cobaltstrike | 68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

63be4bb8d339b8fa420874457468b200
SHA1

0bd72110c1f0bb300674e510d2b75ef4744370ac
SHA256

68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5
SHA512

4e5e1dfaf4a1dd1898f0b831991d93013e1ccf8d67b129123b8e84894561dfc3b5f874a3b71a4503df6a492ab8f9985e1124d934b2e198e42580f2349e7ecc69
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\vAVFOVy.exe	cobalt_reflective_dll
\Windows\system\fWVRoDY.exe	cobalt_reflective_dll
C:\Windows\system\LibDYLB.exe	cobalt_reflective_dll
C:\Windows\system\bHvpGvN.exe	cobalt_reflective_dll
C:\Windows\system\ZywquQR.exe	cobalt_reflective_dll
C:\Windows\system\CcHLvuV.exe	cobalt_reflective_dll
C:\Windows\system\BFSkzRk.exe	cobalt_reflective_dll
C:\Windows\system\IQadMkD.exe	cobalt_reflective_dll
C:\Windows\system\AoTtiVI.exe	cobalt_reflective_dll
C:\Windows\system\QTqFUnN.exe	cobalt_reflective_dll
C:\Windows\system\UtuEEzt.exe	cobalt_reflective_dll
C:\Windows\system\KpfvtKg.exe	cobalt_reflective_dll
C:\Windows\system\rcKZyhy.exe	cobalt_reflective_dll
C:\Windows\system\UEvMzTp.exe	cobalt_reflective_dll
C:\Windows\system\eElptgb.exe	cobalt_reflective_dll
C:\Windows\system\vxRztkB.exe	cobalt_reflective_dll
C:\Windows\system\pDvZrJt.exe	cobalt_reflective_dll
C:\Windows\system\zVueOMO.exe	cobalt_reflective_dll
C:\Windows\system\txUtUzg.exe	cobalt_reflective_dll
C:\Windows\system\UaPBPgq.exe	cobalt_reflective_dll
C:\Windows\system\ZKKXGOX.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\vAVFOVy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\fWVRoDY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LibDYLB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bHvpGvN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZywquQR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CcHLvuV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BFSkzRk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IQadMkD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AoTtiVI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QTqFUnN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UtuEEzt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KpfvtKg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rcKZyhy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UEvMzTp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eElptgb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vxRztkB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pDvZrJt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zVueOMO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\txUtUzg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UaPBPgq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZKKXGOX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
C:\Windows\system\vAVFOVy.exe	UPX
\Windows\system\fWVRoDY.exe	UPX
C:\Windows\system\LibDYLB.exe	UPX
C:\Windows\system\bHvpGvN.exe	UPX
C:\Windows\system\ZywquQR.exe	UPX
C:\Windows\system\CcHLvuV.exe	UPX
C:\Windows\system\BFSkzRk.exe	UPX
C:\Windows\system\IQadMkD.exe	UPX
C:\Windows\system\AoTtiVI.exe	UPX
C:\Windows\system\QTqFUnN.exe	UPX
C:\Windows\system\UtuEEzt.exe	UPX
behavioral1/memory/1568-106-0x000000013F230000-0x000000013F581000-memory.dmp	UPX
C:\Windows\system\KpfvtKg.exe	UPX
behavioral1/memory/2632-135-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
C:\Windows\system\rcKZyhy.exe	UPX
behavioral1/memory/2560-96-0x000000013FC30000-0x000000013FF81000-memory.dmp	UPX
C:\Windows\system\UEvMzTp.exe	UPX
behavioral1/memory/2008-94-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2524-92-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
C:\Windows\system\eElptgb.exe	UPX
behavioral1/memory/2636-76-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2520-70-0x000000013F470000-0x000000013F7C1000-memory.dmp	UPX
C:\Windows\system\vxRztkB.exe	UPX
behavioral1/memory/2604-63-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	UPX
behavioral1/memory/2244-62-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
behavioral1/memory/2984-59-0x000000013F680000-0x000000013F9D1000-memory.dmp	UPX
C:\Windows\system\pDvZrJt.exe	UPX
behavioral1/memory/2632-48-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
C:\Windows\system\zVueOMO.exe	UPX
behavioral1/memory/2524-44-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
C:\Windows\system\txUtUzg.exe	UPX
behavioral1/memory/2644-36-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/2856-35-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	UPX
behavioral1/memory/3048-31-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
C:\Windows\system\UaPBPgq.exe	UPX
behavioral1/memory/2080-28-0x000000013F8F0000-0x000000013FC41000-memory.dmp	UPX
behavioral1/memory/1708-27-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
C:\Windows\system\ZKKXGOX.exe	UPX
behavioral1/memory/2244-136-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
behavioral1/memory/2636-148-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2984-147-0x000000013F680000-0x000000013F9D1000-memory.dmp	UPX
behavioral1/memory/1600-153-0x000000013F660000-0x000000013F9B1000-memory.dmp	UPX
behavioral1/memory/1852-157-0x000000013FC80000-0x000000013FFD1000-memory.dmp	UPX
behavioral1/memory/1876-156-0x000000013F240000-0x000000013F591000-memory.dmp	UPX
behavioral1/memory/352-155-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
behavioral1/memory/1964-154-0x000000013F080000-0x000000013F3D1000-memory.dmp	UPX
behavioral1/memory/1960-151-0x000000013F3F0000-0x000000013F741000-memory.dmp	UPX
behavioral1/memory/2432-158-0x000000013F930000-0x000000013FC81000-memory.dmp	UPX
behavioral1/memory/2244-160-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
behavioral1/memory/1708-206-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
behavioral1/memory/2080-208-0x000000013F8F0000-0x000000013FC41000-memory.dmp	UPX
behavioral1/memory/2856-211-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	UPX
behavioral1/memory/3048-212-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
behavioral1/memory/2644-214-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/2632-216-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
behavioral1/memory/2524-218-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
behavioral1/memory/2604-220-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	UPX
behavioral1/memory/2520-222-0x000000013F470000-0x000000013F7C1000-memory.dmp	UPX
behavioral1/memory/2984-224-0x000000013F680000-0x000000013F9D1000-memory.dmp	UPX
behavioral1/memory/2636-238-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2008-240-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2560-242-0x000000013FC30000-0x000000013FF81000-memory.dmp	UPX
behavioral1/memory/1568-244-0x000000013F230000-0x000000013F581000-memory.dmp	UPX

XMRig Miner payload 40 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1568-106-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/2632-135-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2244-97-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/2560-96-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2244-95-0x0000000002400000-0x0000000002751000-memory.dmp	xmrig
behavioral1/memory/2008-94-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2524-92-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2520-70-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2604-63-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/2244-62-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2644-36-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2856-35-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/3048-31-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2080-28-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/1708-27-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2244-136-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2636-148-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2984-147-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/1600-153-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/1852-157-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/1876-156-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/352-155-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/1964-154-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/1960-151-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/2432-158-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2244-160-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/1708-206-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2080-208-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/2856-211-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/3048-212-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2644-214-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2632-216-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2524-218-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2604-220-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/2520-222-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2984-224-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2636-238-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2008-240-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2560-242-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/1568-244-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

vAVFOVy.exeZKKXGOX.exefWVRoDY.exetxUtUzg.exeUaPBPgq.exeLibDYLB.exezVueOMO.exepDvZrJt.exebHvpGvN.exevxRztkB.exeZywquQR.exeUEvMzTp.exeeElptgb.exercKZyhy.exeCcHLvuV.exeKpfvtKg.exeBFSkzRk.exeUtuEEzt.exeQTqFUnN.exeIQadMkD.exeAoTtiVI.exe

pid	process
1708	vAVFOVy.exe
2080	ZKKXGOX.exe
3048	fWVRoDY.exe
2856	txUtUzg.exe
2644	UaPBPgq.exe
2524	LibDYLB.exe
2632	zVueOMO.exe
2984	pDvZrJt.exe
2604	bHvpGvN.exe
2520	vxRztkB.exe
2636	ZywquQR.exe
2008	UEvMzTp.exe
2560	eElptgb.exe
1568	rcKZyhy.exe
1960	CcHLvuV.exe
1964	KpfvtKg.exe
1600	BFSkzRk.exe
352	UtuEEzt.exe
1876	QTqFUnN.exe
1852	IQadMkD.exe
2432	AoTtiVI.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

pid	process
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
C:\Windows\system\vAVFOVy.exe	upx
\Windows\system\fWVRoDY.exe	upx
C:\Windows\system\LibDYLB.exe	upx
C:\Windows\system\bHvpGvN.exe	upx
C:\Windows\system\ZywquQR.exe	upx
C:\Windows\system\CcHLvuV.exe	upx
C:\Windows\system\BFSkzRk.exe	upx
C:\Windows\system\IQadMkD.exe	upx
C:\Windows\system\AoTtiVI.exe	upx
C:\Windows\system\QTqFUnN.exe	upx
C:\Windows\system\UtuEEzt.exe	upx
behavioral1/memory/1568-106-0x000000013F230000-0x000000013F581000-memory.dmp	upx
C:\Windows\system\KpfvtKg.exe	upx
behavioral1/memory/2632-135-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
C:\Windows\system\rcKZyhy.exe	upx
behavioral1/memory/2560-96-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
C:\Windows\system\UEvMzTp.exe	upx
behavioral1/memory/2008-94-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2524-92-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
C:\Windows\system\eElptgb.exe	upx
behavioral1/memory/2636-76-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2520-70-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
C:\Windows\system\vxRztkB.exe	upx
behavioral1/memory/2604-63-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/2244-62-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2984-59-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
C:\Windows\system\pDvZrJt.exe	upx
behavioral1/memory/2632-48-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
C:\Windows\system\zVueOMO.exe	upx
behavioral1/memory/2524-44-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
C:\Windows\system\txUtUzg.exe	upx
behavioral1/memory/2644-36-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2856-35-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/3048-31-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
C:\Windows\system\UaPBPgq.exe	upx
behavioral1/memory/2080-28-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/1708-27-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
C:\Windows\system\ZKKXGOX.exe	upx
behavioral1/memory/2244-136-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2636-148-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2984-147-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/1600-153-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/1852-157-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/1876-156-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/352-155-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/1964-154-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/memory/1960-151-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/2432-158-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2244-160-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/1708-206-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2080-208-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/2856-211-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/3048-212-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2644-214-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2632-216-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2524-218-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/2604-220-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/2520-222-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2984-224-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2636-238-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2008-240-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2560-242-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/1568-244-0x000000013F230000-0x000000013F581000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\vxRztkB.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BFSkzRk.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KpfvtKg.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AoTtiVI.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vAVFOVy.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fWVRoDY.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UaPBPgq.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pDvZrJt.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UEvMzTp.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QTqFUnN.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZKKXGOX.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\txUtUzg.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LibDYLB.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rcKZyhy.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IQadMkD.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zVueOMO.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bHvpGvN.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZywquQR.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eElptgb.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CcHLvuV.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UtuEEzt.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2244 wrote to memory of 1708	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	vAVFOVy.exe
PID 2244 wrote to memory of 1708	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	vAVFOVy.exe
PID 2244 wrote to memory of 1708	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	vAVFOVy.exe
PID 2244 wrote to memory of 2080	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ZKKXGOX.exe
PID 2244 wrote to memory of 2080	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ZKKXGOX.exe
PID 2244 wrote to memory of 2080	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ZKKXGOX.exe
PID 2244 wrote to memory of 2856	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	txUtUzg.exe
PID 2244 wrote to memory of 2856	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	txUtUzg.exe
PID 2244 wrote to memory of 2856	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	txUtUzg.exe
PID 2244 wrote to memory of 3048	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	fWVRoDY.exe
PID 2244 wrote to memory of 3048	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	fWVRoDY.exe
PID 2244 wrote to memory of 3048	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	fWVRoDY.exe
PID 2244 wrote to memory of 2644	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UaPBPgq.exe
PID 2244 wrote to memory of 2644	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UaPBPgq.exe
PID 2244 wrote to memory of 2644	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UaPBPgq.exe
PID 2244 wrote to memory of 2524	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	LibDYLB.exe
PID 2244 wrote to memory of 2524	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	LibDYLB.exe
PID 2244 wrote to memory of 2524	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	LibDYLB.exe
PID 2244 wrote to memory of 2632	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	zVueOMO.exe
PID 2244 wrote to memory of 2632	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	zVueOMO.exe
PID 2244 wrote to memory of 2632	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	zVueOMO.exe
PID 2244 wrote to memory of 2604	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	bHvpGvN.exe
PID 2244 wrote to memory of 2604	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	bHvpGvN.exe
PID 2244 wrote to memory of 2604	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	bHvpGvN.exe
PID 2244 wrote to memory of 2984	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	pDvZrJt.exe
PID 2244 wrote to memory of 2984	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	pDvZrJt.exe
PID 2244 wrote to memory of 2984	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	pDvZrJt.exe
PID 2244 wrote to memory of 2520	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	vxRztkB.exe
PID 2244 wrote to memory of 2520	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	vxRztkB.exe
PID 2244 wrote to memory of 2520	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	vxRztkB.exe
PID 2244 wrote to memory of 2636	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ZywquQR.exe
PID 2244 wrote to memory of 2636	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ZywquQR.exe
PID 2244 wrote to memory of 2636	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ZywquQR.exe
PID 2244 wrote to memory of 2008	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UEvMzTp.exe
PID 2244 wrote to memory of 2008	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UEvMzTp.exe
PID 2244 wrote to memory of 2008	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UEvMzTp.exe
PID 2244 wrote to memory of 2560	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	eElptgb.exe
PID 2244 wrote to memory of 2560	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	eElptgb.exe
PID 2244 wrote to memory of 2560	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	eElptgb.exe
PID 2244 wrote to memory of 1960	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	CcHLvuV.exe
PID 2244 wrote to memory of 1960	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	CcHLvuV.exe
PID 2244 wrote to memory of 1960	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	CcHLvuV.exe
PID 2244 wrote to memory of 1568	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	rcKZyhy.exe
PID 2244 wrote to memory of 1568	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	rcKZyhy.exe
PID 2244 wrote to memory of 1568	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	rcKZyhy.exe
PID 2244 wrote to memory of 1600	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	BFSkzRk.exe
PID 2244 wrote to memory of 1600	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	BFSkzRk.exe
PID 2244 wrote to memory of 1600	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	BFSkzRk.exe
PID 2244 wrote to memory of 1964	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	KpfvtKg.exe
PID 2244 wrote to memory of 1964	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	KpfvtKg.exe
PID 2244 wrote to memory of 1964	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	KpfvtKg.exe
PID 2244 wrote to memory of 352	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UtuEEzt.exe
PID 2244 wrote to memory of 352	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UtuEEzt.exe
PID 2244 wrote to memory of 352	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	UtuEEzt.exe
PID 2244 wrote to memory of 1876	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	QTqFUnN.exe
PID 2244 wrote to memory of 1876	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	QTqFUnN.exe
PID 2244 wrote to memory of 1876	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	QTqFUnN.exe
PID 2244 wrote to memory of 1852	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	IQadMkD.exe
PID 2244 wrote to memory of 1852	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	IQadMkD.exe
PID 2244 wrote to memory of 1852	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	IQadMkD.exe
PID 2244 wrote to memory of 2432	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	AoTtiVI.exe
PID 2244 wrote to memory of 2432	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	AoTtiVI.exe
PID 2244 wrote to memory of 2432	2244	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	AoTtiVI.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\System\vAVFOVy.exe
C:\Windows\System\vAVFOVy.exe
2⤵
- Executes dropped EXE
PID:1708

C:\Windows\System\ZKKXGOX.exe
C:\Windows\System\ZKKXGOX.exe
2⤵
- Executes dropped EXE
PID:2080

C:\Windows\System\txUtUzg.exe
C:\Windows\System\txUtUzg.exe
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\System\fWVRoDY.exe
C:\Windows\System\fWVRoDY.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\System\UaPBPgq.exe
C:\Windows\System\UaPBPgq.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\LibDYLB.exe
C:\Windows\System\LibDYLB.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\zVueOMO.exe
C:\Windows\System\zVueOMO.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\bHvpGvN.exe
C:\Windows\System\bHvpGvN.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\pDvZrJt.exe
C:\Windows\System\pDvZrJt.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\vxRztkB.exe
C:\Windows\System\vxRztkB.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\ZywquQR.exe
C:\Windows\System\ZywquQR.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\UEvMzTp.exe
C:\Windows\System\UEvMzTp.exe
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\System\eElptgb.exe
C:\Windows\System\eElptgb.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\System\CcHLvuV.exe
C:\Windows\System\CcHLvuV.exe
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\System\rcKZyhy.exe
C:\Windows\System\rcKZyhy.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\System\BFSkzRk.exe
C:\Windows\System\BFSkzRk.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\System\KpfvtKg.exe
C:\Windows\System\KpfvtKg.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\UtuEEzt.exe
C:\Windows\System\UtuEEzt.exe
2⤵
- Executes dropped EXE
PID:352

C:\Windows\System\QTqFUnN.exe
C:\Windows\System\QTqFUnN.exe
2⤵
- Executes dropped EXE
PID:1876

C:\Windows\System\IQadMkD.exe
C:\Windows\System\IQadMkD.exe
2⤵
- Executes dropped EXE
PID:1852

C:\Windows\System\AoTtiVI.exe
C:\Windows\System\AoTtiVI.exe
2⤵
- Executes dropped EXE
PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AoTtiVI.exe
Filesize
5.2MB

MD5
e483460e4e0d1d7db33e804414a13e3a

SHA1
90be7e12de7f27d4d525e88b8cb531abd7babd5c

SHA256
de772c29e1d90308a5ae737066d074ce2fbabad22f6e587425a6e0a2f862f89a

SHA512
6869431df5bf3d78ee72911c7c991956bd51fc7730277cd0b68e4708f4c3d054f19415f597cf0234bd27335aa653f8c0dca9ca02e730b0d7f88754d2d016e807

Download Submit
C:\Windows\system\BFSkzRk.exe
Filesize
5.2MB

MD5
719c3e2a395cd81ffbc0af0a9753009c

SHA1
fce49033a1177e445977f811aa5f2af3dd726ab5

SHA256
b9915f857c7623c67f6dcb17fc7c6de49425c2f878bb48f3884eee1d2f20654d

SHA512
476cc6b8c9f1d5ede3009c0b6d7e6217ddde9a1127f00b8d1b17226ab50ef5e416c9777b7a7af5c3f5fae53d1bcf7992e1e80ae8fa8882860014d6cd3d557dfa

Download Submit
C:\Windows\system\CcHLvuV.exe
Filesize
5.2MB

MD5
52dc24916741349b29eef1c82212b41c

SHA1
f2f1ddfb89df2e3b1523e56ef14678ca2f64dabb

SHA256
16481e0b5450123604e3768d8bd97ca9f5f9da09255277ba014dac663c356b78

SHA512
18a4fd5559c5dbd74a2b4e6c07f6d8d58b94e57706bb276448230076998932ead4c88bfa60946073957d8d9b483ff49baceb50753ff082e5e2af07818f052f3e

Download Submit
C:\Windows\system\IQadMkD.exe
Filesize
5.2MB

MD5
210c384e893b7d5e9782fb952d25cabc

SHA1
70c78345418bf5543d6a38f8d9fd7919451eb1ea

SHA256
08e970e54dfb48687103f830bee4266e9487ffb8315cefaa8656cccbdfb67d60

SHA512
89a7bbad0a9c1b0c9e9d4a8efe9e8a5748d1fee0d2c2cb3d84cd25845f15970614c517a1820886db7ec51929031ec0877e7e2545b65d17e2d72e26b20867e937

Download Submit
C:\Windows\system\KpfvtKg.exe
Filesize
5.2MB

MD5
de6ca0aa058899876303b311e3443d1b

SHA1
4c86c37bd2e920b2b1603ca960d116f3f7ce39dd

SHA256
a4f04e66ea8fc7f5a3dfe4d70b9b4204d563d0efd8d7be5edf1987386d8d73fd

SHA512
a69f933aadc529bd354499946b2261398ee9085019d7abc625783ec4150f6a4b565844139320a427024a1595d72f7106bf4ff95c437d022e2e394c09d386c75e

Download Submit
C:\Windows\system\LibDYLB.exe
Filesize
5.2MB

MD5
4815fae977ce6403b380567fe8145c3c

SHA1
6f44b0fc9765aa520e911ad702fc6ada312b69d7

SHA256
a7fc726521a4c167cc03d85c4efc8a5452a7d59fbf8e504c89a909552f8b505e

SHA512
a49d9ab91474ec1479b7110fdf95d16c44d5b50466828ff5ac2fb547a8857197ced7da19dd26d295613e5518587097e9faa8dcabf20c069a00f488cbdaf1e381

Download Submit
C:\Windows\system\QTqFUnN.exe
Filesize
5.2MB

MD5
91661b64a21202af9a9ec99ade052942

SHA1
5504283da4762009039970d3192da18528194a11

SHA256
2808bf3b92d0d4d5d10dc4ae99f4a0c5a7ac4c3876f93e130ddd3a875acbc4ba

SHA512
b82e6201e230533dd6a238bf202556a601d1170d1380e670bca4dcc89f25b332976651c4160b9467220b38e4dc11100bdb17bc247771176f5ff4e463a79637bb

Download Submit
C:\Windows\system\UEvMzTp.exe
Filesize
5.2MB

MD5
963fb79bc378d6516c8d51278e6fdba4

SHA1
f79a7265946892e9d81b700537bc80577e7dc075

SHA256
5a13f704962f2c02c6f3caff9a18ed513817bc730ff9f8c7d72ff5a45d47eed9

SHA512
d1cfa958135f7baa81ed3f6507d3d6ef87aa4e96cbb383585f885ff5b5f8e79d07d71bd8530c7fedf4f6c917732b0b090ae55b638945b9703ddfb495278c5aa4

Download Submit
C:\Windows\system\UaPBPgq.exe
Filesize
5.2MB

MD5
e580da6fe4f4cf719ec634495897ab33

SHA1
d4e3a7e9a411a1fc09588d1cb9c6e0f6d6f16339

SHA256
9a3e7b0ff2f2f7fa5df40e4cd8dcea58371868c2ce8473ce4779ddd37957b17e

SHA512
9d51c390b494066a9002371036c0897d8429c70b0894edc87a2a57885e7b130400101d961aec4bd9e139f57cc57c98e0dc23dc917923d1fef1b72907007a53eb

Download Submit
C:\Windows\system\UtuEEzt.exe
Filesize
5.2MB

MD5
ec845647239ad570628ac1c90dd13529

SHA1
6a8fa6cdc0dc36688d86351ba4442ef93b1f20e2

SHA256
8d26130f9e397119e42766036bc7d14278368e18b2bcb0216fa31c7854c4c6fc

SHA512
a28e81257f2237b1d90e4f69356281a044bbe96508f5c6a2525e6e6919362ccb3d458c8f66aa868aa0ff30081852d747bdf4a4bb78fad0028b234ae69c16621a

Download Submit
C:\Windows\system\ZKKXGOX.exe
Filesize
5.2MB

MD5
75e62b14b1a45998cc11643e3698b67c

SHA1
945e18af6275885c2c5f71ec05be5ba3b0dba93d

SHA256
070ca7372d261e3110e1cea3f1ea5a5b3b218b488b69c83672aec504ff6d3235

SHA512
a8e5bda49532128c1f810f5e6a0b586dd18dd9d1ec31954f0d86203b8c33af87aad1238617b11e254c6bd7b524aa95c037579ef9e343a6274702e56ac6a4b996

Download Submit
C:\Windows\system\ZywquQR.exe
Filesize
5.2MB

MD5
a83e057314e8a21bfb8c11e100d38c58

SHA1
dc673a625a9637eb5c026bb8df5431a30072a0ce

SHA256
32b4405b619cfb1c34552012847eb6cd9cb0d38002033dabd0326fd803356c2f

SHA512
f0b88f8263a8880eadcd9cc0ca594a0ee5154c360373b90dc78aa78e8cab31ac4ea58772b6575db2d0c63c46be53b5ba4f7e962d4f782247777379af4eba07ae

Download Submit
C:\Windows\system\bHvpGvN.exe
Filesize
5.2MB

MD5
3d0d8a4dfa96625d6a21816a988b7aa6

SHA1
b87054f692931e3b3f011f9c49cde68fe78d5b13

SHA256
c94e95299bae9a06d5deebff1bbee58ec35e79e870adabd835d74a09713f51b1

SHA512
64d0fb93a009551fa9380ce2401c0b44b8760ec3dde3e924e70d554337d0cc2c8109437a5fc3087bb586da0aa702043b1b0555d5fddfb39cc4036c62f9b13e45

Download Submit
C:\Windows\system\eElptgb.exe
Filesize
5.2MB

MD5
ecde68ac6be420283a10783f1c8451fb

SHA1
ee3f87af5d11f1dcd2eea56be6e0f98887f7399d

SHA256
092503664e7183eaafe66df0d0a2ac15401a2cb976778907dab1f2f166fdde20

SHA512
46cb0aaf9bf3d3eb6e310688366b00a082bc0d577cb947bd4966f1361740114d61f29b36d05de741488b18f53aff5e4c3fd8430a955bc04c8a4b58c47b9942b8

Download Submit
C:\Windows\system\pDvZrJt.exe
Filesize
5.2MB

MD5
1a1506df46929653d4b08b2afc1dc6e9

SHA1
94c0b0e9c0bc1d5f46fa49e4c29b052055390c52

SHA256
d6637d63e619fc291d6913ea89a568acda0884aaf1ff06e7a6c4c02966b16f36

SHA512
6a2860e7eb4b46477473e370f22ce36fa941dd319d2ab9361b5bb41b27a99f5fdd030095281a027ed0b090b7bff61be62455885917e555d615ddcd80608f4a3c

Download Submit
C:\Windows\system\rcKZyhy.exe
Filesize
5.2MB

MD5
785e9bca35b4bde4781c035d7783e7ca

SHA1
723cf66ec985fb7485f183832fc1f3c37fe14d79

SHA256
bd7e53ab8d6ae6e189d144e3b6b8108a5392cb1795f747c9b54fe1b7526c890e

SHA512
f5b41c941c82bf726f0b935bb670cdfb51d29bd1acdc3b75d8a308514b9825bf0468f1ae948a83b5be04b24956f84500611bda64b65fab1fea5c98c6c565aad8

Download Submit
C:\Windows\system\txUtUzg.exe
Filesize
5.2MB

MD5
f3605b577b4401f20090719b8dfeb59e

SHA1
2633726493d453957c8dc96cec69b14ec9e66bee

SHA256
9423a7485cfd57fca784e5b6bcc57a8288549c94b9862c99fb66d4640472ae0e

SHA512
7d9b42ad6e245f1ba7e761631e210f46370b10f64fce1dca133e2a0fa363fd25a2292ff1b155936ff1e396b16f5f787086524c8c3660be4b299cff6985d97edf

Download Submit
C:\Windows\system\vAVFOVy.exe
Filesize
5.2MB

MD5
e318623d2b41f7e9e7d6b68f1235e52e

SHA1
ec82d46ce12d5a1fec7c0a68ed067861d37a1ff8

SHA256
78a0e52f459ac9d23928ebf29ad3f87c8856c7588b6f5e0c624ae4fafd26fafa

SHA512
5487a5df77260a948806017acc247c4ecb3438912642798f7d107104d4def47e22942a358d39fb5cfd0f80256deff4474c4cf0fafa25e15d17227f264631cc8f

Download Submit
C:\Windows\system\vxRztkB.exe
Filesize
5.2MB

MD5
025b0a5d77f536a1a71729a4cfb3b0a4

SHA1
87fd0e92e4979c43609a43626c65c22a8ca30a93

SHA256
aacfe05b7bb62e8a072907c887202d75e1bb9f9572d8a07dfdfb89e1fc749140

SHA512
2a9f8b24de4925bbd123cad90cd64e71158561632fbe11a7659018ac7137681934eef9e935b4ddf9353d97d87aedb7842d5175184ee48c6934445a2de80550f7

Download Submit
C:\Windows\system\zVueOMO.exe
Filesize
5.2MB

MD5
0190a987faff24582c2173213742157f

SHA1
8c8b556fe9971812052f21eccf870bb54dfc0735

SHA256
8f9bff18795b139047cf1d8c5ff67f78b8c78956a22168f830d4b100b67af169

SHA512
b046bfe8d99effda37f04f89791fd5d478f2e593543d0dee09b15c3766dc36eee433f5e9f12f06d5686a03868a30197ef56c09cf1251e6b7ddcf5963d74b1f20

Download Submit
\Windows\system\fWVRoDY.exe
Filesize
5.2MB

MD5
9aab14f607d6fba2f54ec39110e9217b

SHA1
4f6289c45d4bb6b1964f70fe0cb2d7911000471e

SHA256
41c7e2907701ebf96be0b1c27b4f3212e6bf9fa8b0fd05ed169d404bf3b66e97

SHA512
8dba2ea296bca1d72896e578f15f347e7a80587416ae35f7afadce350ec20e2c18a69da8cc109e829b8a238a9b8c45be8a87a4642c76a3925ac1c288b6471a06

Download Submit
memory/352-155-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1568-106-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/1568-244-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/1600-153-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-206-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-27-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1852-157-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-156-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1960-151-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/1964-154-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-94-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2008-240-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2080-28-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2080-208-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2244-97-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2244-18-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-46-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2244-55-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2244-98-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2244-57-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2244-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2244-167-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2244-34-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2244-33-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-93-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2244-160-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-29-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-62-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-159-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2244-0-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-95-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2244-136-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-75-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2432-158-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2520-70-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-222-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-92-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2524-218-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2524-44-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2560-96-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2560-242-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2604-63-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-220-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-216-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2632-48-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2632-135-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2636-76-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2636-148-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2636-238-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2644-214-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-36-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-211-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-35-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-147-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-59-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-224-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-212-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-31-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download