cobaltstrike | eb0fcabf990a1728a83da8a32cf22e9c7cb806d6a289ce92fede9e6847d5e3a9

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

d0642307143408f7450e396cfdf78876
SHA1

4aff75165cb3069bc98823ce3695ad7399af49a0
SHA256

eb0fcabf990a1728a83da8a32cf22e9c7cb806d6a289ce92fede9e6847d5e3a9
SHA512

af3d9162085e6645116087cd26f55f9bf490cd791bccfb3edee6b11f2ebed03c7f850794c9068584c22d35ca47d7d31f8873be175e81cbd02d42f0c9c4e0042e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\mmHBMYu.exe	cobalt_reflective_dll
\Windows\system\XwjMwJL.exe	cobalt_reflective_dll
C:\Windows\system\UhDfkfx.exe	cobalt_reflective_dll
\Windows\system\HbQCsGe.exe	cobalt_reflective_dll
\Windows\system\MFkUwKb.exe	cobalt_reflective_dll
\Windows\system\VaExthU.exe	cobalt_reflective_dll
C:\Windows\system\QBQVUxp.exe	cobalt_reflective_dll
\Windows\system\FeWOCPn.exe	cobalt_reflective_dll
\Windows\system\ApJNRvF.exe	cobalt_reflective_dll
C:\Windows\system\ERZeAPz.exe	cobalt_reflective_dll
\Windows\system\VVoYXzt.exe	cobalt_reflective_dll
C:\Windows\system\wakpTNw.exe	cobalt_reflective_dll
C:\Windows\system\PFlmact.exe	cobalt_reflective_dll
\Windows\system\jtQvCjM.exe	cobalt_reflective_dll
\Windows\system\FyNjtUL.exe	cobalt_reflective_dll
\Windows\system\NbLNDRH.exe	cobalt_reflective_dll
\Windows\system\pIKBRON.exe	cobalt_reflective_dll
C:\Windows\system\cxItjcp.exe	cobalt_reflective_dll
C:\Windows\system\BnGgnrP.exe	cobalt_reflective_dll
C:\Windows\system\GiUzRHb.exe	cobalt_reflective_dll
C:\Windows\system\WSOCury.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\mmHBMYu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\XwjMwJL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UhDfkfx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\HbQCsGe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\MFkUwKb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VaExthU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QBQVUxp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FeWOCPn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ApJNRvF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ERZeAPz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VVoYXzt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wakpTNw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PFlmact.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\jtQvCjM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FyNjtUL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\NbLNDRH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\pIKBRON.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cxItjcp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BnGgnrP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GiUzRHb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WSOCury.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2972-0-0x000000013F210000-0x000000013F561000-memory.dmp	UPX
C:\Windows\system\mmHBMYu.exe	UPX
\Windows\system\XwjMwJL.exe	UPX
C:\Windows\system\UhDfkfx.exe	UPX
behavioral1/memory/1636-19-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/2136-21-0x000000013FA20000-0x000000013FD71000-memory.dmp	UPX
behavioral1/memory/1908-25-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
\Windows\system\HbQCsGe.exe	UPX
\Windows\system\MFkUwKb.exe	UPX
\Windows\system\VaExthU.exe	UPX
C:\Windows\system\QBQVUxp.exe	UPX
behavioral1/memory/2584-44-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
behavioral1/memory/2568-45-0x000000013F790000-0x000000013FAE1000-memory.dmp	UPX
\Windows\system\FeWOCPn.exe	UPX
behavioral1/memory/2552-54-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
behavioral1/memory/2572-55-0x000000013FE10000-0x0000000140161000-memory.dmp	UPX
behavioral1/memory/1660-30-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
\Windows\system\ApJNRvF.exe	UPX
behavioral1/memory/2440-62-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
C:\Windows\system\ERZeAPz.exe	UPX
behavioral1/memory/2492-69-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX
\Windows\system\VVoYXzt.exe	UPX
behavioral1/memory/2956-76-0x000000013FCB0000-0x0000000140001000-memory.dmp	UPX
C:\Windows\system\wakpTNw.exe	UPX
C:\Windows\system\PFlmact.exe	UPX
\Windows\system\jtQvCjM.exe	UPX
\Windows\system\FyNjtUL.exe	UPX
\Windows\system\NbLNDRH.exe	UPX
behavioral1/memory/2764-124-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
behavioral1/memory/2804-133-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	UPX
behavioral1/memory/3036-134-0x000000013F480000-0x000000013F7D1000-memory.dmp	UPX
behavioral1/memory/2828-135-0x000000013F590000-0x000000013F8E1000-memory.dmp	UPX
behavioral1/memory/2416-136-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/1888-137-0x000000013F850000-0x000000013FBA1000-memory.dmp	UPX
behavioral1/memory/1704-138-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
\Windows\system\pIKBRON.exe	UPX
behavioral1/memory/2972-142-0x000000013F210000-0x000000013F561000-memory.dmp	UPX
behavioral1/memory/1660-143-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/memory/2508-145-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/memory/404-140-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/memory/1884-118-0x000000013F240000-0x000000013F591000-memory.dmp	UPX
C:\Windows\system\cxItjcp.exe	UPX
C:\Windows\system\BnGgnrP.exe	UPX
C:\Windows\system\GiUzRHb.exe	UPX
C:\Windows\system\WSOCury.exe	UPX
behavioral1/memory/2584-146-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
behavioral1/memory/2972-147-0x000000013F210000-0x000000013F561000-memory.dmp	UPX
behavioral1/memory/2440-156-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/2956-158-0x000000013FCB0000-0x0000000140001000-memory.dmp	UPX
behavioral1/memory/2508-168-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/memory/2972-170-0x000000013F210000-0x000000013F561000-memory.dmp	UPX
behavioral1/memory/1908-226-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/2136-225-0x000000013FA20000-0x000000013FD71000-memory.dmp	UPX
behavioral1/memory/1636-224-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/1660-230-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/memory/2584-233-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
behavioral1/memory/2568-232-0x000000013F790000-0x000000013FAE1000-memory.dmp	UPX
behavioral1/memory/2552-234-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
behavioral1/memory/2572-236-0x000000013FE10000-0x0000000140161000-memory.dmp	UPX
behavioral1/memory/2440-238-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/2492-240-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX
behavioral1/memory/2956-252-0x000000013FCB0000-0x0000000140001000-memory.dmp	UPX
behavioral1/memory/1884-254-0x000000013F240000-0x000000013F591000-memory.dmp	UPX
behavioral1/memory/2804-263-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	UPX

XMRig Miner payload 52 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1636-19-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2136-21-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/1908-25-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2584-44-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2568-45-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2552-54-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2572-55-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2972-56-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2440-62-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2492-69-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2956-76-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2764-124-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2804-133-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/3036-134-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2828-135-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2416-136-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/1888-137-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/1704-138-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2972-142-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1660-143-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2508-145-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/404-140-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2972-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2972-125-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/1884-118-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2584-146-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2972-147-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2440-156-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2956-158-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2508-168-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2972-170-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1908-226-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2136-225-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/1636-224-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/1660-230-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2584-233-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2568-232-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2552-234-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2572-236-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2440-238-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2492-240-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2956-252-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/1884-254-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2804-263-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2416-266-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/1888-268-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/1704-267-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2828-264-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/3036-261-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2764-260-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/404-270-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2508-272-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

mmHBMYu.exeUhDfkfx.exeXwjMwJL.exeHbQCsGe.exeMFkUwKb.exeQBQVUxp.exeVaExthU.exeFeWOCPn.exeApJNRvF.exeERZeAPz.exeVVoYXzt.exewakpTNw.exePFlmact.exeWSOCury.exeGiUzRHb.exeBnGgnrP.execxItjcp.exejtQvCjM.exeNbLNDRH.exeFyNjtUL.exepIKBRON.exe

pid	process
1636	mmHBMYu.exe
2136	UhDfkfx.exe
1908	XwjMwJL.exe
1660	HbQCsGe.exe
2584	MFkUwKb.exe
2568	QBQVUxp.exe
2552	VaExthU.exe
2572	FeWOCPn.exe
2440	ApJNRvF.exe
2492	ERZeAPz.exe
2956	VVoYXzt.exe
1884	wakpTNw.exe
2764	PFlmact.exe
2804	WSOCury.exe
3036	GiUzRHb.exe
2828	BnGgnrP.exe
2416	cxItjcp.exe
1888	jtQvCjM.exe
404	NbLNDRH.exe
1704	FyNjtUL.exe
2508	pIKBRON.exe

Loads dropped DLL 21 IoCs

Processes:

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

pid	process
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2972-0-0x000000013F210000-0x000000013F561000-memory.dmp	upx
C:\Windows\system\mmHBMYu.exe	upx
\Windows\system\XwjMwJL.exe	upx
C:\Windows\system\UhDfkfx.exe	upx
behavioral1/memory/1636-19-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2136-21-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/1908-25-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
\Windows\system\HbQCsGe.exe	upx
\Windows\system\MFkUwKb.exe	upx
\Windows\system\VaExthU.exe	upx
C:\Windows\system\QBQVUxp.exe	upx
behavioral1/memory/2584-44-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2568-45-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
\Windows\system\FeWOCPn.exe	upx
behavioral1/memory/2552-54-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2572-55-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/1660-30-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
\Windows\system\ApJNRvF.exe	upx
behavioral1/memory/2440-62-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
C:\Windows\system\ERZeAPz.exe	upx
behavioral1/memory/2492-69-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
\Windows\system\VVoYXzt.exe	upx
behavioral1/memory/2956-76-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
C:\Windows\system\wakpTNw.exe	upx
C:\Windows\system\PFlmact.exe	upx
\Windows\system\jtQvCjM.exe	upx
\Windows\system\FyNjtUL.exe	upx
\Windows\system\NbLNDRH.exe	upx
behavioral1/memory/2764-124-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2804-133-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/3036-134-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2828-135-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2416-136-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/1888-137-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/memory/1704-138-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
\Windows\system\pIKBRON.exe	upx
behavioral1/memory/2972-142-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/1660-143-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2508-145-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/404-140-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/1884-118-0x000000013F240000-0x000000013F591000-memory.dmp	upx
C:\Windows\system\cxItjcp.exe	upx
C:\Windows\system\BnGgnrP.exe	upx
C:\Windows\system\GiUzRHb.exe	upx
C:\Windows\system\WSOCury.exe	upx
behavioral1/memory/2584-146-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2972-147-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2440-156-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2956-158-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/2508-168-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/2972-170-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/1908-226-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2136-225-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/1636-224-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/1660-230-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2584-233-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2568-232-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/2552-234-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2572-236-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/2440-238-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2492-240-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2956-252-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/1884-254-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2804-263-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\wakpTNw.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cxItjcp.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pIKBRON.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XwjMwJL.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HbQCsGe.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ApJNRvF.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NbLNDRH.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mmHBMYu.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UhDfkfx.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PFlmact.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ERZeAPz.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VVoYXzt.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WSOCury.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BnGgnrP.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GiUzRHb.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MFkUwKb.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VaExthU.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FeWOCPn.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FyNjtUL.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jtQvCjM.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QBQVUxp.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2972 wrote to memory of 1636	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	mmHBMYu.exe
PID 2972 wrote to memory of 1636	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	mmHBMYu.exe
PID 2972 wrote to memory of 1636	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	mmHBMYu.exe
PID 2972 wrote to memory of 2136	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	UhDfkfx.exe
PID 2972 wrote to memory of 2136	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	UhDfkfx.exe
PID 2972 wrote to memory of 2136	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	UhDfkfx.exe
PID 2972 wrote to memory of 1908	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	XwjMwJL.exe
PID 2972 wrote to memory of 1908	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	XwjMwJL.exe
PID 2972 wrote to memory of 1908	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	XwjMwJL.exe
PID 2972 wrote to memory of 1660	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	HbQCsGe.exe
PID 2972 wrote to memory of 1660	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	HbQCsGe.exe
PID 2972 wrote to memory of 1660	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	HbQCsGe.exe
PID 2972 wrote to memory of 2584	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	MFkUwKb.exe
PID 2972 wrote to memory of 2584	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	MFkUwKb.exe
PID 2972 wrote to memory of 2584	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	MFkUwKb.exe
PID 2972 wrote to memory of 2568	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	QBQVUxp.exe
PID 2972 wrote to memory of 2568	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	QBQVUxp.exe
PID 2972 wrote to memory of 2568	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	QBQVUxp.exe
PID 2972 wrote to memory of 2552	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	VaExthU.exe
PID 2972 wrote to memory of 2552	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	VaExthU.exe
PID 2972 wrote to memory of 2552	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	VaExthU.exe
PID 2972 wrote to memory of 2572	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	FeWOCPn.exe
PID 2972 wrote to memory of 2572	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	FeWOCPn.exe
PID 2972 wrote to memory of 2572	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	FeWOCPn.exe
PID 2972 wrote to memory of 2440	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ApJNRvF.exe
PID 2972 wrote to memory of 2440	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ApJNRvF.exe
PID 2972 wrote to memory of 2440	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ApJNRvF.exe
PID 2972 wrote to memory of 2492	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ERZeAPz.exe
PID 2972 wrote to memory of 2492	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ERZeAPz.exe
PID 2972 wrote to memory of 2492	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ERZeAPz.exe
PID 2972 wrote to memory of 2956	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	VVoYXzt.exe
PID 2972 wrote to memory of 2956	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	VVoYXzt.exe
PID 2972 wrote to memory of 2956	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	VVoYXzt.exe
PID 2972 wrote to memory of 1884	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	wakpTNw.exe
PID 2972 wrote to memory of 1884	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	wakpTNw.exe
PID 2972 wrote to memory of 1884	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	wakpTNw.exe
PID 2972 wrote to memory of 2764	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	PFlmact.exe
PID 2972 wrote to memory of 2764	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	PFlmact.exe
PID 2972 wrote to memory of 2764	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	PFlmact.exe
PID 2972 wrote to memory of 2804	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	WSOCury.exe
PID 2972 wrote to memory of 2804	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	WSOCury.exe
PID 2972 wrote to memory of 2804	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	WSOCury.exe
PID 2972 wrote to memory of 2828	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	BnGgnrP.exe
PID 2972 wrote to memory of 2828	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	BnGgnrP.exe
PID 2972 wrote to memory of 2828	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	BnGgnrP.exe
PID 2972 wrote to memory of 3036	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	GiUzRHb.exe
PID 2972 wrote to memory of 3036	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	GiUzRHb.exe
PID 2972 wrote to memory of 3036	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	GiUzRHb.exe
PID 2972 wrote to memory of 404	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	NbLNDRH.exe
PID 2972 wrote to memory of 404	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	NbLNDRH.exe
PID 2972 wrote to memory of 404	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	NbLNDRH.exe
PID 2972 wrote to memory of 2416	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	cxItjcp.exe
PID 2972 wrote to memory of 2416	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	cxItjcp.exe
PID 2972 wrote to memory of 2416	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	cxItjcp.exe
PID 2972 wrote to memory of 1704	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	FyNjtUL.exe
PID 2972 wrote to memory of 1704	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	FyNjtUL.exe
PID 2972 wrote to memory of 1704	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	FyNjtUL.exe
PID 2972 wrote to memory of 1888	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	jtQvCjM.exe
PID 2972 wrote to memory of 1888	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	jtQvCjM.exe
PID 2972 wrote to memory of 1888	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	jtQvCjM.exe
PID 2972 wrote to memory of 2508	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	pIKBRON.exe
PID 2972 wrote to memory of 2508	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	pIKBRON.exe
PID 2972 wrote to memory of 2508	2972	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	pIKBRON.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\System\mmHBMYu.exe
C:\Windows\System\mmHBMYu.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\UhDfkfx.exe
C:\Windows\System\UhDfkfx.exe
2⤵
- Executes dropped EXE
PID:2136

C:\Windows\System\XwjMwJL.exe
C:\Windows\System\XwjMwJL.exe
2⤵
- Executes dropped EXE
PID:1908

C:\Windows\System\HbQCsGe.exe
C:\Windows\System\HbQCsGe.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\System\MFkUwKb.exe
C:\Windows\System\MFkUwKb.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\QBQVUxp.exe
C:\Windows\System\QBQVUxp.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\VaExthU.exe
C:\Windows\System\VaExthU.exe
2⤵
- Executes dropped EXE
PID:2552

C:\Windows\System\FeWOCPn.exe
C:\Windows\System\FeWOCPn.exe
2⤵
- Executes dropped EXE
PID:2572

C:\Windows\System\ApJNRvF.exe
C:\Windows\System\ApJNRvF.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\ERZeAPz.exe
C:\Windows\System\ERZeAPz.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\VVoYXzt.exe
C:\Windows\System\VVoYXzt.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\wakpTNw.exe
C:\Windows\System\wakpTNw.exe
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\System\PFlmact.exe
C:\Windows\System\PFlmact.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\WSOCury.exe
C:\Windows\System\WSOCury.exe
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\System\BnGgnrP.exe
C:\Windows\System\BnGgnrP.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\GiUzRHb.exe
C:\Windows\System\GiUzRHb.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\NbLNDRH.exe
C:\Windows\System\NbLNDRH.exe
2⤵
- Executes dropped EXE
PID:404

C:\Windows\System\cxItjcp.exe
C:\Windows\System\cxItjcp.exe
2⤵
- Executes dropped EXE
PID:2416

C:\Windows\System\FyNjtUL.exe
C:\Windows\System\FyNjtUL.exe
2⤵
- Executes dropped EXE
PID:1704

C:\Windows\System\jtQvCjM.exe
C:\Windows\System\jtQvCjM.exe
2⤵
- Executes dropped EXE
PID:1888

C:\Windows\System\pIKBRON.exe
C:\Windows\System\pIKBRON.exe
2⤵
- Executes dropped EXE
PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BnGgnrP.exe
Filesize
5.2MB

MD5
f779413ad9322daadd11cc0e9581313b

SHA1
e3e40bdd2becbc0368fc0e731e14124efa9f021c

SHA256
1281a028ff55b5175e995f86365f95ccb8ddf03dde8659d7ad95549ca9ac5ebe

SHA512
cec19e11a7c9e3c69c0e6d15982a016c201ef348e9729cfb42861c98c0cd22d4ee6575ccbd6a5fff60ee8934b2d0716cefdd7b209543162fb8fd846dbcfdf349

Download Submit
C:\Windows\system\ERZeAPz.exe
Filesize
5.2MB

MD5
ec90b8063c8394948822e7f18a8f6b9a

SHA1
5fd71e7a504eec38054be4e94aa69eef1a8de944

SHA256
4dff362fb68cc9055b12e80ddbf97fc6118aa2b6b24097eaa8651af4798fcfed

SHA512
710d9e206c74d2e70d03353ee283e776306f8f48bd19c47f8a73be9165c6ceb8ea057c3b61a8e3657b7e57a8871515307c577410673b996bb40e9a19d3853f53

Download Submit
C:\Windows\system\GiUzRHb.exe
Filesize
5.2MB

MD5
6f0155efc8cb50bf5c5e62115da99b28

SHA1
0ce82aede4df873b1515e0aa6f10da9e7ff3331d

SHA256
327eb227c7e4c36b36af6ee22b7775ff3b79a8d78a53571bdfc053ae623254e4

SHA512
096e427efe4fced67d2391d46071033da66c1c539914aacec8dad10e83b2253e888150fb31b7e621ac7e6226eb011de2b2d893c70ccd9736b4e88d47b72f3508

Download Submit
C:\Windows\system\PFlmact.exe
Filesize
5.2MB

MD5
8090c596c05d51f03cdd474740993b96

SHA1
8eae9a09cd66e1e1b9f259679d6f5cf17d4863d9

SHA256
1970c18ad69425283c393be710c0664751ec7e9d8347bdbbd106ea57a1e8518c

SHA512
9e5e42873eb34b1892c9a7b1abaa0d9b1f4649ea798c8886a27eecbf5ed3ebad83f3dc9e7821910c0256832b5d5568a6b4a0d1997c692b334849aa84200dfd45

Download Submit
C:\Windows\system\QBQVUxp.exe
Filesize
5.2MB

MD5
c7f7ec71e60324efcfe0bada95b44870

SHA1
caeb6f86529a32900c683bb2f127d52ff99b1757

SHA256
d5edf528a009f4aea33a30d32b301d60452a8faa1df996af96456cb2fb5cc54c

SHA512
0d632adc4fd9725f0ad082ac65b7ae1a5ec2037b5ae2ed2fd78613472e9ae93ae227ca44675da6e5e13f37b39216858ee10c8ecdb8605b6bedbe26c78f37154d

Download Submit
C:\Windows\system\UhDfkfx.exe
Filesize
5.2MB

MD5
9d2e9728ab9bd023f0fed86ae6c28057

SHA1
a2feda4f41067f1fff9d1680d326e8134171f9a4

SHA256
6833c6609fd2482d6179c8816c5b419664a33367b1ce5268b46d2f5a50c0b290

SHA512
928c43039e92d3316e27f25560ce147cbf440c69bbbbe40d160f2c41ede09774d08a707837352982ef0095334edc9e38945ede10bd5954f014947cffe43328e1

Download Submit
C:\Windows\system\WSOCury.exe
Filesize
5.2MB

MD5
7fc35bbaac80ce3b0bc68b689dc3ef69

SHA1
0dacc1f1b0d1faa81e46cbab6f4aaa909d1fb902

SHA256
6f43562d6aaca9b066cfbf5dc32d831e72b8f435a58ab7825065b74edb1b8a13

SHA512
afa0248a8fa28a707a792bfe5c430f2dead37057af9cec03a6cf33e9d4d71051fd165c7b502aa4351302061cb5f67df3f33798a37d3b57832ebf7f4bb7c12272

Download Submit
C:\Windows\system\cxItjcp.exe
Filesize
5.2MB

MD5
3d3cdd5006d736680058efff86608db7

SHA1
2480b7fec832f8aa72fe5161f6c3d3c1d249ebe1

SHA256
d96eaf7406e61a14824da8eb0fccdc270e9ea5126cd8d043fc1d1f274303d304

SHA512
0f874b358e5f5a4c93b9d3b611586f79de3e91c38a76a57a4a8ecabd0ad9aa22a322e644eebb9db744146aaba2f1dfe794ace4f2c3b9480c5888790134105be8

Download Submit
C:\Windows\system\mmHBMYu.exe
Filesize
5.2MB

MD5
544adc8c71bf623a5aed477f49a0b78c

SHA1
fa0bd9531ee821ce2448d56b0a90d8bbd4d6ec6c

SHA256
425fde56af954e48940cb546ac1bb8fdcd8f57f7d8db75c460e05dee2adcdd61

SHA512
8e624369f5a16ff4ff15d85fa83fd0ed794511ef19ae9d4fd537bfbe03588587648ff3ccb53c7d8f3afd2a7420ac447237b648b840ed909b3059817cb1fe41c6

Download Submit
C:\Windows\system\wakpTNw.exe
Filesize
5.2MB

MD5
9d8428118b082aac352a57912ffa174e

SHA1
a60f6a3a2d905f708f0bcfc5375da8cb2c85dba1

SHA256
713408d3ea42863e95c67190036312be80dda18cc2dca8e3cf100edd4e2c2800

SHA512
b76c2383e8f6c8897f6128473148552bcbbf900503a447179a06db9e8e33fb04db3abe8d418215a65d6da14b9ec2703dbf540cdda1874dcbfcc3daeaf1a98234

Download Submit
\Windows\system\ApJNRvF.exe
Filesize
5.2MB

MD5
91836af9fcf6ddd3f38e21ac834ae803

SHA1
97013055600e689cc253956b36935c040d7f4f07

SHA256
7ea8cbc2883da47a09dc44cfe23d73971a05aa21030e69315bc4066801181a89

SHA512
42354c0f2375956b00968bd4dadd65b2d110d7f74a9b37864736254c9713426dc1a153e5700036ceb744b42fb39f95e1032b788e537058594fef241c6cc86aa4

Download Submit
\Windows\system\FeWOCPn.exe
Filesize
5.2MB

MD5
a69cb16f2176bc63708992e452fcd299

SHA1
f4ea97142b98479edf6a655fe131b50988f1e648

SHA256
54aa4672b500c847456e763bb9c83fd4f1b418fcdf3fdef330afc9e7c532416c

SHA512
8c29d5a65182176dca7df79cc86b62877bcc1fccc104836de7eebf77b6e1d76b7b6a33fe5740bce8ae5b12bb0a4e7be065babf9cbf99ab795e063bb2517ef386

Download Submit
\Windows\system\FyNjtUL.exe
Filesize
5.2MB

MD5
423d2e18d3a13a8c840db1fc42708cd5

SHA1
36bc84fafe8390a2eda3cacb83458a454582599c

SHA256
54bfe5b8676b26375e05c03c1874157eea52ea7c6399f5cf7fcc5fe1d19bb642

SHA512
79135410630b6ade28c5e6b57aa23a262a7f46ec0a18e5872285742cd897b730800d2499455d5dd84cc3839ee5943917ac0836f514a49a554727b6181d5c790e

Download Submit
\Windows\system\HbQCsGe.exe
Filesize
5.2MB

MD5
4717c793534d4b322e1b5d2e7836a466

SHA1
b444a078d92edc954a5794a65f1cf00b767bb910

SHA256
a1755915955b6d4bac7265b3c9d5b0139a67652b7e5cc38e55a8419481cf0e3c

SHA512
d127f5836878bd4d303183dc8458909523d37184bf09e8b763bd204eacdd30283431c0ed0b8fa5c03832a91bfe820d7c84f1b6bca26516684ab3d68f13e77c0b

Download Submit
\Windows\system\MFkUwKb.exe
Filesize
5.2MB

MD5
683daafa53dc669809fc9e7a02409ee0

SHA1
e33db65c2fc7c7dc2e649879dc2313461ea8b17c

SHA256
ecee3531cdf71ee7b369e9ba33bc7820d32a73f9f40f1111a3dded8d63e31777

SHA512
d0737e7c92f89129131df3da61a03df7401b3dc8eae85f08c276f4e4a3790b94e72a3e8b629974ae1abe29396eec062781df0926ff99599653db4cd3810fb5ad

Download Submit
\Windows\system\NbLNDRH.exe
Filesize
5.2MB

MD5
f22417f5296ee815598a913810815fee

SHA1
7102ca9d59718d088504302719bea350f70b62d2

SHA256
166d2417daa7b29e011d22ff5399fa3eedad1444e99308e2f8a55653d48410b1

SHA512
291b1044cef753680cc8e1fc3b7ab97468e9044532fca2e83adc0b74dac3290d6b4888bdbbbfb38c4cbdea5834da3f9c6f6446064faf1b8b3b0ab7766f4065b8

Download Submit
\Windows\system\VVoYXzt.exe
Filesize
5.2MB

MD5
ee4519ba2f24915dcdf43820f0f7bfec

SHA1
42cb40835011219ab665a128d28fa717226ab309

SHA256
a904dd19b7cff9c98f86451dcf0d9613d85bdfe04c2bc56581b2f3a102f57896

SHA512
5d42973f0c6ffd30de3974abea5fb0fa78fe02bbd2b60c7d8e9caf7031db3be57f3554a437026d2ae8158396ec01d97eaf934171291feca318496286429c2e58

Download Submit
\Windows\system\VaExthU.exe
Filesize
5.2MB

MD5
0dce4bc500f1f22920161e57c9c2a439

SHA1
3edd03d0b552bd9a4f53d9cf40f783e9b7b52b76

SHA256
223d707ea63feca25997276db73b84407bb34663be0b336b312c4e7b8e40ce06

SHA512
f1b12ec6baca9637e4275e8f01c1163a6ef5379cd1fe225ef01a9b403a15baecb0ba31d4fbafda7351f2a159357943478d5e32a74d60c6ff846d0c63be5ced2b

Download Submit
\Windows\system\XwjMwJL.exe
Filesize
5.2MB

MD5
6a608ea05197aa00b648057d452f6c70

SHA1
104750583184cb46f5f0fd04e464cf5e8abdbff6

SHA256
d60ffacee07e534ec9f1d6238d485bf8ba4ab1dd43b31fcce8529b17ef89abd7

SHA512
e72237a7940ea278bb0da7c6bdc63d8fec1a5fb0973b43ad8f5dfd5251511445f05a351009594a69ea7f7cf435ffbd5034250c07e72f39898cf7809aa9807044

Download Submit
\Windows\system\jtQvCjM.exe
Filesize
5.2MB

MD5
68670db836e3bb4c8f559c2cac659295

SHA1
c0159dd397ed80fe76e934c831aba84b1ea3a0d4

SHA256
278d55281124d0969cebd15714096de525e5ebf39583710677b6ebac9e27f84e

SHA512
88124e149fb2cb337faf06eee26470c01633ec7b5ff84f7355ae65ce4a92bad9cbee99fe287aa55093c3448ab295177d24280cd84886ff1826ff7f86bc5f2fa2

Download Submit
\Windows\system\pIKBRON.exe
Filesize
5.2MB

MD5
2f0f1e0081efe4859dae4f05413a9e8e

SHA1
719b5fadf6d98152638b380626c112d19fb3b697

SHA256
88ba54d81ffe601b807eab3c70c73967aeec721f79fc35006bbb7454a3c0d50e

SHA512
6db42fd515ae9a5cd8ace0ae15b6147cdcd489913a3f7d869affb3dfce9dbd51b14140c5b31748b0b88a57bdd95f7233e6baaa93c7d564186cd513a263599318

Download Submit
memory/404-140-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/404-270-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1636-224-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1636-19-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-30-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/1660-143-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/1660-230-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/1704-267-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1704-138-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-254-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1884-118-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1888-268-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1888-137-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-25-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/1908-226-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2136-21-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2136-225-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2416-136-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2416-266-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2440-238-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2440-62-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2440-156-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2492-240-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-69-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-168-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-272-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-145-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-234-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-54-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-45-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-232-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-236-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2572-55-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2584-146-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-233-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-44-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-124-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2764-260-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2804-263-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-133-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-135-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-264-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-76-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2956-252-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2956-158-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2972-127-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2972-75-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2972-170-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2972-192-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-142-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2972-0-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2972-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2972-132-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-131-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2972-93-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2972-125-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-126-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-139-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2972-169-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2972-130-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2972-68-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-56-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2972-48-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2972-47-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2972-46-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2972-147-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2972-12-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/2972-20-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/3036-261-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-134-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download