71469fbe1d01eb8e40de5978b427830e31bdd8a84d59492a88b0dfb6a54c29bf6024f454b788d3a

Download Submit
\Windows\system\zGVMZXA.exe
Filesize
5.2MB

MD5
0e1b1e3af641d10a39dfd6dfac2987bc

SHA1
9b70fae0c4f6086554ca7cd0086b400336d0631c

SHA256
15e77b2c87f17916973a2929b7e8aca9368d4cb49af920a83decb527051279d0

SHA512
b6b42ca6d45f9e98fd5fe768cbf0085b034f3c1f0dad7d7cb2706fc0ad1853ab8069b7f974d73a581c1f89ea01247cb261dcc8a1f977c03ab48d57ca7cb965b9

Download Submit
memory/372-170-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/372-256-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/372-147-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/744-166-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/744-139-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/744-254-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/1572-201-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1572-23-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1572-102-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1856-138-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-233-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-137-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-231-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-255-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/1996-144-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/1996-168-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2108-193-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2108-61-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2108-28-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2108-171-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2108-56-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-0-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2108-140-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-12-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2108-90-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2108-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2108-149-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2108-146-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2108-27-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2108-54-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2108-142-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/2108-62-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2152-249-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-162-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-105-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2188-195-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2188-7-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2188-97-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2388-161-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-84-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-227-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-68-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-135-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-225-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-64-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2536-200-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-26-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-103-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-59-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-133-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-223-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-53-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2600-131-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2600-205-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2636-29-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2636-199-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2644-203-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-110-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-34-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-229-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-98-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-63-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-100-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2908-160-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2908-250-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2936-136-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2936-164-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2936-248-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2940-101-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-235-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-165-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download