cobaltstrike | 574c6d3b5cea7d2f0af6791479beebcc6c60a97612406194cda323e1db57b886

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
Size

6.0MB
MD5

1bd1993d453a7559ac5d323965f0aefe
SHA1

e30df4d0a2c59e59058b4295e628b71073a09530
SHA256

574c6d3b5cea7d2f0af6791479beebcc6c60a97612406194cda323e1db57b886
SHA512

10a8462641322b258a81659130e95060a696c87bf31a8e76195ce3b64447a665f0f8c4ec586d18114a6279b179ae040a420b57c8bc75e3fdf5c19949ca863fa1
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lUp:E+v56utgpPF8u/7p

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\JBsMXJq.exe	cobalt_reflective_dll
\Windows\system\weBPefw.exe	cobalt_reflective_dll
C:\Windows\system\tfsBVHO.exe	cobalt_reflective_dll
\Windows\system\DUdAUNy.exe	cobalt_reflective_dll
\Windows\system\oHeGEvK.exe	cobalt_reflective_dll
\Windows\system\DZgMZkZ.exe	cobalt_reflective_dll
C:\Windows\system\ClQmGsE.exe	cobalt_reflective_dll
\Windows\system\vpTZSLw.exe	cobalt_reflective_dll
C:\Windows\system\dnBNtfF.exe	cobalt_reflective_dll
C:\Windows\system\DXJwIpX.exe	cobalt_reflective_dll
C:\Windows\system\vbabzhr.exe	cobalt_reflective_dll
C:\Windows\system\ZYSwpbB.exe	cobalt_reflective_dll
C:\Windows\system\bCMiSNl.exe	cobalt_reflective_dll
C:\Windows\system\UXhFlEp.exe	cobalt_reflective_dll
C:\Windows\system\kiNChYr.exe	cobalt_reflective_dll
C:\Windows\system\GurIhnW.exe	cobalt_reflective_dll
C:\Windows\system\jeYwyzn.exe	cobalt_reflective_dll
C:\Windows\system\ZXsVozg.exe	cobalt_reflective_dll
C:\Windows\system\XeEhKuy.exe	cobalt_reflective_dll
C:\Windows\system\LiTQqji.exe	cobalt_reflective_dll
C:\Windows\system\jxPKwbv.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\JBsMXJq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\weBPefw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tfsBVHO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DUdAUNy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oHeGEvK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DZgMZkZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ClQmGsE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\vpTZSLw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dnBNtfF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DXJwIpX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vbabzhr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZYSwpbB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bCMiSNl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UXhFlEp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kiNChYr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GurIhnW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jeYwyzn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZXsVozg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XeEhKuy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LiTQqji.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jxPKwbv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 59 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-1-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
\Windows\system\JBsMXJq.exe	UPX
behavioral1/memory/2980-6-0x000000013F200000-0x000000013F554000-memory.dmp	UPX
\Windows\system\weBPefw.exe	UPX
behavioral1/memory/2796-13-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
C:\Windows\system\tfsBVHO.exe	UPX
\Windows\system\DUdAUNy.exe	UPX
\Windows\system\oHeGEvK.exe	UPX
\Windows\system\DZgMZkZ.exe	UPX
behavioral1/memory/2364-90-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX
behavioral1/memory/3036-96-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
C:\Windows\system\ClQmGsE.exe	UPX
\Windows\system\vpTZSLw.exe	UPX
C:\Windows\system\dnBNtfF.exe	UPX
C:\Windows\system\DXJwIpX.exe	UPX
C:\Windows\system\vbabzhr.exe	UPX
C:\Windows\system\ZYSwpbB.exe	UPX
behavioral1/memory/2796-133-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
C:\Windows\system\bCMiSNl.exe	UPX
behavioral1/memory/2564-89-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
C:\Windows\system\UXhFlEp.exe	UPX
C:\Windows\system\kiNChYr.exe	UPX
behavioral1/memory/2760-85-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2764-84-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/2664-83-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
C:\Windows\system\GurIhnW.exe	UPX
behavioral1/memory/1804-95-0x000000013F200000-0x000000013F554000-memory.dmp	UPX
C:\Windows\system\jeYwyzn.exe	UPX
C:\Windows\system\ZXsVozg.exe	UPX
behavioral1/memory/2980-75-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
behavioral1/memory/1820-134-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
behavioral1/memory/3016-74-0x000000013F790000-0x000000013FAE4000-memory.dmp	UPX
behavioral1/memory/2524-71-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2752-60-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
C:\Windows\system\XeEhKuy.exe	UPX
C:\Windows\system\LiTQqji.exe	UPX
behavioral1/memory/1820-28-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
behavioral1/memory/2924-42-0x000000013FF60000-0x00000001402B4000-memory.dmp	UPX
behavioral1/memory/2740-39-0x000000013F160000-0x000000013F4B4000-memory.dmp	UPX
C:\Windows\system\jxPKwbv.exe	UPX
behavioral1/memory/2752-136-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2524-137-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/3016-139-0x000000013F790000-0x000000013FAE4000-memory.dmp	UPX
behavioral1/memory/2364-140-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX
behavioral1/memory/3036-141-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/1804-142-0x000000013F200000-0x000000013F554000-memory.dmp	UPX
behavioral1/memory/2796-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2740-144-0x000000013F160000-0x000000013F4B4000-memory.dmp	UPX
behavioral1/memory/2924-146-0x000000013FF60000-0x00000001402B4000-memory.dmp	UPX
behavioral1/memory/1820-145-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
behavioral1/memory/2752-147-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2524-148-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/3016-149-0x000000013F790000-0x000000013FAE4000-memory.dmp	UPX
behavioral1/memory/2564-150-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2760-151-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2664-152-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/3036-153-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2764-154-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/2364-155-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX

XMRig Miner payload 62 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2980-1-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
\Windows\system\JBsMXJq.exe	xmrig
behavioral1/memory/2980-6-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
\Windows\system\weBPefw.exe	xmrig
behavioral1/memory/2796-13-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
C:\Windows\system\tfsBVHO.exe	xmrig
\Windows\system\DUdAUNy.exe	xmrig
\Windows\system\oHeGEvK.exe	xmrig
\Windows\system\DZgMZkZ.exe	xmrig
behavioral1/memory/2364-90-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/3036-96-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
C:\Windows\system\ClQmGsE.exe	xmrig
\Windows\system\vpTZSLw.exe	xmrig
C:\Windows\system\dnBNtfF.exe	xmrig
C:\Windows\system\DXJwIpX.exe	xmrig
C:\Windows\system\vbabzhr.exe	xmrig
C:\Windows\system\ZYSwpbB.exe	xmrig
behavioral1/memory/2796-133-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
C:\Windows\system\bCMiSNl.exe	xmrig
behavioral1/memory/2564-89-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
C:\Windows\system\UXhFlEp.exe	xmrig
C:\Windows\system\kiNChYr.exe	xmrig
behavioral1/memory/2760-85-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2764-84-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2664-83-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
C:\Windows\system\GurIhnW.exe	xmrig
behavioral1/memory/1804-95-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
C:\Windows\system\jeYwyzn.exe	xmrig
C:\Windows\system\ZXsVozg.exe	xmrig
behavioral1/memory/2980-75-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/1820-134-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/3016-74-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/memory/2980-72-0x0000000002510000-0x0000000002864000-memory.dmp	xmrig
behavioral1/memory/2524-71-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2752-60-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
C:\Windows\system\XeEhKuy.exe	xmrig
C:\Windows\system\LiTQqji.exe	xmrig
behavioral1/memory/1820-28-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2980-44-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2924-42-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2740-39-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/memory/2980-31-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
C:\Windows\system\jxPKwbv.exe	xmrig
behavioral1/memory/2752-136-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2524-137-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/3016-139-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/memory/2364-140-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/3036-141-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/1804-142-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/2796-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2740-144-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/memory/2924-146-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/1820-145-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2752-147-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2524-148-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/3016-149-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/memory/2564-150-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2760-151-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2664-152-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/3036-153-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2764-154-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2364-155-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

JBsMXJq.exeweBPefw.exetfsBVHO.exejxPKwbv.exeLiTQqji.exeXeEhKuy.exeoHeGEvK.exeDUdAUNy.exeZXsVozg.exeGurIhnW.exeDZgMZkZ.exekiNChYr.exeUXhFlEp.exejeYwyzn.exebCMiSNl.exeZYSwpbB.exevbabzhr.exeDXJwIpX.exednBNtfF.exeClQmGsE.exevpTZSLw.exe

pid	process
1804	JBsMXJq.exe
2796	weBPefw.exe
1820	tfsBVHO.exe
2740	jxPKwbv.exe
2924	LiTQqji.exe
2752	XeEhKuy.exe
2524	oHeGEvK.exe
3016	DUdAUNy.exe
2664	ZXsVozg.exe
2764	GurIhnW.exe
2760	DZgMZkZ.exe
2564	kiNChYr.exe
2364	UXhFlEp.exe
3036	jeYwyzn.exe
2828	bCMiSNl.exe
2160	ZYSwpbB.exe
1976	vbabzhr.exe
2424	DXJwIpX.exe
1316	dnBNtfF.exe
2808	ClQmGsE.exe
2864	vpTZSLw.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe

pid	process
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2980-1-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
\Windows\system\JBsMXJq.exe	upx
behavioral1/memory/2980-6-0x000000013F200000-0x000000013F554000-memory.dmp	upx
\Windows\system\weBPefw.exe	upx
behavioral1/memory/2796-13-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
C:\Windows\system\tfsBVHO.exe	upx
\Windows\system\DUdAUNy.exe	upx
\Windows\system\oHeGEvK.exe	upx
\Windows\system\DZgMZkZ.exe	upx
behavioral1/memory/2364-90-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/3036-96-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
C:\Windows\system\ClQmGsE.exe	upx
\Windows\system\vpTZSLw.exe	upx
C:\Windows\system\dnBNtfF.exe	upx
C:\Windows\system\DXJwIpX.exe	upx
C:\Windows\system\vbabzhr.exe	upx
C:\Windows\system\ZYSwpbB.exe	upx
behavioral1/memory/2796-133-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
C:\Windows\system\bCMiSNl.exe	upx
behavioral1/memory/2564-89-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
C:\Windows\system\UXhFlEp.exe	upx
C:\Windows\system\kiNChYr.exe	upx
behavioral1/memory/2760-85-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2764-84-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2664-83-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
C:\Windows\system\GurIhnW.exe	upx
behavioral1/memory/1804-95-0x000000013F200000-0x000000013F554000-memory.dmp	upx
C:\Windows\system\jeYwyzn.exe	upx
C:\Windows\system\ZXsVozg.exe	upx
behavioral1/memory/2980-75-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/1820-134-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/3016-74-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
behavioral1/memory/2524-71-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2752-60-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
C:\Windows\system\XeEhKuy.exe	upx
C:\Windows\system\LiTQqji.exe	upx
behavioral1/memory/1820-28-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2924-42-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/2740-39-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
C:\Windows\system\jxPKwbv.exe	upx
behavioral1/memory/2752-136-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2524-137-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/3016-139-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
behavioral1/memory/2364-140-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/3036-141-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/1804-142-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/2796-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2740-144-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
behavioral1/memory/2924-146-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/1820-145-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2752-147-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2524-148-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/3016-149-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
behavioral1/memory/2564-150-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2760-151-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2664-152-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/3036-153-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2764-154-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2364-155-0x000000013FF10000-0x0000000140264000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\vpTZSLw.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LiTQqji.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UXhFlEp.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DXJwIpX.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dnBNtfF.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DUdAUNy.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vbabzhr.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ClQmGsE.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JBsMXJq.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\weBPefw.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jxPKwbv.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oHeGEvK.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GurIhnW.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jeYwyzn.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bCMiSNl.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kiNChYr.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZYSwpbB.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tfsBVHO.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZXsVozg.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XeEhKuy.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DZgMZkZ.exe	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2980 wrote to memory of 1804	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	JBsMXJq.exe
PID 2980 wrote to memory of 1804	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	JBsMXJq.exe
PID 2980 wrote to memory of 1804	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	JBsMXJq.exe
PID 2980 wrote to memory of 2796	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	weBPefw.exe
PID 2980 wrote to memory of 2796	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	weBPefw.exe
PID 2980 wrote to memory of 2796	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	weBPefw.exe
PID 2980 wrote to memory of 1820	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	tfsBVHO.exe
PID 2980 wrote to memory of 1820	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	tfsBVHO.exe
PID 2980 wrote to memory of 1820	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	tfsBVHO.exe
PID 2980 wrote to memory of 2740	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	jxPKwbv.exe
PID 2980 wrote to memory of 2740	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	jxPKwbv.exe
PID 2980 wrote to memory of 2740	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	jxPKwbv.exe
PID 2980 wrote to memory of 2664	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ZXsVozg.exe
PID 2980 wrote to memory of 2664	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ZXsVozg.exe
PID 2980 wrote to memory of 2664	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ZXsVozg.exe
PID 2980 wrote to memory of 2924	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	LiTQqji.exe
PID 2980 wrote to memory of 2924	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	LiTQqji.exe
PID 2980 wrote to memory of 2924	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	LiTQqji.exe
PID 2980 wrote to memory of 2764	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	GurIhnW.exe
PID 2980 wrote to memory of 2764	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	GurIhnW.exe
PID 2980 wrote to memory of 2764	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	GurIhnW.exe
PID 2980 wrote to memory of 2752	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	XeEhKuy.exe
PID 2980 wrote to memory of 2752	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	XeEhKuy.exe
PID 2980 wrote to memory of 2752	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	XeEhKuy.exe
PID 2980 wrote to memory of 2760	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DZgMZkZ.exe
PID 2980 wrote to memory of 2760	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DZgMZkZ.exe
PID 2980 wrote to memory of 2760	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DZgMZkZ.exe
PID 2980 wrote to memory of 2524	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	oHeGEvK.exe
PID 2980 wrote to memory of 2524	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	oHeGEvK.exe
PID 2980 wrote to memory of 2524	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	oHeGEvK.exe
PID 2980 wrote to memory of 2564	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	kiNChYr.exe
PID 2980 wrote to memory of 2564	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	kiNChYr.exe
PID 2980 wrote to memory of 2564	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	kiNChYr.exe
PID 2980 wrote to memory of 3016	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DUdAUNy.exe
PID 2980 wrote to memory of 3016	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DUdAUNy.exe
PID 2980 wrote to memory of 3016	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DUdAUNy.exe
PID 2980 wrote to memory of 2364	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	UXhFlEp.exe
PID 2980 wrote to memory of 2364	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	UXhFlEp.exe
PID 2980 wrote to memory of 2364	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	UXhFlEp.exe
PID 2980 wrote to memory of 3036	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	jeYwyzn.exe
PID 2980 wrote to memory of 3036	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	jeYwyzn.exe
PID 2980 wrote to memory of 3036	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	jeYwyzn.exe
PID 2980 wrote to memory of 2828	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	bCMiSNl.exe
PID 2980 wrote to memory of 2828	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	bCMiSNl.exe
PID 2980 wrote to memory of 2828	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	bCMiSNl.exe
PID 2980 wrote to memory of 2160	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ZYSwpbB.exe
PID 2980 wrote to memory of 2160	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ZYSwpbB.exe
PID 2980 wrote to memory of 2160	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ZYSwpbB.exe
PID 2980 wrote to memory of 1976	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	vbabzhr.exe
PID 2980 wrote to memory of 1976	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	vbabzhr.exe
PID 2980 wrote to memory of 1976	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	vbabzhr.exe
PID 2980 wrote to memory of 2424	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DXJwIpX.exe
PID 2980 wrote to memory of 2424	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DXJwIpX.exe
PID 2980 wrote to memory of 2424	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	DXJwIpX.exe
PID 2980 wrote to memory of 1316	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	dnBNtfF.exe
PID 2980 wrote to memory of 1316	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	dnBNtfF.exe
PID 2980 wrote to memory of 1316	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	dnBNtfF.exe
PID 2980 wrote to memory of 2808	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ClQmGsE.exe
PID 2980 wrote to memory of 2808	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ClQmGsE.exe
PID 2980 wrote to memory of 2808	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	ClQmGsE.exe
PID 2980 wrote to memory of 2864	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	vpTZSLw.exe
PID 2980 wrote to memory of 2864	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	vpTZSLw.exe
PID 2980 wrote to memory of 2864	2980	2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe	vpTZSLw.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_1bd1993d453a7559ac5d323965f0aefe_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\System\JBsMXJq.exe
C:\Windows\System\JBsMXJq.exe
2⤵
- Executes dropped EXE
PID:1804

C:\Windows\System\weBPefw.exe
C:\Windows\System\weBPefw.exe
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\System\tfsBVHO.exe
C:\Windows\System\tfsBVHO.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\System\jxPKwbv.exe
C:\Windows\System\jxPKwbv.exe
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\System\ZXsVozg.exe
C:\Windows\System\ZXsVozg.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\LiTQqji.exe
C:\Windows\System\LiTQqji.exe
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\System\GurIhnW.exe
C:\Windows\System\GurIhnW.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\XeEhKuy.exe
C:\Windows\System\XeEhKuy.exe
2⤵
- Executes dropped EXE
PID:2752

C:\Windows\System\DZgMZkZ.exe
C:\Windows\System\DZgMZkZ.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\oHeGEvK.exe
C:\Windows\System\oHeGEvK.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\kiNChYr.exe
C:\Windows\System\kiNChYr.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\System\DUdAUNy.exe
C:\Windows\System\DUdAUNy.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\UXhFlEp.exe
C:\Windows\System\UXhFlEp.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\jeYwyzn.exe
C:\Windows\System\jeYwyzn.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\bCMiSNl.exe
C:\Windows\System\bCMiSNl.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\ZYSwpbB.exe
C:\Windows\System\ZYSwpbB.exe
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System\vbabzhr.exe
C:\Windows\System\vbabzhr.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\System\DXJwIpX.exe
C:\Windows\System\DXJwIpX.exe
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\System\dnBNtfF.exe
C:\Windows\System\dnBNtfF.exe
2⤵
- Executes dropped EXE
PID:1316

C:\Windows\System\ClQmGsE.exe
C:\Windows\System\ClQmGsE.exe
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\System\vpTZSLw.exe
C:\Windows\System\vpTZSLw.exe
2⤵
- Executes dropped EXE
PID:2864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ClQmGsE.exe
Filesize
6.0MB

MD5
e801b40953c90007f5c298617e7c0625

SHA1
87575e93a20bfd0a0e8ab1a88afdf7faaada3296

SHA256
67f5d39f0fd37933b0e3f3b857e69eb8e8e3ea78a2f083bbfbe3a665af20cdfd

SHA512
5c1ca1c8b59f08e0750dcbe8974ed9226944a1715c2292ccce5b36283acc5dea4422dec1256347a1c5a896dda310c00fed34542b2d319b8f731f426df60ad23b

Download Submit
C:\Windows\system\DXJwIpX.exe
Filesize
6.0MB

MD5
b4c5ce069128e6480aa0ee2ea4b3fbe6

SHA1
c5130477d9259528e2cad83ae7846f0d6f247c6d

SHA256
1e735a473c1d3319677e035f8f3d5b4426f9fdbab11f58a2691a8c036b886a35

SHA512
0ec94e5d4a232085cbb943c06908d0e2538f12f0365bc777f50d8b445354e97c3d383795e6a19fe83b9c856d30e06d98c653bb9b9231f85c1d97c14e4f127079

Download Submit
C:\Windows\system\GurIhnW.exe
Filesize
6.0MB

MD5
065cec3bffd8445705f1e2fcd312375a

SHA1
225c61bf4c3a3bcc9f5433ac52a209a12b983fac

SHA256
d162938b235eb8efdb23c92c1042abd9b697dd05c86ba160c7601c7872b4eb3c

SHA512
1610aa2d74812667e72c52ab8e90228e299f0f22dda250c6b20a8655a78860cb3639ab552429eae888aea4fa1cdd4563627e5fc1240ae6fc57d10c85ec99e03c

Download Submit
C:\Windows\system\LiTQqji.exe
Filesize
6.0MB

MD5
195ee38d5cdc53e820ae2a9140d85bbc

SHA1
244b158f2e5b7080ed4f0cf6372a241050a87975

SHA256
932def180bee5b5d68bc3f86ea662a1e688dfa869a148eb3a62eced07b1a8102

SHA512
27d6c2845f218bc626908a002f13144e6027a839ad43c3bdf735af40274fc09fcf1aac46f350039b925935f5f698bbb6f3de1a75395e9240440521f3c746b55a

Download Submit
C:\Windows\system\UXhFlEp.exe
Filesize
6.0MB

MD5
fb6154def2bcb2c2ba779d36b2c2f122

SHA1
34d9e3f195cc8852cc969e9417363a1a18777654

SHA256
94fdede08b66835c2c408c3e7a3cc3c9415efa82ac1d7018a99f6fb77b5345d3

SHA512
ce774aed0878a1ff783935e5ac00b7c7f5835e081ddf1367b179ba024a96268d6bc848b8bd23db330b0006e33d7246c27c639bc432e67b936da80c702f73f4b3

Download Submit
C:\Windows\system\XeEhKuy.exe
Filesize
6.0MB

MD5
791235084d7334f73271c16e3edb1960

SHA1
adcc1bb958adeb8a830ebaa738ba6f9c8cead64d

SHA256
65c868dbb82e2e1f8b6fe74cf27f549a7188431b50156bc2f5d4c8df8b4b3c11

SHA512
8e55a58a1257af1aab1e7dba8b6ba5953c2fb43850208b6adc8b721e46d465596faa7c14aca331cd6836fffa7a27e63fa1b5515838749d958d48798c6aa1f4df

Download Submit
C:\Windows\system\ZXsVozg.exe
Filesize
6.0MB

MD5
7fd827efa1a2ee2a01ee91aa9325cf21

SHA1
8c3951cc4bfd7708a064ffb3f659e5c6283c3388

SHA256
ae5ad264df5bc257a426667d1d955ba02d10df44e68e7d5c0f8381724d32ac4c

SHA512
a1d29bdbd4d0c193824c9944e7350d843560a12981d296ff27f987553cc92426c487da672b3ce0977287e82509b80072cb47702eefa0db88332ad69920c51169

Download Submit
C:\Windows\system\ZYSwpbB.exe
Filesize
6.0MB

MD5
8bd497b3692337c3c027a93df248cf08

SHA1
46032d7e7811660147ed6950d606de1ec78137e7

SHA256
df34956b9d033b963ed7448099e88d41799d570683b710bd4bcda5436752b271

SHA512
42c71fb54af8729178f8270a6fb0858e526e90f55680500cab4299d1be242214f82405628b61819e75970ad5c779006b3ea43c828c4dfe425c099f369ac7599f

Download Submit
C:\Windows\system\bCMiSNl.exe
Filesize
6.0MB

MD5
0d5f23b56094e0f603d6eaf921ec8963

SHA1
b203b838b4b3fe180773327e4d12c94382015584

SHA256
5599301faee2e244af6a2050383bd838ba2f8a8eeddd2b37eea3a3add3baa3ef

SHA512
f2cb06f77a9b3a3d2ca10df29f9afc3185bac8207d36be8dc14f33e91dfaee5b3d2979a385d1cab6afa73ea12bd4b3ddf5acd5efa64e1fb807a6c1526f9ffb37

Download Submit
C:\Windows\system\dnBNtfF.exe
Filesize
6.0MB

MD5
26b23c49194564ca97c1ba76f0d32266

SHA1
ffe1783d58879a89f3db56d77d66a519ea26a892

SHA256
2ae8e439824afe07775fefe2d4343df85644fe5fabfb3f858b7c9826bc87747b

SHA512
90c04266c8e9f0cc2b5637527112eeae30c28cbaffd2fc9b99b89e4b3c1711c4e536b5707ad1dfc9f424f769d2a4891471d87b264e4bd52b2b8cdacba5ecb6f5

Download Submit
C:\Windows\system\jeYwyzn.exe
Filesize
6.0MB

MD5
a857ded2a03808bb194f8ed6503e798e

SHA1
f0b978d83b6b542c9dd025c67ae4e6167b759c7b

SHA256
8245e86b4f029c2ceb7ce7d3451cb89a1e8b0c719231eb10b4e00e637a3407e1

SHA512
3edd82f9719f304767ec59ef7b72df812bd85a8e70fd76c2b82a378aef60d4ac04f8da1234ba9f44653d7aadd8ca23204030292da65a8f3b591ac44531f4eb66

Download Submit
C:\Windows\system\jxPKwbv.exe
Filesize
6.0MB

MD5
30167ee2c745459b897a30a6aa510220

SHA1
12c3a13f740c4f4365319aadff74b2114c9c1bf3

SHA256
c64f4247f57204db4ab1f0c9452f2623d02e808c5845e4d487d9b6168a74c2de

SHA512
d16f073b1dbaddfb5d585adfc9f96abb0739b0e1e6d747f32e9a011bba6914211595d53d3c43ebff437ce96226e65d5d82af07f86bc5b3e55827c9ca4b64a033

Download Submit
C:\Windows\system\kiNChYr.exe
Filesize
6.0MB

MD5
86140b382f0aefbfbfe5fb850d039a27

SHA1
2745309a1bd470a034bcc57e05dd5f2a895e78d0

SHA256
af4b4b78c5415acbb6f328361e6cbf458382d9bbb1a53d427cbf47d44df4690c

SHA512
35a228d7bd3ce363a8c9853d7d4e4e7edddcf90b671c8fabe0be6d710a7767c3a1a90510ff2e2fa08cba2deb69a43b47a1c362daa0bda01085c6b0305f6e89eb

Download Submit
C:\Windows\system\tfsBVHO.exe
Filesize
6.0MB

MD5
15041ddd90f7d4996a58d06008559b28

SHA1
6b00b123b08022d48984735bb4719e8a028527f7

SHA256
551352ba5aa6656e34b2736ca3adb5c942b0dc0fea935e87b9c50e008f1998f4

SHA512
ee3aeba903b47552301fcb522563b47f5f804316486d2f9534bf38b22d63ca13b359044ec6bd989e5b5347760b98f079c9123316f2c41d2f04237912960decce

Download Submit
C:\Windows\system\vbabzhr.exe
Filesize
6.0MB

MD5
2e9b343d5414062b81531cdd2e8e4969

SHA1
ff77410c0a65cbed232708301ec005baf821a89f

SHA256
ca6138e00796417df5aad9fce83e58a1a5e84035aee96047155ec2ef4765a360

SHA512
f82126ace0ea0e1529ba35fd93bb5dbd8becd5dd2c12e9f6f65602fd8aade21012e812dd352c79f49877ce350e999e50324f288dafc410ca5a4b9132a808a675

Download Submit
\Windows\system\DUdAUNy.exe
Filesize
6.0MB

MD5
92f5bed7829f960563ba3fbda1d0b30a

SHA1
9ce11e9b8365840f934d79579c20367603ac3283

SHA256
acebe3c1295782520d8148c8c2625b0af01954a84e9db6a56e38e4006326defc

SHA512
f4a98d6bb6484b750728c238b8b0342bb43c5db5cf2d231cbaf7672565eb0dc3e14b81ae54f952e0ac126c1eca97e1a1af457d29f8fede30e184da81da7b4dba

Download Submit
\Windows\system\DZgMZkZ.exe
Filesize
6.0MB

MD5
0b8035b181be66b2473299bbf3076e8a

SHA1
c51e867e3cbf21c6b01bed6f81e9a8aa08b09bfc

SHA256
816bca5d91da3f3e281f7c68885c2ecad8aa11269a6b888ca3cb51b4524fafda

SHA512
48011866073391218004da09b69e9967787aa247b4d0c28aaab7c14bfe238d60d5c4cd7cebdf2194d4b78e7a5ef3d8347c6313e3f90ef87dcc6cbecafd8aae8c

Download Submit
\Windows\system\JBsMXJq.exe
Filesize
6.0MB

MD5
64541a32c54ce0456932e151e07267ae

SHA1
72b8409454364d63ccec11a0a5b941d55c290f64

SHA256
d5805621d88ce8c5ee3609d5cb282114604f72a82ef1e36196166fce3bdb2cba

SHA512
31c57d4e78e0fbeff3720f483dfd32d35218241cb43f45cb26da8c9a5e8edcd515189cf749fb51f3d84d56e12684870c42e86a211e25063d0debf3ef8967336a

Download Submit
\Windows\system\oHeGEvK.exe
Filesize
6.0MB

MD5
6fa958ecdbe456273ea3fc74c7fa3f58

SHA1
5e36677690d5f2f0579c0362e25edda51825660f

SHA256
e36fd7a2492581fbb2a53f012d6d882ff7a381ceabde356ca73fa678ee2131c8

SHA512
c7bd6da575cbbaf6552430b7d5d54d8381dbd1d85ee8eeba1946b0b487c07e7c8306a05744f1656481b9dabde9330a9055307f2270105665656a6f148a19bc60

Download Submit
\Windows\system\vpTZSLw.exe
Filesize
6.0MB

MD5
e51cb437b335d721f8064dd6b64ad5f1

SHA1
f9592d0f7a950bbbf25407bc09f0aaf3db215cfb

SHA256
587bc4c1ff652da434e73b607b18c3ca1352453c1917808362833ecf24b15349

SHA512
687fb8344d3320983ef1b2126eb4310ba48687f0bd5738f321186a6af36f50c32e9515f6f4d514d0118941dd328584c1ab6d857d474d55ef5f79dfe0481b6772

Download Submit
\Windows\system\weBPefw.exe
Filesize
6.0MB

MD5
92d8bbd00a2d89b46e552ac4ffda124e

SHA1
12d3d2411bf5cfb6dc53c537afc7d8ebb0fb7ee5

SHA256
e3515a2dba41957e150133f6b816c3fe65acbbbc9686ac9d482d540f4b37c6a7

SHA512
b3c8f921d7845a4fc408b91dea43b76931c7cbe8937fa945209b18a4cc9e58d1934a1f62fa3855c7aa4d478812939cfcff607f6eec39936fbf11798269594286

Download Submit
memory/1804-142-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/1804-95-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/1820-145-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/1820-134-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/1820-28-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2364-90-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2364-155-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2364-140-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2524-71-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2524-137-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2524-148-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2564-89-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-150-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-83-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2664-152-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2740-144-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-39-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2752-136-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2752-60-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2752-147-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2760-85-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2760-151-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2764-84-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-154-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-13-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2796-133-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2796-143-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2924-42-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2924-146-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-72-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/2980-48-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2980-44-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2980-50-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-0-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2980-138-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/2980-59-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/2980-6-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2980-67-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/2980-70-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2980-1-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2980-16-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/2980-75-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2980-102-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-54-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/2980-31-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-149-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-74-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-139-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-96-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/3036-153-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/3036-141-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download