cobaltstrike | 5705022d3bf360d3c0067f4450ed5c0bba4324294cc018498057c4ec8855b27a

Analysis

max time kernel
140s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

b67ee9c9e52b20b357a7b8a046b258c0
SHA1

c239963813ffbfe8ebbc08f3172424207acbfd63
SHA256

5705022d3bf360d3c0067f4450ed5c0bba4324294cc018498057c4ec8855b27a
SHA512

32f3c6d9b0a68bfdd6c4dba41a064f16b3cad3a66bfa1396f55265dc855e65ece2556a1872bbf0f62b29cee7648f69ee939744cb7e47307954a5afcc7152b3dc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibf56utgpPFotBER/mQ32lUr

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\VmoyYoE.exe	cobalt_reflective_dll
\Windows\system\hszsWzm.exe	cobalt_reflective_dll
C:\Windows\system\XuBonfg.exe	cobalt_reflective_dll
C:\Windows\system\KDSwHZn.exe	cobalt_reflective_dll
C:\Windows\system\wQXHlXE.exe	cobalt_reflective_dll
C:\Windows\system\Uewjkay.exe	cobalt_reflective_dll
\Windows\system\blHCjAM.exe	cobalt_reflective_dll
\Windows\system\xIdeIiR.exe	cobalt_reflective_dll
\Windows\system\JBuEjSS.exe	cobalt_reflective_dll
\Windows\system\nXfgepZ.exe	cobalt_reflective_dll
\Windows\system\EYWkbvT.exe	cobalt_reflective_dll
\Windows\system\cdToeHZ.exe	cobalt_reflective_dll
C:\Windows\system\hKXHoCH.exe	cobalt_reflective_dll
C:\Windows\system\BSxRZlA.exe	cobalt_reflective_dll
C:\Windows\system\QhaARjd.exe	cobalt_reflective_dll
\Windows\system\ifVMgie.exe	cobalt_reflective_dll
C:\Windows\system\PHxkXjJ.exe	cobalt_reflective_dll
C:\Windows\system\otJZwBo.exe	cobalt_reflective_dll
\Windows\system\ZkuNyUQ.exe	cobalt_reflective_dll
C:\Windows\system\RRThOmw.exe	cobalt_reflective_dll
C:\Windows\system\dYNosbX.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\VmoyYoE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hszsWzm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XuBonfg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KDSwHZn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wQXHlXE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\Uewjkay.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\blHCjAM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xIdeIiR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\JBuEjSS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\nXfgepZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\EYWkbvT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\cdToeHZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hKXHoCH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BSxRZlA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QhaARjd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ifVMgie.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PHxkXjJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\otJZwBo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ZkuNyUQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RRThOmw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dYNosbX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-0-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
\Windows\system\VmoyYoE.exe	UPX
behavioral1/memory/848-8-0x000000013F680000-0x000000013F9D1000-memory.dmp	UPX
\Windows\system\hszsWzm.exe	UPX
behavioral1/memory/2640-14-0x000000013FC20000-0x000000013FF71000-memory.dmp	UPX
C:\Windows\system\XuBonfg.exe	UPX
C:\Windows\system\KDSwHZn.exe	UPX
behavioral1/memory/2644-28-0x000000013F030000-0x000000013F381000-memory.dmp	UPX
behavioral1/memory/2568-27-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
C:\Windows\system\wQXHlXE.exe	UPX
behavioral1/memory/2616-35-0x000000013FE10000-0x0000000140161000-memory.dmp	UPX
C:\Windows\system\Uewjkay.exe	UPX
behavioral1/memory/2760-42-0x000000013F100000-0x000000013F451000-memory.dmp	UPX
\Windows\system\blHCjAM.exe	UPX
behavioral1/memory/2632-52-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
behavioral1/memory/1720-49-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
\Windows\system\xIdeIiR.exe	UPX
behavioral1/memory/2468-59-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
\Windows\system\JBuEjSS.exe	UPX
\Windows\system\nXfgepZ.exe	UPX
\Windows\system\EYWkbvT.exe	UPX
\Windows\system\cdToeHZ.exe	UPX
behavioral1/memory/2580-81-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/2900-85-0x000000013FDB0000-0x0000000140101000-memory.dmp	UPX
behavioral1/memory/2568-97-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/2708-96-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
behavioral1/memory/2908-94-0x000000013FC80000-0x000000013FFD1000-memory.dmp	UPX
behavioral1/memory/2640-93-0x000000013FC20000-0x000000013FF71000-memory.dmp	UPX
C:\Windows\system\hKXHoCH.exe	UPX
behavioral1/memory/1108-86-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	UPX
behavioral1/memory/848-70-0x000000013F680000-0x000000013F9D1000-memory.dmp	UPX
behavioral1/memory/1428-104-0x000000013F650000-0x000000013F9A1000-memory.dmp	UPX
C:\Windows\system\BSxRZlA.exe	UPX
C:\Windows\system\QhaARjd.exe	UPX
\Windows\system\ifVMgie.exe	UPX
behavioral1/memory/2616-115-0x000000013FE10000-0x0000000140161000-memory.dmp	UPX
C:\Windows\system\PHxkXjJ.exe	UPX
C:\Windows\system\otJZwBo.exe	UPX
\Windows\system\ZkuNyUQ.exe	UPX
C:\Windows\system\RRThOmw.exe	UPX
C:\Windows\system\dYNosbX.exe	UPX
behavioral1/memory/2760-142-0x000000013F100000-0x000000013F451000-memory.dmp	UPX
behavioral1/memory/1720-143-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
behavioral1/memory/2900-153-0x000000013FDB0000-0x0000000140101000-memory.dmp	UPX
behavioral1/memory/2580-152-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/472-160-0x000000013FBB0000-0x000000013FF01000-memory.dmp	UPX
behavioral1/memory/1652-159-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
behavioral1/memory/2012-165-0x000000013F850000-0x000000013FBA1000-memory.dmp	UPX
behavioral1/memory/2732-164-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
behavioral1/memory/560-163-0x000000013FDE0000-0x0000000140131000-memory.dmp	UPX
behavioral1/memory/2432-161-0x000000013FB60000-0x000000013FEB1000-memory.dmp	UPX
behavioral1/memory/1984-162-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
behavioral1/memory/1720-167-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
behavioral1/memory/848-213-0x000000013F680000-0x000000013F9D1000-memory.dmp	UPX
behavioral1/memory/2640-215-0x000000013FC20000-0x000000013FF71000-memory.dmp	UPX
behavioral1/memory/2644-218-0x000000013F030000-0x000000013F381000-memory.dmp	UPX
behavioral1/memory/2568-219-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/2616-226-0x000000013FE10000-0x0000000140161000-memory.dmp	UPX
behavioral1/memory/2760-228-0x000000013F100000-0x000000013F451000-memory.dmp	UPX
behavioral1/memory/2632-230-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
behavioral1/memory/2468-232-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/2580-234-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/2900-238-0x000000013FDB0000-0x0000000140101000-memory.dmp	UPX
behavioral1/memory/1108-237-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	UPX

XMRig Miner payload 41 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2644-28-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2632-52-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/1720-49-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2468-59-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1720-82-0x000000013FDB0000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/2580-81-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/1720-78-0x0000000002400000-0x0000000002751000-memory.dmp	xmrig
behavioral1/memory/2568-97-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2708-96-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2908-94-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2640-93-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/1108-86-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/848-70-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/1428-104-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2616-115-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2760-142-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/1720-143-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2900-153-0x000000013FDB0000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/2580-152-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/472-160-0x000000013FBB0000-0x000000013FF01000-memory.dmp	xmrig
behavioral1/memory/1652-159-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2012-165-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2732-164-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/560-163-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2432-161-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/1984-162-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/1720-167-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/848-213-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2640-215-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2644-218-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2568-219-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2616-226-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2760-228-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2632-230-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2468-232-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2580-234-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2900-238-0x000000013FDB0000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/1108-237-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2908-240-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2708-242-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/1428-244-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

VmoyYoE.exehszsWzm.exeXuBonfg.exeKDSwHZn.exewQXHlXE.exeUewjkay.exeblHCjAM.exexIdeIiR.exeJBuEjSS.exeEYWkbvT.exenXfgepZ.exehKXHoCH.execdToeHZ.exeBSxRZlA.exeQhaARjd.exeifVMgie.exePHxkXjJ.exeotJZwBo.exedYNosbX.exeRRThOmw.exeZkuNyUQ.exe

pid	process
848	VmoyYoE.exe
2640	hszsWzm.exe
2568	XuBonfg.exe
2644	KDSwHZn.exe
2616	wQXHlXE.exe
2760	Uewjkay.exe
2632	blHCjAM.exe
2468	xIdeIiR.exe
2580	JBuEjSS.exe
2900	EYWkbvT.exe
1108	nXfgepZ.exe
2908	hKXHoCH.exe
2708	cdToeHZ.exe
1428	BSxRZlA.exe
1652	QhaARjd.exe
472	ifVMgie.exe
2432	PHxkXjJ.exe
1984	otJZwBo.exe
560	dYNosbX.exe
2732	RRThOmw.exe
2012	ZkuNyUQ.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe

pid	process
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1720-0-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
\Windows\system\VmoyYoE.exe	upx
behavioral1/memory/848-8-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
\Windows\system\hszsWzm.exe	upx
behavioral1/memory/2640-14-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
C:\Windows\system\XuBonfg.exe	upx
C:\Windows\system\KDSwHZn.exe	upx
behavioral1/memory/2644-28-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/2568-27-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
C:\Windows\system\wQXHlXE.exe	upx
behavioral1/memory/2616-35-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
C:\Windows\system\Uewjkay.exe	upx
behavioral1/memory/2760-42-0x000000013F100000-0x000000013F451000-memory.dmp	upx
\Windows\system\blHCjAM.exe	upx
behavioral1/memory/2632-52-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/1720-49-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
\Windows\system\xIdeIiR.exe	upx
behavioral1/memory/2468-59-0x000000013F620000-0x000000013F971000-memory.dmp	upx
\Windows\system\JBuEjSS.exe	upx
\Windows\system\nXfgepZ.exe	upx
\Windows\system\EYWkbvT.exe	upx
\Windows\system\cdToeHZ.exe	upx
behavioral1/memory/2580-81-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2900-85-0x000000013FDB0000-0x0000000140101000-memory.dmp	upx
behavioral1/memory/2568-97-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2708-96-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2908-94-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2640-93-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
C:\Windows\system\hKXHoCH.exe	upx
behavioral1/memory/1108-86-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/848-70-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/1428-104-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
C:\Windows\system\BSxRZlA.exe	upx
C:\Windows\system\QhaARjd.exe	upx
\Windows\system\ifVMgie.exe	upx
behavioral1/memory/2616-115-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
C:\Windows\system\PHxkXjJ.exe	upx
C:\Windows\system\otJZwBo.exe	upx
\Windows\system\ZkuNyUQ.exe	upx
C:\Windows\system\RRThOmw.exe	upx
C:\Windows\system\dYNosbX.exe	upx
behavioral1/memory/2760-142-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/1720-143-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2900-153-0x000000013FDB0000-0x0000000140101000-memory.dmp	upx
behavioral1/memory/2580-152-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/472-160-0x000000013FBB0000-0x000000013FF01000-memory.dmp	upx
behavioral1/memory/1652-159-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/2012-165-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/memory/2732-164-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/560-163-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2432-161-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/1984-162-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/1720-167-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/848-213-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2640-215-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/memory/2644-218-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/2568-219-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2616-226-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/2760-228-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2632-230-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/2468-232-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2580-234-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2900-238-0x000000013FDB0000-0x0000000140101000-memory.dmp	upx
behavioral1/memory/1108-237-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\PHxkXjJ.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dYNosbX.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RRThOmw.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JBuEjSS.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BSxRZlA.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hKXHoCH.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\otJZwBo.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VmoyYoE.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XuBonfg.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xIdeIiR.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nXfgepZ.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cdToeHZ.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QhaARjd.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZkuNyUQ.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wQXHlXE.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Uewjkay.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\blHCjAM.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EYWkbvT.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ifVMgie.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hszsWzm.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KDSwHZn.exe	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1720 wrote to memory of 848	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	VmoyYoE.exe
PID 1720 wrote to memory of 848	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	VmoyYoE.exe
PID 1720 wrote to memory of 848	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	VmoyYoE.exe
PID 1720 wrote to memory of 2640	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	hszsWzm.exe
PID 1720 wrote to memory of 2640	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	hszsWzm.exe
PID 1720 wrote to memory of 2640	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	hszsWzm.exe
PID 1720 wrote to memory of 2568	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	XuBonfg.exe
PID 1720 wrote to memory of 2568	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	XuBonfg.exe
PID 1720 wrote to memory of 2568	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	XuBonfg.exe
PID 1720 wrote to memory of 2644	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	KDSwHZn.exe
PID 1720 wrote to memory of 2644	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	KDSwHZn.exe
PID 1720 wrote to memory of 2644	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	KDSwHZn.exe
PID 1720 wrote to memory of 2616	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	wQXHlXE.exe
PID 1720 wrote to memory of 2616	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	wQXHlXE.exe
PID 1720 wrote to memory of 2616	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	wQXHlXE.exe
PID 1720 wrote to memory of 2760	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	Uewjkay.exe
PID 1720 wrote to memory of 2760	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	Uewjkay.exe
PID 1720 wrote to memory of 2760	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	Uewjkay.exe
PID 1720 wrote to memory of 2632	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	blHCjAM.exe
PID 1720 wrote to memory of 2632	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	blHCjAM.exe
PID 1720 wrote to memory of 2632	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	blHCjAM.exe
PID 1720 wrote to memory of 2468	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	xIdeIiR.exe
PID 1720 wrote to memory of 2468	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	xIdeIiR.exe
PID 1720 wrote to memory of 2468	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	xIdeIiR.exe
PID 1720 wrote to memory of 2580	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	JBuEjSS.exe
PID 1720 wrote to memory of 2580	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	JBuEjSS.exe
PID 1720 wrote to memory of 2580	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	JBuEjSS.exe
PID 1720 wrote to memory of 2900	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	EYWkbvT.exe
PID 1720 wrote to memory of 2900	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	EYWkbvT.exe
PID 1720 wrote to memory of 2900	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	EYWkbvT.exe
PID 1720 wrote to memory of 2908	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	hKXHoCH.exe
PID 1720 wrote to memory of 2908	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	hKXHoCH.exe
PID 1720 wrote to memory of 2908	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	hKXHoCH.exe
PID 1720 wrote to memory of 1108	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	nXfgepZ.exe
PID 1720 wrote to memory of 1108	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	nXfgepZ.exe
PID 1720 wrote to memory of 1108	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	nXfgepZ.exe
PID 1720 wrote to memory of 2708	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	cdToeHZ.exe
PID 1720 wrote to memory of 2708	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	cdToeHZ.exe
PID 1720 wrote to memory of 2708	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	cdToeHZ.exe
PID 1720 wrote to memory of 1428	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	BSxRZlA.exe
PID 1720 wrote to memory of 1428	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	BSxRZlA.exe
PID 1720 wrote to memory of 1428	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	BSxRZlA.exe
PID 1720 wrote to memory of 1652	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	QhaARjd.exe
PID 1720 wrote to memory of 1652	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	QhaARjd.exe
PID 1720 wrote to memory of 1652	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	QhaARjd.exe
PID 1720 wrote to memory of 472	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	ifVMgie.exe
PID 1720 wrote to memory of 472	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	ifVMgie.exe
PID 1720 wrote to memory of 472	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	ifVMgie.exe
PID 1720 wrote to memory of 2432	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	PHxkXjJ.exe
PID 1720 wrote to memory of 2432	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	PHxkXjJ.exe
PID 1720 wrote to memory of 2432	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	PHxkXjJ.exe
PID 1720 wrote to memory of 1984	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	otJZwBo.exe
PID 1720 wrote to memory of 1984	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	otJZwBo.exe
PID 1720 wrote to memory of 1984	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	otJZwBo.exe
PID 1720 wrote to memory of 560	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	dYNosbX.exe
PID 1720 wrote to memory of 560	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	dYNosbX.exe
PID 1720 wrote to memory of 560	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	dYNosbX.exe
PID 1720 wrote to memory of 2732	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	RRThOmw.exe
PID 1720 wrote to memory of 2732	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	RRThOmw.exe
PID 1720 wrote to memory of 2732	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	RRThOmw.exe
PID 1720 wrote to memory of 2012	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	ZkuNyUQ.exe
PID 1720 wrote to memory of 2012	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	ZkuNyUQ.exe
PID 1720 wrote to memory of 2012	1720	2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe	ZkuNyUQ.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_b67ee9c9e52b20b357a7b8a046b258c0_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\System\VmoyYoE.exe
C:\Windows\System\VmoyYoE.exe
2⤵
- Executes dropped EXE
PID:848

C:\Windows\System\hszsWzm.exe
C:\Windows\System\hszsWzm.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\XuBonfg.exe
C:\Windows\System\XuBonfg.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\KDSwHZn.exe
C:\Windows\System\KDSwHZn.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\wQXHlXE.exe
C:\Windows\System\wQXHlXE.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\Uewjkay.exe
C:\Windows\System\Uewjkay.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\blHCjAM.exe
C:\Windows\System\blHCjAM.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\xIdeIiR.exe
C:\Windows\System\xIdeIiR.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\JBuEjSS.exe
C:\Windows\System\JBuEjSS.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\System\EYWkbvT.exe
C:\Windows\System\EYWkbvT.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\hKXHoCH.exe
C:\Windows\System\hKXHoCH.exe
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\System\nXfgepZ.exe
C:\Windows\System\nXfgepZ.exe
2⤵
- Executes dropped EXE
PID:1108

C:\Windows\System\cdToeHZ.exe
C:\Windows\System\cdToeHZ.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\BSxRZlA.exe
C:\Windows\System\BSxRZlA.exe
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\System\QhaARjd.exe
C:\Windows\System\QhaARjd.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\System\ifVMgie.exe
C:\Windows\System\ifVMgie.exe
2⤵
- Executes dropped EXE
PID:472

C:\Windows\System\PHxkXjJ.exe
C:\Windows\System\PHxkXjJ.exe
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\System\otJZwBo.exe
C:\Windows\System\otJZwBo.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\dYNosbX.exe
C:\Windows\System\dYNosbX.exe
2⤵
- Executes dropped EXE
PID:560

C:\Windows\System\RRThOmw.exe
C:\Windows\System\RRThOmw.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\ZkuNyUQ.exe
C:\Windows\System\ZkuNyUQ.exe
2⤵
- Executes dropped EXE
PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BSxRZlA.exe

Filesize
5.2MB

MD5
8192b88de95461773e345e8cae521566

SHA1
debfe3b5171056dbfa0d1800bc9605802878a9f7

SHA256
7edf149975515bd27414dfbe3766e02fc70ab67b72a17591fcd4b5da125bd124

SHA512
672410901aeb1a6961e17cd470c5099fa245b6c6d024e1175630acbed3c52b72b058fe4902858fe00fd963651d8786870f9f1ed52b3eaded25c89a353c03771f

Download Submit
C:\Windows\system\KDSwHZn.exe

Filesize
5.2MB

MD5
659bc8c715b9447210bc0212048331f2

SHA1
0152b261711de6b0bab7d1e9adf3198bc77fab0a

SHA256
95c976dd3544fdef6a7eee5615cc5540165c43bfdbb5dde757e08606a1ba58c9

SHA512
c6f10da711153beb67af65921653824ceb71c30fe2b78d4be6164ddaff3f08ecfbb8d4e773f70a8af2f93131f145970efcf4dc9d6ede7ccf3c87c150da383d90

Download Submit
C:\Windows\system\PHxkXjJ.exe

Filesize
5.2MB

MD5
77022a9445cf58fc879d3b94d221b867

SHA1
bd83df18d71ace0aa0d014e6817278bf101af76e

SHA256
1ca46cc9197a461260e85cfef62fb494a28f7c9df3cb0ec282f2fcfd3c863a83

SHA512
e95c8ff8e74c56bb7f7482e2f338a792b02ad81edcfe53c99a13f946a6e0cdb6b38016ef949a87bc4dd2943a8bde7ebd14e9577135aa606e49b76cdacd85036b

Download Submit
C:\Windows\system\QhaARjd.exe

Filesize
5.2MB

MD5
b9b162eb12ccb651190cdcc5ba0d704d

SHA1
b875a2107309a4e5e1f27d694840a87a3836bc33

SHA256
54348aa2b75202be2cf255d3d7ad36efb57cbe7eb80624671374d30f4ce8f3e1

SHA512
7ddd268c56a5bf03d9b05bd953530f1beccc80315870930bf0ccdc22a84d28f6f4b2fddaf52644aeae9bfa7aaf0ca58893cd0c985d76651df4bddfecd304eba3

Download Submit
C:\Windows\system\RRThOmw.exe

Filesize
5.2MB

MD5
e6f09e1e14806c827b3220a8590af73a

SHA1
02aafc61d5a7c2c2f769eb15f1260e36afe69917

SHA256
78bb2246ea97650d638c904bdf13f3f2e3976fe7515e93e41bb985a9dd2985ea

SHA512
4fd01838609d258b4e340579057bc4c07d86a7e512740023b382163698a8b00a86dff12eb8b8e569350bdff6f200122eb680a90daeb37469e61335cd383bb16a

Download Submit
C:\Windows\system\Uewjkay.exe

Filesize
5.2MB

MD5
6466506e38c643e09e07c50ad8a14a0f

SHA1
a3221f729bf46724684bfe5e164c1bdf780a6e3f

SHA256
34a8de4e16c0e0047f964aecacd600983ce0663b9f036f641c515707a06d9266

SHA512
207b4c98e0a56d519abd8835dc55ff9368884705d8f342e9b0c8f5fd87b7be197524840bdd3719ccd8bf6efe4816144c717528d81f575525fb5a9fb476acf0ea

Download Submit
C:\Windows\system\XuBonfg.exe

Filesize
5.2MB

MD5
15bcdf449c495c7df67771447951df68

SHA1
ffac62cae0d75b940dbcdfb8b8089673dba3bb6e

SHA256
10fb461a39437220906f64059c173ff928f2949478dbbca5ede0405f38c2f6dd

SHA512
780d189d4e255aef7c34a4e2a7cf40abb37dfce9f2758730249a46cd445a3d79712e571bac4fe3c6641fa3bfe29b664d2c66eca04ab5b7e0e0dfcdb1692e7bd7

Download Submit
C:\Windows\system\dYNosbX.exe

Filesize
5.2MB

MD5
1a4db1b9db59c29bf541f4bd01ec25a2

SHA1
459eebc149b139af2676a89d9e8906971488fb25

SHA256
460f6c571b12f284b6b736def24355aea331f63b6cdebea704dbacd125a976e4

SHA512
cc3baa1bf3333893cbcadbc7605c961a7e890681053b1eb83416e2bc089e0ba351c51c2725876f812e604c6cac7f07d6cd911e078ff4a47a0bc13268c338f79b

Download Submit
C:\Windows\system\hKXHoCH.exe

Filesize
5.2MB

MD5
cab245efaf89354687c69cba44e93ef3

SHA1
0319498005790a1952d83844d157f29413af7d1d

SHA256
c0d03239c88167ef341f3bf983b2f494b50d632c798041fa0b6a42c15ea1a4c4

SHA512
250900238bce5be68f22e593a8f92e6ae2031364500c91abdeb5a3c9d742a3d5fa19ef1db7df1661ce9457bbf44888a36ca19c12e81753908c3fbe0117cf2279

Download Submit
C:\Windows\system\otJZwBo.exe

Filesize
5.2MB

MD5
079329715e88313e3150da43f73651e0

SHA1
ed5c054acd896d0aabca8fe6e272dfa12c763de3

SHA256
80997c5403b6cfbc0276b3085ada7961fcfe880a5746c33a700cdf752f63153c

SHA512
4c7fe3aacce634a00e7531fd763fa1d3542945012b3bc32d52c6b9075aa5673d809a17d0148513e3daabc05adbca2c2f7ec1959ec14c6ec1e0cd9ae9c4a9e85e

Download Submit
C:\Windows\system\wQXHlXE.exe

Filesize
5.2MB

MD5
50623b3d4c46c91519cccfd51e11997a

SHA1
b0795f5de4449142d2782810be3d9677ec389f64

SHA256
8d45a6a2051faf0191d8186c8a851d8376dbf9e36ec6b3b410cb99e9bd820345

SHA512
ed376e36199f0b9ce2110f5eab30fcacb74d5a1076ff0deb6f5bacaebfe370e1027cf55f6744e821642a3fc4545c7c63f82fbd460874cfbcd75b4eb86c625b25

Download Submit
\Windows\system\EYWkbvT.exe

Filesize
5.2MB

MD5
497c9e37466ce9b1b5b9b9274323feba

SHA1
47025f0dc267d31ddfe056eeb02a9cbf641e3792

SHA256
84a1a5d1f1118f3c96d7ae5b41c4a1a9b54d3d7f1bbb1c3e845fc9f1e0a39017

SHA512
364a51b768f656f1c55995a71b6204c19c9da027e927f9774a5a77cf223a323ffe90c58d68c85289fb8b0c2f7f4f1b074e32b2b37336597688bb5d0e3c91fee1

Download Submit
\Windows\system\JBuEjSS.exe

Filesize
5.2MB

MD5
28e99390b52bf26983d2a7e013d6db3a

SHA1
ba605502974f9edec0d02039ac4955214a37ca1f

SHA256
a08f58be25b5b602c49ad7c74e08e62eb8c42c85ec8240b6ef3aea9c6c76bc18

SHA512
75c5fdfa6bf2267bd30f7857b90cd6e41178b84795ba21afa1dfb957fbe8b3fb365be5f20c22e08bddd86ce3007fd36864b47d1b901c65d15272bb841b049186

Download Submit
\Windows\system\VmoyYoE.exe

Filesize
5.2MB

MD5
105b59e560ef6e60fab7ae63ae35e26c

SHA1
d5dcaa5cee0a880bae11768e942709c6dc5e02a2

SHA256
4906abfaa4516a8e9245fdb5616c8b305d243eb0ce81fd159fa9898d22063f6a

SHA512
6cdf3d2094bcc953d684ed85ccc2a17c265ff6a5257a3c3a1106337f4fe5385e35171049866ac51f96634bddaca07ba1f7666119af7e327db7bffe99e935e7d9

Download Submit
\Windows\system\ZkuNyUQ.exe

Filesize
5.2MB

MD5
f10b29ec1abc38caa5e195e6a98bb01b

SHA1
8d4c9d79856f5d85954d29eea67d8b6d107e246f

SHA256
53d34dba0f7c25d834b69f0548b3add246fc59abdb100f057e419b0ec94a26f4

SHA512
020871188669e631fa14904085c17679a81cccd3032d4289eb0fb81b2f39239647fdb592caac8e07a9a0425915c82217a1ac653fab8390f3ca3276153c39eb42

Download Submit
\Windows\system\blHCjAM.exe

Filesize
5.2MB

MD5
d8afeecd567fba45aa63b38de18e2781

SHA1
ddd76d1e70cee0c42bbe2ed8998e49e2ed01ca1b

SHA256
64c19009a06eadae79657fd4552b9f3b6eb27da0dff01df4a44dc1a47789d9ea

SHA512
a987ccc928276e5c9f0443cb0390340e197c54b737a1e30d74e33a4532878ae85b80eb464617f72e6721b7d847e6ce0793bcca3bc487fffedf4fc42e4d7efde0

Download Submit
\Windows\system\cdToeHZ.exe

Filesize
5.2MB

MD5
af800fed761579bc409664ffeb2e9549

SHA1
4565c7fed582a0c1de63c86562ea443094f2fa84

SHA256
beb256ce8fb1292cf72192502eb41f423672558a2190c0923d71528c6962a028

SHA512
f60d515558cd2a7905a454ecb607b312b0c702ce45024c8dc5d2d4d114e37555e3fe4bc63ad3d31353f6468be4868f0dee20ae3cbf75624281108ceb1aba12f6

Download Submit
\Windows\system\hszsWzm.exe

Filesize
5.2MB

MD5
6d6886b065d2c4c7058e3b2b0bc9fb51

SHA1
6f75a6ab1657c91b180e4577be03f28b25c92ed3

SHA256
30aacb4ed9e4a1bb17f2cae6a2974a4a68227aa2a074f0c57f122ee82bff64d8

SHA512
0058d0c5e255273454fb45ee67fa81190af209c67fee50001b304328416082041a2bf0705c9f22929cdff9676750c237ff0be5c76aa93295539fc0e0168fa816

Download Submit
\Windows\system\ifVMgie.exe

Filesize
5.2MB

MD5
470cd4ecd0746805dbd474ba80e5eaa0

SHA1
b97277e70500613109c7978b44eb4c768d1ff9f5

SHA256
704c70119a93b946cba97c25fe056ea3a831840377dc03d16ddb743c2d985cd3

SHA512
087a3c3119b2c27b6ab7215995d0797db0d610067738b02010eeb4501c865c059f8bb667b75d05394ef037fa452f4a69466e2245afbecc44a6199695474c21ed

Download Submit
\Windows\system\nXfgepZ.exe

Filesize
5.2MB

MD5
f5ddaf730bf97e033f212affe310da3b

SHA1
50bba397741b7cba3a7040f7094f578c6ee76caf

SHA256
ad2161d4232677636b6de73c5ccf41cdf69decc8d345bd1ac2eae19d23297bd2

SHA512
63291bda2b653889b579156872e8f7af4b7e4b45875d59e4e2bb85ae1edf13d22026fa6043bf3e78cecd936316c1d6319f41266aaf47266c0ef7c14bff51043b

Download Submit
\Windows\system\xIdeIiR.exe

Filesize
5.2MB

MD5
121f6561c01b580eae9952eb66f7e5bc

SHA1
48b873c3bb2b34daa126548aa580d7206e315199

SHA256
ea60d94d45db7829c2a33778a30692c041b1657a5b935d08fac18c0a5fb0ce8d

SHA512
99bc329ad921945278fda9cdd2e2006688553a8e0717e84078c9e865288fe2218e154263502e834120261469809d7429362975096169efe8e8683223538f2436

Download Submit
memory/472-160-0x000000013FBB0000-0x000000013FF01000-memory.dmp

Filesize
3.3MB

Download
memory/560-163-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/848-8-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/848-70-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/848-213-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-86-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-237-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-244-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-104-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-159-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1720-51-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/1720-143-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1720-78-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/1720-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1720-12-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/1720-189-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1720-167-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1720-166-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1720-91-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/1720-82-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/1720-88-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/1720-87-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1720-29-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/1720-58-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/1720-49-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1720-103-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/1720-0-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1720-158-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/1720-47-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1720-116-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1720-141-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/1720-24-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/1720-40-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/1720-34-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/1984-162-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2012-165-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-161-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-232-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2468-59-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2568-27-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2568-97-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2568-219-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2580-234-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2580-152-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2580-81-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2616-35-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2616-226-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2616-115-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2632-230-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2632-52-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2640-14-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2640-215-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2640-93-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2644-218-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2644-28-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2708-242-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2708-96-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2732-164-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-228-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2760-142-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2760-42-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2900-153-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2900-238-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2900-85-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2908-240-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-94-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download