cobaltstrike | e6a01fcc8309bc070ad9ae44c8256794770588170d7ba9c431c3c94f833949d5

Analysis

max time kernel
140s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

4c6de339cac051a6638b0ecbc1271746
SHA1

f9d3a6cab59636be26a904896c62a7a570dc8104
SHA256

e6a01fcc8309bc070ad9ae44c8256794770588170d7ba9c431c3c94f833949d5
SHA512

443de7dea64d54d1b95c810e07c6effec823d74adb56ca40d6a9fe9c240783993bc7cbdac34c5ea5ba08bcdb0df5f6c4a63d3960feb03c730486f10159cd28a3
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\gTLlpjw.exe	cobalt_reflective_dll
\Windows\system\laswWAV.exe	cobalt_reflective_dll
C:\Windows\system\bqyfqiA.exe	cobalt_reflective_dll
\Windows\system\nXFZbpw.exe	cobalt_reflective_dll
\Windows\system\OGoVFQR.exe	cobalt_reflective_dll
\Windows\system\CveheVo.exe	cobalt_reflective_dll
C:\Windows\system\woeIXFp.exe	cobalt_reflective_dll
\Windows\system\StGlsmV.exe	cobalt_reflective_dll
\Windows\system\PWqjyMY.exe	cobalt_reflective_dll
\Windows\system\QIUjyOd.exe	cobalt_reflective_dll
C:\Windows\system\FtIyflr.exe	cobalt_reflective_dll
\Windows\system\qisqlNI.exe	cobalt_reflective_dll
\Windows\system\VzUNejh.exe	cobalt_reflective_dll
C:\Windows\system\TFUjvzM.exe	cobalt_reflective_dll
C:\Windows\system\NmLUGPT.exe	cobalt_reflective_dll
C:\Windows\system\XBEvuRA.exe	cobalt_reflective_dll
\Windows\system\izYoshc.exe	cobalt_reflective_dll
\Windows\system\fDTLZgL.exe	cobalt_reflective_dll
\Windows\system\wbhReUn.exe	cobalt_reflective_dll
C:\Windows\system\UCFlDRH.exe	cobalt_reflective_dll
C:\Windows\system\alFaaaH.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\gTLlpjw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\laswWAV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bqyfqiA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\nXFZbpw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\OGoVFQR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\CveheVo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\woeIXFp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\StGlsmV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\PWqjyMY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QIUjyOd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FtIyflr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\qisqlNI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VzUNejh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TFUjvzM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NmLUGPT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XBEvuRA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\izYoshc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\fDTLZgL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\wbhReUn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UCFlDRH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\alFaaaH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 63 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2792-0-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
C:\Windows\system\gTLlpjw.exe	UPX
\Windows\system\laswWAV.exe	UPX
C:\Windows\system\bqyfqiA.exe	UPX
behavioral1/memory/768-12-0x000000013FA80000-0x000000013FDD1000-memory.dmp	UPX
behavioral1/memory/2148-26-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
behavioral1/memory/1712-20-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
\Windows\system\nXFZbpw.exe	UPX
behavioral1/memory/2984-27-0x000000013F6B0000-0x000000013FA01000-memory.dmp	UPX
\Windows\system\OGoVFQR.exe	UPX
behavioral1/memory/2628-36-0x000000013F1E0000-0x000000013F531000-memory.dmp	UPX
\Windows\system\CveheVo.exe	UPX
C:\Windows\system\woeIXFp.exe	UPX
behavioral1/memory/2992-51-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
\Windows\system\StGlsmV.exe	UPX
behavioral1/memory/2680-55-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
behavioral1/memory/2292-57-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
\Windows\system\PWqjyMY.exe	UPX
behavioral1/memory/2504-64-0x000000013F4D0000-0x000000013F821000-memory.dmp	UPX
\Windows\system\QIUjyOd.exe	UPX
C:\Windows\system\FtIyflr.exe	UPX
behavioral1/memory/2912-76-0x000000013F400000-0x000000013F751000-memory.dmp	UPX
behavioral1/memory/2696-81-0x000000013FA40000-0x000000013FD91000-memory.dmp	UPX
\Windows\system\qisqlNI.exe	UPX
\Windows\system\VzUNejh.exe	UPX
behavioral1/memory/768-94-0x000000013FA80000-0x000000013FDD1000-memory.dmp	UPX
behavioral1/memory/2776-93-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/memory/2792-89-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
behavioral1/memory/1712-86-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
behavioral1/memory/2500-85-0x000000013FC80000-0x000000013FFD1000-memory.dmp	UPX
C:\Windows\system\TFUjvzM.exe	UPX
behavioral1/memory/2148-101-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
behavioral1/memory/612-103-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
C:\Windows\system\NmLUGPT.exe	UPX
behavioral1/memory/1928-112-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
C:\Windows\system\XBEvuRA.exe	UPX
behavioral1/memory/2992-120-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
behavioral1/memory/2628-118-0x000000013F1E0000-0x000000013F531000-memory.dmp	UPX
behavioral1/memory/1788-122-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	UPX
\Windows\system\izYoshc.exe	UPX
\Windows\system\fDTLZgL.exe	UPX
\Windows\system\wbhReUn.exe	UPX
C:\Windows\system\UCFlDRH.exe	UPX
behavioral1/memory/1432-149-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
behavioral1/memory/2168-150-0x000000013F8D0000-0x000000013FC21000-memory.dmp	UPX
behavioral1/memory/2164-152-0x000000013FFF0000-0x0000000140341000-memory.dmp	UPX
behavioral1/memory/1548-155-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
behavioral1/memory/1872-139-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
C:\Windows\system\alFaaaH.exe	UPX
behavioral1/memory/2792-156-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
behavioral1/memory/2776-169-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/memory/1872-173-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/2792-178-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
behavioral1/memory/768-227-0x000000013FA80000-0x000000013FDD1000-memory.dmp	UPX
behavioral1/memory/1712-229-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
behavioral1/memory/2148-232-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
behavioral1/memory/2984-233-0x000000013F6B0000-0x000000013FA01000-memory.dmp	UPX
behavioral1/memory/2628-235-0x000000013F1E0000-0x000000013F531000-memory.dmp	UPX
behavioral1/memory/2680-242-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
behavioral1/memory/2992-244-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
behavioral1/memory/2292-246-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/2504-248-0x000000013F4D0000-0x000000013F821000-memory.dmp	UPX
behavioral1/memory/2696-251-0x000000013FA40000-0x000000013FD91000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/768-12-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2148-26-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2984-27-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2792-28-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2628-36-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2992-51-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/2680-55-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2292-57-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2504-64-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/2912-76-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2696-81-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/768-94-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2776-93-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2792-89-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/1712-86-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2500-85-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2148-101-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/612-103-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/1928-112-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2992-120-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/2628-118-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2792-121-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	xmrig
behavioral1/memory/1788-122-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	xmrig
behavioral1/memory/1432-149-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2168-150-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2792-151-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2164-152-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2792-153-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/1548-155-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/1872-139-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2792-102-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2792-156-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2776-169-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/1872-173-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2792-178-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2792-203-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/768-227-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/1712-229-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2148-232-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2984-233-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2628-235-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2680-242-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2992-244-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/2292-246-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2504-248-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/2696-251-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

gTLlpjw.exebqyfqiA.exelaswWAV.exenXFZbpw.exeOGoVFQR.exeCveheVo.exewoeIXFp.exeStGlsmV.exePWqjyMY.exeQIUjyOd.exeFtIyflr.exeqisqlNI.exeVzUNejh.exeTFUjvzM.exeNmLUGPT.exeXBEvuRA.exealFaaaH.exefDTLZgL.exeizYoshc.exeUCFlDRH.exewbhReUn.exe

pid	process
768	gTLlpjw.exe
1712	bqyfqiA.exe
2148	laswWAV.exe
2984	nXFZbpw.exe
2628	OGoVFQR.exe
2680	CveheVo.exe
2992	woeIXFp.exe
2292	StGlsmV.exe
2504	PWqjyMY.exe
2696	QIUjyOd.exe
2912	FtIyflr.exe
2500	qisqlNI.exe
2776	VzUNejh.exe
612	TFUjvzM.exe
1928	NmLUGPT.exe
1788	XBEvuRA.exe
1872	alFaaaH.exe
2164	fDTLZgL.exe
1432	izYoshc.exe
2168	UCFlDRH.exe
1548	wbhReUn.exe

Loads dropped DLL 21 IoCs

Processes:

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

pid	process
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2792-0-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
C:\Windows\system\gTLlpjw.exe	upx
\Windows\system\laswWAV.exe	upx
C:\Windows\system\bqyfqiA.exe	upx
behavioral1/memory/768-12-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2148-26-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/1712-20-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
\Windows\system\nXFZbpw.exe	upx
behavioral1/memory/2984-27-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
\Windows\system\OGoVFQR.exe	upx
behavioral1/memory/2628-36-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
\Windows\system\CveheVo.exe	upx
C:\Windows\system\woeIXFp.exe	upx
behavioral1/memory/2992-51-0x000000013F200000-0x000000013F551000-memory.dmp	upx
\Windows\system\StGlsmV.exe	upx
behavioral1/memory/2680-55-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/2292-57-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
\Windows\system\PWqjyMY.exe	upx
behavioral1/memory/2504-64-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
\Windows\system\QIUjyOd.exe	upx
C:\Windows\system\FtIyflr.exe	upx
behavioral1/memory/2912-76-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2696-81-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
\Windows\system\qisqlNI.exe	upx
\Windows\system\VzUNejh.exe	upx
behavioral1/memory/768-94-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2776-93-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2792-89-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/1712-86-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/2500-85-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
C:\Windows\system\TFUjvzM.exe	upx
behavioral1/memory/2148-101-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/612-103-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
C:\Windows\system\NmLUGPT.exe	upx
behavioral1/memory/1928-112-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
C:\Windows\system\XBEvuRA.exe	upx
behavioral1/memory/2992-120-0x000000013F200000-0x000000013F551000-memory.dmp	upx
behavioral1/memory/2628-118-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/1788-122-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	upx
\Windows\system\izYoshc.exe	upx
\Windows\system\fDTLZgL.exe	upx
\Windows\system\wbhReUn.exe	upx
C:\Windows\system\UCFlDRH.exe	upx
behavioral1/memory/1432-149-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/2168-150-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2164-152-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/1548-155-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/1872-139-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
C:\Windows\system\alFaaaH.exe	upx
behavioral1/memory/2792-156-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2776-169-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/1872-173-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2792-178-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/768-227-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/1712-229-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/2148-232-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2984-233-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2628-235-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2680-242-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/2992-244-0x000000013F200000-0x000000013F551000-memory.dmp	upx
behavioral1/memory/2292-246-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2504-248-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/2696-251-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\NmLUGPT.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\izYoshc.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\alFaaaH.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wbhReUn.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\woeIXFp.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\StGlsmV.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PWqjyMY.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QIUjyOd.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qisqlNI.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bqyfqiA.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\laswWAV.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CveheVo.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VzUNejh.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UCFlDRH.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FtIyflr.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TFUjvzM.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XBEvuRA.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fDTLZgL.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gTLlpjw.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nXFZbpw.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OGoVFQR.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2792 wrote to memory of 768	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	gTLlpjw.exe
PID 2792 wrote to memory of 768	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	gTLlpjw.exe
PID 2792 wrote to memory of 768	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	gTLlpjw.exe
PID 2792 wrote to memory of 1712	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	bqyfqiA.exe
PID 2792 wrote to memory of 1712	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	bqyfqiA.exe
PID 2792 wrote to memory of 1712	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	bqyfqiA.exe
PID 2792 wrote to memory of 2148	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	laswWAV.exe
PID 2792 wrote to memory of 2148	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	laswWAV.exe
PID 2792 wrote to memory of 2148	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	laswWAV.exe
PID 2792 wrote to memory of 2984	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	nXFZbpw.exe
PID 2792 wrote to memory of 2984	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	nXFZbpw.exe
PID 2792 wrote to memory of 2984	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	nXFZbpw.exe
PID 2792 wrote to memory of 2628	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	OGoVFQR.exe
PID 2792 wrote to memory of 2628	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	OGoVFQR.exe
PID 2792 wrote to memory of 2628	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	OGoVFQR.exe
PID 2792 wrote to memory of 2680	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	CveheVo.exe
PID 2792 wrote to memory of 2680	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	CveheVo.exe
PID 2792 wrote to memory of 2680	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	CveheVo.exe
PID 2792 wrote to memory of 2992	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	woeIXFp.exe
PID 2792 wrote to memory of 2992	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	woeIXFp.exe
PID 2792 wrote to memory of 2992	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	woeIXFp.exe
PID 2792 wrote to memory of 2292	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	StGlsmV.exe
PID 2792 wrote to memory of 2292	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	StGlsmV.exe
PID 2792 wrote to memory of 2292	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	StGlsmV.exe
PID 2792 wrote to memory of 2504	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	PWqjyMY.exe
PID 2792 wrote to memory of 2504	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	PWqjyMY.exe
PID 2792 wrote to memory of 2504	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	PWqjyMY.exe
PID 2792 wrote to memory of 2696	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	QIUjyOd.exe
PID 2792 wrote to memory of 2696	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	QIUjyOd.exe
PID 2792 wrote to memory of 2696	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	QIUjyOd.exe
PID 2792 wrote to memory of 2912	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	FtIyflr.exe
PID 2792 wrote to memory of 2912	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	FtIyflr.exe
PID 2792 wrote to memory of 2912	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	FtIyflr.exe
PID 2792 wrote to memory of 2500	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	qisqlNI.exe
PID 2792 wrote to memory of 2500	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	qisqlNI.exe
PID 2792 wrote to memory of 2500	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	qisqlNI.exe
PID 2792 wrote to memory of 2776	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	VzUNejh.exe
PID 2792 wrote to memory of 2776	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	VzUNejh.exe
PID 2792 wrote to memory of 2776	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	VzUNejh.exe
PID 2792 wrote to memory of 612	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	TFUjvzM.exe
PID 2792 wrote to memory of 612	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	TFUjvzM.exe
PID 2792 wrote to memory of 612	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	TFUjvzM.exe
PID 2792 wrote to memory of 1928	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	NmLUGPT.exe
PID 2792 wrote to memory of 1928	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	NmLUGPT.exe
PID 2792 wrote to memory of 1928	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	NmLUGPT.exe
PID 2792 wrote to memory of 1788	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	XBEvuRA.exe
PID 2792 wrote to memory of 1788	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	XBEvuRA.exe
PID 2792 wrote to memory of 1788	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	XBEvuRA.exe
PID 2792 wrote to memory of 1872	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	alFaaaH.exe
PID 2792 wrote to memory of 1872	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	alFaaaH.exe
PID 2792 wrote to memory of 1872	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	alFaaaH.exe
PID 2792 wrote to memory of 2164	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	fDTLZgL.exe
PID 2792 wrote to memory of 2164	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	fDTLZgL.exe
PID 2792 wrote to memory of 2164	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	fDTLZgL.exe
PID 2792 wrote to memory of 1432	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	izYoshc.exe
PID 2792 wrote to memory of 1432	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	izYoshc.exe
PID 2792 wrote to memory of 1432	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	izYoshc.exe
PID 2792 wrote to memory of 2168	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	UCFlDRH.exe
PID 2792 wrote to memory of 2168	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	UCFlDRH.exe
PID 2792 wrote to memory of 2168	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	UCFlDRH.exe
PID 2792 wrote to memory of 1548	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	wbhReUn.exe
PID 2792 wrote to memory of 1548	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	wbhReUn.exe
PID 2792 wrote to memory of 1548	2792	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	wbhReUn.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\System\gTLlpjw.exe
C:\Windows\System\gTLlpjw.exe
2⤵
- Executes dropped EXE
PID:768

C:\Windows\System\bqyfqiA.exe
C:\Windows\System\bqyfqiA.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\System\laswWAV.exe
C:\Windows\System\laswWAV.exe
2⤵
- Executes dropped EXE
PID:2148

C:\Windows\System\nXFZbpw.exe
C:\Windows\System\nXFZbpw.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\OGoVFQR.exe
C:\Windows\System\OGoVFQR.exe
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\System\CveheVo.exe
C:\Windows\System\CveheVo.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\System\woeIXFp.exe
C:\Windows\System\woeIXFp.exe
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\System\StGlsmV.exe
C:\Windows\System\StGlsmV.exe
2⤵
- Executes dropped EXE
PID:2292

C:\Windows\System\PWqjyMY.exe
C:\Windows\System\PWqjyMY.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\QIUjyOd.exe
C:\Windows\System\QIUjyOd.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\System\FtIyflr.exe
C:\Windows\System\FtIyflr.exe
2⤵
- Executes dropped EXE
PID:2912

C:\Windows\System\qisqlNI.exe
C:\Windows\System\qisqlNI.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\VzUNejh.exe
C:\Windows\System\VzUNejh.exe
2⤵
- Executes dropped EXE
PID:2776

C:\Windows\System\TFUjvzM.exe
C:\Windows\System\TFUjvzM.exe
2⤵
- Executes dropped EXE
PID:612

C:\Windows\System\NmLUGPT.exe
C:\Windows\System\NmLUGPT.exe
2⤵
- Executes dropped EXE
PID:1928

C:\Windows\System\XBEvuRA.exe
C:\Windows\System\XBEvuRA.exe
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\System\alFaaaH.exe
C:\Windows\System\alFaaaH.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\fDTLZgL.exe
C:\Windows\System\fDTLZgL.exe
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\System\izYoshc.exe
C:\Windows\System\izYoshc.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\System\UCFlDRH.exe
C:\Windows\System\UCFlDRH.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\wbhReUn.exe
C:\Windows\System\wbhReUn.exe
2⤵
- Executes dropped EXE
PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FtIyflr.exe
Filesize
5.2MB

MD5
aea9388358bb9312940efcff03c705c1

SHA1
cffd8219cc89f690a595e3b60da05bcf99b8e06b

SHA256
b25b921399d3aefa5ff5058e36e1d5146165bfa54ff3fccfd8da7286b069413b

SHA512
805c04c916bae025b4ea911f8eb872a596c16cf1b54848473c5f1215730476e6b523171584ca1de6c7c40ddfb7754514be17411c34ad7f5fbc1ef3d14bfff1ba

Download Submit
C:\Windows\system\NmLUGPT.exe
Filesize
5.2MB

MD5
1c91225b7489598bdbd76eb4987e7609

SHA1
6179366c6dbbdacc5fd1fad951573710cdc53c86

SHA256
d4750e9a5541d008e65726e3d9f652bc03f8d870483e3c4c5a576ae9feb93241

SHA512
da6e85a8ae98973a59982e8e8efb062dc84cb41a41238177905cfef41936d20757aefeedeeea7061745ab5237f8020957145f8e4c393eaedd68830ab8b364aa3

Download Submit
C:\Windows\system\TFUjvzM.exe
Filesize
5.2MB

MD5
7a9e5454e444b9ae5bebf366b20fa1f9

SHA1
22112eae504e8e8d221cfc8222aaf8ba79f7e692

SHA256
ef661567a34b8501fe5547d32a36d4576a35080d99474334c053443fdc55cc30

SHA512
aaedf742f34dba14fc162740c9912f047bb83c015075579d395821e6a67444d81a27bbc542f617f424d1ab5d78822dd1ca87f29366a129aaffaa848e8d4ca439

Download Submit
C:\Windows\system\UCFlDRH.exe
Filesize
5.2MB

MD5
dbffac92aa2112edbf4ab9c342a08b45

SHA1
e42b461a5461aeed215f5bfb24c35c65253d15b5

SHA256
33673a49a6d6df5cf3ff95986f420c0f6d30ada24cc53a7ae7c5faa0e4d5fa86

SHA512
8ed74f2ccb697a5edf4889a3cb233ac67f207180e634db52b7ccb9c212e4d17a1875dbb4f701b6bfe403124fe78c0759c55d625ecde8f8a91219fbc6fcf6a4eb

Download Submit
C:\Windows\system\XBEvuRA.exe
Filesize
5.2MB

MD5
4122cb19e929653ad97fdb4c96c8330b

SHA1
b086d6411cb032ef369c467a61d8d6414c54da84

SHA256
bc548a124446ce4f78a5ce8f6d17f991587f70adbf9d0de87b5c223c5bad42b5

SHA512
62cb5521ef2047a53c02a8073e01e7665d493251d7e6fbafcdadf256d70a560c9c5fd8f7d476a02660b51a374312f119d679e49f4cd62b6040250a33241ee139

Download Submit
C:\Windows\system\alFaaaH.exe
Filesize
5.2MB

MD5
4ba7544db94620b6e8d14f16816644f5

SHA1
e909c6657429a2daa9de5abdce23d4e2e8d978f0

SHA256
10dbc0d4dfcc60cda9d3c82028d89638a45c21b0fc94e9baac3992d562ac4d4d

SHA512
680dedcb39e89ba4423df50ea022d35be76d2f46bc07e14c2b6c49cc25543e2bd1b856410ede56a1f77774789feb2733b9f13f971a9c2b794b71c408993476b3

Download Submit
C:\Windows\system\bqyfqiA.exe
Filesize
5.2MB

MD5
28429eacc4535811e6e18fbdd50bab71

SHA1
07bf4f2a3c64a43eaceb89ad25331109bf1f0fd0

SHA256
4935b34c08789ac66d698f60ce15cfa35bac50990d4d5af4b9d3df0b16b46ba2

SHA512
9cbf5ada0a96df5c9d9ab0f9beb1858e3ba9587a298f3b0bb995d9e3bfe922e0edbc862339413c32bd342a70e209a5ea045f3ff2de317b0d0026ceb662e8b864

Download Submit
C:\Windows\system\gTLlpjw.exe
Filesize
5.2MB

MD5
0ff6156f49e83327f39ae031c91f5c21

SHA1
01c1d7b531e491a692df366527d832686c806cd3

SHA256
8e2832d537a53622598a091d9c804e330e8eef71c2b130cba41a2171d8fb28a8

SHA512
0f8b269661901b049af3536f2f68d944670728103a08a4bb2c0859ac8351940c0c6a4a635973f1543051b36a7f5f9921aab1fcf52a857b754e89f19b472badca

Download Submit
C:\Windows\system\woeIXFp.exe
Filesize
5.2MB

MD5
4153668c735ae085624ea7fe099a2369

SHA1
7aaaf520fdced6117604a3f5235bb29b57f0bab6

SHA256
53ea8b8d765ebe2b46632307f8124522a294c2641d2f13b779cfd345230a7db6

SHA512
36a5c27bf313c592f504e03db1a37b9002c67230ea2c367c07337e5f9761f4698f66e91ad7900d31281f04365449e885f83431c3263822fc39c3d376c297bb0c

Download Submit
\Windows\system\CveheVo.exe
Filesize
5.2MB

MD5
82a92011dca8e2c015c378d80b4c2816

SHA1
533322cf88d690376d3d69201ac69460ca631b5d

SHA256
0f430f6b5e2f4ce1390b2510fd97a51ca9448ad3a94d90e3dd033b2da458cdba

SHA512
173704bf3d9b6fe25433db2b820a2d27c0cd29bfe3c95bc5d73c7a6110067b638ef5738deac0204a705c638741a4c9541cd8a9873e5331bb929130bd8e04e680

Download Submit
\Windows\system\OGoVFQR.exe
Filesize
5.2MB

MD5
4fa0d323c1b836f21597726ceea23f82

SHA1
04094bd2bfdc534f09fbc8801249e820e865917d

SHA256
54ee07d7b30acca968328d0e8572fbc720ecb40586916e2cd63c53d9c6dfc9df

SHA512
c7bc774382f7aba939c977e73d1a88216ca2b96f52128c7915443e375c2e61a0ddb9333a52799f06bcbe94df23702309383537c77748272ecf0b0a089ec715b1

Download Submit
\Windows\system\PWqjyMY.exe
Filesize
5.2MB

MD5
f721eb75187213c7281ceae46788e58b

SHA1
ffe5f6e770f0757df52d326d66ff82e7b475ba6b

SHA256
ca0d734c20090278b67fde5c2196b19523402deb9a53dddffc38e25858831ed1

SHA512
d9f06f8227d674e1799054917352a6824d561deaa8d173f4db7bf869905fb45ab4678882ba66e471404e5c33b187132099fd9936bc3bdc65b642a9c519724714

Download Submit
\Windows\system\QIUjyOd.exe
Filesize
5.2MB

MD5
e5c2900ead6d4cc64dcea999b57d85f4

SHA1
35e1eec81a75cadf41c928304c7b94aa69adc30d

SHA256
42a46fc2d6ac3badc09165a60bcd27529d9696ed3a4626f19ff89e3bba2eef5d

SHA512
b02085e4860c9630211ff2e4b15d885fe147465b961f13c5fb19e6914455ad9b8a825a3d3456fbdac25c9a31ab9d1852d5ca20dbdc44464eb9a8d2dea30a28dc

Download Submit
\Windows\system\StGlsmV.exe
Filesize
5.2MB

MD5
d741ca34d170983f8170eda9bbf75e75

SHA1
af41ae1861b34d1dc34dc24f17491c7c452e5ef8

SHA256
63ddef5f23082d782feb9a153945bc6d1356056ff043bf994c2b62d8a3e6a860

SHA512
2758253444f651970a738573e32e4b249c0ad8d1ed31d548f0fb865e48942c8cca6de7a8bbbf61439819ddf8055cec8a6d994ac5c1adcb899998a0336952b2f5

Download Submit
\Windows\system\VzUNejh.exe
Filesize
5.2MB

MD5
3493f2ae92e8c1321cab0a8cbaf54ad2

SHA1
1cfa91ebf23e56b2a2efd023701ebbb405b37316

SHA256
90bec5098179e6da0b7f7eb9494d8330b39d783665ee183e927e0c12e0ea1844

SHA512
72c10920ed30b31130ab6771481d7c590cfc3762d79e5bcc55c33597afd2f208245221a7a1c48e4815c499d56279445d0a3b93696872a6fb45018a4408c7cab6

Download Submit
\Windows\system\fDTLZgL.exe
Filesize
5.2MB

MD5
4efbd3d8432add0f6f00c65ec3332828

SHA1
7f4671a64dd4262aae72f1c4389f4117829cd2c2

SHA256
d5ef32d9b35f685645393cbe5549472c032bfac982b5ae5850a4ded69541884c

SHA512
cc395ed7903619d86495ac1402e4d1e40605395053b49e560282579f94fd161b455f7199f2be3fc7fb439bab00723b838a5399d128ff4b5242ec2158444a5a3c

Download Submit
\Windows\system\izYoshc.exe
Filesize
5.2MB

MD5
90039da449960643dc6493438315968a

SHA1
03b977825052f0efea1e5e12994c019080ed0a43

SHA256
70303a62f1158605971d935e440d2d3317bc4975589117212dccb504f9ebef29

SHA512
b2621ab254776cfaec6c3688895c9367feb4a44f63591b471501e744a4427c1fd4c48c7daf4c7449ba7cb4a49a6370a6f518022bf1b95d01a7e6a20f40a30d37

Download Submit
\Windows\system\laswWAV.exe
Filesize
5.2MB

MD5
e70100075496fe38a7620a26a34cac61

SHA1
8157b56aba3d3d8a353de5a508e9f6e063c240c9

SHA256
9d8b9b5fb1723b58edb13b1503c209cdf4f3a87c5aec1c845d9486e8867393b4

SHA512
9399d13ba64c36b2e7bc1b1683afa5c2c754b4b752eaf9b73214171a956d537addbbeabc4f76ef9eef94464127d4a300147cd4381b425dc3350326da4c4f7df4

Download Submit
\Windows\system\nXFZbpw.exe
Filesize
5.2MB

MD5
8ee18ac38e66333dcf1c995fa8ca1a94

SHA1
dc3cc1b2eadd3d82210e6968a1ba82e0c9be5b6a

SHA256
933ec4f1913b8f69b60053eb42f3898d8e3c10f6f4439d8770575379c6f67471

SHA512
7a9ebddc956a5efe17e8114cb286c268762f3424cc1d36f594aca4e08afb0821cea85be2b163dd33d113ca66a4b52b052a48bcead43858c1591f24c757d0120a

Download Submit
\Windows\system\qisqlNI.exe
Filesize
5.2MB

MD5
cc67efa877bab9e2037b763264e6bbef

SHA1
869093a99f92b65b8e3b1e48dc2b16dc2911ba48

SHA256
9487f7d48158fb819ac9e932d2cb98aca607a7c8e18ae63281ee3c1701938a53

SHA512
030875589189c2a513b77ce8931107403aa602137ae2c78644999034450318ce41be32f3741a7e8548718bd0454797b0e50948dd3a22e35bd845017eeaaae640

Download Submit
\Windows\system\wbhReUn.exe
Filesize
5.2MB

MD5
e213ec08b966aea58d455e7550a5368f

SHA1
9b3440e316bd744fe5beafa2d86b18cf3c906d4d

SHA256
d76822ba81fc8462ae72386813c24353cb53ee4d2063526dfcbfcfabc5577cae

SHA512
e11e5eaa602e7b5d4a65397f59ecc517d77443b91673490468a49e6a870005fd930a3a5c6ec990da6be623fbc487cbb5728f15e20b55e148206264cdfb00aa95

Download Submit
memory/612-103-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/768-227-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/768-94-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/768-12-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-149-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/1548-155-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-229-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-20-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-86-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-122-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-139-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1872-173-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1928-112-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-101-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-26-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-232-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-152-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2168-150-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2292-246-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2292-57-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2500-85-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-64-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2504-248-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2628-235-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2628-118-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2628-36-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2680-55-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-242-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-251-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2696-81-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2776-93-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2776-169-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2792-0-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2792-156-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2792-95-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2792-110-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2792-84-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-83-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2792-111-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2792-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2792-75-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2792-63-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2792-151-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2792-41-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-153-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2792-154-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2792-56-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2792-109-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2792-134-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2792-54-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2792-102-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2792-121-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-119-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-89-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2792-178-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2792-180-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2792-200-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-202-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2792-203-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2792-34-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2792-7-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-29-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2792-28-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-76-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2984-233-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2984-27-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2992-51-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/2992-244-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/2992-120-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download