cobaltstrike | c20a39335678b75ed7eb6162ebaf5847ad442a138e2decc13ca783d3bd3db001

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

0d2928c7641b504e667e7904d77fd96f
SHA1

f9aaaad245d6f6c560c55197f210d038f7976273
SHA256

c20a39335678b75ed7eb6162ebaf5847ad442a138e2decc13ca783d3bd3db001
SHA512

5405530b7cf1e4b9d7feea30051a54fb55c2f2b9c77cea2a149b3d378859ae33f2d4e937786016cccd230d0ad647a89b52d2c5bbdbdd9ce0339b8babe8b5940a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\zBmxPaA.exe	cobalt_reflective_dll
C:\Windows\system\UupgWyP.exe	cobalt_reflective_dll
\Windows\system\djucQIh.exe	cobalt_reflective_dll
C:\Windows\system\hhNepVu.exe	cobalt_reflective_dll
C:\Windows\system\KgCHolt.exe	cobalt_reflective_dll
C:\Windows\system\oZITlej.exe	cobalt_reflective_dll
\Windows\system\KipzvhQ.exe	cobalt_reflective_dll
C:\Windows\system\qLmnWog.exe	cobalt_reflective_dll
C:\Windows\system\HiRBqfF.exe	cobalt_reflective_dll
\Windows\system\ttDMRkM.exe	cobalt_reflective_dll
\Windows\system\jtpSjpc.exe	cobalt_reflective_dll
C:\Windows\system\JqCuMXD.exe	cobalt_reflective_dll
\Windows\system\ENfnzqX.exe	cobalt_reflective_dll
\Windows\system\LijBzNT.exe	cobalt_reflective_dll
C:\Windows\system\uZlQmoF.exe	cobalt_reflective_dll
C:\Windows\system\PVSKMxE.exe	cobalt_reflective_dll
C:\Windows\system\erTKiWF.exe	cobalt_reflective_dll
C:\Windows\system\RojLtok.exe	cobalt_reflective_dll
C:\Windows\system\LtwZYxc.exe	cobalt_reflective_dll
\Windows\system\GfMLSZG.exe	cobalt_reflective_dll
C:\Windows\system\OpHwmhV.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\zBmxPaA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UupgWyP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\djucQIh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hhNepVu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KgCHolt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oZITlej.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KipzvhQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qLmnWog.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HiRBqfF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ttDMRkM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\jtpSjpc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JqCuMXD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ENfnzqX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LijBzNT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uZlQmoF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PVSKMxE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\erTKiWF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RojLtok.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LtwZYxc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\GfMLSZG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OpHwmhV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2028-0-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
C:\Windows\system\zBmxPaA.exe	UPX
C:\Windows\system\UupgWyP.exe	UPX
\Windows\system\djucQIh.exe	UPX
behavioral1/memory/2680-35-0x000000013F320000-0x000000013F671000-memory.dmp	UPX
behavioral1/memory/3008-33-0x000000013F250000-0x000000013F5A1000-memory.dmp	UPX
behavioral1/memory/2116-31-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/memory/2760-30-0x000000013FD60000-0x00000001400B1000-memory.dmp	UPX
C:\Windows\system\hhNepVu.exe	UPX
C:\Windows\system\KgCHolt.exe	UPX
C:\Windows\system\oZITlej.exe	UPX
behavioral1/memory/3060-15-0x000000013F280000-0x000000013F5D1000-memory.dmp	UPX
\Windows\system\KipzvhQ.exe	UPX
behavioral1/memory/2584-42-0x000000013FA80000-0x000000013FDD1000-memory.dmp	UPX
C:\Windows\system\qLmnWog.exe	UPX
behavioral1/memory/2540-63-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
C:\Windows\system\HiRBqfF.exe	UPX
behavioral1/memory/2524-61-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/3060-58-0x000000013F280000-0x000000013F5D1000-memory.dmp	UPX
behavioral1/memory/2484-57-0x000000013FE10000-0x0000000140161000-memory.dmp	UPX
behavioral1/memory/2028-56-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
\Windows\system\ttDMRkM.exe	UPX
behavioral1/memory/2760-70-0x000000013FD60000-0x00000001400B1000-memory.dmp	UPX
behavioral1/memory/2116-72-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/memory/2680-74-0x000000013F320000-0x000000013F671000-memory.dmp	UPX
behavioral1/memory/1404-76-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/memory/3008-73-0x000000013F250000-0x000000013F5A1000-memory.dmp	UPX
\Windows\system\jtpSjpc.exe	UPX
behavioral1/memory/2584-80-0x000000013FA80000-0x000000013FDD1000-memory.dmp	UPX
behavioral1/memory/2196-85-0x000000013FCE0000-0x0000000140031000-memory.dmp	UPX
C:\Windows\system\JqCuMXD.exe	UPX
\Windows\system\ENfnzqX.exe	UPX
\Windows\system\LijBzNT.exe	UPX
C:\Windows\system\uZlQmoF.exe	UPX
C:\Windows\system\PVSKMxE.exe	UPX
C:\Windows\system\erTKiWF.exe	UPX
C:\Windows\system\RojLtok.exe	UPX
C:\Windows\system\LtwZYxc.exe	UPX
\Windows\system\GfMLSZG.exe	UPX
behavioral1/memory/1376-110-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2540-109-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
C:\Windows\system\OpHwmhV.exe	UPX
behavioral1/memory/1704-107-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/memory/2524-105-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/2484-103-0x000000013FE10000-0x0000000140161000-memory.dmp	UPX
behavioral1/memory/1424-95-0x000000013F930000-0x000000013FC81000-memory.dmp	UPX
behavioral1/memory/2028-142-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
behavioral1/memory/1376-157-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/1600-160-0x000000013F770000-0x000000013FAC1000-memory.dmp	UPX
behavioral1/memory/2036-165-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
behavioral1/memory/2040-164-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2408-163-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/1572-162-0x000000013FA40000-0x000000013FD91000-memory.dmp	UPX
behavioral1/memory/2168-159-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/memory/1704-158-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/memory/1564-161-0x000000013FC40000-0x000000013FF91000-memory.dmp	UPX
behavioral1/memory/2028-166-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
behavioral1/memory/3060-212-0x000000013F280000-0x000000013F5D1000-memory.dmp	UPX
behavioral1/memory/3008-220-0x000000013F250000-0x000000013F5A1000-memory.dmp	UPX
behavioral1/memory/2680-222-0x000000013F320000-0x000000013F671000-memory.dmp	UPX
behavioral1/memory/2116-226-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/memory/2760-225-0x000000013FD60000-0x00000001400B1000-memory.dmp	UPX
behavioral1/memory/2584-228-0x000000013FA80000-0x000000013FDD1000-memory.dmp	UPX
behavioral1/memory/2484-230-0x000000013FE10000-0x0000000140161000-memory.dmp	UPX

XMRig Miner payload 44 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2680-35-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2028-39-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/3060-58-0x000000013F280000-0x000000013F5D1000-memory.dmp	xmrig
behavioral1/memory/2028-56-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2760-70-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2116-72-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2680-74-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2028-75-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/1404-76-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/3008-73-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2584-80-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2196-85-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2028-82-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2540-109-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2524-105-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2484-103-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2028-100-0x0000000002460000-0x00000000027B1000-memory.dmp	xmrig
behavioral1/memory/1424-95-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2028-142-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2028-153-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/1376-157-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/1600-160-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2036-165-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2040-164-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2408-163-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1572-162-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2168-159-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/1704-158-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/1564-161-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2028-166-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/3060-212-0x000000013F280000-0x000000013F5D1000-memory.dmp	xmrig
behavioral1/memory/3008-220-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2680-222-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2116-226-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2760-225-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2584-228-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2484-230-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2540-236-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2524-235-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/1404-239-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2196-241-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/1424-243-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/1704-254-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/1376-264-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

zBmxPaA.exeUupgWyP.exeoZITlej.exeKgCHolt.exehhNepVu.exedjucQIh.exeKipzvhQ.exeqLmnWog.exeHiRBqfF.exettDMRkM.exejtpSjpc.exeJqCuMXD.exeENfnzqX.exeOpHwmhV.exeuZlQmoF.exeLijBzNT.exeerTKiWF.exePVSKMxE.exeRojLtok.exeLtwZYxc.exeGfMLSZG.exe

pid	process
3060	zBmxPaA.exe
2760	UupgWyP.exe
2116	oZITlej.exe
3008	KgCHolt.exe
2680	hhNepVu.exe
2584	djucQIh.exe
2484	KipzvhQ.exe
2524	qLmnWog.exe
2540	HiRBqfF.exe
1404	ttDMRkM.exe
2196	jtpSjpc.exe
1424	JqCuMXD.exe
1704	ENfnzqX.exe
1376	OpHwmhV.exe
2168	uZlQmoF.exe
1600	LijBzNT.exe
1564	erTKiWF.exe
1572	PVSKMxE.exe
2408	RojLtok.exe
2040	LtwZYxc.exe
2036	GfMLSZG.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

pid	process
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2028-0-0x000000013F510000-0x000000013F861000-memory.dmp	upx
C:\Windows\system\zBmxPaA.exe	upx
C:\Windows\system\UupgWyP.exe	upx
\Windows\system\djucQIh.exe	upx
behavioral1/memory/2680-35-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/3008-33-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2116-31-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2760-30-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
C:\Windows\system\hhNepVu.exe	upx
C:\Windows\system\KgCHolt.exe	upx
C:\Windows\system\oZITlej.exe	upx
behavioral1/memory/3060-15-0x000000013F280000-0x000000013F5D1000-memory.dmp	upx
\Windows\system\KipzvhQ.exe	upx
behavioral1/memory/2584-42-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
C:\Windows\system\qLmnWog.exe	upx
behavioral1/memory/2540-63-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
C:\Windows\system\HiRBqfF.exe	upx
behavioral1/memory/2524-61-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/3060-58-0x000000013F280000-0x000000013F5D1000-memory.dmp	upx
behavioral1/memory/2484-57-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/2028-56-0x000000013F510000-0x000000013F861000-memory.dmp	upx
\Windows\system\ttDMRkM.exe	upx
behavioral1/memory/2760-70-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/2116-72-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2680-74-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/1404-76-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/3008-73-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
\Windows\system\jtpSjpc.exe	upx
behavioral1/memory/2584-80-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2196-85-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
C:\Windows\system\JqCuMXD.exe	upx
\Windows\system\ENfnzqX.exe	upx
\Windows\system\LijBzNT.exe	upx
C:\Windows\system\uZlQmoF.exe	upx
C:\Windows\system\PVSKMxE.exe	upx
C:\Windows\system\erTKiWF.exe	upx
C:\Windows\system\RojLtok.exe	upx
C:\Windows\system\LtwZYxc.exe	upx
\Windows\system\GfMLSZG.exe	upx
behavioral1/memory/1376-110-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2540-109-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
C:\Windows\system\OpHwmhV.exe	upx
behavioral1/memory/1704-107-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2524-105-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2484-103-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/1424-95-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2028-142-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/1376-157-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/1600-160-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2036-165-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/2040-164-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2408-163-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/1572-162-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/2168-159-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/1704-158-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/1564-161-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/2028-166-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/3060-212-0x000000013F280000-0x000000013F5D1000-memory.dmp	upx
behavioral1/memory/3008-220-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2680-222-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2116-226-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2760-225-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/2584-228-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2484-230-0x000000013FE10000-0x0000000140161000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\KgCHolt.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KipzvhQ.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JqCuMXD.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OpHwmhV.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\erTKiWF.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zBmxPaA.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oZITlej.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\djucQIh.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uZlQmoF.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ttDMRkM.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ENfnzqX.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LtwZYxc.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PVSKMxE.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RojLtok.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UupgWyP.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hhNepVu.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qLmnWog.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HiRBqfF.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jtpSjpc.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LijBzNT.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GfMLSZG.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2028 wrote to memory of 3060	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	zBmxPaA.exe
PID 2028 wrote to memory of 3060	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	zBmxPaA.exe
PID 2028 wrote to memory of 3060	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	zBmxPaA.exe
PID 2028 wrote to memory of 2760	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	UupgWyP.exe
PID 2028 wrote to memory of 2760	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	UupgWyP.exe
PID 2028 wrote to memory of 2760	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	UupgWyP.exe
PID 2028 wrote to memory of 3008	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	KgCHolt.exe
PID 2028 wrote to memory of 3008	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	KgCHolt.exe
PID 2028 wrote to memory of 3008	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	KgCHolt.exe
PID 2028 wrote to memory of 2116	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	oZITlej.exe
PID 2028 wrote to memory of 2116	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	oZITlej.exe
PID 2028 wrote to memory of 2116	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	oZITlej.exe
PID 2028 wrote to memory of 2680	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	hhNepVu.exe
PID 2028 wrote to memory of 2680	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	hhNepVu.exe
PID 2028 wrote to memory of 2680	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	hhNepVu.exe
PID 2028 wrote to memory of 2584	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	djucQIh.exe
PID 2028 wrote to memory of 2584	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	djucQIh.exe
PID 2028 wrote to memory of 2584	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	djucQIh.exe
PID 2028 wrote to memory of 2524	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	qLmnWog.exe
PID 2028 wrote to memory of 2524	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	qLmnWog.exe
PID 2028 wrote to memory of 2524	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	qLmnWog.exe
PID 2028 wrote to memory of 2484	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	KipzvhQ.exe
PID 2028 wrote to memory of 2484	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	KipzvhQ.exe
PID 2028 wrote to memory of 2484	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	KipzvhQ.exe
PID 2028 wrote to memory of 2540	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	HiRBqfF.exe
PID 2028 wrote to memory of 2540	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	HiRBqfF.exe
PID 2028 wrote to memory of 2540	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	HiRBqfF.exe
PID 2028 wrote to memory of 1404	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	ttDMRkM.exe
PID 2028 wrote to memory of 1404	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	ttDMRkM.exe
PID 2028 wrote to memory of 1404	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	ttDMRkM.exe
PID 2028 wrote to memory of 2196	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	jtpSjpc.exe
PID 2028 wrote to memory of 2196	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	jtpSjpc.exe
PID 2028 wrote to memory of 2196	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	jtpSjpc.exe
PID 2028 wrote to memory of 1424	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	JqCuMXD.exe
PID 2028 wrote to memory of 1424	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	JqCuMXD.exe
PID 2028 wrote to memory of 1424	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	JqCuMXD.exe
PID 2028 wrote to memory of 1376	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	OpHwmhV.exe
PID 2028 wrote to memory of 1376	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	OpHwmhV.exe
PID 2028 wrote to memory of 1376	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	OpHwmhV.exe
PID 2028 wrote to memory of 1704	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	ENfnzqX.exe
PID 2028 wrote to memory of 1704	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	ENfnzqX.exe
PID 2028 wrote to memory of 1704	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	ENfnzqX.exe
PID 2028 wrote to memory of 2168	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	uZlQmoF.exe
PID 2028 wrote to memory of 2168	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	uZlQmoF.exe
PID 2028 wrote to memory of 2168	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	uZlQmoF.exe
PID 2028 wrote to memory of 1600	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	LijBzNT.exe
PID 2028 wrote to memory of 1600	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	LijBzNT.exe
PID 2028 wrote to memory of 1600	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	LijBzNT.exe
PID 2028 wrote to memory of 1564	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	erTKiWF.exe
PID 2028 wrote to memory of 1564	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	erTKiWF.exe
PID 2028 wrote to memory of 1564	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	erTKiWF.exe
PID 2028 wrote to memory of 1572	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	PVSKMxE.exe
PID 2028 wrote to memory of 1572	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	PVSKMxE.exe
PID 2028 wrote to memory of 1572	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	PVSKMxE.exe
PID 2028 wrote to memory of 2408	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	RojLtok.exe
PID 2028 wrote to memory of 2408	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	RojLtok.exe
PID 2028 wrote to memory of 2408	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	RojLtok.exe
PID 2028 wrote to memory of 2040	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	LtwZYxc.exe
PID 2028 wrote to memory of 2040	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	LtwZYxc.exe
PID 2028 wrote to memory of 2040	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	LtwZYxc.exe
PID 2028 wrote to memory of 2036	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	GfMLSZG.exe
PID 2028 wrote to memory of 2036	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	GfMLSZG.exe
PID 2028 wrote to memory of 2036	2028	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	GfMLSZG.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System\zBmxPaA.exe
C:\Windows\System\zBmxPaA.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\System\UupgWyP.exe
C:\Windows\System\UupgWyP.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\KgCHolt.exe
C:\Windows\System\KgCHolt.exe
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\System\oZITlej.exe
C:\Windows\System\oZITlej.exe
2⤵
- Executes dropped EXE
PID:2116

C:\Windows\System\hhNepVu.exe
C:\Windows\System\hhNepVu.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\System\djucQIh.exe
C:\Windows\System\djucQIh.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\qLmnWog.exe
C:\Windows\System\qLmnWog.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\KipzvhQ.exe
C:\Windows\System\KipzvhQ.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\HiRBqfF.exe
C:\Windows\System\HiRBqfF.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\ttDMRkM.exe
C:\Windows\System\ttDMRkM.exe
2⤵
- Executes dropped EXE
PID:1404

C:\Windows\System\jtpSjpc.exe
C:\Windows\System\jtpSjpc.exe
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\System\JqCuMXD.exe
C:\Windows\System\JqCuMXD.exe
2⤵
- Executes dropped EXE
PID:1424

C:\Windows\System\OpHwmhV.exe
C:\Windows\System\OpHwmhV.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System\ENfnzqX.exe
C:\Windows\System\ENfnzqX.exe
2⤵
- Executes dropped EXE
PID:1704

C:\Windows\System\uZlQmoF.exe
C:\Windows\System\uZlQmoF.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\LijBzNT.exe
C:\Windows\System\LijBzNT.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\System\erTKiWF.exe
C:\Windows\System\erTKiWF.exe
2⤵
- Executes dropped EXE
PID:1564

C:\Windows\System\PVSKMxE.exe
C:\Windows\System\PVSKMxE.exe
2⤵
- Executes dropped EXE
PID:1572

C:\Windows\System\RojLtok.exe
C:\Windows\System\RojLtok.exe
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\System\LtwZYxc.exe
C:\Windows\System\LtwZYxc.exe
2⤵
- Executes dropped EXE
PID:2040

C:\Windows\System\GfMLSZG.exe
C:\Windows\System\GfMLSZG.exe
2⤵
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HiRBqfF.exe
Filesize
5.2MB

MD5
354245b77cc000eb06b46933f6711360

SHA1
5e0301fccdb65f05146e9c85faf30f957845ff63

SHA256
30a3d27888fff8b4b8eadac01da1f4e445d52cc6cf3e85fbb65cf3824f32501c

SHA512
31620251bdb17d4a16464b07c2978318c8fa1924a1bf8a33a57c6852cae969072c15b17a6e23f1ea131371450464241573ca4501c54d8791cbf6b7403ee70cfd

Download Submit
C:\Windows\system\JqCuMXD.exe
Filesize
5.2MB

MD5
a70d79a8b863896c9fb8c6a08f48d394

SHA1
1cc9956d95a1e85a81ed71fe4b9067873ab66a46

SHA256
ee0aa086152cd0d7a982aaec624e097d2c414786ab7f127b93e7fa93df7491cc

SHA512
bf38af475e8caa8e772ec58751d93c3d907215dba26d8157059c78404ef0f04717e568420b37d53b421059fb98c1a61025203320c9defaee9a79ab48906896a4

Download Submit
C:\Windows\system\KgCHolt.exe
Filesize
5.2MB

MD5
80053fa385babf4c7bfd059dca5e45f4

SHA1
58843e4ae97a1a35c9465e87f1cab66b7bbeedd2

SHA256
c4169389f30bdc095aef2a99d069f7386ca213fc2922b4ef594f581c290696f7

SHA512
80d53c023ecf897b267d0425c0fc0e595d108a67b66fa9273f9a9282ccf51e4a8915f5daeefa87b5737934da9097975ac13557000eb0e1167861c67e2ca63062

Download Submit
C:\Windows\system\LtwZYxc.exe
Filesize
5.2MB

MD5
0786b3ab7f6825e84f88da2882b8fd2c

SHA1
2c70996791505ad876405236b166638c6e9172e6

SHA256
b874c3302d34123112d749c924d62115258ab84ea417d4479e642bfe99d75476

SHA512
f5d91f3ff4e9ffd960736bf6342a51dc75948bcf2d5bcf1a9f54243d986b43956d22e75b60d14dc652bec4a089775072bb6bbc9e133a0d886002d4eb57b51107

Download Submit
C:\Windows\system\OpHwmhV.exe
Filesize
5.2MB

MD5
f8e573d314f307813a59d671110a44e2

SHA1
62c115716b30dd9698d578b25e586260a5e87599

SHA256
812227fe51fcd893f5ead053eded85db6fa8e85524e0faec7b0688efee4c9725

SHA512
719d45dae2e1d6583f67c8677c0d46765cbf5ef032be29909254e3154df73e4777c57a2eca35597d9f10f0c611d9f8da057d3e82ab6df3ef94e6b376dd7f7429

Download Submit
C:\Windows\system\PVSKMxE.exe
Filesize
5.2MB

MD5
76afe462113a936232500a39e14d1d3c

SHA1
a4f8daa7d965210ec1af9c44830db2300018a2a0

SHA256
9a463d57704cf3eb718ab2a5f42741b6a180a46b9a916b03678869875a94049a

SHA512
756f11d71ff247fa5e1294c8000b4ab1e01f2c836b32932b85898523ae06e1829bf2d9bdae244041931535fcaf34f81bf0bb184be3f68f869a3929376c508f94

Download Submit
C:\Windows\system\RojLtok.exe
Filesize
5.2MB

MD5
196b6973525442f9b14b5da56dcd204f

SHA1
f1eea16ef57ec38891cd20eb40210195ec1203ba

SHA256
5744949b145eb845888f5e8c771bd206f16895bad4328a1849f6dc589d8302d7

SHA512
3a1b998e41e1bb77dcd269a0776ae37e7b751be422c84f3c7f01373bc407263b3a54e9faa801e9f510a0a7b283071e933a7cb357c6fdcd4cb759d3651f658d95

Download Submit
C:\Windows\system\UupgWyP.exe
Filesize
5.2MB

MD5
01f43475c722920964b88ba935a727a4

SHA1
75923c888198b85fde42f8a71be19555c71a40ad

SHA256
2e1fd98cd80a3358e3d2c97b4cfaa8eaa22bd9166812057dceda4c33b18951c7

SHA512
934bfbbbdc67db746163ac64c93d1b10fcdc22dee38396f8e052bab57e148d2a465820534bdc8a3fc6524d8273df228d06641a73f7f2e60583c5f8549eb39801

Download Submit
C:\Windows\system\erTKiWF.exe
Filesize
5.2MB

MD5
8b88bd89d34692fd3005a1e722fbf303

SHA1
ac5a33e052eae80a02a4f22f6a517612bac6270b

SHA256
d7242d04a6ee96480c40dc9c7f26474bfe7c0cbe2d134490f14fa89ebc8b824c

SHA512
ca720a52186c7a3426f7d402a4778c33b87ad75b30246b1ce4754c86b1995f482f691dad0ee146e887e46e8feb1a7306cc020dc71448342599aa03f9fe4e8f92

Download Submit
C:\Windows\system\hhNepVu.exe
Filesize
5.2MB

MD5
a12cbba3c9be7808e08aceadfc0f3a73

SHA1
e143a8a763b681b605df1678c508a9b0dcb03f47

SHA256
22592a6a15567ff5193f8d0b2eca9d10b60244d01824e0d482bea1561e96d9c4

SHA512
081690c3acb32dd10c0c5ad7d25c473ce01f1bfd024ab3a138126ac1dc81df97a84bb53106e9662f2a5c29dff7109dd42a5a2c9b7f1c56e42ffade334bc66233

Download Submit
C:\Windows\system\oZITlej.exe
Filesize
5.2MB

MD5
3e1f063ff2bf25cf4fc9cfaa8a0a4f34

SHA1
e551221c6b213e527bff03292ebe0076ca3614c0

SHA256
56d3b8e131bfe5f017c8bc235598fdd00dd7ed62b567f3d24588280c31a46f60

SHA512
ad5780cc588cd9d823c7c80d4e5be079c0b656677d62a2c7a9a779878e5b99b63dd000764d38668ea6bdef673467c64bdecde19168a40cb9a75222d119d21fea

Download Submit
C:\Windows\system\qLmnWog.exe
Filesize
5.2MB

MD5
fb468bb27f7609c9e2d52a7219f7b23c

SHA1
d90cb4eaeac9cc2343d0fe74916fa410f709cd23

SHA256
c7d7f1d05141d5c3c1ba41ca408efafc33f7607efa9ece8800357c2def8f8b47

SHA512
71eefbeb6a3461c320635f9c2852320278364d0b92a58b0af1c58ccd9d8a63afb2987971e5d6705eccd8b7cb8b249dc388678c8ed8a93e1bc378ea94f7695f41

Download Submit
C:\Windows\system\uZlQmoF.exe
Filesize
5.2MB

MD5
6cb19382e0a972b8e6cfe1cb9346e885

SHA1
cac97fdf416944fed569bdd11a4ba54c54b1910e

SHA256
ba6516a283c72b52166cc1d36074200a5cf662228cf48fa97b67099c72e3f362

SHA512
5f1f992a0c83231d4e32b2659c6b1efb3fa864c9e4317aea9805b102fa0fe2140feca0faedadf958be109647f6152904d638b2fadd2fac31d611ae1e802c992c

Download Submit
C:\Windows\system\zBmxPaA.exe
Filesize
5.2MB

MD5
0561742375e6e9b7cd205777ff784151

SHA1
8ea3c0dbcc61983dda308b333a48c80f2e979cf7

SHA256
09644c22fab14f25e1319a7a96caabf1161ff6ae7a55dd607bdcc4a54b94aba9

SHA512
b84ce1610a655080b4c2385f8913f97bf4ee782243b3e1ab6897e3850d211541aceba7f91b3c21bdbaacbd26191eaa46a9c7dc9cefebcea21297bd33dff4867a

Download Submit
\Windows\system\ENfnzqX.exe
Filesize
5.2MB

MD5
2b7a12c58af0829adb55a3aecfb5fca7

SHA1
9fd709667514096a058c7a732924fb4ea62b2bf9

SHA256
09f1ab75cca6ee71b6694b6dffff1cd80e25ed62e1d21c76fc9ed36f751270fc

SHA512
b1a93f69f80d6ae71b4ad7cd4b831d5ee43d899bc60e923b55c9067b4ebc220c6be9c5bcc97424ab839058ca81c509655dd07993c8e378df7f9025d3197322a2

Download Submit
\Windows\system\GfMLSZG.exe
Filesize
5.2MB

MD5
363e7a5fdeed2c66d1dd689d3ea1eda2

SHA1
9af316a646f11165e6e3cc976dbe750836a05f4a

SHA256
9ec47927c19f6b382016cbc3ad91e7a50c9a083caf280f00b27e2cb234cbf586

SHA512
5f0c6ab33c1762d2b5eefbe301da2130661f070627ba172a0b27c9e1f779086c22af1f61b475f6090bc39c5a06eb00201fb08868fa30bd54484389540d676276

Download Submit
\Windows\system\KipzvhQ.exe
Filesize
5.2MB

MD5
a94917bd462ffe6a3250ac260304436e

SHA1
a9ba9610f5e944cd5fc956be45de6dd68eaa1516

SHA256
9df01da5684c730de2e21dbe580c1cf5d375c8216cebb1e55cbbc5b8eb390302

SHA512
31c5e1475ec6ad3edd6b5ef7088a07946d1b61cc4d633da099cd6dd37126809978f6d11fe999bea4ec122cc73812887db7d6a8b7239068910a5384130cb9c101

Download Submit
\Windows\system\LijBzNT.exe
Filesize
5.2MB

MD5
dc6954b6eb474f82d9bd8098f425fc64

SHA1
fffa1e8b3fc4e41e9284ce99ebaf363cdf71086a

SHA256
f68bbd3eac34ca40e08c428cd64b639fdd27fe3526157737322410393a166d4a

SHA512
14e4338c93bb6b5375fba6428a9857fcaca1bd44c08bff8153d5712ff6517e15f75b4ec4e720c8085c350014341585f884cb8324667731020e7a7b4a4da49a0c

Download Submit
\Windows\system\djucQIh.exe
Filesize
5.2MB

MD5
aab92121b5eb07ee8dd53773e64e607c

SHA1
7aacd03fc04e31505277c800573dc5baa174ab91

SHA256
55ad4dd5015d93b1c086d2e4da76a853e6f97245da28f6839200d3d5127ba069

SHA512
c8f101f56ef73446b593c2ae075fb1d91a25f2100bc9ab8ede2922b69a51b139536f4fcf78f2b4cd00594e99b2c31c3fcfc23ea2a62c6215ab7f99efc619d982

Download Submit
\Windows\system\jtpSjpc.exe
Filesize
5.2MB

MD5
45926a209b5ae5d7a53e186da03f7b1c

SHA1
f291c30a3752c00ec71c40ffd4b47a8167daddb6

SHA256
c59a28f4029d1511e5ac2e1c4fc9a773d98f80f885cd6095c287a1bb25948874

SHA512
0e908b92b3f2966026f01e178acfe11c55419cde966f23cb5e1ebe31afed388c0f1fe45d88b03f8875630d3008d33850a0bc3ac48b281d914340417fc9da0384

Download Submit
\Windows\system\ttDMRkM.exe
Filesize
5.2MB

MD5
234b72863ff27fedaa42562a106eb4ed

SHA1
161702a7286928f1f47d275204108ed734704183

SHA256
33215be73c344b86714a5e8a264018cfeca7cacacf307ece03f33d1604913f44

SHA512
91dc96ce74cb32fd96fb4047b32e2044c7683e34a33744a79fd1f7e38691ded27191deb08f53c00c7389f006b9d254e0a56f967a87361dec16945de5a5cc00ea

Download Submit
memory/1376-110-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/1376-157-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/1376-264-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/1404-76-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-239-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-95-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1424-243-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1564-161-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/1572-162-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/1600-160-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/1704-254-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/1704-158-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/1704-107-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2028-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2028-142-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2028-75-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-153-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-100-0x0000000002460000-0x00000000027B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-84-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2028-82-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2028-55-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2028-56-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2028-91-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2028-166-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2028-10-0x0000000002460000-0x00000000027B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-176-0x0000000002460000-0x00000000027B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-23-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-24-0x0000000002460000-0x00000000027B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-25-0x0000000002460000-0x00000000027B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-39-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-19-0x0000000002460000-0x00000000027B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-0-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2036-165-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2040-164-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2116-226-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2116-31-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2116-72-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2168-159-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2196-85-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2196-241-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2408-163-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2484-230-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2484-57-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2484-103-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2524-235-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-105-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-61-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-236-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2540-63-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2540-109-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2584-42-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-80-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-228-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-222-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2680-35-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2680-74-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2760-225-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-70-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-30-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-220-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-33-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-73-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-15-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-58-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-212-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download