cobaltstrike | 9230620af9c49243e4b65b6f5236eab6ff944b77210ec9ffbca145a4ef3491ac

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

77b1999d1643baee6b5913926db65f9e
SHA1

71ee6fa13708e5bc44742d491cb07a3f3d13052f
SHA256

9230620af9c49243e4b65b6f5236eab6ff944b77210ec9ffbca145a4ef3491ac
SHA512

dcb32f51e16f7b73dc59dda3498332319bf44373da7da01b5d3109a94b60d115c9229651700790c6a142643e87077b82764ef826fb5225515db5feeceeff4539
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\eIIhGPF.exe	cobalt_reflective_dll
\Windows\system\ptgnzKp.exe	cobalt_reflective_dll
\Windows\system\aAAhhrz.exe	cobalt_reflective_dll
\Windows\system\WVEcIJB.exe	cobalt_reflective_dll
\Windows\system\HQgnjqp.exe	cobalt_reflective_dll
\Windows\system\eqCfrwq.exe	cobalt_reflective_dll
C:\Windows\system\ejqxurK.exe	cobalt_reflective_dll
C:\Windows\system\UAUCMUg.exe	cobalt_reflective_dll
\Windows\system\lhbUGkH.exe	cobalt_reflective_dll
C:\Windows\system\JqTigfT.exe	cobalt_reflective_dll
C:\Windows\system\zajOBCB.exe	cobalt_reflective_dll
C:\Windows\system\oqLtPzH.exe	cobalt_reflective_dll
C:\Windows\system\AGSpWwE.exe	cobalt_reflective_dll
C:\Windows\system\SEiFGuB.exe	cobalt_reflective_dll
C:\Windows\system\gLyavWZ.exe	cobalt_reflective_dll
\Windows\system\WkyBicn.exe	cobalt_reflective_dll
\Windows\system\kRsbuNo.exe	cobalt_reflective_dll
\Windows\system\nOexpjE.exe	cobalt_reflective_dll
C:\Windows\system\nLNWScA.exe	cobalt_reflective_dll
C:\Windows\system\YrFSuru.exe	cobalt_reflective_dll
C:\Windows\system\wjpwhPi.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\eIIhGPF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ptgnzKp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\aAAhhrz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\WVEcIJB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\HQgnjqp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\eqCfrwq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ejqxurK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UAUCMUg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lhbUGkH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JqTigfT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zajOBCB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oqLtPzH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AGSpWwE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SEiFGuB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gLyavWZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\WkyBicn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kRsbuNo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\nOexpjE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nLNWScA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YrFSuru.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wjpwhPi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2088-1-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
\Windows\system\eIIhGPF.exe	UPX
\Windows\system\ptgnzKp.exe	UPX
\Windows\system\aAAhhrz.exe	UPX
\Windows\system\WVEcIJB.exe	UPX
behavioral1/memory/2024-37-0x000000013F810000-0x000000013FB61000-memory.dmp	UPX
behavioral1/memory/2536-44-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
\Windows\system\HQgnjqp.exe	UPX
behavioral1/memory/2584-51-0x000000013F050000-0x000000013F3A1000-memory.dmp	UPX
\Windows\system\eqCfrwq.exe	UPX
behavioral1/memory/2736-54-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/2468-58-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
C:\Windows\system\ejqxurK.exe	UPX
behavioral1/memory/2640-64-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/1744-68-0x000000013F530000-0x000000013F881000-memory.dmp	UPX
behavioral1/memory/2492-70-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
C:\Windows\system\UAUCMUg.exe	UPX
\Windows\system\lhbUGkH.exe	UPX
behavioral1/memory/2180-78-0x000000013FB20000-0x000000013FE71000-memory.dmp	UPX
behavioral1/memory/2944-19-0x000000013F8E0000-0x000000013FC31000-memory.dmp	UPX
C:\Windows\system\JqTigfT.exe	UPX
behavioral1/memory/1600-14-0x000000013FEB0000-0x0000000140201000-memory.dmp	UPX
C:\Windows\system\zajOBCB.exe	UPX
C:\Windows\system\oqLtPzH.exe	UPX
behavioral1/memory/1748-85-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
C:\Windows\system\AGSpWwE.exe	UPX
behavioral1/memory/3008-92-0x000000013F850000-0x000000013FBA1000-memory.dmp	UPX
C:\Windows\system\SEiFGuB.exe	UPX
C:\Windows\system\gLyavWZ.exe	UPX
\Windows\system\WkyBicn.exe	UPX
\Windows\system\kRsbuNo.exe	UPX
\Windows\system\nOexpjE.exe	UPX
behavioral1/memory/1916-136-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
C:\Windows\system\nLNWScA.exe	UPX
behavioral1/memory/2788-140-0x000000013F870000-0x000000013FBC1000-memory.dmp	UPX
behavioral1/memory/2532-141-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/memory/2980-142-0x000000013F480000-0x000000013F7D1000-memory.dmp	UPX
behavioral1/memory/2976-143-0x000000013F4B0000-0x000000013F801000-memory.dmp	UPX
behavioral1/memory/2496-144-0x000000013F4F0000-0x000000013F841000-memory.dmp	UPX
C:\Windows\system\YrFSuru.exe	UPX
C:\Windows\system\wjpwhPi.exe	UPX
behavioral1/memory/2712-112-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
behavioral1/memory/2700-101-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
behavioral1/memory/2088-145-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/1600-146-0x000000013FEB0000-0x0000000140201000-memory.dmp	UPX
behavioral1/memory/2468-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/2088-149-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/2180-160-0x000000013FB20000-0x000000013FE71000-memory.dmp	UPX
behavioral1/memory/3008-162-0x000000013F850000-0x000000013FBA1000-memory.dmp	UPX
behavioral1/memory/2712-164-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
behavioral1/memory/2088-171-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/2024-233-0x000000013F810000-0x000000013FB61000-memory.dmp	UPX
behavioral1/memory/1600-232-0x000000013FEB0000-0x0000000140201000-memory.dmp	UPX
behavioral1/memory/2536-235-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
behavioral1/memory/2736-240-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/2640-241-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2584-239-0x000000013F050000-0x000000013F3A1000-memory.dmp	UPX
behavioral1/memory/2944-231-0x000000013F8E0000-0x000000013FC31000-memory.dmp	UPX
behavioral1/memory/1744-243-0x000000013F530000-0x000000013F881000-memory.dmp	UPX
behavioral1/memory/2468-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/2492-247-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2180-249-0x000000013FB20000-0x000000013FE71000-memory.dmp	UPX
behavioral1/memory/1748-251-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
behavioral1/memory/3008-253-0x000000013F850000-0x000000013FBA1000-memory.dmp	UPX

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2024-37-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2536-44-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2584-51-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2736-54-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2468-58-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2640-64-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/1744-68-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2492-70-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2180-78-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2944-19-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/1600-14-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/1748-85-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/3008-92-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/1916-136-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2788-140-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/2532-141-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2980-142-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2976-143-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2496-144-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2712-112-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2700-101-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2088-145-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/1600-146-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2468-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2088-149-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2180-160-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/3008-162-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2712-164-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2088-171-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2024-233-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/1600-232-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2536-235-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2736-240-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2640-241-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2584-239-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2944-231-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/1744-243-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2468-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2492-247-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2180-249-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/1748-251-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/3008-253-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2700-255-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2712-258-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2496-259-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2532-268-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2788-266-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/2980-270-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

eIIhGPF.exezajOBCB.exeJqTigfT.exeejqxurK.exeptgnzKp.exeWVEcIJB.exeaAAhhrz.exeHQgnjqp.exeeqCfrwq.exeUAUCMUg.exelhbUGkH.exeoqLtPzH.exeAGSpWwE.exeSEiFGuB.exegLyavWZ.exeWkyBicn.exewjpwhPi.exekRsbuNo.exeYrFSuru.exenOexpjE.exenLNWScA.exe

pid	process
1600	eIIhGPF.exe
2944	zajOBCB.exe
2024	JqTigfT.exe
2536	ejqxurK.exe
2584	ptgnzKp.exe
2640	WVEcIJB.exe
2736	aAAhhrz.exe
1744	HQgnjqp.exe
2468	eqCfrwq.exe
2492	UAUCMUg.exe
2180	lhbUGkH.exe
1748	oqLtPzH.exe
3008	AGSpWwE.exe
2700	SEiFGuB.exe
2712	gLyavWZ.exe
1916	WkyBicn.exe
2496	wjpwhPi.exe
2788	kRsbuNo.exe
2532	YrFSuru.exe
2980	nOexpjE.exe
2976	nLNWScA.exe

Loads dropped DLL 21 IoCs

Processes:

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

pid	process
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2088-1-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
\Windows\system\eIIhGPF.exe	upx
\Windows\system\ptgnzKp.exe	upx
\Windows\system\aAAhhrz.exe	upx
\Windows\system\WVEcIJB.exe	upx
behavioral1/memory/2024-37-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2536-44-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
\Windows\system\HQgnjqp.exe	upx
behavioral1/memory/2584-51-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
\Windows\system\eqCfrwq.exe	upx
behavioral1/memory/2736-54-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2468-58-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
C:\Windows\system\ejqxurK.exe	upx
behavioral1/memory/2640-64-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/1744-68-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/memory/2492-70-0x000000013F540000-0x000000013F891000-memory.dmp	upx
C:\Windows\system\UAUCMUg.exe	upx
\Windows\system\lhbUGkH.exe	upx
behavioral1/memory/2180-78-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2944-19-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
C:\Windows\system\JqTigfT.exe	upx
behavioral1/memory/1600-14-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
C:\Windows\system\zajOBCB.exe	upx
C:\Windows\system\oqLtPzH.exe	upx
behavioral1/memory/1748-85-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
C:\Windows\system\AGSpWwE.exe	upx
behavioral1/memory/3008-92-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
C:\Windows\system\SEiFGuB.exe	upx
C:\Windows\system\gLyavWZ.exe	upx
\Windows\system\WkyBicn.exe	upx
\Windows\system\kRsbuNo.exe	upx
\Windows\system\nOexpjE.exe	upx
behavioral1/memory/1916-136-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
C:\Windows\system\nLNWScA.exe	upx
behavioral1/memory/2788-140-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/2532-141-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/2980-142-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2976-143-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2496-144-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
C:\Windows\system\YrFSuru.exe	upx
C:\Windows\system\wjpwhPi.exe	upx
behavioral1/memory/2712-112-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2700-101-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2088-145-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/1600-146-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2468-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2088-149-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2180-160-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/3008-162-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/memory/2712-164-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2088-171-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2024-233-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/1600-232-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2536-235-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2736-240-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2640-241-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2584-239-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2944-231-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/1744-243-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/memory/2468-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2492-247-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2180-249-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/1748-251-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
behavioral1/memory/3008-253-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\kRsbuNo.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eIIhGPF.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zajOBCB.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JqTigfT.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ejqxurK.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aAAhhrz.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eqCfrwq.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oqLtPzH.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WVEcIJB.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UAUCMUg.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gLyavWZ.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WkyBicn.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nLNWScA.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lhbUGkH.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SEiFGuB.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YrFSuru.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ptgnzKp.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HQgnjqp.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AGSpWwE.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wjpwhPi.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nOexpjE.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2088 wrote to memory of 1600	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	eIIhGPF.exe
PID 2088 wrote to memory of 1600	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	eIIhGPF.exe
PID 2088 wrote to memory of 1600	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	eIIhGPF.exe
PID 2088 wrote to memory of 2944	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	zajOBCB.exe
PID 2088 wrote to memory of 2944	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	zajOBCB.exe
PID 2088 wrote to memory of 2944	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	zajOBCB.exe
PID 2088 wrote to memory of 2024	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	JqTigfT.exe
PID 2088 wrote to memory of 2024	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	JqTigfT.exe
PID 2088 wrote to memory of 2024	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	JqTigfT.exe
PID 2088 wrote to memory of 2536	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	ejqxurK.exe
PID 2088 wrote to memory of 2536	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	ejqxurK.exe
PID 2088 wrote to memory of 2536	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	ejqxurK.exe
PID 2088 wrote to memory of 2584	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	ptgnzKp.exe
PID 2088 wrote to memory of 2584	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	ptgnzKp.exe
PID 2088 wrote to memory of 2584	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	ptgnzKp.exe
PID 2088 wrote to memory of 2640	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	WVEcIJB.exe
PID 2088 wrote to memory of 2640	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	WVEcIJB.exe
PID 2088 wrote to memory of 2640	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	WVEcIJB.exe
PID 2088 wrote to memory of 2736	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	aAAhhrz.exe
PID 2088 wrote to memory of 2736	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	aAAhhrz.exe
PID 2088 wrote to memory of 2736	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	aAAhhrz.exe
PID 2088 wrote to memory of 1744	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	HQgnjqp.exe
PID 2088 wrote to memory of 1744	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	HQgnjqp.exe
PID 2088 wrote to memory of 1744	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	HQgnjqp.exe
PID 2088 wrote to memory of 2468	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	eqCfrwq.exe
PID 2088 wrote to memory of 2468	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	eqCfrwq.exe
PID 2088 wrote to memory of 2468	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	eqCfrwq.exe
PID 2088 wrote to memory of 2492	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	UAUCMUg.exe
PID 2088 wrote to memory of 2492	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	UAUCMUg.exe
PID 2088 wrote to memory of 2492	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	UAUCMUg.exe
PID 2088 wrote to memory of 2180	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	lhbUGkH.exe
PID 2088 wrote to memory of 2180	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	lhbUGkH.exe
PID 2088 wrote to memory of 2180	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	lhbUGkH.exe
PID 2088 wrote to memory of 1748	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	oqLtPzH.exe
PID 2088 wrote to memory of 1748	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	oqLtPzH.exe
PID 2088 wrote to memory of 1748	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	oqLtPzH.exe
PID 2088 wrote to memory of 3008	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	AGSpWwE.exe
PID 2088 wrote to memory of 3008	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	AGSpWwE.exe
PID 2088 wrote to memory of 3008	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	AGSpWwE.exe
PID 2088 wrote to memory of 2700	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	SEiFGuB.exe
PID 2088 wrote to memory of 2700	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	SEiFGuB.exe
PID 2088 wrote to memory of 2700	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	SEiFGuB.exe
PID 2088 wrote to memory of 2712	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	gLyavWZ.exe
PID 2088 wrote to memory of 2712	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	gLyavWZ.exe
PID 2088 wrote to memory of 2712	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	gLyavWZ.exe
PID 2088 wrote to memory of 1916	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	WkyBicn.exe
PID 2088 wrote to memory of 1916	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	WkyBicn.exe
PID 2088 wrote to memory of 1916	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	WkyBicn.exe
PID 2088 wrote to memory of 2496	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	wjpwhPi.exe
PID 2088 wrote to memory of 2496	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	wjpwhPi.exe
PID 2088 wrote to memory of 2496	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	wjpwhPi.exe
PID 2088 wrote to memory of 2532	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	YrFSuru.exe
PID 2088 wrote to memory of 2532	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	YrFSuru.exe
PID 2088 wrote to memory of 2532	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	YrFSuru.exe
PID 2088 wrote to memory of 2788	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	kRsbuNo.exe
PID 2088 wrote to memory of 2788	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	kRsbuNo.exe
PID 2088 wrote to memory of 2788	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	kRsbuNo.exe
PID 2088 wrote to memory of 2976	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	nLNWScA.exe
PID 2088 wrote to memory of 2976	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	nLNWScA.exe
PID 2088 wrote to memory of 2976	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	nLNWScA.exe
PID 2088 wrote to memory of 2980	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	nOexpjE.exe
PID 2088 wrote to memory of 2980	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	nOexpjE.exe
PID 2088 wrote to memory of 2980	2088	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	nOexpjE.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\System\eIIhGPF.exe
C:\Windows\System\eIIhGPF.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\System\zajOBCB.exe
C:\Windows\System\zajOBCB.exe
2⤵
- Executes dropped EXE
PID:2944

C:\Windows\System\JqTigfT.exe
C:\Windows\System\JqTigfT.exe
2⤵
- Executes dropped EXE
PID:2024

C:\Windows\System\ejqxurK.exe
C:\Windows\System\ejqxurK.exe
2⤵
- Executes dropped EXE
PID:2536

C:\Windows\System\ptgnzKp.exe
C:\Windows\System\ptgnzKp.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\WVEcIJB.exe
C:\Windows\System\WVEcIJB.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\aAAhhrz.exe
C:\Windows\System\aAAhhrz.exe
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\System\HQgnjqp.exe
C:\Windows\System\HQgnjqp.exe
2⤵
- Executes dropped EXE
PID:1744

C:\Windows\System\eqCfrwq.exe
C:\Windows\System\eqCfrwq.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\UAUCMUg.exe
C:\Windows\System\UAUCMUg.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\lhbUGkH.exe
C:\Windows\System\lhbUGkH.exe
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\System\oqLtPzH.exe
C:\Windows\System\oqLtPzH.exe
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\System\AGSpWwE.exe
C:\Windows\System\AGSpWwE.exe
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\System\SEiFGuB.exe
C:\Windows\System\SEiFGuB.exe
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\System\gLyavWZ.exe
C:\Windows\System\gLyavWZ.exe
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\System\WkyBicn.exe
C:\Windows\System\WkyBicn.exe
2⤵
- Executes dropped EXE
PID:1916

C:\Windows\System\wjpwhPi.exe
C:\Windows\System\wjpwhPi.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\YrFSuru.exe
C:\Windows\System\YrFSuru.exe
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\System\kRsbuNo.exe
C:\Windows\System\kRsbuNo.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\nLNWScA.exe
C:\Windows\System\nLNWScA.exe
2⤵
- Executes dropped EXE
PID:2976

C:\Windows\System\nOexpjE.exe
C:\Windows\System\nOexpjE.exe
2⤵
- Executes dropped EXE
PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AGSpWwE.exe
Filesize
5.2MB

MD5
0656b6f873e4fb60ae4b33f4616b25bf

SHA1
9d647f46b135c005577c9cca654a7a8ebf161b2b

SHA256
7f239b005592fd5382969bb27eed332c0be49b76ed2fb36199d1fabd82562a29

SHA512
93c60ae059ab21f5b26d881c6d0ca4a760c31e18408bb95593d3825715bb6eacde5f9c137566a5462c8d9d95ee84d468ad707ec2e22644851d61d9d83381b4fa

Download Submit
C:\Windows\system\JqTigfT.exe
Filesize
5.2MB

MD5
11bb2ce361bb3d9efeac7d86fbbfe7b7

SHA1
36e2668054490b87cebc08d77f02c235f2ebebab

SHA256
9f8e5d0cdfba4b0d42a15779a35683da42410a90a28bb4c543b232522ab7ef9f

SHA512
38d12efd22b2206d590f6905e0df8b9cbddfc001a6f5b77078ee956c8a2535d252c7661296b1ba73c6ad10304205daeb9bef8fe3ce0118d5c198a7098314f19c

Download Submit
C:\Windows\system\SEiFGuB.exe
Filesize
5.2MB

MD5
ef2bf6b71569171085e25ae54c4fe655

SHA1
2d63a16ac564a47c59f11d2822b6502af0205a56

SHA256
09cef3fb4ba14e1f519d7e21df5e52ebc438e87b84704b34bfb8c7c948f2902f

SHA512
48425c40cf387e9fbc7921f22aab5e4d4f3067a8c7dfe0208ee8f8263fa46c5cb254e1ba23fb1aa9a0fd74bc55be4e12a86e5dae1bed25ea0504ea902a792810

Download Submit
C:\Windows\system\UAUCMUg.exe
Filesize
5.2MB

MD5
73731bf1b617531dba82b73c90e877d3

SHA1
39cfe6737af6f6e5d195a953630d66f8f8b0e6d7

SHA256
490f1566c366b09e8188bdf510d39bd577319ac01040f509e85c71d8322f1456

SHA512
323a6b5256c394b9452105d771415f5a6ba0ab64a6d829964dc3dd17693e95366177e9c794909522552dab2ef67b5bc5ba6c26471eb1db33088f0ab5aba673e5

Download Submit
C:\Windows\system\YrFSuru.exe
Filesize
5.2MB

MD5
d25d7ac022cd3d00dcc0b3f0c770d3a1

SHA1
ba12a0ded57f258007de83077e064e7c8a1d2cf0

SHA256
ac7432c86b8702d49247e2b8030b4a720a737fbf552c3e4f1373508f5b58240d

SHA512
97f8b94f49ff59c95cede83e5a39060864ef7684a68d7cf0b56dbb2f8309100b842fd807a5a1461de463c78c0320e26699950029a486c9c652b7e7051c940487

Download Submit
C:\Windows\system\ejqxurK.exe
Filesize
5.2MB

MD5
46eaff968cfcf5601c94915d21e776bc

SHA1
bfa31141ad6827a866836465c7dfd8ba10ed0737

SHA256
77547769b40bd24ef36331ce367d0f6263c0ed414cd5450200dc7aa25b3ec46f

SHA512
60805fd44bd942cf6984ad9cb975275bf5a3063b8f4fd870f9707ba250d5c7495b618b12fda19c663bc7be213b5f4541964ee83f084176ed03315e2f11d0ac39

Download Submit
C:\Windows\system\gLyavWZ.exe
Filesize
5.2MB

MD5
92cf9fd352fe24fa94e4ff2a7771788f

SHA1
64a34fccbda61d12dc934a8512c010e7b26b90c6

SHA256
f7c6d55cc6fe8f703f6e07689aff4c96ec3f0afe57f473a860af20471be6b2c6

SHA512
d869e200f65eabff5fb175dedce212b077abc87da96e25a700785c1874a9da65286d57d6359f83f677076edd1226ee011a47222ddf350ca7cd0c2b492990fcb5

Download Submit
C:\Windows\system\nLNWScA.exe
Filesize
5.2MB

MD5
9b8ad09e3f9ce22774bfa72799f53411

SHA1
0e9d8495189289bd5a5d9c83f72914baf35f219c

SHA256
42fcb75b659a1888918b3b42f7e5fe7db3620765a36a573acab73cc6b0f33e20

SHA512
19b5e383c1cf7bb56e5bead04c21002f1a391482808abe1de7cca6dfcd9362b33f933bbf4fe75c07cd2f51dc8bdd4e3f69af61c6cb3d709527fdf85672a96468

Download Submit
C:\Windows\system\oqLtPzH.exe
Filesize
5.2MB

MD5
fd71d636306501661136bb19b246dbd8

SHA1
eb9dc0658e670a4c5ba5a7908a7023bcfc9d27e0

SHA256
204118325f31c764b12170b6db033670a4382c0e0380806bb596bddf6267e803

SHA512
d9774a9de52daff11968c96203dfc8034868867687dbe7b3fb0e8fb05a79de6ddda13ac9c076550a1ea2c186536f28ba2bee9cf0315ba3df0ccf3dc1ac9a498d

Download Submit
C:\Windows\system\wjpwhPi.exe
Filesize
5.2MB

MD5
e2cf5b817e0678bbfc9e9c8adfe19d52

SHA1
bf1a14967024154cbbb774fd87ff1d18a49a9c30

SHA256
3ef07b7b631fd2dd2f6bf786d1ea2cc0530c6016885f00520eb77a7871722cf0

SHA512
80582403030115b1e88318df30586e46b6bdad9c40c35660b98072285d7546d7661a6e9f1eee3bf3ef0db80decb58d7fd2623609f0472dbee116572c2c32afa8

Download Submit
C:\Windows\system\zajOBCB.exe
Filesize
5.2MB

MD5
9b34a873c51ebe5f55f67ed9575b4575

SHA1
99d029d5f6bcc9ed5d8c13b921bbb44141f89bcc

SHA256
942c4619dfe51d0764ca9c721af8e5fbcef5ad4b3abcba8ac6009c312f0e779e

SHA512
c64f5d90218ea5100b0b1a4d64c258c638d992915429d8a8f854d8ec221955d0f98411c2e3d6017610cfdddf436325ba96b8c508698a6c2624c2de2110c723fc

Download Submit
\Windows\system\HQgnjqp.exe
Filesize
5.2MB

MD5
a6a6b81f47d6ca745a43b78283878076

SHA1
b077f1f4b681156b55951aed6d705ec39a475621

SHA256
5c5a4d550e438106a8cb1d71f1727b34c5b6699eafa47102ff494dbe0915f3ec

SHA512
6087e652aac5da00d39538c42d7bd519d305391630b07e961218abdd7df3ac16b81e709cea412c3fa82b2a43a1a97aeaa76f91d10562df0fac820498c5aa7a32

Download Submit
\Windows\system\WVEcIJB.exe
Filesize
5.2MB

MD5
67baf252c57a062f6ecbccbfa857a9be

SHA1
1631cd5bd847a898968b2944cf474b0aefa12c96

SHA256
e82b58ae49a85adb27460fd52c9fde52fcc337e08cd12e8864b7836c1a18fabc

SHA512
e448d1ec14f910a29f99dc9c46643e38521c7e3cd68a7acd556ff74e64918df2ae6152ae34b36e03cda2620c5ef7e260ed8c7c2319738643b9ef4533cc1a2f42

Download Submit
\Windows\system\WkyBicn.exe
Filesize
5.2MB

MD5
6bacd9a15d67aac16b3d4387110300ba

SHA1
3af20044e4ea2166e1c7b5f437d11ac287577365

SHA256
e44e15c71ac8d3050ecf86772a723fff4f773a40efa8b5ecc0e9157f4d2300de

SHA512
01108ee58a0574ed2fc5106e0365e26ac15c777c46844d0590a8efec930aab36c456b40feef7228c42857856538c5b85f2e6955b1a20b1b9a92f09395e4cf787

Download Submit
\Windows\system\aAAhhrz.exe
Filesize
5.2MB

MD5
99e2f2c984b1c28c548cd62f9c2bdf7f

SHA1
a3f475af61a715ebd2c6053a44201f64c1c37bf6

SHA256
b38cfebea7ae67b68b18f201ad6b2f039fe3e6e64bef2c7129abebe2445ee6ed

SHA512
2953ea7507b4db45f83501aaa4c58ff0dbd9b8b71edfc078e07b3a2654ab518124cddac975c0bada53c44eab4ccf20b1c81a538e9f51d6f8d8b7f2987ba10ad5

Download Submit
\Windows\system\eIIhGPF.exe
Filesize
5.2MB

MD5
896290198b77d97c49e50bea0c58d3e4

SHA1
34416c6551e81b7c791ee8a20eac6a016f164bdf

SHA256
60e963538cd2fe8848bf5626f3e9b77b01fa0a2c1495c0b09bd825f73d7ed109

SHA512
ac19e262ffd9824becba50a6d8112363c7dbfad00fc2fd745e139bc439f5d5c503d1cc5c7b05b84e4e165962c157058f33f07a4d9c8e6a716de81b71d97f664a

Download Submit
\Windows\system\eqCfrwq.exe
Filesize
5.2MB

MD5
f9b6dc9050a34417c75f4ae7dcc7c942

SHA1
2906df6bd3a3bcc00ec6c08da7b3a643704d70c2

SHA256
335ee6e6756d8480c6ea0e8744bb3ed34ce773748fb07f5423a1ed1996ec411e

SHA512
03e127fc4c5a70a9d838589f067b2d0a04e930fb021acc4d4bdffcf9e40ee3b2e45d20f3d72493257b697a48536eae667e507ada98b4b592ac145f3ddd4e8353

Download Submit
\Windows\system\kRsbuNo.exe
Filesize
5.2MB

MD5
bab56d7d1c4ab4a7b17629728d11876f

SHA1
a63d057ee9f09126e7d824e17d9028cd4f5b9349

SHA256
72ff6ca3cdd8c18d5bee3980cbc5cab7c0c569b06490f678e7d2a66be2486d26

SHA512
3298ee601e6d29d0c33a6da6bf1ce66caffb305cc88a367db9b794a43cb08b4d063d59768300f7d4bfeb3b40c6699947fb6007e064cf3f16ab8f82ef63541885

Download Submit
\Windows\system\lhbUGkH.exe
Filesize
5.2MB

MD5
1e96955fcec499ba043cda4ef4d18f32

SHA1
dafce1bcb9135030406a1ab8c7b74b4b858d3009

SHA256
d9f2323a51493664522a73627e8ee48d7eb0effe18d17bd60117c0e537b96ed5

SHA512
20cde5dd44b1b0073c2c016099b0e1688cd7b504e112878ca6c129bb7d6c513aac17d7d0e186783602a29bba409a6ba830aa3474edb873b13246ff72158d8dbc

Download Submit
\Windows\system\nOexpjE.exe
Filesize
5.2MB

MD5
a5302af22cc636c8a9dc23099ae450ee

SHA1
3592001aed6f42e065f784b61fa603da42c4a421

SHA256
02abd12bc90eda15a202a10d92a1272f6cc51f8f493fa44421e940a16d973b3a

SHA512
95ee49bd3dfc64f20e59d98a39b1e1fdb543f9e9fefccaaa61f1a7bc972c60fefd7cb34b447424080a5f6da8b340f25bfb1e0dc63560a4b77d52a9dc2d24c4bd

Download Submit
\Windows\system\ptgnzKp.exe
Filesize
5.2MB

MD5
46cc978732c03f8a22af287d312aa486

SHA1
3782ebf37816ca7cc39f718ebfc57da535ee80a9

SHA256
35d836e000067b7bb5c86192567423c93bb8e2be5172a8e1df4b5ca5c11ccb2e

SHA512
1e3aa23a9600d96eee9b6672bab3a78773bc71d698b0a948e27d4d5970efed715b579dbb756e8004185542efa068a5c42a5eac84c19c25d82f3821cb8ab50e42

Download Submit
memory/1600-232-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/1600-14-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/1600-146-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/1744-243-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/1744-68-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/1748-85-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/1748-251-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/1916-136-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2024-233-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2024-37-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2088-69-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-145-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-7-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2088-75-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-0-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2088-84-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-71-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2088-42-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-91-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-43-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-1-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-66-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2088-194-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-60-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-129-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2088-59-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-193-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2088-137-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-138-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2088-171-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-139-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-149-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-147-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-98-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2088-49-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2180-160-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2180-78-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2180-249-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2468-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2468-58-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2468-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2492-247-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2492-70-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2496-259-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2496-144-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2532-268-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-141-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-44-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2536-235-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2584-51-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-239-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-64-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2640-241-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2700-255-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2700-101-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2712-112-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-258-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-164-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-54-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2736-240-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2788-266-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-140-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2944-231-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2944-19-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2976-143-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2980-270-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-142-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-253-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-92-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-162-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download