cobaltstrike | bcd5d71d1793a073dfe7d870bf5cba657ea82d5076346f5e1afa64f54512b5af

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

26c7c01d881e5043932b5f8eda89971b
SHA1

0ef328fbb328730c56b31f39f5bfd2272029aeb9
SHA256

bcd5d71d1793a073dfe7d870bf5cba657ea82d5076346f5e1afa64f54512b5af
SHA512

60852d342f1acf9ccd53af1574376ffd3330e56051b16924cf5fa225264454a47abfeb728036d22e11540e666fcd4194b7a5e100522bfd316d69fd4549ca3856
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBibf56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\YHsnymK.exe	cobalt_reflective_dll
C:\Windows\system\eaBvCXz.exe	cobalt_reflective_dll
C:\Windows\system\zDlYhyj.exe	cobalt_reflective_dll
\Windows\system\BqPSZZj.exe	cobalt_reflective_dll
C:\Windows\system\GxOJBNY.exe	cobalt_reflective_dll
C:\Windows\system\RFIJdMh.exe	cobalt_reflective_dll
\Windows\system\eDKtdgf.exe	cobalt_reflective_dll
\Windows\system\zUiPrXr.exe	cobalt_reflective_dll
C:\Windows\system\xosoISu.exe	cobalt_reflective_dll
C:\Windows\system\wHQNMLC.exe	cobalt_reflective_dll
C:\Windows\system\xpdUgjA.exe	cobalt_reflective_dll
C:\Windows\system\opijzrt.exe	cobalt_reflective_dll
C:\Windows\system\vdrQvsN.exe	cobalt_reflective_dll
C:\Windows\system\xntVeBk.exe	cobalt_reflective_dll
\Windows\system\PiUlOwD.exe	cobalt_reflective_dll
\Windows\system\OEzWFgR.exe	cobalt_reflective_dll
C:\Windows\system\jwLaXZV.exe	cobalt_reflective_dll
C:\Windows\system\kqaUUyd.exe	cobalt_reflective_dll
C:\Windows\system\TbYXDnH.exe	cobalt_reflective_dll
C:\Windows\system\EqIdqIU.exe	cobalt_reflective_dll
C:\Windows\system\uLumOYy.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\YHsnymK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eaBvCXz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zDlYhyj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\BqPSZZj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GxOJBNY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RFIJdMh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\eDKtdgf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zUiPrXr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xosoISu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wHQNMLC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xpdUgjA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\opijzrt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vdrQvsN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xntVeBk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\PiUlOwD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\OEzWFgR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jwLaXZV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kqaUUyd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TbYXDnH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EqIdqIU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uLumOYy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1620-0-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX
\Windows\system\YHsnymK.exe	UPX
C:\Windows\system\eaBvCXz.exe	UPX
C:\Windows\system\zDlYhyj.exe	UPX
behavioral1/memory/3044-13-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2568-12-0x000000013F830000-0x000000013FB81000-memory.dmp	UPX
\Windows\system\BqPSZZj.exe	UPX
C:\Windows\system\GxOJBNY.exe	UPX
behavioral1/memory/2788-36-0x000000013F810000-0x000000013FB61000-memory.dmp	UPX
behavioral1/memory/2588-34-0x000000013F710000-0x000000013FA61000-memory.dmp	UPX
behavioral1/memory/2620-33-0x000000013F9E0000-0x000000013FD31000-memory.dmp	UPX
C:\Windows\system\RFIJdMh.exe	UPX
behavioral1/memory/2688-42-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
\Windows\system\eDKtdgf.exe	UPX
behavioral1/memory/2516-51-0x000000013FFD0000-0x0000000140321000-memory.dmp	UPX
behavioral1/memory/2124-66-0x000000013FF20000-0x0000000140271000-memory.dmp	UPX
\Windows\system\zUiPrXr.exe	UPX
C:\Windows\system\xosoISu.exe	UPX
C:\Windows\system\wHQNMLC.exe	UPX
C:\Windows\system\xpdUgjA.exe	UPX
behavioral1/memory/2412-102-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
C:\Windows\system\opijzrt.exe	UPX
C:\Windows\system\vdrQvsN.exe	UPX
C:\Windows\system\xntVeBk.exe	UPX
\Windows\system\PiUlOwD.exe	UPX
\Windows\system\OEzWFgR.exe	UPX
behavioral1/memory/2500-76-0x000000013FCE0000-0x0000000140031000-memory.dmp	UPX
C:\Windows\system\jwLaXZV.exe	UPX
C:\Windows\system\kqaUUyd.exe	UPX
C:\Windows\system\TbYXDnH.exe	UPX
behavioral1/memory/2308-95-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX
C:\Windows\system\EqIdqIU.exe	UPX
behavioral1/memory/1620-56-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX
C:\Windows\system\uLumOYy.exe	UPX
behavioral1/memory/3044-129-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2568-128-0x000000013F830000-0x000000013FB81000-memory.dmp	UPX
behavioral1/memory/1620-135-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX
behavioral1/memory/2688-141-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/memory/2788-140-0x000000013F810000-0x000000013FB61000-memory.dmp	UPX
behavioral1/memory/2412-144-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
behavioral1/memory/2396-148-0x000000013F0F0000-0x000000013F441000-memory.dmp	UPX
behavioral1/memory/2156-156-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
behavioral1/memory/2264-155-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/396-153-0x000000013FFD0000-0x0000000140321000-memory.dmp	UPX
behavioral1/memory/1800-152-0x000000013F450000-0x000000013F7A1000-memory.dmp	UPX
behavioral1/memory/2652-151-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/2664-150-0x000000013F8E0000-0x000000013FC31000-memory.dmp	UPX
behavioral1/memory/2868-146-0x000000013FD20000-0x0000000140071000-memory.dmp	UPX
behavioral1/memory/2500-145-0x000000013FCE0000-0x0000000140031000-memory.dmp	UPX
behavioral1/memory/2124-143-0x000000013FF20000-0x0000000140271000-memory.dmp	UPX
behavioral1/memory/1588-154-0x000000013F420000-0x000000013F771000-memory.dmp	UPX
behavioral1/memory/2440-149-0x000000013F640000-0x000000013F991000-memory.dmp	UPX
behavioral1/memory/2516-142-0x000000013FFD0000-0x0000000140321000-memory.dmp	UPX
behavioral1/memory/1620-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX
behavioral1/memory/3044-202-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2568-204-0x000000013F830000-0x000000013FB81000-memory.dmp	UPX
behavioral1/memory/2620-206-0x000000013F9E0000-0x000000013FD31000-memory.dmp	UPX
behavioral1/memory/2588-208-0x000000013F710000-0x000000013FA61000-memory.dmp	UPX
behavioral1/memory/2688-210-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/memory/2788-220-0x000000013F810000-0x000000013FB61000-memory.dmp	UPX
behavioral1/memory/2516-231-0x000000013FFD0000-0x0000000140321000-memory.dmp	UPX
behavioral1/memory/2124-233-0x000000013FF20000-0x0000000140271000-memory.dmp	UPX
behavioral1/memory/2500-237-0x000000013FCE0000-0x0000000140031000-memory.dmp	UPX
behavioral1/memory/2308-236-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX

XMRig Miner payload 36 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2588-34-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2620-33-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2516-51-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/2308-95-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/1620-56-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/3044-129-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2568-128-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/1620-135-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2688-141-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2788-140-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2412-144-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2396-148-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/2156-156-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2264-155-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/396-153-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/1800-152-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/2652-151-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2664-150-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2868-146-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/2500-145-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2124-143-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/1588-154-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/2440-149-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/2516-142-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/1620-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/3044-202-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2568-204-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/2620-206-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2588-208-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2688-210-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2788-220-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2516-231-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/2124-233-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/2500-237-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2308-236-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2412-241-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

YHsnymK.exeeaBvCXz.exezDlYhyj.exeBqPSZZj.exeGxOJBNY.exeRFIJdMh.exeeDKtdgf.exeuLumOYy.exekqaUUyd.exexosoISu.exeEqIdqIU.exexntVeBk.exevdrQvsN.exeopijzrt.exeTbYXDnH.exezUiPrXr.exejwLaXZV.exeOEzWFgR.exePiUlOwD.exewHQNMLC.exexpdUgjA.exe

pid	process
2568	YHsnymK.exe
3044	eaBvCXz.exe
2588	zDlYhyj.exe
2620	BqPSZZj.exe
2788	GxOJBNY.exe
2688	RFIJdMh.exe
2516	eDKtdgf.exe
2124	uLumOYy.exe
2500	kqaUUyd.exe
2308	xosoISu.exe
2412	EqIdqIU.exe
2440	xntVeBk.exe
2652	vdrQvsN.exe
396	opijzrt.exe
2868	TbYXDnH.exe
2396	zUiPrXr.exe
2264	jwLaXZV.exe
2664	OEzWFgR.exe
1800	PiUlOwD.exe
1588	wHQNMLC.exe
2156	xpdUgjA.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe

pid	process
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1620-0-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
\Windows\system\YHsnymK.exe	upx
C:\Windows\system\eaBvCXz.exe	upx
C:\Windows\system\zDlYhyj.exe	upx
behavioral1/memory/3044-13-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2568-12-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
\Windows\system\BqPSZZj.exe	upx
C:\Windows\system\GxOJBNY.exe	upx
behavioral1/memory/2788-36-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2588-34-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/2620-33-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
C:\Windows\system\RFIJdMh.exe	upx
behavioral1/memory/2688-42-0x000000013F340000-0x000000013F691000-memory.dmp	upx
\Windows\system\eDKtdgf.exe	upx
behavioral1/memory/2516-51-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/memory/2124-66-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
\Windows\system\zUiPrXr.exe	upx
C:\Windows\system\xosoISu.exe	upx
C:\Windows\system\wHQNMLC.exe	upx
C:\Windows\system\xpdUgjA.exe	upx
behavioral1/memory/2412-102-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
C:\Windows\system\opijzrt.exe	upx
C:\Windows\system\vdrQvsN.exe	upx
C:\Windows\system\xntVeBk.exe	upx
\Windows\system\PiUlOwD.exe	upx
\Windows\system\OEzWFgR.exe	upx
behavioral1/memory/2500-76-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
C:\Windows\system\jwLaXZV.exe	upx
C:\Windows\system\kqaUUyd.exe	upx
C:\Windows\system\TbYXDnH.exe	upx
behavioral1/memory/2308-95-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
C:\Windows\system\EqIdqIU.exe	upx
behavioral1/memory/1620-56-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
C:\Windows\system\uLumOYy.exe	upx
behavioral1/memory/3044-129-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2568-128-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/memory/1620-135-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2688-141-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2788-140-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2412-144-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2396-148-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/2156-156-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2264-155-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/396-153-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/memory/1800-152-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/2652-151-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2664-150-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2868-146-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/2500-145-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2124-143-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/1588-154-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/2440-149-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/memory/2516-142-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/memory/1620-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/3044-202-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2568-204-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/memory/2620-206-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2588-208-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/2688-210-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2788-220-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2516-231-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/memory/2124-233-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/2500-237-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2308-236-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\uLumOYy.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TbYXDnH.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zUiPrXr.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xpdUgjA.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eaBvCXz.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BqPSZZj.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kqaUUyd.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xosoISu.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xntVeBk.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PiUlOwD.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\opijzrt.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YHsnymK.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zDlYhyj.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GxOJBNY.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RFIJdMh.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eDKtdgf.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EqIdqIU.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wHQNMLC.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OEzWFgR.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vdrQvsN.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jwLaXZV.exe	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1620 wrote to memory of 2568	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	YHsnymK.exe
PID 1620 wrote to memory of 2568	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	YHsnymK.exe
PID 1620 wrote to memory of 2568	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	YHsnymK.exe
PID 1620 wrote to memory of 3044	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	eaBvCXz.exe
PID 1620 wrote to memory of 3044	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	eaBvCXz.exe
PID 1620 wrote to memory of 3044	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	eaBvCXz.exe
PID 1620 wrote to memory of 2588	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	zDlYhyj.exe
PID 1620 wrote to memory of 2588	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	zDlYhyj.exe
PID 1620 wrote to memory of 2588	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	zDlYhyj.exe
PID 1620 wrote to memory of 2620	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	BqPSZZj.exe
PID 1620 wrote to memory of 2620	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	BqPSZZj.exe
PID 1620 wrote to memory of 2620	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	BqPSZZj.exe
PID 1620 wrote to memory of 2788	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	GxOJBNY.exe
PID 1620 wrote to memory of 2788	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	GxOJBNY.exe
PID 1620 wrote to memory of 2788	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	GxOJBNY.exe
PID 1620 wrote to memory of 2688	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	RFIJdMh.exe
PID 1620 wrote to memory of 2688	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	RFIJdMh.exe
PID 1620 wrote to memory of 2688	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	RFIJdMh.exe
PID 1620 wrote to memory of 2516	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	eDKtdgf.exe
PID 1620 wrote to memory of 2516	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	eDKtdgf.exe
PID 1620 wrote to memory of 2516	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	eDKtdgf.exe
PID 1620 wrote to memory of 2124	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	uLumOYy.exe
PID 1620 wrote to memory of 2124	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	uLumOYy.exe
PID 1620 wrote to memory of 2124	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	uLumOYy.exe
PID 1620 wrote to memory of 2412	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	EqIdqIU.exe
PID 1620 wrote to memory of 2412	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	EqIdqIU.exe
PID 1620 wrote to memory of 2412	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	EqIdqIU.exe
PID 1620 wrote to memory of 2500	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	kqaUUyd.exe
PID 1620 wrote to memory of 2500	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	kqaUUyd.exe
PID 1620 wrote to memory of 2500	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	kqaUUyd.exe
PID 1620 wrote to memory of 2868	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	TbYXDnH.exe
PID 1620 wrote to memory of 2868	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	TbYXDnH.exe
PID 1620 wrote to memory of 2868	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	TbYXDnH.exe
PID 1620 wrote to memory of 2308	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xosoISu.exe
PID 1620 wrote to memory of 2308	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xosoISu.exe
PID 1620 wrote to memory of 2308	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xosoISu.exe
PID 1620 wrote to memory of 2396	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	zUiPrXr.exe
PID 1620 wrote to memory of 2396	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	zUiPrXr.exe
PID 1620 wrote to memory of 2396	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	zUiPrXr.exe
PID 1620 wrote to memory of 2440	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xntVeBk.exe
PID 1620 wrote to memory of 2440	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xntVeBk.exe
PID 1620 wrote to memory of 2440	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xntVeBk.exe
PID 1620 wrote to memory of 2664	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	OEzWFgR.exe
PID 1620 wrote to memory of 2664	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	OEzWFgR.exe
PID 1620 wrote to memory of 2664	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	OEzWFgR.exe
PID 1620 wrote to memory of 2652	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	vdrQvsN.exe
PID 1620 wrote to memory of 2652	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	vdrQvsN.exe
PID 1620 wrote to memory of 2652	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	vdrQvsN.exe
PID 1620 wrote to memory of 1800	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	PiUlOwD.exe
PID 1620 wrote to memory of 1800	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	PiUlOwD.exe
PID 1620 wrote to memory of 1800	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	PiUlOwD.exe
PID 1620 wrote to memory of 396	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	opijzrt.exe
PID 1620 wrote to memory of 396	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	opijzrt.exe
PID 1620 wrote to memory of 396	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	opijzrt.exe
PID 1620 wrote to memory of 1588	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	wHQNMLC.exe
PID 1620 wrote to memory of 1588	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	wHQNMLC.exe
PID 1620 wrote to memory of 1588	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	wHQNMLC.exe
PID 1620 wrote to memory of 2264	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	jwLaXZV.exe
PID 1620 wrote to memory of 2264	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	jwLaXZV.exe
PID 1620 wrote to memory of 2264	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	jwLaXZV.exe
PID 1620 wrote to memory of 2156	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xpdUgjA.exe
PID 1620 wrote to memory of 2156	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xpdUgjA.exe
PID 1620 wrote to memory of 2156	1620	2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe	xpdUgjA.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_26c7c01d881e5043932b5f8eda89971b_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\System\YHsnymK.exe
C:\Windows\System\YHsnymK.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\eaBvCXz.exe
C:\Windows\System\eaBvCXz.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\zDlYhyj.exe
C:\Windows\System\zDlYhyj.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\BqPSZZj.exe
C:\Windows\System\BqPSZZj.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\GxOJBNY.exe
C:\Windows\System\GxOJBNY.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\RFIJdMh.exe
C:\Windows\System\RFIJdMh.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\eDKtdgf.exe
C:\Windows\System\eDKtdgf.exe
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\System\uLumOYy.exe
C:\Windows\System\uLumOYy.exe
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\System\EqIdqIU.exe
C:\Windows\System\EqIdqIU.exe
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System\kqaUUyd.exe
C:\Windows\System\kqaUUyd.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\TbYXDnH.exe
C:\Windows\System\TbYXDnH.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\System\xosoISu.exe
C:\Windows\System\xosoISu.exe
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\System\zUiPrXr.exe
C:\Windows\System\zUiPrXr.exe
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\System\xntVeBk.exe
C:\Windows\System\xntVeBk.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\OEzWFgR.exe
C:\Windows\System\OEzWFgR.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\vdrQvsN.exe
C:\Windows\System\vdrQvsN.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\PiUlOwD.exe
C:\Windows\System\PiUlOwD.exe
2⤵
- Executes dropped EXE
PID:1800

C:\Windows\System\opijzrt.exe
C:\Windows\System\opijzrt.exe
2⤵
- Executes dropped EXE
PID:396

C:\Windows\System\wHQNMLC.exe
C:\Windows\System\wHQNMLC.exe
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\System\jwLaXZV.exe
C:\Windows\System\jwLaXZV.exe
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\System\xpdUgjA.exe
C:\Windows\System\xpdUgjA.exe
2⤵
- Executes dropped EXE
PID:2156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EqIdqIU.exe

Filesize
5.2MB

MD5
d8d8b706065cd16c589adce0076246fa

SHA1
ee9a6b940ef52d885f66167d296abad9db78a8ec

SHA256
9413312738782a8a14f00d8292855ec0b834dd9ef0c7f133c85acb6c5f626a78

SHA512
c66876a44540310d7479946b415953b30dd9859328b9476ebc0e75ecc44b46c8c4010ab78bda7895b42576455048e19cd326359958ce531bbb80de2962e8ea5d

Download Submit
C:\Windows\system\GxOJBNY.exe

Filesize
5.2MB

MD5
e22bc7bc167eb9b700b76b5ae06f3010

SHA1
4201bc1b46ff296cf849c6102f8c9748a6637d6d

SHA256
be709705c87f306aa7eb936f580d5659bb2d90f6f956a4d9c71b36e7f00a3cb1

SHA512
e29a207b3d60a2c12a50aeffba7449e96944185a57b761b6849ef097d8979e184092e91b09d4005da958c4188c0cc85b0636bf4e1ebd8c07092daffb39dc4439

Download Submit
C:\Windows\system\RFIJdMh.exe

Filesize
5.2MB

MD5
16b56d5c410d900d164b40bcbe519d24

SHA1
d98ccde0b68d7cf1203cc4f6fc967233cb7fd398

SHA256
3169c3f5fcadb7e36cdd96290ebc188e3f8b158bd5f9ee93e1e8e2287f08d135

SHA512
07855ec9d7bcdcdcd176db25ed8d66adbba77f2ad63396c71efb0a26fb9ccf2fad06d58f5d72cef88d80e4af8a439fbb0422721ad14bed70e43b7bedeadac116

Download Submit
C:\Windows\system\TbYXDnH.exe

Filesize
5.2MB

MD5
26d133006c2a6d0af6b25085a7200591

SHA1
3d7d0b3af439d3547a7fafd1310ea973c583710c

SHA256
ad007174c5345dc7b818b2ef8bbcdc105146409b6764332365e960dacd2372c6

SHA512
b68160b73c74f4e83d14c6c9158c3e9256f91e4dac3ac1b3fff9cda4f94d214951c1a16af2c77b55b9539dfdec80a77b52ec8fa2f9ade0de239740e1b4455b29

Download Submit
C:\Windows\system\eaBvCXz.exe

Filesize
5.2MB

MD5
1b15c97e32831c8017a604f6a9ab001f

SHA1
ab134176f0bd4af76f6ea27b03e3cbe4d3345636

SHA256
2c9473b7e6647230cf9f9dd7c6a3abb0db91441a7a4efa81a928f95628ee3a92

SHA512
f265736417fa8b7a085d7974d7276c75a3a944713f7bf448e7f7be89708b02b73cd84ec214c3827f98894ae80ec8dcc7cf54022b3dfa4b20edfbdef0d63afbb4

Download Submit
C:\Windows\system\jwLaXZV.exe

Filesize
5.2MB

MD5
3448eecb64d33685006bb9b1f4bf7503

SHA1
8298b984ffedd9f2d657ee033307497d2b8464ad

SHA256
1e13c63cdf48d904afcbb2cda659002e647364505ec53b1048b6b706086ae75b

SHA512
1574c2dc4bf3eeb31064c3d1949f4a7539038ac59278436aad8f9d6c0293f476666a441ab4472f108d0231d24f57bf9794b7830a3eed381bb32871c6c73ea315

Download Submit
C:\Windows\system\kqaUUyd.exe

Filesize
5.2MB

MD5
1f61746a81c8c7d78558d3a93d81ef35

SHA1
0b2279878ab9c8eb4a94ca066104bc27b4cb148b

SHA256
e104819e946cd411446ecb0cd011f659b293b4fa64060651303b5cdee73757e7

SHA512
89490e25c000e3ed23f773838a71113ab74a77705ad258b8cff2d587dfa14c7bf244116719df91500984cf0c619913fcbc910b36849e1dcd3b0f416daad30a49

Download Submit
C:\Windows\system\opijzrt.exe

Filesize
5.2MB

MD5
d36f862ca555737050dd9b4f93e97458

SHA1
4fe024b04dfa589383e1eb483500eda239559921

SHA256
242f8975af9e9cc772ee812ed9cec2832d9a683166be17b2782f5ec26dfa4eaf

SHA512
fe0320777602c9ad4a27ea4156ad8b42c1820ceb8c335d1f061b0089d047ba1da6f1f0900b8e2c4a13643b4e2ffcff8b6d2d8b5f980407084a1815c8a68841b7

Download Submit
C:\Windows\system\uLumOYy.exe

Filesize
5.2MB

MD5
25512d2b661eedf2f3a2691f6d7eeed8

SHA1
804787a78d0bef244b5d2fcd6557935e33c232cd

SHA256
41dd3d5526472e7938c9923cb09b5daff45d5c48bb6ff5f03916ad0cb6ab5a24

SHA512
20c36a754f4fb48d3566730d7f7021589b168639d67d8595c8161bee061cb1a274ea01f05bb06a321a230d88207f286448a3b74e922a0ee1e5f4885c53a29fd8

Download Submit
C:\Windows\system\vdrQvsN.exe

Filesize
5.2MB

MD5
19f22c4b0d8765123e34f5b743cdf6f1

SHA1
e4114d5a4583e3dd69b372e82aedfe9c3527ee76

SHA256
a5c93c3d62ba74968e6c7e472b2ba020eb85b30af9aeee5340ef332a2e38394a

SHA512
dea1153b60c51a585a730641e47946286ae7d0daa3c402a2fb56e249932b13fad8968f0c2315bbfc992bdec3b0949a67ca3c5b15a2fbcb6c13808723a2b09d00

Download Submit
C:\Windows\system\wHQNMLC.exe

Filesize
5.2MB

MD5
7d6c7757d13a54e8150da775fbd9f189

SHA1
52ff2722bdb8ac2d1b6167ff3d1b79d8e28afd5f

SHA256
0ca42b27738d94d7421cb17494816a802c9254b4df4f5e8ae539cc4480d73221

SHA512
6937b4824380c0a385ccc6b9223aae828dbd453caf118abc74a45c716508292455551bf26a825af8a826708fc39103350f59649deaa99a5a95249f011fdbe502

Download Submit
C:\Windows\system\xntVeBk.exe

Filesize
5.2MB

MD5
ebf03068de9aa0a9c93f342a57a5e00d

SHA1
db7b3c7c6b25a50a7c02b625c9b56de661c32f72

SHA256
12d517447146c50a9dab21acf3458bd376c667a4834b9677c23d24f8eba2e848

SHA512
c856eb8d2776629921828941bdce8cd0d352253424180c1e3882fe60b127047d32243db559d0d9dee37cec1945195798e87697f50da3c833a23774e3feb3ca00

Download Submit
C:\Windows\system\xosoISu.exe

Filesize
5.2MB

MD5
bd7b77772af82791efb6ec809b2f8175

SHA1
937e06f4bb89a45dcf4889d59486015bf369b6fd

SHA256
c63c78083d5c0b217105dabd95c516607f0cff5c8f4addaa5d65cf637ad69e5f

SHA512
a38c52ebcba209e64627190300311e9f7b305a427574ac376b63289bede5fd5065636fd463ff0520ef398963f49c648610f9647705e88cb11b29dd2e93cc18ad

Download Submit
C:\Windows\system\xpdUgjA.exe

Filesize
5.2MB

MD5
37b2ccd395d942d3d72e0fab749a1f33

SHA1
e64b77cda38d6583443233d0483a2e1a4207c305

SHA256
e4a0d5c2fceb22679e5d76943fad0a8b043eeadd9130f86277a044bb86ce3ffb

SHA512
9c467cd8ef695a5faf6477e01717b428480ef2206a44ca3cf9e029dafeb906fbf2ce0aee9c2cda690aba3a1574e801d1a4b173ab881b8832b1b6eb3ec63b1748

Download Submit
C:\Windows\system\zDlYhyj.exe

Filesize
5.2MB

MD5
71df652231a83aa462baef10514a2e48

SHA1
2913d68de5ef8bcd1d98ce95000f95aab1ae991c

SHA256
54d4ff79132dcecf74652065da8c9cd843e526e0998effd5e428589581db0673

SHA512
3345660b3bd62d5265704bd4152a78bf8c88a866d44bd2d9a66677b6af8c6dedda3786b553a448a04e585f744998fc31e6d124d3c0e9f46b2cb3201b468dc57d

Download Submit
\Windows\system\BqPSZZj.exe

Filesize
5.2MB

MD5
dd7f62168b1940e02bd75ddaba3d7c5f

SHA1
0dc7a5feb8dbf2b9da26ba574a45ff9d94e5f151

SHA256
e43ae9552f3ab2b302c3be605428080beddb6d95e70edfaefb21cce8226c8618

SHA512
4c822b3dfe988b641d39831b9881a87c445c37ff0c97981cec326d9bb59878d1e57798362f4d5da8f30fd2c4f2fc59ee33bce6cf579ec9c935c7b8a40c37fb8b

Download Submit
\Windows\system\OEzWFgR.exe

Filesize
5.2MB

MD5
89b998288e29c603c1cb9f8fa377fe84

SHA1
7655f96968408fa9792acf5ef680342c699f2654

SHA256
6c17338ffa3f1916f96601eb8f212902eb51718dea13f0db3be06f4e555926b8

SHA512
08970bdfcfd893a9ef973863f106236c11eb5b4bc94fd69a1d4c79cc44beaab1875fbfb94a125983b449a39cdf841c475290fc383eccd15b86d8f171e32a8c75

Download Submit
\Windows\system\PiUlOwD.exe

Filesize
5.2MB

MD5
6a5f958d2536a869114c2380821fe6b0

SHA1
8b6ce36c3a02ccd8364d38866707b333293ba933

SHA256
2af8a2d5ad59b76bf2652b252c3f10386348a6746005e0af134103fae3ef1ea5

SHA512
e63c1960fa51fbe1456f8a61a69b857aee37b3f087d860df3b3bd20c9c512c042eeddb8cb56ce6150ea6598841a16c2c15be63976b1c287939ea01697cedee22

Download Submit
\Windows\system\YHsnymK.exe

Filesize
5.2MB

MD5
7b9d0ec56b01f904b5b84db583efbf1b

SHA1
920cc3e76354eed85c0c04e9c50080021d01f37c

SHA256
8c0aa7cb4fbd0732cf3267d05674284a08df3fbd3d526c95aec1b4b46e387a1d

SHA512
9f7c4f17fbfc0aefbb77c5e0f694f776770a6bfd10bb62cf7b1af97805f4bba619d587663e6ca326d9f7bc9ef1210b085eb91d89797a204c835d1f26ab6540af

Download Submit
\Windows\system\eDKtdgf.exe

Filesize
5.2MB

MD5
3c8e1cb898efda9979d650b998c7a164

SHA1
42b4396531149a1eeb618f2c0068c896ebc94837

SHA256
3d22986320e92844507de9bca5467dae932263fd2ff49cb229942224268e7332

SHA512
d3efabb994447abcbe9551976f374510d3fe84138d7a6f839d87a0c73c7554b227b9973a9d39b2f5def37b315f4d146faefdaf119f795575cbda16cc6d8cc1a5

Download Submit
\Windows\system\zUiPrXr.exe

Filesize
5.2MB

MD5
70a31e53f0074eaef631e5d34dc3fc81

SHA1
5fdf316dc0e0a5a0d3f7a9a59c1ff56993b4ef0d

SHA256
0966aaf080554da387034f90e72a014d410bb9c70860aa9f691b9a508a126eca

SHA512
c2711e1295652da21862867d1028f1fac796ff3ce8450051d7616b50e23888dc5e3dfad9a872da380c1242f6178f8a3df75149c205a5757dec4e4f416b383a10

Download Submit
memory/396-153-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/1588-154-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1620-123-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-31-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1620-117-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/1620-122-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/1620-25-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/1620-135-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-134-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/1620-0-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-49-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/1620-14-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/1620-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1620-41-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1620-56-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-121-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/1620-120-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1620-116-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/1620-29-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/1620-11-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/1800-152-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-66-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2124-233-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2124-143-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2156-156-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-155-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2308-95-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2308-236-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2396-148-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/2412-144-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2412-102-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2412-241-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2440-149-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/2500-145-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2500-237-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2500-76-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2516-51-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2516-231-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2516-142-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2568-128-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2568-204-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2568-12-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2588-34-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2588-208-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2620-33-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2620-206-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2652-151-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-150-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2688-210-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2688-42-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2688-141-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2788-220-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2788-140-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2788-36-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2868-146-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/3044-202-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/3044-129-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/3044-13-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download