cobaltstrike | 3e8096daf6cf0fec99d42f15127ff3845962020070f20d3f7267a8d52c849111

Analysis

max time kernel
137s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

deea120a6a98980875ba1be3d3d3add1
SHA1

8a9ebdc69006ec4d87904f48ddb81c79545dda10
SHA256

3e8096daf6cf0fec99d42f15127ff3845962020070f20d3f7267a8d52c849111
SHA512

6ff005f3f76fb137ba574eddd3afe12e52d3e3e40a3ff6cbec605c507e7f0c2e7f42e14b3f5dd009551ff83f7ca95b256e3cbce3ed70a0d12a8a5a712fe07fc5
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lU4:E+b56utgpPF8u/74

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\wsVBDVK.exe	cobalt_reflective_dll
\Windows\system\lcYkPuM.exe	cobalt_reflective_dll
C:\Windows\system\vRSRAfP.exe	cobalt_reflective_dll
\Windows\system\NlbxcLZ.exe	cobalt_reflective_dll
\Windows\system\QdOLJVe.exe	cobalt_reflective_dll
\Windows\system\UiaBlrQ.exe	cobalt_reflective_dll
C:\Windows\system\IEPExzS.exe	cobalt_reflective_dll
C:\Windows\system\zgxPMiL.exe	cobalt_reflective_dll
C:\Windows\system\yUzRWmq.exe	cobalt_reflective_dll
C:\Windows\system\RiprNsG.exe	cobalt_reflective_dll
\Windows\system\fmxFwWu.exe	cobalt_reflective_dll
C:\Windows\system\nOevnzy.exe	cobalt_reflective_dll
\Windows\system\PNUwlhD.exe	cobalt_reflective_dll
\Windows\system\ALnZEiA.exe	cobalt_reflective_dll
C:\Windows\system\BgHAxUW.exe	cobalt_reflective_dll
\Windows\system\OqXLPSZ.exe	cobalt_reflective_dll
C:\Windows\system\XsgYFiv.exe	cobalt_reflective_dll
C:\Windows\system\bosIasD.exe	cobalt_reflective_dll
C:\Windows\system\fNTLoBB.exe	cobalt_reflective_dll
C:\Windows\system\QLiyiVw.exe	cobalt_reflective_dll
C:\Windows\system\xDzNCel.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\wsVBDVK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lcYkPuM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vRSRAfP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\NlbxcLZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QdOLJVe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UiaBlrQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IEPExzS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zgxPMiL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yUzRWmq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RiprNsG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\fmxFwWu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nOevnzy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\PNUwlhD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ALnZEiA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BgHAxUW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\OqXLPSZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XsgYFiv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bosIasD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fNTLoBB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QLiyiVw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xDzNCel.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2912-0-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
\Windows\system\wsVBDVK.exe	UPX
\Windows\system\lcYkPuM.exe	UPX
behavioral1/memory/3048-25-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
C:\Windows\system\vRSRAfP.exe	UPX
\Windows\system\NlbxcLZ.exe	UPX
behavioral1/memory/2480-28-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
behavioral1/memory/3000-31-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/2544-27-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
behavioral1/memory/2156-35-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
\Windows\system\QdOLJVe.exe	UPX
behavioral1/memory/2864-42-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
\Windows\system\UiaBlrQ.exe	UPX
behavioral1/memory/2368-53-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
C:\Windows\system\IEPExzS.exe	UPX
behavioral1/memory/2636-55-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
C:\Windows\system\zgxPMiL.exe	UPX
C:\Windows\system\yUzRWmq.exe	UPX
behavioral1/memory/1928-62-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
C:\Windows\system\RiprNsG.exe	UPX
\Windows\system\fmxFwWu.exe	UPX
C:\Windows\system\nOevnzy.exe	UPX
\Windows\system\PNUwlhD.exe	UPX
\Windows\system\ALnZEiA.exe	UPX
C:\Windows\system\BgHAxUW.exe	UPX
\Windows\system\OqXLPSZ.exe	UPX
behavioral1/memory/1344-125-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2260-129-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/1016-130-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/808-131-0x000000013F260000-0x000000013F5B4000-memory.dmp	UPX
behavioral1/memory/2100-133-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
behavioral1/memory/1556-135-0x000000013FAB0000-0x000000013FE04000-memory.dmp	UPX
behavioral1/memory/1188-137-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2156-139-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
C:\Windows\system\XsgYFiv.exe	UPX
behavioral1/memory/2068-140-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2096-143-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
C:\Windows\system\bosIasD.exe	UPX
behavioral1/memory/1060-132-0x000000013F390000-0x000000013F6E4000-memory.dmp	UPX
C:\Windows\system\fNTLoBB.exe	UPX
C:\Windows\system\QLiyiVw.exe	UPX
C:\Windows\system\xDzNCel.exe	UPX
behavioral1/memory/2232-86-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2912-75-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2392-69-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/memory/2864-146-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2368-147-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/1928-148-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/memory/1060-150-0x000000013F390000-0x000000013F6E4000-memory.dmp	UPX
behavioral1/memory/1188-151-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2068-152-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/3048-153-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/memory/3000-154-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/2480-155-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
behavioral1/memory/2544-156-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
behavioral1/memory/2156-157-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
behavioral1/memory/2864-158-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2368-160-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2636-159-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
behavioral1/memory/1928-161-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/memory/2392-162-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/memory/2232-163-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/1556-164-0x000000013FAB0000-0x000000013FE04000-memory.dmp	UPX
behavioral1/memory/1344-165-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2912-0-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
\Windows\system\wsVBDVK.exe	xmrig
behavioral1/memory/2912-7-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
\Windows\system\lcYkPuM.exe	xmrig
behavioral1/memory/3048-25-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
C:\Windows\system\vRSRAfP.exe	xmrig
\Windows\system\NlbxcLZ.exe	xmrig
behavioral1/memory/2480-28-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/3000-31-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/2544-27-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/2156-35-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
\Windows\system\QdOLJVe.exe	xmrig
behavioral1/memory/2864-42-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
\Windows\system\UiaBlrQ.exe	xmrig
behavioral1/memory/2368-53-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
C:\Windows\system\IEPExzS.exe	xmrig
behavioral1/memory/2636-55-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
C:\Windows\system\zgxPMiL.exe	xmrig
C:\Windows\system\yUzRWmq.exe	xmrig
behavioral1/memory/1928-62-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
C:\Windows\system\RiprNsG.exe	xmrig
\Windows\system\fmxFwWu.exe	xmrig
C:\Windows\system\nOevnzy.exe	xmrig
\Windows\system\PNUwlhD.exe	xmrig
\Windows\system\ALnZEiA.exe	xmrig
C:\Windows\system\BgHAxUW.exe	xmrig
\Windows\system\OqXLPSZ.exe	xmrig
behavioral1/memory/1344-125-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2912-126-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2260-129-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/1016-130-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/808-131-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
behavioral1/memory/2100-133-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2912-136-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/1556-135-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/1188-137-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2156-139-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
C:\Windows\system\XsgYFiv.exe	xmrig
behavioral1/memory/2068-140-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2096-143-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
C:\Windows\system\bosIasD.exe	xmrig
behavioral1/memory/1060-132-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
C:\Windows\system\fNTLoBB.exe	xmrig
C:\Windows\system\QLiyiVw.exe	xmrig
C:\Windows\system\xDzNCel.exe	xmrig
behavioral1/memory/2232-86-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2912-75-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2392-69-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2864-146-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2368-147-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/1928-148-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/1060-150-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/1188-151-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2068-152-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/3048-153-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/3000-154-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/2480-155-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/2544-156-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/2156-157-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/2864-158-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2368-160-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2636-159-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/1928-161-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2392-162-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

wsVBDVK.exezgxPMiL.exevRSRAfP.exelcYkPuM.exeNlbxcLZ.exeQdOLJVe.exeUiaBlrQ.exeIEPExzS.exeyUzRWmq.exeRiprNsG.exenOevnzy.exefmxFwWu.exeBgHAxUW.exexDzNCel.exeQLiyiVw.exeALnZEiA.exefNTLoBB.exePNUwlhD.exeOqXLPSZ.exebosIasD.exeXsgYFiv.exe

pid	process
3000	wsVBDVK.exe
3048	zgxPMiL.exe
2544	vRSRAfP.exe
2480	lcYkPuM.exe
2156	NlbxcLZ.exe
2864	QdOLJVe.exe
2368	UiaBlrQ.exe
2636	IEPExzS.exe
1928	yUzRWmq.exe
2392	RiprNsG.exe
2232	nOevnzy.exe
1556	fmxFwWu.exe
1344	BgHAxUW.exe
2260	xDzNCel.exe
1016	QLiyiVw.exe
808	ALnZEiA.exe
1060	fNTLoBB.exe
2100	PNUwlhD.exe
1188	OqXLPSZ.exe
2068	bosIasD.exe
2096	XsgYFiv.exe

Loads dropped DLL 21 IoCs

Processes:

2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe

pid	process
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2912-0-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
\Windows\system\wsVBDVK.exe	upx
behavioral1/memory/2912-7-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
\Windows\system\lcYkPuM.exe	upx
behavioral1/memory/3048-25-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
C:\Windows\system\vRSRAfP.exe	upx
\Windows\system\NlbxcLZ.exe	upx
behavioral1/memory/2480-28-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/3000-31-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/2544-27-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/2156-35-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
\Windows\system\QdOLJVe.exe	upx
behavioral1/memory/2864-42-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
\Windows\system\UiaBlrQ.exe	upx
behavioral1/memory/2368-53-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
C:\Windows\system\IEPExzS.exe	upx
behavioral1/memory/2636-55-0x000000013F220000-0x000000013F574000-memory.dmp	upx
C:\Windows\system\zgxPMiL.exe	upx
C:\Windows\system\yUzRWmq.exe	upx
behavioral1/memory/1928-62-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
C:\Windows\system\RiprNsG.exe	upx
\Windows\system\fmxFwWu.exe	upx
C:\Windows\system\nOevnzy.exe	upx
\Windows\system\PNUwlhD.exe	upx
\Windows\system\ALnZEiA.exe	upx
C:\Windows\system\BgHAxUW.exe	upx
\Windows\system\OqXLPSZ.exe	upx
behavioral1/memory/1344-125-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2260-129-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/1016-130-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/808-131-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
behavioral1/memory/2100-133-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/1556-135-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/1188-137-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2156-139-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
C:\Windows\system\XsgYFiv.exe	upx
behavioral1/memory/2068-140-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2096-143-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
C:\Windows\system\bosIasD.exe	upx
behavioral1/memory/1060-132-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
C:\Windows\system\fNTLoBB.exe	upx
C:\Windows\system\QLiyiVw.exe	upx
C:\Windows\system\xDzNCel.exe	upx
behavioral1/memory/2232-86-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2912-75-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2392-69-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2864-146-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2368-147-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/1928-148-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/1060-150-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/1188-151-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2068-152-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/3048-153-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/3000-154-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/2480-155-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/2544-156-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/2156-157-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/2864-158-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2368-160-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2636-159-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/1928-161-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2392-162-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2232-163-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/1556-164-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\UiaBlrQ.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IEPExzS.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yUzRWmq.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RiprNsG.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vRSRAfP.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fmxFwWu.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BgHAxUW.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xDzNCel.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ALnZEiA.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QdOLJVe.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NlbxcLZ.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nOevnzy.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fNTLoBB.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PNUwlhD.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QLiyiVw.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lcYkPuM.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zgxPMiL.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OqXLPSZ.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bosIasD.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XsgYFiv.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wsVBDVK.exe	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2912 wrote to memory of 3000	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	wsVBDVK.exe
PID 2912 wrote to memory of 3000	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	wsVBDVK.exe
PID 2912 wrote to memory of 3000	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	wsVBDVK.exe
PID 2912 wrote to memory of 3048	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	zgxPMiL.exe
PID 2912 wrote to memory of 3048	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	zgxPMiL.exe
PID 2912 wrote to memory of 3048	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	zgxPMiL.exe
PID 2912 wrote to memory of 2480	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	lcYkPuM.exe
PID 2912 wrote to memory of 2480	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	lcYkPuM.exe
PID 2912 wrote to memory of 2480	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	lcYkPuM.exe
PID 2912 wrote to memory of 2544	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	vRSRAfP.exe
PID 2912 wrote to memory of 2544	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	vRSRAfP.exe
PID 2912 wrote to memory of 2544	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	vRSRAfP.exe
PID 2912 wrote to memory of 2156	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	NlbxcLZ.exe
PID 2912 wrote to memory of 2156	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	NlbxcLZ.exe
PID 2912 wrote to memory of 2156	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	NlbxcLZ.exe
PID 2912 wrote to memory of 2864	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	QdOLJVe.exe
PID 2912 wrote to memory of 2864	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	QdOLJVe.exe
PID 2912 wrote to memory of 2864	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	QdOLJVe.exe
PID 2912 wrote to memory of 2368	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	UiaBlrQ.exe
PID 2912 wrote to memory of 2368	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	UiaBlrQ.exe
PID 2912 wrote to memory of 2368	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	UiaBlrQ.exe
PID 2912 wrote to memory of 2636	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	IEPExzS.exe
PID 2912 wrote to memory of 2636	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	IEPExzS.exe
PID 2912 wrote to memory of 2636	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	IEPExzS.exe
PID 2912 wrote to memory of 1928	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	yUzRWmq.exe
PID 2912 wrote to memory of 1928	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	yUzRWmq.exe
PID 2912 wrote to memory of 1928	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	yUzRWmq.exe
PID 2912 wrote to memory of 2392	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	RiprNsG.exe
PID 2912 wrote to memory of 2392	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	RiprNsG.exe
PID 2912 wrote to memory of 2392	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	RiprNsG.exe
PID 2912 wrote to memory of 1556	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	fmxFwWu.exe
PID 2912 wrote to memory of 1556	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	fmxFwWu.exe
PID 2912 wrote to memory of 1556	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	fmxFwWu.exe
PID 2912 wrote to memory of 2232	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	nOevnzy.exe
PID 2912 wrote to memory of 2232	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	nOevnzy.exe
PID 2912 wrote to memory of 2232	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	nOevnzy.exe
PID 2912 wrote to memory of 1060	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	fNTLoBB.exe
PID 2912 wrote to memory of 1060	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	fNTLoBB.exe
PID 2912 wrote to memory of 1060	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	fNTLoBB.exe
PID 2912 wrote to memory of 1344	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	BgHAxUW.exe
PID 2912 wrote to memory of 1344	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	BgHAxUW.exe
PID 2912 wrote to memory of 1344	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	BgHAxUW.exe
PID 2912 wrote to memory of 2100	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	PNUwlhD.exe
PID 2912 wrote to memory of 2100	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	PNUwlhD.exe
PID 2912 wrote to memory of 2100	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	PNUwlhD.exe
PID 2912 wrote to memory of 2260	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	xDzNCel.exe
PID 2912 wrote to memory of 2260	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	xDzNCel.exe
PID 2912 wrote to memory of 2260	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	xDzNCel.exe
PID 2912 wrote to memory of 1188	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	OqXLPSZ.exe
PID 2912 wrote to memory of 1188	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	OqXLPSZ.exe
PID 2912 wrote to memory of 1188	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	OqXLPSZ.exe
PID 2912 wrote to memory of 1016	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	QLiyiVw.exe
PID 2912 wrote to memory of 1016	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	QLiyiVw.exe
PID 2912 wrote to memory of 1016	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	QLiyiVw.exe
PID 2912 wrote to memory of 2068	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	bosIasD.exe
PID 2912 wrote to memory of 2068	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	bosIasD.exe
PID 2912 wrote to memory of 2068	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	bosIasD.exe
PID 2912 wrote to memory of 808	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	ALnZEiA.exe
PID 2912 wrote to memory of 808	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	ALnZEiA.exe
PID 2912 wrote to memory of 808	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	ALnZEiA.exe
PID 2912 wrote to memory of 2096	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	XsgYFiv.exe
PID 2912 wrote to memory of 2096	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	XsgYFiv.exe
PID 2912 wrote to memory of 2096	2912	2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe	XsgYFiv.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_deea120a6a98980875ba1be3d3d3add1_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\System\wsVBDVK.exe
C:\Windows\System\wsVBDVK.exe
2⤵
- Executes dropped EXE
PID:3000

C:\Windows\System\zgxPMiL.exe
C:\Windows\System\zgxPMiL.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\System\lcYkPuM.exe
C:\Windows\System\lcYkPuM.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\vRSRAfP.exe
C:\Windows\System\vRSRAfP.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\NlbxcLZ.exe
C:\Windows\System\NlbxcLZ.exe
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\System\QdOLJVe.exe
C:\Windows\System\QdOLJVe.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\System\UiaBlrQ.exe
C:\Windows\System\UiaBlrQ.exe
2⤵
- Executes dropped EXE
PID:2368

C:\Windows\System\IEPExzS.exe
C:\Windows\System\IEPExzS.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\yUzRWmq.exe
C:\Windows\System\yUzRWmq.exe
2⤵
- Executes dropped EXE
PID:1928

C:\Windows\System\RiprNsG.exe
C:\Windows\System\RiprNsG.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\fmxFwWu.exe
C:\Windows\System\fmxFwWu.exe
2⤵
- Executes dropped EXE
PID:1556

C:\Windows\System\nOevnzy.exe
C:\Windows\System\nOevnzy.exe
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\System\fNTLoBB.exe
C:\Windows\System\fNTLoBB.exe
2⤵
- Executes dropped EXE
PID:1060

C:\Windows\System\BgHAxUW.exe
C:\Windows\System\BgHAxUW.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\System\PNUwlhD.exe
C:\Windows\System\PNUwlhD.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System\xDzNCel.exe
C:\Windows\System\xDzNCel.exe
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\System\OqXLPSZ.exe
C:\Windows\System\OqXLPSZ.exe
2⤵
- Executes dropped EXE
PID:1188

C:\Windows\System\QLiyiVw.exe
C:\Windows\System\QLiyiVw.exe
2⤵
- Executes dropped EXE
PID:1016

C:\Windows\System\bosIasD.exe
C:\Windows\System\bosIasD.exe
2⤵
- Executes dropped EXE
PID:2068

C:\Windows\System\ALnZEiA.exe
C:\Windows\System\ALnZEiA.exe
2⤵
- Executes dropped EXE
PID:808

C:\Windows\System\XsgYFiv.exe
C:\Windows\System\XsgYFiv.exe
2⤵
- Executes dropped EXE
PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BgHAxUW.exe
Filesize
5.9MB

MD5
1e3228feba0d73304a1cdd98339f5ddc

SHA1
e22dcf03bbbd55fafd18236161accdb23e029971

SHA256
18e166499373c0b2a27b3a899c9dd4b9ac227c71dc8246600961a3a639d86ab9

SHA512
7d27f31835e7f5b024f930139071726c492f015f04cfa82094caa90fc196b816c3ee9905111553d7298d33e28f0eb8f648d34659451d3ac22cb44f939cddb79c

Download Submit
C:\Windows\system\IEPExzS.exe
Filesize
5.9MB

MD5
18ea92455bde9a0c0543132ad6704adf

SHA1
929af7d829890c479601f6fe1d6be9df50b2f802

SHA256
9938e6e2d7b6986784693a11c3dc21e1ef88a22d60aa305734f0b84b482eca3f

SHA512
3fda4b0b1f486d91c4eb8941af01ba2df9880d8ae86e1ad432db7d88276d4556ca45f410d2913a480f6f6d8194eb0407210032f733fc291b7097d2302f8d2e97

Download Submit
C:\Windows\system\QLiyiVw.exe
Filesize
5.9MB

MD5
e457731418f9244e2b457122cde3ae24

SHA1
3128bcd72189987b4b1c44e7e24a2a81eb28ddbc

SHA256
3c5d30e5b4d9614e8e1d0ca8e91ed9721af58bd890b21735643e912fd33510bf

SHA512
8f45923c79c4812437190c1b825a7929cf0a1626ded4584b11a903231dcd010f2ad7b78e6adfb3feaea34cdbf14d8ad65125e9b81d36cbb79bc2e095c22fd2bf

Download Submit
C:\Windows\system\RiprNsG.exe
Filesize
5.9MB

MD5
de764b0efbfb3b8dfbbbc4b371430fb4

SHA1
79cac2b3f270c5b132f0111fbcfde24894da1b93

SHA256
ac8beedfac09b8013e714676f191824d1a07651fea6684bd001a4969ce2c1147

SHA512
4532e845af47552d4a44ae49ec1552b8f5a8d8320b037c9fa6bba45cff7c36bea9662ee86cd1f9ed0c67d3a38e09bab9dbd87b5e612df6ff066937e00212bc04

Download Submit
C:\Windows\system\XsgYFiv.exe
Filesize
5.9MB

MD5
92695da9b7b577491eca98c6594b3a64

SHA1
0be3d50921abca197eb20937d51401b927faea0e

SHA256
d61d6cf1e5c6ca199c54949f7bc9db28496c675d553f0fc826d937c0e5d4be49

SHA512
c8fe5ae68b2ff3f074bdbdc76fb8cc8c8aec1af90206b76060e840c70bd7c30c14660725cfe6c5f5dc1757ee38c449db7c6278d8d36fdb47b3e75f4775fe3412

Download Submit
C:\Windows\system\bosIasD.exe
Filesize
5.9MB

MD5
720cfc13e32bb856fd2951f7c87d5d97

SHA1
71dd4abd8b1d262cbdbf922cf0c0ff165e6f88f9

SHA256
444d37def4d9913bcf328dba23a241ea0b8a72fdab7b82b2f224774fdfe5b1ee

SHA512
8fa56f992caa70b2bca5f8d959ab8bbab8411b2780b7cdf23a42d83708bfc5285ce173d0f002e91606e0c3ebdeefad23026e2c8cd53534c93eadde7c99dc772f

Download Submit
C:\Windows\system\fNTLoBB.exe
Filesize
5.9MB

MD5
b752f30a697837aeeb4a616dbf435b40

SHA1
4edda92852724d0093ddd1ba88bb1934ea6fb8f7

SHA256
577c40cdbd4e5655b9e9b7b21a5e4197146359cb1ae66557eb3c0e9db470d115

SHA512
89a423485b426f341a0caa12f605351f4af19c12c0b8141dfc79b321dafba2af511f38ad467c43dc4e9832583eb4021e570ed50e4aabd49a58d562e86a302cba

Download Submit
C:\Windows\system\nOevnzy.exe
Filesize
5.9MB

MD5
57244ca34da5655eee53275ee5e06756

SHA1
bf7b1881cfc40e15f5e201e94a6130d24f65ba07

SHA256
abfe558a30535fbbb6b3b14be1777fadf546b5e70cb9d8b148a8ce639ac670cf

SHA512
2a899a9d86bd004255955452de924709bec3cbbdb6b6ccc2896e4d903dc00821c397a69fa1927e0bb39618084e6bf394ad69ca34cf7ddfb0828dfcd0ddeeb1d5

Download Submit
C:\Windows\system\vRSRAfP.exe
Filesize
5.9MB

MD5
b37176255ad63fda4968a7029faed50c

SHA1
b1e2ab9b2f33107828caf5827b64cdc88b833cab

SHA256
43cd6fb9357afd6abc3af0eed303463a8706f604a37f3ee3777e310e00eb2481

SHA512
0a4de29414cae9b22f9e6fc9cda6ccda3dccba34a08b525f907422b44118f3c7b8745f1adebb784bda16bd83cc5e17e9c0844dbe5610eca72f1a0b034453786e

Download Submit
C:\Windows\system\xDzNCel.exe
Filesize
5.9MB

MD5
9ca0fe9880f5e2f095e15e7472217e71

SHA1
5e3fd6455dd354ea7c1cb450f5d1fb12b91ea016

SHA256
d781a9ca9b983c459de25ecd102972bf733ba906299d77c99b66dfc9850c34d2

SHA512
c39d61b5b0a62bfec418f50b3809d562433bb58edca2321eaac1407be95cd97fb404bff0cdddb41094d184cedad78969749acc6c2e62db93a0752d5e61ca9698

Download Submit
C:\Windows\system\yUzRWmq.exe
Filesize
5.9MB

MD5
249bcf5d1c57b4ce634f822373e23234

SHA1
f87138a1ef8eec08b64860cb888a6809ba46a337

SHA256
7a9af39b05e5938c96c67bb5bd23a3ab1728013271a82e2508ccf3c3af58ebe0

SHA512
fcc07e9362f7ce84d213f8cb42ca6b0e03f943956d6c16beb547519f015a0e09dd73950597eb544090cdc29a4e16fd362b27bfa5b1bd871c1632f401d01611ae

Download Submit
C:\Windows\system\zgxPMiL.exe
Filesize
5.9MB

MD5
71530a98531e832c906c0b25c5616aa5

SHA1
304ecb6d486edbc38af766fdefd492966010c4c3

SHA256
5180efa6bc62622cae33b23040342af8a9e841f70494c71262cc86fdef441570

SHA512
970ef2c3ccbc2c21c7f5b6eb0e432355ecc6a3de190360661888891f3576d26313649155414472cb5cd6cedad456c53a880d750c886a0ae8a2a15a1724686fcd

Download Submit
\Windows\system\ALnZEiA.exe
Filesize
5.9MB

MD5
f44f19f30ff0f3dfdeb9ad57839eab04

SHA1
40592c96fb308fbdf20839951082508a211172b1

SHA256
a0cc66c5acbe3f1bd9c92a2d33b2df727e8a780b4546e701add7ff6fe6791b88

SHA512
5d078ac7b96f1d205f86fe291e89812bfaff3614ac74e390e172311c5e4e691f1aec7f1197ca70450fb4a128311c65f7ce5624c113e101bda9fddcfb7059d587

Download Submit
\Windows\system\NlbxcLZ.exe
Filesize
5.9MB

MD5
6854a9bf374bcd6142cde9b456627bd1

SHA1
9768dd793bb5b1ada9ec45e919f4b8e907b2b56a

SHA256
45308c3b78a08ed02a56aea1163f1ceaf14067589b06545565a3614e7e40e8aa

SHA512
4494425f8e114a38351ccc3d75978d11ebe039939678e23c25e0ccc575c618fd24b9ff2d45dababee37afd3939978174b17fbb919fdcb3a561c80341861d40e9

Download Submit
\Windows\system\OqXLPSZ.exe
Filesize
5.9MB

MD5
a91f8fbf622395be8e3cf74176d8bc75

SHA1
198f5ea361c3b41360fb5cfcb997490741db52eb

SHA256
cbf8a8939a6bcc39a8cc36da65196851653d3c47f9f7790d012ee9ffd47c8c60

SHA512
4e63258dc47b9454fcb5fa0c1ade58cd3b048ab47bd970c153e7ed7adc420a4095df17a33d94ebafe5ed7865f66ce8d19c6ec5c063d3b026b123b96e7c7c44b8

Download Submit
\Windows\system\PNUwlhD.exe
Filesize
5.9MB

MD5
97ae9718c474be23ce53177de8defbf9

SHA1
690aadeab067f79af04bc295c3ecd3fe31e26950

SHA256
3117b86c7eaa9685589428703d4ea999218a5cc1bdf834e0198dbac226f619a1

SHA512
576bbe1495fa87556820c7a81321ac0f377373262c46841eda12261dc9a93215088cd00540ef867362819fb0a3db0778585a7c8b94772ae1f48ecb1758521a6c

Download Submit
\Windows\system\QdOLJVe.exe
Filesize
5.9MB

MD5
75b4a45d13233d934833cb94adf4eecb

SHA1
9b7000c751c55640bdf6cc7f687a98d3e14011a7

SHA256
9d99d992c210aebd61f954d9c36580e106da110afc42eece8c4a6136b41664b3

SHA512
504cc7f7342a443834616549b7aa351b4e3d5d42aa8de5749afaee0b13eb543141886637902df748e15a94056f20bbb0ec86ac70ab07fa40a677520f3b8baeaa

Download Submit
\Windows\system\UiaBlrQ.exe
Filesize
5.9MB

MD5
6a7fa900ed24e81267822de8e489f5e5

SHA1
6f01646ea928539c1dfad4186aa9958df5cbf1e2

SHA256
c4aff19bf220018917e7204d1dd029a44a95bd01edbd39198c1bd7485d8a34d4

SHA512
394a8db38ecf006ec75d7be51ffdab3ddac2a998d8abc944f77ce7b952fd2830c7c26da9a1aef46d4c081cf11004f73c10b33338e25da9ef8959db428e6e6809

Download Submit
\Windows\system\fmxFwWu.exe
Filesize
5.9MB

MD5
5ce160184e8bf1f4e60cc214ef170061

SHA1
cdc4f330e1fb2eb902caf52948301a2a78f258ce

SHA256
353e8be66162faa6030417c9ee15704ec06a1518ea641f9ca673564afe1ccd3e

SHA512
8cbce03acd59cfbe5287247f43d281c8f3906fc29fe69f9e2b37af1a05393881e5888cdd7586f6d8c2aa125c1deb0436bdf88a2042d0557bced3f6195c11aed2

Download Submit
\Windows\system\lcYkPuM.exe
Filesize
5.9MB

MD5
8b508d0b9c48ac7d19e7ac059499e7d2

SHA1
03dc1ed51421fddca8e091212012c8bf2c416e3b

SHA256
3654bc0c06c2c26861be1322487add5c29f8d21b685d9829fd8eb59b0416925c

SHA512
6e413b8051eb16dc92e242eb4980fb8947dc1b1c08c94f10f00dbe7160827afde43a41c73849d909623d87e4aebfcc12bf5d578bd77e25cf1c68decb39c73958

Download Submit
\Windows\system\wsVBDVK.exe
Filesize
5.9MB

MD5
860e72d87eb4771540cc090c3bdf5ec2

SHA1
6a9991cd76340e4bc9e391eb3fd5dcb33f40d1fa

SHA256
195a197e71e58554eb86232b2125de49c23b3aa5ef5b6e81322e0b3b8a522fea

SHA512
caaada752ff86cfdf0c899e719c8f35e1e8dff8268636831c9c952856f761a06b53382efd8294ab5d99d129de5a4ab65cffa2bbab0cbd93309fcdb34400039e6

Download Submit
memory/808-131-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/808-168-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1016-130-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/1016-166-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/1060-150-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1060-132-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1188-151-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1188-137-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1344-125-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1344-165-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1556-164-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/1556-135-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/1928-161-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/1928-148-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/1928-62-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2068-152-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2068-140-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2096-169-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2096-143-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-133-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2156-35-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2156-157-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2156-139-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2232-86-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-163-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2260-129-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2260-167-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2368-53-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2368-147-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2368-160-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-162-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2392-69-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2480-155-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2480-28-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2544-27-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2544-156-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-55-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2636-159-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2864-146-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2864-42-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2864-158-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-122-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2912-61-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2912-128-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-149-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2912-136-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-134-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-127-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-0-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-7-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2912-126-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-78-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2912-123-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-67-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2912-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2912-82-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2912-54-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2912-75-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-36-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2912-16-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2912-26-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/3000-31-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/3000-154-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/3048-25-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/3048-153-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download