cobaltstrike | befd9fd4b5ab31fbb2e44b81e4e572e175248986774c0fa39690247a483d1bf5

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

6e682e34f143277fe3713e35ef2e3ecd
SHA1

faa6a87870e78aec58f76cbaf5bfdc23aa4f9d90
SHA256

befd9fd4b5ab31fbb2e44b81e4e572e175248986774c0fa39690247a483d1bf5
SHA512

84a3b5c352eb29c778946824528c904637a3ec7d163e44932244d1d1868c098d95b85f1b4277e4a9ae22b7624616d425ec1a204c582e1e82a6cdf6efd9cc2515
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lU0:E+v56utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\wsmpGrN.exe	cobalt_reflective_dll
C:\Windows\system\NQtAsnt.exe	cobalt_reflective_dll
C:\Windows\system\vQExJxh.exe	cobalt_reflective_dll
C:\Windows\system\vkJtyix.exe	cobalt_reflective_dll
C:\Windows\system\dBSAeZo.exe	cobalt_reflective_dll
\Windows\system\uwpWhtf.exe	cobalt_reflective_dll
C:\Windows\system\PdHGStY.exe	cobalt_reflective_dll
C:\Windows\system\mLUSWfS.exe	cobalt_reflective_dll
C:\Windows\system\MsgcqkO.exe	cobalt_reflective_dll
C:\Windows\system\onJqdnC.exe	cobalt_reflective_dll
C:\Windows\system\iHMwaHO.exe	cobalt_reflective_dll
C:\Windows\system\apjWENs.exe	cobalt_reflective_dll
C:\Windows\system\thAkaaX.exe	cobalt_reflective_dll
C:\Windows\system\UVcSERV.exe	cobalt_reflective_dll
C:\Windows\system\ofPpxjE.exe	cobalt_reflective_dll
C:\Windows\system\WPDZXyU.exe	cobalt_reflective_dll
C:\Windows\system\VHtPTFR.exe	cobalt_reflective_dll
C:\Windows\system\GNHLmlS.exe	cobalt_reflective_dll
C:\Windows\system\OqiDiUE.exe	cobalt_reflective_dll
C:\Windows\system\PyMShgZ.exe	cobalt_reflective_dll
C:\Windows\system\PdpgaCO.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\wsmpGrN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NQtAsnt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vQExJxh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vkJtyix.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dBSAeZo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\uwpWhtf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PdHGStY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mLUSWfS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MsgcqkO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\onJqdnC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iHMwaHO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\apjWENs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\thAkaaX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UVcSERV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ofPpxjE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WPDZXyU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VHtPTFR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GNHLmlS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OqiDiUE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PyMShgZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PdpgaCO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 61 IoCs

Processes:

resource	yara_rule
\Windows\system\wsmpGrN.exe	UPX
behavioral1/memory/1888-2-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
C:\Windows\system\NQtAsnt.exe	UPX
behavioral1/memory/2540-15-0x000000013F810000-0x000000013FB64000-memory.dmp	UPX
behavioral1/memory/2500-13-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
C:\Windows\system\vQExJxh.exe	UPX
behavioral1/memory/2596-22-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
C:\Windows\system\vkJtyix.exe	UPX
behavioral1/memory/2400-28-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
C:\Windows\system\dBSAeZo.exe	UPX
behavioral1/memory/2528-62-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
\Windows\system\uwpWhtf.exe	UPX
behavioral1/memory/2064-68-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/1680-75-0x000000013F260000-0x000000013F5B4000-memory.dmp	UPX
behavioral1/memory/2780-81-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/memory/2452-96-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
C:\Windows\system\PdHGStY.exe	UPX
C:\Windows\system\mLUSWfS.exe	UPX
C:\Windows\system\MsgcqkO.exe	UPX
C:\Windows\system\onJqdnC.exe	UPX
C:\Windows\system\iHMwaHO.exe	UPX
C:\Windows\system\apjWENs.exe	UPX
C:\Windows\system\thAkaaX.exe	UPX
C:\Windows\system\UVcSERV.exe	UPX
behavioral1/memory/2820-90-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/2508-88-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
C:\Windows\system\ofPpxjE.exe	UPX
behavioral1/memory/2760-83-0x000000013FAF0000-0x000000013FE44000-memory.dmp	UPX
behavioral1/memory/2400-80-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
C:\Windows\system\WPDZXyU.exe	UPX
behavioral1/memory/2596-73-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
C:\Windows\system\VHtPTFR.exe	UPX
behavioral1/memory/2404-61-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
C:\Windows\system\GNHLmlS.exe	UPX
behavioral1/memory/2444-57-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/1888-56-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
C:\Windows\system\OqiDiUE.exe	UPX
behavioral1/memory/2780-44-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/memory/2508-36-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
C:\Windows\system\PyMShgZ.exe	UPX
behavioral1/memory/2528-137-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
C:\Windows\system\PdpgaCO.exe	UPX
behavioral1/memory/2064-139-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/1680-141-0x000000013F260000-0x000000013F5B4000-memory.dmp	UPX
behavioral1/memory/2760-143-0x000000013FAF0000-0x000000013FE44000-memory.dmp	UPX
behavioral1/memory/2820-145-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/2452-147-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2500-148-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/memory/2540-149-0x000000013F810000-0x000000013FB64000-memory.dmp	UPX
behavioral1/memory/2596-150-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
behavioral1/memory/2508-152-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
behavioral1/memory/2400-151-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
behavioral1/memory/2404-154-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/memory/2780-153-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/memory/2444-155-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/1680-156-0x000000013F260000-0x000000013F5B4000-memory.dmp	UPX
behavioral1/memory/2820-158-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/2528-157-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/memory/2760-160-0x000000013FAF0000-0x000000013FE44000-memory.dmp	UPX
behavioral1/memory/2064-161-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/2452-159-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX

XMRig Miner payload 62 IoCs

miner

Processes:

resource	yara_rule
\Windows\system\wsmpGrN.exe	xmrig
behavioral1/memory/1888-2-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
C:\Windows\system\NQtAsnt.exe	xmrig
behavioral1/memory/2540-15-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2500-13-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
C:\Windows\system\vQExJxh.exe	xmrig
behavioral1/memory/2596-22-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
C:\Windows\system\vkJtyix.exe	xmrig
behavioral1/memory/2400-28-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
C:\Windows\system\dBSAeZo.exe	xmrig
behavioral1/memory/2528-62-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
\Windows\system\uwpWhtf.exe	xmrig
behavioral1/memory/2064-68-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/1680-75-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
behavioral1/memory/2780-81-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2452-96-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
C:\Windows\system\PdHGStY.exe	xmrig
C:\Windows\system\mLUSWfS.exe	xmrig
C:\Windows\system\MsgcqkO.exe	xmrig
C:\Windows\system\onJqdnC.exe	xmrig
C:\Windows\system\iHMwaHO.exe	xmrig
C:\Windows\system\apjWENs.exe	xmrig
C:\Windows\system\thAkaaX.exe	xmrig
C:\Windows\system\UVcSERV.exe	xmrig
behavioral1/memory/2820-90-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2508-88-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
C:\Windows\system\ofPpxjE.exe	xmrig
behavioral1/memory/2760-83-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/1888-82-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/2400-80-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
C:\Windows\system\WPDZXyU.exe	xmrig
behavioral1/memory/2596-73-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
C:\Windows\system\VHtPTFR.exe	xmrig
behavioral1/memory/2404-61-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
C:\Windows\system\GNHLmlS.exe	xmrig
behavioral1/memory/2444-57-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/1888-56-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
C:\Windows\system\OqiDiUE.exe	xmrig
behavioral1/memory/2780-44-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2508-36-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
C:\Windows\system\PyMShgZ.exe	xmrig
behavioral1/memory/2528-137-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
C:\Windows\system\PdpgaCO.exe	xmrig
behavioral1/memory/2064-139-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/1680-141-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
behavioral1/memory/2760-143-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/2820-145-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2452-147-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2500-148-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2540-149-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2596-150-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2508-152-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
behavioral1/memory/2400-151-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2404-154-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/2780-153-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2444-155-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/1680-156-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
behavioral1/memory/2820-158-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2528-157-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2760-160-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/2064-161-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2452-159-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

wsmpGrN.exeNQtAsnt.exevQExJxh.exevkJtyix.exePdpgaCO.exePyMShgZ.exeOqiDiUE.exeGNHLmlS.exedBSAeZo.exeuwpWhtf.exeVHtPTFR.exeWPDZXyU.exeofPpxjE.exeUVcSERV.exethAkaaX.exeapjWENs.exeiHMwaHO.exeonJqdnC.exeMsgcqkO.exePdHGStY.exemLUSWfS.exe

pid	process
2500	wsmpGrN.exe
2540	NQtAsnt.exe
2596	vQExJxh.exe
2400	vkJtyix.exe
2508	PdpgaCO.exe
2780	PyMShgZ.exe
2444	OqiDiUE.exe
2528	GNHLmlS.exe
2404	dBSAeZo.exe
2064	uwpWhtf.exe
1680	VHtPTFR.exe
2760	WPDZXyU.exe
2820	ofPpxjE.exe
2452	UVcSERV.exe
1628	thAkaaX.exe
1552	apjWENs.exe
1516	iHMwaHO.exe
2572	onJqdnC.exe
892	MsgcqkO.exe
1588	PdHGStY.exe
2672	mLUSWfS.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe

pid	process
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\wsmpGrN.exe	upx
behavioral1/memory/1888-2-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
C:\Windows\system\NQtAsnt.exe	upx
behavioral1/memory/2540-15-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2500-13-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
C:\Windows\system\vQExJxh.exe	upx
behavioral1/memory/2596-22-0x000000013F340000-0x000000013F694000-memory.dmp	upx
C:\Windows\system\vkJtyix.exe	upx
behavioral1/memory/2400-28-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
C:\Windows\system\dBSAeZo.exe	upx
behavioral1/memory/2528-62-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
\Windows\system\uwpWhtf.exe	upx
behavioral1/memory/2064-68-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/1680-75-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
behavioral1/memory/2780-81-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2452-96-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
C:\Windows\system\PdHGStY.exe	upx
C:\Windows\system\mLUSWfS.exe	upx
C:\Windows\system\MsgcqkO.exe	upx
C:\Windows\system\onJqdnC.exe	upx
C:\Windows\system\iHMwaHO.exe	upx
C:\Windows\system\apjWENs.exe	upx
C:\Windows\system\thAkaaX.exe	upx
C:\Windows\system\UVcSERV.exe	upx
behavioral1/memory/2820-90-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2508-88-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
C:\Windows\system\ofPpxjE.exe	upx
behavioral1/memory/2760-83-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/memory/2400-80-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
C:\Windows\system\WPDZXyU.exe	upx
behavioral1/memory/2596-73-0x000000013F340000-0x000000013F694000-memory.dmp	upx
C:\Windows\system\VHtPTFR.exe	upx
behavioral1/memory/2404-61-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
C:\Windows\system\GNHLmlS.exe	upx
behavioral1/memory/2444-57-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/1888-56-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
C:\Windows\system\OqiDiUE.exe	upx
behavioral1/memory/2780-44-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2508-36-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
C:\Windows\system\PyMShgZ.exe	upx
behavioral1/memory/2528-137-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
C:\Windows\system\PdpgaCO.exe	upx
behavioral1/memory/2064-139-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/1680-141-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
behavioral1/memory/2760-143-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/memory/2820-145-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2452-147-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2500-148-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2540-149-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2596-150-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/2508-152-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
behavioral1/memory/2400-151-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2404-154-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/memory/2780-153-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2444-155-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/1680-156-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
behavioral1/memory/2820-158-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2528-157-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2760-160-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/memory/2064-161-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2452-159-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\vkJtyix.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WPDZXyU.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UVcSERV.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\thAkaaX.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iHMwaHO.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\onJqdnC.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wsmpGrN.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PyMShgZ.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GNHLmlS.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VHtPTFR.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ofPpxjE.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\apjWENs.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PdHGStY.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PdpgaCO.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OqiDiUE.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NQtAsnt.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vQExJxh.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dBSAeZo.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uwpWhtf.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MsgcqkO.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mLUSWfS.exe	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1888 wrote to memory of 2500	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	wsmpGrN.exe
PID 1888 wrote to memory of 2500	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	wsmpGrN.exe
PID 1888 wrote to memory of 2500	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	wsmpGrN.exe
PID 1888 wrote to memory of 2540	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	NQtAsnt.exe
PID 1888 wrote to memory of 2540	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	NQtAsnt.exe
PID 1888 wrote to memory of 2540	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	NQtAsnt.exe
PID 1888 wrote to memory of 2596	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	vQExJxh.exe
PID 1888 wrote to memory of 2596	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	vQExJxh.exe
PID 1888 wrote to memory of 2596	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	vQExJxh.exe
PID 1888 wrote to memory of 2400	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	vkJtyix.exe
PID 1888 wrote to memory of 2400	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	vkJtyix.exe
PID 1888 wrote to memory of 2400	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	vkJtyix.exe
PID 1888 wrote to memory of 2508	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PdpgaCO.exe
PID 1888 wrote to memory of 2508	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PdpgaCO.exe
PID 1888 wrote to memory of 2508	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PdpgaCO.exe
PID 1888 wrote to memory of 2780	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PyMShgZ.exe
PID 1888 wrote to memory of 2780	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PyMShgZ.exe
PID 1888 wrote to memory of 2780	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PyMShgZ.exe
PID 1888 wrote to memory of 2528	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	GNHLmlS.exe
PID 1888 wrote to memory of 2528	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	GNHLmlS.exe
PID 1888 wrote to memory of 2528	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	GNHLmlS.exe
PID 1888 wrote to memory of 2444	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	OqiDiUE.exe
PID 1888 wrote to memory of 2444	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	OqiDiUE.exe
PID 1888 wrote to memory of 2444	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	OqiDiUE.exe
PID 1888 wrote to memory of 2404	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	dBSAeZo.exe
PID 1888 wrote to memory of 2404	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	dBSAeZo.exe
PID 1888 wrote to memory of 2404	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	dBSAeZo.exe
PID 1888 wrote to memory of 2064	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	uwpWhtf.exe
PID 1888 wrote to memory of 2064	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	uwpWhtf.exe
PID 1888 wrote to memory of 2064	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	uwpWhtf.exe
PID 1888 wrote to memory of 1680	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	VHtPTFR.exe
PID 1888 wrote to memory of 1680	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	VHtPTFR.exe
PID 1888 wrote to memory of 1680	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	VHtPTFR.exe
PID 1888 wrote to memory of 2760	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	WPDZXyU.exe
PID 1888 wrote to memory of 2760	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	WPDZXyU.exe
PID 1888 wrote to memory of 2760	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	WPDZXyU.exe
PID 1888 wrote to memory of 2820	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	ofPpxjE.exe
PID 1888 wrote to memory of 2820	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	ofPpxjE.exe
PID 1888 wrote to memory of 2820	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	ofPpxjE.exe
PID 1888 wrote to memory of 2452	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	UVcSERV.exe
PID 1888 wrote to memory of 2452	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	UVcSERV.exe
PID 1888 wrote to memory of 2452	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	UVcSERV.exe
PID 1888 wrote to memory of 1628	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	thAkaaX.exe
PID 1888 wrote to memory of 1628	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	thAkaaX.exe
PID 1888 wrote to memory of 1628	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	thAkaaX.exe
PID 1888 wrote to memory of 1552	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	apjWENs.exe
PID 1888 wrote to memory of 1552	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	apjWENs.exe
PID 1888 wrote to memory of 1552	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	apjWENs.exe
PID 1888 wrote to memory of 1516	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	iHMwaHO.exe
PID 1888 wrote to memory of 1516	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	iHMwaHO.exe
PID 1888 wrote to memory of 1516	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	iHMwaHO.exe
PID 1888 wrote to memory of 2572	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	onJqdnC.exe
PID 1888 wrote to memory of 2572	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	onJqdnC.exe
PID 1888 wrote to memory of 2572	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	onJqdnC.exe
PID 1888 wrote to memory of 892	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	MsgcqkO.exe
PID 1888 wrote to memory of 892	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	MsgcqkO.exe
PID 1888 wrote to memory of 892	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	MsgcqkO.exe
PID 1888 wrote to memory of 1588	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PdHGStY.exe
PID 1888 wrote to memory of 1588	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PdHGStY.exe
PID 1888 wrote to memory of 1588	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	PdHGStY.exe
PID 1888 wrote to memory of 2672	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	mLUSWfS.exe
PID 1888 wrote to memory of 2672	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	mLUSWfS.exe
PID 1888 wrote to memory of 2672	1888	2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe	mLUSWfS.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_6e682e34f143277fe3713e35ef2e3ecd_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\System\wsmpGrN.exe
C:\Windows\System\wsmpGrN.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\NQtAsnt.exe
C:\Windows\System\NQtAsnt.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\vQExJxh.exe
C:\Windows\System\vQExJxh.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\vkJtyix.exe
C:\Windows\System\vkJtyix.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\System\PdpgaCO.exe
C:\Windows\System\PdpgaCO.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System\PyMShgZ.exe
C:\Windows\System\PyMShgZ.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\System\GNHLmlS.exe
C:\Windows\System\GNHLmlS.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\OqiDiUE.exe
C:\Windows\System\OqiDiUE.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\dBSAeZo.exe
C:\Windows\System\dBSAeZo.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\uwpWhtf.exe
C:\Windows\System\uwpWhtf.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\System\VHtPTFR.exe
C:\Windows\System\VHtPTFR.exe
2⤵
- Executes dropped EXE
PID:1680

C:\Windows\System\WPDZXyU.exe
C:\Windows\System\WPDZXyU.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\ofPpxjE.exe
C:\Windows\System\ofPpxjE.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\UVcSERV.exe
C:\Windows\System\UVcSERV.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\thAkaaX.exe
C:\Windows\System\thAkaaX.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\System\apjWENs.exe
C:\Windows\System\apjWENs.exe
2⤵
- Executes dropped EXE
PID:1552

C:\Windows\System\iHMwaHO.exe
C:\Windows\System\iHMwaHO.exe
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\System\onJqdnC.exe
C:\Windows\System\onJqdnC.exe
2⤵
- Executes dropped EXE
PID:2572

C:\Windows\System\MsgcqkO.exe
C:\Windows\System\MsgcqkO.exe
2⤵
- Executes dropped EXE
PID:892

C:\Windows\System\PdHGStY.exe
C:\Windows\System\PdHGStY.exe
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\System\mLUSWfS.exe
C:\Windows\System\mLUSWfS.exe
2⤵
- Executes dropped EXE
PID:2672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GNHLmlS.exe
Filesize
6.0MB

MD5
16bbcc25245d545e1c3127a15c74d5eb

SHA1
f3bf160a1ba19d0638d96ede266bd08a91fa414c

SHA256
ab872c94a1042ed201676f80f4e61e4a5bd237a39f41a166ddd9cd2d66176689

SHA512
e6b08fa1189adb39145113be0671f4c0f1c4317cc4083d9a02ba9db152a1dab41fef643075304ced800eeba7eba0199e6c2299e69d102534df7adfb3d910b19c

Download Submit
C:\Windows\system\MsgcqkO.exe
Filesize
6.0MB

MD5
3d756865740637cca55cf2dd4a23da35

SHA1
5bb2659b30dbe89d7189a3a790012ece6ef347ba

SHA256
401dfa05fe5b12d8f317cbc0c93d133a8ba8e0f2efd7b712123ad66bc1ebfcd7

SHA512
f013a9115c2ad5162a3fec6271201a43d5868373e09be32daf0d2118fc115e5d4a55cf6b221178b9cc9c8bb9c5c8fcf6931634ad4d54c1af081fbb92d28d488f

Download Submit
C:\Windows\system\NQtAsnt.exe
Filesize
5.9MB

MD5
4860a977c272cc4b8011a6135ab72a8d

SHA1
b08a9feccf6fe9c5c34103c7b755b4d87014eb83

SHA256
e06975f8bfb882d0123bfd739f6604529107f768e3df5efc5ec3912945c1a6ac

SHA512
bfeb10aba5a54fa5a9bd4568287be866c65fd7777b5111b3f7ae267916a3093e002069f02a046904f64674cfef51c83fe3b73de6ac6bd61ab3035a576c4b286b

Download Submit
C:\Windows\system\OqiDiUE.exe
Filesize
6.0MB

MD5
bb2394c0afe4ee260a54fffbb87741bf

SHA1
854aec1b1426e2bc3fb5ba4e791c36f36d2a6d9d

SHA256
904fa277a312db5c41b1b2ff71f4189b473b4f44ac5c3afd9ee3e7d6b6ce9045

SHA512
93367a15cc1996a61a848c2838f5284b347fe439c5c9b3b2bb4de07eab301c5b6857ea3749656df9135f7150ae91ed1d68edc20233d920f29c17c576e100ba3c

Download Submit
C:\Windows\system\PdHGStY.exe
Filesize
6.0MB

MD5
2f63838f967a37a90303694f5e599135

SHA1
1b8c0bf9645fd6e21aeb8ff3419ce2f36e9e03a6

SHA256
bf6176c7c5d518b7525ca5b3cf60bf301d2067d51f966466a750be5b40183cc2

SHA512
270fa98ec43e189b750ed4a2465fd6abdaa3b8eb897e23ab5acfcc7eed8c01de12e0ff85ce77cf9c2949abf1518a04fbb670168ff367056926da4d6330dfb117

Download Submit
C:\Windows\system\PdpgaCO.exe
Filesize
6.0MB

MD5
9cf7d60af4d00eb2018012f031fc9885

SHA1
3b59787a7fcfa3885078eae83e9bd4035773014c

SHA256
bc448a77a5a61b931ee5aa270b6ba0e2aef27ec75a7162fcd37696785ff67a7e

SHA512
6ab0cfa58f2b63e472ca31548a34c9f518a50f8b9800e9d882d5c5c2a8f5351842f1b653a079923f114088aa8aae835688b9b37fff7218e6f94b69fc6d8c306f

Download Submit
C:\Windows\system\PyMShgZ.exe
Filesize
6.0MB

MD5
3fe70613a5477c5aa35f97e5bdd0322a

SHA1
d726c368e43d1f3e15c58c01aa10c0be40b2019d

SHA256
141a86c4a2efc13669fced375e51108dbd4a3c3da5a971e4de42b99a44a6fb74

SHA512
ef230c3544edb96c72520cd291a80e1e12cfd8d4e6593e84d515b9e6ad3261d51e435d64cdac819fc8261cf8c8461501dd24009951265dd87c88e593c25c9cbd

Download Submit
C:\Windows\system\UVcSERV.exe
Filesize
6.0MB

MD5
5d94bfd89eeded6077c234b6f48bb1f5

SHA1
482008beeef9ca42a3cd74c569afba6f0933e3fe

SHA256
6864e6e2e7ba92ef6f468abf2ee85e813b63c0f305b647453a30e5ace4168466

SHA512
e7e055bc14548c2a4098f25a05df8ef171bcd4e37dd94d0132a99e26f0b50355661c50a2d6b90e9b36057671e6424ef52ba5f20f3c945c08f652653b0876997b

Download Submit
C:\Windows\system\VHtPTFR.exe
Filesize
6.0MB

MD5
817bc40c8d65c402508e6af7f07e20e2

SHA1
46c5004f3249fa3249b61cd604c7b3e644348a48

SHA256
8e1abf0303d724ef962766c07be13b8bf1d0f36853d2eedb5122865460a8c187

SHA512
4cbeae0ebb1fba4e43a4c84100f44ec13b28dbb38ee0e26fc7354dddfdd315a3653811f5c90c46db509befbad1d173671ea1b3cb6a7da74759160cff2ff29977

Download Submit
C:\Windows\system\WPDZXyU.exe
Filesize
6.0MB

MD5
32c32b84873c739afb65f673e4de9f7c

SHA1
060473665bbbd6909f8e42367dea6a119c4e36ff

SHA256
741e7e67eae60af38cf126573fa7c4fd42e0102a6f50e633335341253b2be0d1

SHA512
b664e1d693ee17a100cfe9f54fc3047e46dfe31c47d9d11927a8e4fd5903b7f2d42b204c1ff59077071102688b8922cab401e066e9c1f24e49256a8948c5f8dc

Download Submit
C:\Windows\system\apjWENs.exe
Filesize
6.0MB

MD5
1a6edd65e28dbb71579a466d68283b74

SHA1
f980400e23a912c81351214121c98be3fb5dd58c

SHA256
c16db621989cbd8b83dd7d2f9ba8b17449bea580ed5701141d4c98e6e5dc30f3

SHA512
ab44a8e7693169cc4a68af565c8b0348b95d2787effa828891ba72af09035512210c5e7305d81d770dce1ca89fc78c0a33a336f782c53359e3a6b539d6a8e41c

Download Submit
C:\Windows\system\dBSAeZo.exe
Filesize
6.0MB

MD5
9660c44f38f02b0dda5301bc35c73ec3

SHA1
461bed22b0cad0862697f59b00a9e7713a26f89b

SHA256
60333373e7dd3d28074516028d0eee1843be103f4262d2d58035b9f2b4a8ec5f

SHA512
e2c35817ad452d448654938ab4505c7ddfbe4bec766a4dc339d20656dcfc90d0048950cdbba34466fbce3fcb07d8377c5a923ebef9492ac7d0926ba4230d33cb

Download Submit
C:\Windows\system\iHMwaHO.exe
Filesize
6.0MB

MD5
fda07e6cddc84c5f96d7525fc815e504

SHA1
43e51c6921e1cf19eb44e6252b7fc727042d16d1

SHA256
ea50cb7377fc4d53dd6f554cc0b0a4e05bbf06357616d165b49d232b6a7cbf1e

SHA512
4b49148d3d3e5429d104fbe7082e7ea3ecff172301403534f07d1c83331c3a9cd8f078106fd72397a3657daba14bf0619811708e87bea62b70f193bfa9c3bd31

Download Submit
C:\Windows\system\mLUSWfS.exe
Filesize
6.0MB

MD5
3280e7b03e84091819d95c673a2bd661

SHA1
2a5a043a47a3a0fa3784461603cd4b875da19f90

SHA256
e9d999cba577fef1a4204c1425b1eadc982290abc31b892feb2c67d8f321cea5

SHA512
fe4f2fe1fe0d8116586898c3ad29dbb2346fd8f378b04639f48bebc6f99101993639111caa587a6055b16620f50b8357dbc8fb9eb4e8130d58598e1f60238438

Download Submit
C:\Windows\system\ofPpxjE.exe
Filesize
6.0MB

MD5
6c387282b006b379ffda003bdc9a9bcf

SHA1
3c0c6b79ebec262d549b26d4aafd6ced059a67a9

SHA256
56119d59f6d52241164e4e36ecc87ec9279defd68be35ea43157a1850c4ef226

SHA512
7d4ff058811f36b8b58cbb1613756ce51231c39489c501dcc64ee14a2beef744be906595751f3a4f156655e851dd74153367d60ec3e92a599ad5d0960d98a876

Download Submit
C:\Windows\system\onJqdnC.exe
Filesize
6.0MB

MD5
0c83972ce359e782de2b38b26381eaaf

SHA1
8102a5722b7bbe9e39843d820f5d1edbcbe4801b

SHA256
1ab4d552224d4f6f018f2c3e903a8a8a7c02dcd048fd1206b2db80a19ebe6786

SHA512
37b214241b88a2c0379b326bde32d379884fc139cda1ae7cab968cc031258e0fde0e478049e8fd766bfebf08bead36d0f6a9203c419fbcd450cc96a0fbfd3216

Download Submit
C:\Windows\system\thAkaaX.exe
Filesize
6.0MB

MD5
83a32cb93a43242956f41ebaa839b084

SHA1
06428eeb1bcbad342cd1fe4c7fbba52e35102266

SHA256
298259415f682aef7bde40d61c814b45299d152b9ffc693e4165ec3761321753

SHA512
99823861ed92178574cdb105a8e3b1d39567deb9c924bdf366ca0fc21535c0b825113cfcb9526cf0736e530c392967160e1d4a9524d7afe018e89768251c9e7b

Download Submit
C:\Windows\system\vQExJxh.exe
Filesize
5.9MB

MD5
ec96b810be7ad5129df50c9264cba69f

SHA1
d2c27c4b60a98205f49c70d03ad34179a9dc1689

SHA256
fd28f6d96ecb4b481054d60cc2bc6fbf3704d7fcd35c710d0e56a75d8ab5e4e5

SHA512
29f9d9e707be991b44d76a84addc6bc4480a5566da89bca1da9bc112311b17496c42e347e8195361ded0fcc1623a5920811612eeeba44ce75b3e442bb23d73cc

Download Submit
C:\Windows\system\vkJtyix.exe
Filesize
6.0MB

MD5
8fa75635ee2d1d72c56f8ead272b745a

SHA1
c531783b12e28a9760ad6916ac8f27f7b3bff636

SHA256
c8b7f7471404bd793e63424b140021beca54803ea0b36f1d5ee9fc8589572e08

SHA512
988f93cbd7a68938cc3b8f476bcc24ec78463a6b86a0436d8eaf332b520f598d04b107aaf7577ffb2be685ef0380d351c1a03d0c834172894e0f23ec9bca6ecc

Download Submit
\Windows\system\uwpWhtf.exe
Filesize
6.0MB

MD5
bf437829d24581298c7c8fc4817c6f77

SHA1
4ed687c24b00ecf227fde2ecc34841caf0fef592

SHA256
03c104cdfe155445539d31c929eecd6f0328f600962e90edb9d48eb2deb1eedf

SHA512
5eaffefab79c0398f3362745dc1a7110bb095e0bca170f71280709bfa83ff2b9094343a2eb62c805cb38318bf0999495880a4d5b162bcb2edc6a5c706569c91c

Download Submit
\Windows\system\wsmpGrN.exe
Filesize
5.9MB

MD5
05f8658d3445280e8029c6fd959e2af9

SHA1
802e92b109bf2e39d84180a7c8572f927da5a60f

SHA256
67d27111120b751392a49f16ce439766add3dca4a9f064d2dba6f7a41486fa29

SHA512
10fb89763aefcc58fc1eba72c42bcc5bc90a209e1712e7e08d1c518896117bdc6f0919a1d1ce3dbe803b2c33ebfbe16f013c8415acd101fb8932e28bdce01a21

Download Submit
memory/1680-75-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1680-141-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1680-156-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-66-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-27-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-53-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/1888-2-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1888-146-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-89-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/1888-144-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/1888-34-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/1888-142-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1888-82-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1888-140-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-56-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1888-74-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-138-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-95-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-0-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1888-51-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/1888-20-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/1888-6-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2064-139-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2064-68-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2064-161-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-28-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-151-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-80-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2404-61-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2404-154-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2444-155-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2444-57-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-159-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-96-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-147-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-13-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-148-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2508-36-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2508-152-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2508-88-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2528-62-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-157-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-137-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-15-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2540-149-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2596-73-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2596-150-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2596-22-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2760-143-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2760-83-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2760-160-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2780-153-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2780-81-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2780-44-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2820-90-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2820-145-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2820-158-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download