cobaltstrike | 2355ab65e1a76372836c79b496d853b0917d72b3c0de88f398b8169df1bbaa21

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

d529a922da360715e2a3480e1dd5ee1f
SHA1

95bc2e5bbb29af2ca79e09842fa4172573b4f7dc
SHA256

2355ab65e1a76372836c79b496d853b0917d72b3c0de88f398b8169df1bbaa21
SHA512

0daeeccc94bd83169186a025b8c469329d6170d7ab0c585f203ae809d3e65937305111182c2735c269bd51e35bcea88eec3d6d29c7fec6fabfe41f8c174dec91
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibf56utgpPFotBER/mQ32lUg

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\WNRqlPO.exe	cobalt_reflective_dll
\Windows\system\KYkhBRh.exe	cobalt_reflective_dll
C:\Windows\system\OvUItPy.exe	cobalt_reflective_dll
C:\Windows\system\SdxHlIl.exe	cobalt_reflective_dll
\Windows\system\szTcBmg.exe	cobalt_reflective_dll
C:\Windows\system\yOesuKK.exe	cobalt_reflective_dll
C:\Windows\system\uTvUOoB.exe	cobalt_reflective_dll
\Windows\system\ysMaEyx.exe	cobalt_reflective_dll
\Windows\system\wsBThxe.exe	cobalt_reflective_dll
\Windows\system\gXJmmXA.exe	cobalt_reflective_dll
\Windows\system\zGuOUGp.exe	cobalt_reflective_dll
C:\Windows\system\ZJvzFkv.exe	cobalt_reflective_dll
\Windows\system\enaxVtW.exe	cobalt_reflective_dll
\Windows\system\VKunmyU.exe	cobalt_reflective_dll
C:\Windows\system\keaSlcW.exe	cobalt_reflective_dll
C:\Windows\system\xksALMM.exe	cobalt_reflective_dll
C:\Windows\system\nBGAPaI.exe	cobalt_reflective_dll
\Windows\system\hDLUbUv.exe	cobalt_reflective_dll
C:\Windows\system\bmeLtta.exe	cobalt_reflective_dll
C:\Windows\system\unyBbDh.exe	cobalt_reflective_dll
C:\Windows\system\WDXJLoO.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\WNRqlPO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KYkhBRh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OvUItPy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SdxHlIl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\szTcBmg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yOesuKK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uTvUOoB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ysMaEyx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\wsBThxe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\gXJmmXA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zGuOUGp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZJvzFkv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\enaxVtW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VKunmyU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\keaSlcW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xksALMM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nBGAPaI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hDLUbUv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bmeLtta.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\unyBbDh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WDXJLoO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1276-0-0x000000013F3E0000-0x000000013F731000-memory.dmp	UPX
\Windows\system\WNRqlPO.exe	UPX
behavioral1/memory/2296-8-0x000000013F370000-0x000000013F6C1000-memory.dmp	UPX
\Windows\system\KYkhBRh.exe	UPX
behavioral1/memory/1152-15-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
C:\Windows\system\OvUItPy.exe	UPX
C:\Windows\system\SdxHlIl.exe	UPX
behavioral1/memory/2748-27-0x000000013F2D0000-0x000000013F621000-memory.dmp	UPX
behavioral1/memory/2252-24-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	UPX
\Windows\system\szTcBmg.exe	UPX
C:\Windows\system\yOesuKK.exe	UPX
behavioral1/memory/2888-37-0x000000013F4E0000-0x000000013F831000-memory.dmp	UPX
behavioral1/memory/2548-42-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/1276-41-0x000000013F3E0000-0x000000013F731000-memory.dmp	UPX
C:\Windows\system\uTvUOoB.exe	UPX
behavioral1/memory/2960-48-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
\Windows\system\ysMaEyx.exe	UPX
behavioral1/memory/2296-55-0x000000013F370000-0x000000013F6C1000-memory.dmp	UPX
behavioral1/memory/2568-57-0x000000013FA90000-0x000000013FDE1000-memory.dmp	UPX
\Windows\system\wsBThxe.exe	UPX
behavioral1/memory/2744-65-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
behavioral1/memory/1152-61-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
\Windows\system\gXJmmXA.exe	UPX
behavioral1/memory/2384-73-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
\Windows\system\zGuOUGp.exe	UPX
C:\Windows\system\ZJvzFkv.exe	UPX
behavioral1/memory/2888-81-0x000000013F4E0000-0x000000013F831000-memory.dmp	UPX
\Windows\system\enaxVtW.exe	UPX
behavioral1/memory/2844-98-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
behavioral1/memory/2960-97-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2748-75-0x000000013F2D0000-0x000000013F621000-memory.dmp	UPX
behavioral1/memory/2792-89-0x000000013F890000-0x000000013FBE1000-memory.dmp	UPX
behavioral1/memory/1884-85-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
\Windows\system\VKunmyU.exe	UPX
behavioral1/memory/304-105-0x000000013F2E0000-0x000000013F631000-memory.dmp	UPX
C:\Windows\system\keaSlcW.exe	UPX
C:\Windows\system\xksALMM.exe	UPX
C:\Windows\system\nBGAPaI.exe	UPX
\Windows\system\hDLUbUv.exe	UPX
C:\Windows\system\bmeLtta.exe	UPX
C:\Windows\system\unyBbDh.exe	UPX
C:\Windows\system\WDXJLoO.exe	UPX
behavioral1/memory/2744-136-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
behavioral1/memory/1276-144-0x000000013F3E0000-0x000000013F731000-memory.dmp	UPX
behavioral1/memory/2792-157-0x000000013F890000-0x000000013FBE1000-memory.dmp	UPX
behavioral1/memory/304-159-0x000000013F2E0000-0x000000013F631000-memory.dmp	UPX
behavioral1/memory/1348-163-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/2572-166-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
behavioral1/memory/2404-164-0x000000013F780000-0x000000013FAD1000-memory.dmp	UPX
behavioral1/memory/1988-162-0x000000013F3C0000-0x000000013F711000-memory.dmp	UPX
behavioral1/memory/2008-161-0x000000013FBF0000-0x000000013FF41000-memory.dmp	UPX
behavioral1/memory/2428-160-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/2488-165-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
behavioral1/memory/1276-167-0x000000013F3E0000-0x000000013F731000-memory.dmp	UPX
behavioral1/memory/2296-216-0x000000013F370000-0x000000013F6C1000-memory.dmp	UPX
behavioral1/memory/1152-218-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
behavioral1/memory/2252-220-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	UPX
behavioral1/memory/2748-222-0x000000013F2D0000-0x000000013F621000-memory.dmp	UPX
behavioral1/memory/2888-226-0x000000013F4E0000-0x000000013F831000-memory.dmp	UPX
behavioral1/memory/2548-228-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/2960-230-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2568-232-0x000000013FA90000-0x000000013FDE1000-memory.dmp	UPX
behavioral1/memory/2744-238-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
behavioral1/memory/2384-240-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2252-24-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2548-42-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/1276-41-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/2296-55-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/2568-57-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/1276-56-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/1276-63-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/1152-61-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2384-73-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2888-81-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/2844-98-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2960-97-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/1276-78-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2748-75-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/1884-85-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/1276-103-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/1276-104-0x0000000002300000-0x0000000002651000-memory.dmp	xmrig
behavioral1/memory/1276-108-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2744-136-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/1276-144-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/1276-154-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2792-157-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/304-159-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/1348-163-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2572-166-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2404-164-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig
behavioral1/memory/1988-162-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/2008-161-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2428-160-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2488-165-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/1276-167-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/2296-216-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/1152-218-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2252-220-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2748-222-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/2888-226-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/2548-228-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2960-230-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2568-232-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/2744-238-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2384-240-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/1884-242-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2792-244-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2844-246-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/304-256-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

WNRqlPO.exeKYkhBRh.exeOvUItPy.exeSdxHlIl.exeszTcBmg.exeyOesuKK.exeuTvUOoB.exeysMaEyx.exewsBThxe.exegXJmmXA.exezGuOUGp.exeZJvzFkv.exeenaxVtW.exeVKunmyU.exekeaSlcW.exeWDXJLoO.exexksALMM.exeunyBbDh.exebmeLtta.exenBGAPaI.exehDLUbUv.exe

pid	process
2296	WNRqlPO.exe
1152	KYkhBRh.exe
2252	OvUItPy.exe
2748	SdxHlIl.exe
2888	szTcBmg.exe
2548	yOesuKK.exe
2960	uTvUOoB.exe
2568	ysMaEyx.exe
2744	wsBThxe.exe
2384	gXJmmXA.exe
1884	zGuOUGp.exe
2792	ZJvzFkv.exe
2844	enaxVtW.exe
304	VKunmyU.exe
2428	keaSlcW.exe
2008	WDXJLoO.exe
1988	xksALMM.exe
1348	unyBbDh.exe
2404	bmeLtta.exe
2488	nBGAPaI.exe
2572	hDLUbUv.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

pid	process
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1276-0-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
\Windows\system\WNRqlPO.exe	upx
behavioral1/memory/2296-8-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
\Windows\system\KYkhBRh.exe	upx
behavioral1/memory/1152-15-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
C:\Windows\system\OvUItPy.exe	upx
C:\Windows\system\SdxHlIl.exe	upx
behavioral1/memory/2748-27-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/2252-24-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
\Windows\system\szTcBmg.exe	upx
C:\Windows\system\yOesuKK.exe	upx
behavioral1/memory/2888-37-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/2548-42-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/1276-41-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
C:\Windows\system\uTvUOoB.exe	upx
behavioral1/memory/2960-48-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
\Windows\system\ysMaEyx.exe	upx
behavioral1/memory/2296-55-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/2568-57-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
\Windows\system\wsBThxe.exe	upx
behavioral1/memory/2744-65-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/1152-61-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
\Windows\system\gXJmmXA.exe	upx
behavioral1/memory/2384-73-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
\Windows\system\zGuOUGp.exe	upx
C:\Windows\system\ZJvzFkv.exe	upx
behavioral1/memory/2888-81-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
\Windows\system\enaxVtW.exe	upx
behavioral1/memory/2844-98-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2960-97-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2748-75-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/2792-89-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/1884-85-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
\Windows\system\VKunmyU.exe	upx
behavioral1/memory/304-105-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
C:\Windows\system\keaSlcW.exe	upx
C:\Windows\system\xksALMM.exe	upx
C:\Windows\system\nBGAPaI.exe	upx
\Windows\system\hDLUbUv.exe	upx
C:\Windows\system\bmeLtta.exe	upx
C:\Windows\system\unyBbDh.exe	upx
C:\Windows\system\WDXJLoO.exe	upx
behavioral1/memory/2744-136-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/1276-144-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/2792-157-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/304-159-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/1348-163-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2572-166-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2404-164-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx
behavioral1/memory/1988-162-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/2008-161-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2428-160-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2488-165-0x000000013F200000-0x000000013F551000-memory.dmp	upx
behavioral1/memory/1276-167-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/2296-216-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/1152-218-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2252-220-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2748-222-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/2888-226-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/2548-228-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2960-230-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2568-232-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/memory/2744-238-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2384-240-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\WNRqlPO.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KYkhBRh.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uTvUOoB.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bmeLtta.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xksALMM.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OvUItPy.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SdxHlIl.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wsBThxe.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gXJmmXA.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZJvzFkv.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\enaxVtW.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WDXJLoO.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nBGAPaI.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hDLUbUv.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ysMaEyx.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zGuOUGp.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VKunmyU.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\keaSlcW.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\szTcBmg.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yOesuKK.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\unyBbDh.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1276 wrote to memory of 2296	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	WNRqlPO.exe
PID 1276 wrote to memory of 2296	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	WNRqlPO.exe
PID 1276 wrote to memory of 2296	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	WNRqlPO.exe
PID 1276 wrote to memory of 1152	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	KYkhBRh.exe
PID 1276 wrote to memory of 1152	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	KYkhBRh.exe
PID 1276 wrote to memory of 1152	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	KYkhBRh.exe
PID 1276 wrote to memory of 2252	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	OvUItPy.exe
PID 1276 wrote to memory of 2252	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	OvUItPy.exe
PID 1276 wrote to memory of 2252	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	OvUItPy.exe
PID 1276 wrote to memory of 2748	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	SdxHlIl.exe
PID 1276 wrote to memory of 2748	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	SdxHlIl.exe
PID 1276 wrote to memory of 2748	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	SdxHlIl.exe
PID 1276 wrote to memory of 2888	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	szTcBmg.exe
PID 1276 wrote to memory of 2888	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	szTcBmg.exe
PID 1276 wrote to memory of 2888	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	szTcBmg.exe
PID 1276 wrote to memory of 2548	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	yOesuKK.exe
PID 1276 wrote to memory of 2548	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	yOesuKK.exe
PID 1276 wrote to memory of 2548	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	yOesuKK.exe
PID 1276 wrote to memory of 2960	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	uTvUOoB.exe
PID 1276 wrote to memory of 2960	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	uTvUOoB.exe
PID 1276 wrote to memory of 2960	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	uTvUOoB.exe
PID 1276 wrote to memory of 2568	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	ysMaEyx.exe
PID 1276 wrote to memory of 2568	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	ysMaEyx.exe
PID 1276 wrote to memory of 2568	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	ysMaEyx.exe
PID 1276 wrote to memory of 2744	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	wsBThxe.exe
PID 1276 wrote to memory of 2744	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	wsBThxe.exe
PID 1276 wrote to memory of 2744	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	wsBThxe.exe
PID 1276 wrote to memory of 2384	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	gXJmmXA.exe
PID 1276 wrote to memory of 2384	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	gXJmmXA.exe
PID 1276 wrote to memory of 2384	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	gXJmmXA.exe
PID 1276 wrote to memory of 1884	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	zGuOUGp.exe
PID 1276 wrote to memory of 1884	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	zGuOUGp.exe
PID 1276 wrote to memory of 1884	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	zGuOUGp.exe
PID 1276 wrote to memory of 2792	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	ZJvzFkv.exe
PID 1276 wrote to memory of 2792	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	ZJvzFkv.exe
PID 1276 wrote to memory of 2792	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	ZJvzFkv.exe
PID 1276 wrote to memory of 2844	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	enaxVtW.exe
PID 1276 wrote to memory of 2844	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	enaxVtW.exe
PID 1276 wrote to memory of 2844	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	enaxVtW.exe
PID 1276 wrote to memory of 304	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	VKunmyU.exe
PID 1276 wrote to memory of 304	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	VKunmyU.exe
PID 1276 wrote to memory of 304	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	VKunmyU.exe
PID 1276 wrote to memory of 2428	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	keaSlcW.exe
PID 1276 wrote to memory of 2428	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	keaSlcW.exe
PID 1276 wrote to memory of 2428	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	keaSlcW.exe
PID 1276 wrote to memory of 2008	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	WDXJLoO.exe
PID 1276 wrote to memory of 2008	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	WDXJLoO.exe
PID 1276 wrote to memory of 2008	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	WDXJLoO.exe
PID 1276 wrote to memory of 1988	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	xksALMM.exe
PID 1276 wrote to memory of 1988	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	xksALMM.exe
PID 1276 wrote to memory of 1988	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	xksALMM.exe
PID 1276 wrote to memory of 1348	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	unyBbDh.exe
PID 1276 wrote to memory of 1348	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	unyBbDh.exe
PID 1276 wrote to memory of 1348	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	unyBbDh.exe
PID 1276 wrote to memory of 2404	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	bmeLtta.exe
PID 1276 wrote to memory of 2404	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	bmeLtta.exe
PID 1276 wrote to memory of 2404	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	bmeLtta.exe
PID 1276 wrote to memory of 2488	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	nBGAPaI.exe
PID 1276 wrote to memory of 2488	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	nBGAPaI.exe
PID 1276 wrote to memory of 2488	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	nBGAPaI.exe
PID 1276 wrote to memory of 2572	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	hDLUbUv.exe
PID 1276 wrote to memory of 2572	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	hDLUbUv.exe
PID 1276 wrote to memory of 2572	1276	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	hDLUbUv.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System\WNRqlPO.exe
C:\Windows\System\WNRqlPO.exe
2⤵
- Executes dropped EXE
PID:2296

C:\Windows\System\KYkhBRh.exe
C:\Windows\System\KYkhBRh.exe
2⤵
- Executes dropped EXE
PID:1152

C:\Windows\System\OvUItPy.exe
C:\Windows\System\OvUItPy.exe
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\System\SdxHlIl.exe
C:\Windows\System\SdxHlIl.exe
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\System\szTcBmg.exe
C:\Windows\System\szTcBmg.exe
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\System\yOesuKK.exe
C:\Windows\System\yOesuKK.exe
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\System\uTvUOoB.exe
C:\Windows\System\uTvUOoB.exe
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\System\ysMaEyx.exe
C:\Windows\System\ysMaEyx.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\wsBThxe.exe
C:\Windows\System\wsBThxe.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\System\gXJmmXA.exe
C:\Windows\System\gXJmmXA.exe
2⤵
- Executes dropped EXE
PID:2384

C:\Windows\System\zGuOUGp.exe
C:\Windows\System\zGuOUGp.exe
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\System\ZJvzFkv.exe
C:\Windows\System\ZJvzFkv.exe
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\System\enaxVtW.exe
C:\Windows\System\enaxVtW.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\System\VKunmyU.exe
C:\Windows\System\VKunmyU.exe
2⤵
- Executes dropped EXE
PID:304

C:\Windows\System\keaSlcW.exe
C:\Windows\System\keaSlcW.exe
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\System\WDXJLoO.exe
C:\Windows\System\WDXJLoO.exe
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\System\xksALMM.exe
C:\Windows\System\xksALMM.exe
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\System\unyBbDh.exe
C:\Windows\System\unyBbDh.exe
2⤵
- Executes dropped EXE
PID:1348

C:\Windows\System\bmeLtta.exe
C:\Windows\System\bmeLtta.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\nBGAPaI.exe
C:\Windows\System\nBGAPaI.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System\hDLUbUv.exe
C:\Windows\System\hDLUbUv.exe
2⤵
- Executes dropped EXE
PID:2572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\OvUItPy.exe
Filesize
5.2MB

MD5
b009bde7f0843594910ceac4fa0273ef

SHA1
403b7ae92525b211da422758255bb16d5e246966

SHA256
ef877abb0cfc5783e7973ecca0a7bbe476c32efb51531c0c0f5d8562e63a865e

SHA512
98ff110f6820320220276bb1d2ce4bc52f157a5215d45fa4d39dacd8e9dcd51e9a86a91b848751e660916135588ca31993fb681186c36d56e83b38196f53c216

Download Submit
C:\Windows\system\SdxHlIl.exe
Filesize
5.2MB

MD5
d48410dc2ef74d1cf2af7d3430d59b31

SHA1
3c5b19e9221235427a8299bbb766ba0575ecdd13

SHA256
5fbe1c5573fb2b835bd2f9699b1147f3c5ebe65d8af2c40d43b1e28c4c12fbc7

SHA512
eea4bd09ba8a2fdcad0aa0e84a8a08c5181288c64b6de43efb53b8215fac84b827368794891f5f96cce86a0c6bf8d1887f5c55e98087a69a2cb3131baf7d9fad

Download Submit
C:\Windows\system\WDXJLoO.exe
Filesize
5.2MB

MD5
7938f8cf2b4bf0f98df9c197f9a77977

SHA1
e852d14f7d640be3849cda344134bed6ceb56154

SHA256
6be185f88818894761f29cf2928bcd0464ab36f6ab0568f0dd0d8f3f64e6a1dc

SHA512
668925747662f8534fe21afbbb205660fa22d522e00c1d1aa40288a5fc0cb62d2527f62c33bf672040a9879bf6ebc22f9b484596df99fa7220e5b49304985d34

Download Submit
C:\Windows\system\ZJvzFkv.exe
Filesize
5.2MB

MD5
271db826713922a6a3eca5fd647eb2a9

SHA1
ccde55a4b80d280cb7ba98eb012aef60b7998b38

SHA256
bbf985b4094252c455c23e22071df3b598c559f6476dc9f52372869475aa22f8

SHA512
4a86381aec81021ba81904034c1fe0ae564ec9639d469f27d5d0dbcdb5994a196914cd2df8b70242620e0689678b166275365ef7339e347cd14216e93285b2f6

Download Submit
C:\Windows\system\bmeLtta.exe
Filesize
5.2MB

MD5
3f32310772ea8911f68713eac4a5e9f7

SHA1
78cc39fc77f4464d24cd73779be98b5c75c46c67

SHA256
9495588069b73ab9ea8c6e94a5347f1bb1e3ac1157ce7772dedd71f8b6f3c97c

SHA512
c264b78ef2c37849b2e269d077580f44f284a23b491b6e34077209ab2556e60376b5f904a8518be262adf19c013833ceca7d981ed03c3bbffffbac0b0484ab75

Download Submit
C:\Windows\system\keaSlcW.exe
Filesize
5.2MB

MD5
e538ebf8f741e47b42f9994afea3713a

SHA1
3fbed39123986af033128fa2ab63a75f972383e3

SHA256
308b9b447c351660334a913ac3fdca2f2ecc430a2e1728b50c53763008667552

SHA512
5821aba31c8a411112aecfc209e3b37bcb2d3fa3d24b6acdaa0886f294662e29498745a757de31960c8175784b91f709ab0a9de4c8c1e757cef9a81e0c7f7788

Download Submit
C:\Windows\system\nBGAPaI.exe
Filesize
5.2MB

MD5
69cac823d0f3dd87ecb6f5a9c9b0c8c5

SHA1
e3bf4f2ecc7f64b4d0fd0a13f61bf23b1dceb339

SHA256
f545fe7d0f0d39841db45f9c517611fa637e6114b98dc2cdf02da2526f400001

SHA512
2409a9a26c44f0ec48ee66ce91c7e425fad45d0814667246f7fd759aded66e614912605df6810de5de9c02f1ed6fe3a298400cef5aa4771797ea666f8a3a5d39

Download Submit
C:\Windows\system\uTvUOoB.exe
Filesize
5.2MB

MD5
048b131d3561b82d77c8c63cc5206a42

SHA1
5b0e8ef11e6f4f2a2dfa7bbe294d71a5ebf7c678

SHA256
97f28ea16e8cc01c2bf64d3d40331f84d7a05e092bb6c14c789a9610f191a395

SHA512
51e93f985432580c63df7e540bd2bb7d84a2ee278313d77ee80d3fb02b1987655caaff377b6b35fb228e5fbe1d1685405bef46bfade14608ccfe6399416f20bf

Download Submit
C:\Windows\system\unyBbDh.exe
Filesize
5.2MB

MD5
4774d41a422ae071635353eee2610d8b

SHA1
24a778f661ae2a0b9acf6d895ac0745ae835f265

SHA256
7608ca3eb4c57874a3dbd0b784edb5255c36054a077b963343d65d9f77334abc

SHA512
25cf8088ae505194a70eab8bfcc895c247c7f67a24707759aeb0bc050000f34bbe5a3f2d69189e10b7ae33cea26a5cb30b952b5ad93b17d22ed7945f3f11534f

Download Submit
C:\Windows\system\xksALMM.exe
Filesize
5.2MB

MD5
8ca40862b302150a35c742209bedce9d

SHA1
0f4eee2915e19d59f172406313ad66a43dacc905

SHA256
051fd385b2aa301cf1da4da89c5689a8e1016e7a348f710e9f01f36cb008e35c

SHA512
1fc143f7696200def839d403573de1ef3a65f3ab0fd21aa1c22ee1f64a801041ebec4e5a8cfac0a5211fa7a140212c23eb7f2c4e3e0a6093ed58d5425bf302f0

Download Submit
C:\Windows\system\yOesuKK.exe
Filesize
5.2MB

MD5
537894e22d5944845d0ea231031d307b

SHA1
8c4bf9ca2861b9cb1e21c749fb019dd7d03aa280

SHA256
06424ac5c213f3bb67e2e4268fad5ddd2fedcb534d8193645c55fe5b504d4b9f

SHA512
782926c75dc960be122962f14a72385ecdb7bd6a761834e250f9d308278f094e2bf7dbe0e899e81a1384a90c36d5c6509fecab74595f0f773971baf4a114e8d1

Download Submit
\Windows\system\KYkhBRh.exe
Filesize
5.2MB

MD5
da01901a821cfe0d792e7f392c8696ba

SHA1
c8a3d35f68437da98679b43308f125c5d0366224

SHA256
03085085e43b5660ab3dab00ffb01ce468ee6fa1d0565006faf2b4b4b495b608

SHA512
fbc14f9dcca5336522ebbadae05e588ab5e3dd7b6b668d4fb2960e63f6c20785a1645dfb355f0c3578bde16d735eb73aab0ee5eefbb595935296192388e95fc4

Download Submit
\Windows\system\VKunmyU.exe
Filesize
5.2MB

MD5
ecfeec138418794134840e5ce957389e

SHA1
528394c100f24f38aa405098acc722dd131ef909

SHA256
e7d663aa96ffa15c7c04f623f057ecbfd995b592b5f3d8c04bfa400a7bfb0869

SHA512
a9af804dd02fd7b7ebe1c2ddfe6e2e01e43f9e6e5da56698065130341eabce32fdb4f2bfb77d60c051f7359f193a6368814a627994614324f472a09eccef39d3

Download Submit
\Windows\system\WNRqlPO.exe
Filesize
5.2MB

MD5
016cf232e8afab08d4d5a1f743512193

SHA1
e3eec014eb063e89928041a4bf3d1870c84b2d83

SHA256
9c8d7083354b9f8d9b438ff7bdbd3c304ac449f8bd6c04f8ba4e5a42ef43812b

SHA512
c71068dc9948fde4789964d4c3563927318a797112611a0c938fa1ac95af1534202bd0649cb8d7bfe355d96c71d77e08a60eb2c9160df408156cd6622d822a51

Download Submit
\Windows\system\enaxVtW.exe
Filesize
5.2MB

MD5
0217b245f2558d37f27871510f8fad61

SHA1
21511c0f25c7edc0e851cdde2fdb64b8e1b14a1b

SHA256
2873ae9209561bddec2add57a37becf807c75e423454f82ba27df5479e09f11e

SHA512
1e491d12efb07bb12b054b080e7482a47699dacf928a881329181c89008ecba60e965d9fb04ab7e70deadcf46b0bb7619e798bd5d19670617a5e3211159dffd1

Download Submit
\Windows\system\gXJmmXA.exe
Filesize
5.2MB

MD5
102014c1463586713f930af56d2d2554

SHA1
73ea921bca10786eb2fc90fb9fa3048f0176fc57

SHA256
9e23f71c74656858d53b23d34ce5b2dd9b56cb68b4edc65ee38896e75254ca79

SHA512
2a14686846e4b4c7363245f515cc373db3360163454b758a3a9fef00cea6095d91377fcb89e6d8ce88ac6091ab80c6d641500f5f64a60dbf125d961926269d34

Download Submit
\Windows\system\hDLUbUv.exe
Filesize
5.2MB

MD5
3b6bd14e89668828e23f57c6c7c44ea0

SHA1
43ccc05b5ce6e48688df1b0fa3703b5d78f18260

SHA256
c92c79bd65ece1c7dde3db959c5365ce6d0af0b67d1a17cf37c7f0613071429a

SHA512
a311fe1d87c49064dfd581b2909204a07a467af816d808be5b83d313a5239e5158e5228196b8f89f499e89f0dece232fe34b9d73a705aeef6c309cadc1991808

Download Submit
\Windows\system\szTcBmg.exe
Filesize
5.2MB

MD5
acb70365dad17c1a45cb772513f78bf1

SHA1
24baf7c4cd8c70709a60381ab2b764a1b0d5c7de

SHA256
8dbf13aa79f703eda6b4cfe97f66e97f874bf869322b28f86309e579c8a1d4ef

SHA512
3a5757e3a2e722fac6fbcd6994418d928e4766c58d26a7b2513629995795d6ddda74aa80cee87923d5bf4d19e3c5e37b445af9837aac36322d99da393ac352b1

Download Submit
\Windows\system\wsBThxe.exe
Filesize
5.2MB

MD5
4c131d7249d123d1933b2ad4dba67d89

SHA1
36b65f61186fd251c6f43d8fe5768ed108368c93

SHA256
0a0aa4017d0daa5d0091bccd0bf491022413c3c7f5738587203851a9f7b14ea3

SHA512
d99bef90b373742bc629deb45c71ee44330deccbdce959a439345714a024abd8f598ceefb5e255303b9d3d8620028a006263c5e72515839f5c5b68b03ee38f26

Download Submit
\Windows\system\ysMaEyx.exe
Filesize
5.2MB

MD5
2a8dca248336814ff55baddcfea4692d

SHA1
865c8d5f3d3d3c4983791d76d3f3255ddcec3e67

SHA256
4c6bb87044d4942d949447a7b03d203bfb1b6cd26255e611ffbf80de571d42c8

SHA512
e4c5c8bd09baf1ae65a3e5ae6315323d1bbf449bb2c62d91970117c67948b159d00802c834e8bd22c98f1f1bd20206cd5a2e2a2721f7b9ba414b0aef1c8e0d7c

Download Submit
\Windows\system\zGuOUGp.exe
Filesize
5.2MB

MD5
7c709f3282d8ebcdd0a82d73066dabee

SHA1
27391a2335982c0b4eb6a57b12900a0461347f2e

SHA256
c6009063e81161662bb4967cce1a7fcd1d4f8c279b9f14474c31d9e938a46fce

SHA512
9166691f197036ff3b72bdb3b459748755c2fd6e689ffc982562b22b580bdaeb1d9859aa4d10666c933aa3291cd7f8d8564223c5119126e2362cae2af0a2f59c

Download Submit
memory/304-256-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/304-159-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/304-105-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/1152-61-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-15-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-218-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-189-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1276-63-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-60-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-108-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-111-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1276-72-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1276-56-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-144-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1276-88-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/1276-154-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-47-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1276-41-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1276-0-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1276-96-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1276-78-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-167-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1276-30-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1276-86-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-26-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1276-13-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-103-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1276-104-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1348-163-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/1884-242-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-85-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-162-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2008-161-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2252-220-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2252-24-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-55-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-8-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-216-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-73-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-240-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-164-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-160-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2488-165-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/2548-228-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2548-42-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2568-232-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-57-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-166-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2744-65-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-238-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-136-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-222-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2748-27-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2748-75-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2792-157-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-244-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-89-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-98-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-246-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-226-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2888-37-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2888-81-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2960-230-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-48-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-97-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download