cobaltstrike | 9d68e22de91f42af030db75e111ad608a7afe88107431cd6c1158382e975473a

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

c783f8da2c0185459f11317a4ef1848c
SHA1

55820b053aa2af38399700042b6460b11acd979e
SHA256

9d68e22de91f42af030db75e111ad608a7afe88107431cd6c1158382e975473a
SHA512

766d537e649897db4a4203bfa3b165c2683d1fbf82213feb12c6e6b3e069a7e9020972eaf33393f986d9d1e51c396a8a7c036ea388c5f4dec75d87193dd5be46
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUs

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\fTylfxk.exe	cobalt_reflective_dll
\Windows\system\pYLDGGS.exe	cobalt_reflective_dll
C:\Windows\system\VJbjlGu.exe	cobalt_reflective_dll
C:\Windows\system\IcvOsLL.exe	cobalt_reflective_dll
C:\Windows\system\NkdGRIU.exe	cobalt_reflective_dll
C:\Windows\system\xBoxoYD.exe	cobalt_reflective_dll
C:\Windows\system\goNrisV.exe	cobalt_reflective_dll
C:\Windows\system\kRAlTkh.exe	cobalt_reflective_dll
C:\Windows\system\UdwMaqs.exe	cobalt_reflective_dll
C:\Windows\system\ZSHuVmd.exe	cobalt_reflective_dll
\Windows\system\TWjVPSD.exe	cobalt_reflective_dll
C:\Windows\system\BksRsts.exe	cobalt_reflective_dll
C:\Windows\system\jXVkUnR.exe	cobalt_reflective_dll
C:\Windows\system\csupAYW.exe	cobalt_reflective_dll
C:\Windows\system\YdkfoDX.exe	cobalt_reflective_dll
C:\Windows\system\JFtdwWw.exe	cobalt_reflective_dll
C:\Windows\system\hCqykSY.exe	cobalt_reflective_dll
C:\Windows\system\GXkxAtq.exe	cobalt_reflective_dll
C:\Windows\system\ofpBoYG.exe	cobalt_reflective_dll
C:\Windows\system\zEdOJfl.exe	cobalt_reflective_dll
C:\Windows\system\hwHUPYG.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\fTylfxk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\pYLDGGS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VJbjlGu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IcvOsLL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NkdGRIU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xBoxoYD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\goNrisV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kRAlTkh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UdwMaqs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZSHuVmd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\TWjVPSD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BksRsts.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jXVkUnR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\csupAYW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YdkfoDX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JFtdwWw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hCqykSY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GXkxAtq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ofpBoYG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zEdOJfl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hwHUPYG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1736-0-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
\Windows\system\fTylfxk.exe	UPX
behavioral1/memory/1736-6-0x00000000022A0000-0x00000000025F1000-memory.dmp	UPX
\Windows\system\pYLDGGS.exe	UPX
behavioral1/memory/2112-15-0x000000013F5B0000-0x000000013F901000-memory.dmp	UPX
behavioral1/memory/2340-12-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
C:\Windows\system\VJbjlGu.exe	UPX
behavioral1/memory/1600-22-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
behavioral1/memory/2992-29-0x000000013F910000-0x000000013FC61000-memory.dmp	UPX
C:\Windows\system\IcvOsLL.exe	UPX
behavioral1/memory/1636-40-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
C:\Windows\system\NkdGRIU.exe	UPX
C:\Windows\system\xBoxoYD.exe	UPX
behavioral1/memory/2676-54-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
C:\Windows\system\goNrisV.exe	UPX
behavioral1/memory/2648-56-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
C:\Windows\system\kRAlTkh.exe	UPX
behavioral1/memory/2236-68-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/2528-76-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/memory/2684-85-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
C:\Windows\system\UdwMaqs.exe	UPX
C:\Windows\system\ZSHuVmd.exe	UPX
\Windows\system\TWjVPSD.exe	UPX
C:\Windows\system\BksRsts.exe	UPX
C:\Windows\system\jXVkUnR.exe	UPX
C:\Windows\system\csupAYW.exe	UPX
C:\Windows\system\YdkfoDX.exe	UPX
C:\Windows\system\JFtdwWw.exe	UPX
behavioral1/memory/2792-105-0x000000013F500000-0x000000013F851000-memory.dmp	UPX
behavioral1/memory/1636-104-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
behavioral1/memory/2984-93-0x000000013FF20000-0x0000000140271000-memory.dmp	UPX
behavioral1/memory/2992-91-0x000000013F910000-0x000000013FC61000-memory.dmp	UPX
behavioral1/memory/1292-100-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
C:\Windows\system\hCqykSY.exe	UPX
behavioral1/memory/1600-83-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
behavioral1/memory/2112-75-0x000000013F5B0000-0x000000013F901000-memory.dmp	UPX
behavioral1/memory/2340-74-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
C:\Windows\system\GXkxAtq.exe	UPX
C:\Windows\system\ofpBoYG.exe	UPX
behavioral1/memory/2544-63-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/1736-62-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
C:\Windows\system\zEdOJfl.exe	UPX
behavioral1/memory/2792-42-0x000000013F500000-0x000000013F851000-memory.dmp	UPX
behavioral1/memory/2648-139-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
C:\Windows\system\hwHUPYG.exe	UPX
behavioral1/memory/2236-150-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/2528-151-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/memory/1736-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/2184-159-0x000000013F500000-0x000000013F851000-memory.dmp	UPX
behavioral1/memory/1876-158-0x000000013F110000-0x000000013F461000-memory.dmp	UPX
behavioral1/memory/1972-161-0x000000013F6B0000-0x000000013FA01000-memory.dmp	UPX
behavioral1/memory/1340-160-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/1008-157-0x000000013FDA0000-0x00000001400F1000-memory.dmp	UPX
behavioral1/memory/1952-156-0x000000013FD90000-0x00000001400E1000-memory.dmp	UPX
behavioral1/memory/856-155-0x000000013F440000-0x000000013F791000-memory.dmp	UPX
behavioral1/memory/1292-154-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
behavioral1/memory/2984-153-0x000000013FF20000-0x0000000140271000-memory.dmp	UPX
behavioral1/memory/2684-152-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
behavioral1/memory/1736-163-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/2340-215-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
behavioral1/memory/2112-217-0x000000013F5B0000-0x000000013F901000-memory.dmp	UPX
behavioral1/memory/1600-219-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
behavioral1/memory/2992-221-0x000000013F910000-0x000000013FC61000-memory.dmp	UPX
behavioral1/memory/2792-223-0x000000013F500000-0x000000013F851000-memory.dmp	UPX

XMRig Miner payload 40 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2676-54-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2792-105-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/1636-104-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2992-91-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/1600-83-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2112-75-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2340-74-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2544-63-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/1736-62-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2648-139-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2236-150-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2528-151-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/1736-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2184-159-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/1876-158-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/1972-161-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/1340-160-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/1008-157-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/1952-156-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/856-155-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/1292-154-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2984-153-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/2684-152-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/1736-163-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/1736-172-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/1736-187-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2340-215-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2112-217-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/1600-219-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2992-221-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2792-223-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2676-227-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1636-226-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2544-229-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2648-231-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2236-233-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2528-246-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2684-248-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2984-250-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/1292-252-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

fTylfxk.exepYLDGGS.exeVJbjlGu.exehwHUPYG.exexBoxoYD.exeIcvOsLL.exeNkdGRIU.exegoNrisV.exezEdOJfl.exekRAlTkh.exeofpBoYG.exeGXkxAtq.exeUdwMaqs.exehCqykSY.exeJFtdwWw.exeYdkfoDX.exejXVkUnR.execsupAYW.exeBksRsts.exeZSHuVmd.exeTWjVPSD.exe

pid	process
2340	fTylfxk.exe
2112	pYLDGGS.exe
1600	VJbjlGu.exe
2992	hwHUPYG.exe
1636	xBoxoYD.exe
2792	IcvOsLL.exe
2676	NkdGRIU.exe
2648	goNrisV.exe
2544	zEdOJfl.exe
2236	kRAlTkh.exe
2528	ofpBoYG.exe
2684	GXkxAtq.exe
2984	UdwMaqs.exe
1292	hCqykSY.exe
856	JFtdwWw.exe
1952	YdkfoDX.exe
1008	jXVkUnR.exe
1876	csupAYW.exe
2184	BksRsts.exe
1340	ZSHuVmd.exe
1972	TWjVPSD.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

pid	process
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1736-0-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
\Windows\system\fTylfxk.exe	upx
behavioral1/memory/1736-6-0x00000000022A0000-0x00000000025F1000-memory.dmp	upx
\Windows\system\pYLDGGS.exe	upx
behavioral1/memory/2112-15-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2340-12-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
C:\Windows\system\VJbjlGu.exe	upx
behavioral1/memory/1600-22-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/2992-29-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
C:\Windows\system\IcvOsLL.exe	upx
behavioral1/memory/1636-40-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
C:\Windows\system\NkdGRIU.exe	upx
C:\Windows\system\xBoxoYD.exe	upx
behavioral1/memory/2676-54-0x000000013F620000-0x000000013F971000-memory.dmp	upx
C:\Windows\system\goNrisV.exe	upx
behavioral1/memory/2648-56-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
C:\Windows\system\kRAlTkh.exe	upx
behavioral1/memory/2236-68-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2528-76-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/2684-85-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
C:\Windows\system\UdwMaqs.exe	upx
C:\Windows\system\ZSHuVmd.exe	upx
\Windows\system\TWjVPSD.exe	upx
C:\Windows\system\BksRsts.exe	upx
C:\Windows\system\jXVkUnR.exe	upx
C:\Windows\system\csupAYW.exe	upx
C:\Windows\system\YdkfoDX.exe	upx
C:\Windows\system\JFtdwWw.exe	upx
behavioral1/memory/2792-105-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/1636-104-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2984-93-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/2992-91-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/1292-100-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
C:\Windows\system\hCqykSY.exe	upx
behavioral1/memory/1600-83-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/2112-75-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2340-74-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
C:\Windows\system\GXkxAtq.exe	upx
C:\Windows\system\ofpBoYG.exe	upx
behavioral1/memory/2544-63-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/1736-62-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
C:\Windows\system\zEdOJfl.exe	upx
behavioral1/memory/2792-42-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2648-139-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
C:\Windows\system\hwHUPYG.exe	upx
behavioral1/memory/2236-150-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2528-151-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/1736-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2184-159-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/1876-158-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/1972-161-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/1340-160-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/1008-157-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/1952-156-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/856-155-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/1292-154-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2984-153-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/2684-152-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/1736-163-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2340-215-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2112-217-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/1600-219-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/2992-221-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2792-223-0x000000013F500000-0x000000013F851000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\UdwMaqs.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hCqykSY.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JFtdwWw.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pYLDGGS.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VJbjlGu.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hwHUPYG.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NkdGRIU.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GXkxAtq.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YdkfoDX.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jXVkUnR.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BksRsts.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TWjVPSD.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fTylfxk.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kRAlTkh.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xBoxoYD.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IcvOsLL.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ofpBoYG.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\csupAYW.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZSHuVmd.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\goNrisV.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zEdOJfl.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1736 wrote to memory of 2340	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	fTylfxk.exe
PID 1736 wrote to memory of 2340	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	fTylfxk.exe
PID 1736 wrote to memory of 2340	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	fTylfxk.exe
PID 1736 wrote to memory of 2112	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	pYLDGGS.exe
PID 1736 wrote to memory of 2112	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	pYLDGGS.exe
PID 1736 wrote to memory of 2112	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	pYLDGGS.exe
PID 1736 wrote to memory of 1600	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	VJbjlGu.exe
PID 1736 wrote to memory of 1600	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	VJbjlGu.exe
PID 1736 wrote to memory of 1600	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	VJbjlGu.exe
PID 1736 wrote to memory of 2992	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	hwHUPYG.exe
PID 1736 wrote to memory of 2992	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	hwHUPYG.exe
PID 1736 wrote to memory of 2992	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	hwHUPYG.exe
PID 1736 wrote to memory of 1636	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	xBoxoYD.exe
PID 1736 wrote to memory of 1636	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	xBoxoYD.exe
PID 1736 wrote to memory of 1636	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	xBoxoYD.exe
PID 1736 wrote to memory of 2792	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	IcvOsLL.exe
PID 1736 wrote to memory of 2792	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	IcvOsLL.exe
PID 1736 wrote to memory of 2792	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	IcvOsLL.exe
PID 1736 wrote to memory of 2648	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	goNrisV.exe
PID 1736 wrote to memory of 2648	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	goNrisV.exe
PID 1736 wrote to memory of 2648	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	goNrisV.exe
PID 1736 wrote to memory of 2676	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	NkdGRIU.exe
PID 1736 wrote to memory of 2676	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	NkdGRIU.exe
PID 1736 wrote to memory of 2676	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	NkdGRIU.exe
PID 1736 wrote to memory of 2544	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	zEdOJfl.exe
PID 1736 wrote to memory of 2544	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	zEdOJfl.exe
PID 1736 wrote to memory of 2544	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	zEdOJfl.exe
PID 1736 wrote to memory of 2236	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	kRAlTkh.exe
PID 1736 wrote to memory of 2236	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	kRAlTkh.exe
PID 1736 wrote to memory of 2236	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	kRAlTkh.exe
PID 1736 wrote to memory of 2528	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	ofpBoYG.exe
PID 1736 wrote to memory of 2528	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	ofpBoYG.exe
PID 1736 wrote to memory of 2528	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	ofpBoYG.exe
PID 1736 wrote to memory of 2684	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	GXkxAtq.exe
PID 1736 wrote to memory of 2684	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	GXkxAtq.exe
PID 1736 wrote to memory of 2684	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	GXkxAtq.exe
PID 1736 wrote to memory of 2984	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	UdwMaqs.exe
PID 1736 wrote to memory of 2984	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	UdwMaqs.exe
PID 1736 wrote to memory of 2984	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	UdwMaqs.exe
PID 1736 wrote to memory of 1292	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	hCqykSY.exe
PID 1736 wrote to memory of 1292	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	hCqykSY.exe
PID 1736 wrote to memory of 1292	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	hCqykSY.exe
PID 1736 wrote to memory of 856	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	JFtdwWw.exe
PID 1736 wrote to memory of 856	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	JFtdwWw.exe
PID 1736 wrote to memory of 856	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	JFtdwWw.exe
PID 1736 wrote to memory of 1952	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	YdkfoDX.exe
PID 1736 wrote to memory of 1952	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	YdkfoDX.exe
PID 1736 wrote to memory of 1952	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	YdkfoDX.exe
PID 1736 wrote to memory of 1008	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	jXVkUnR.exe
PID 1736 wrote to memory of 1008	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	jXVkUnR.exe
PID 1736 wrote to memory of 1008	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	jXVkUnR.exe
PID 1736 wrote to memory of 1876	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	csupAYW.exe
PID 1736 wrote to memory of 1876	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	csupAYW.exe
PID 1736 wrote to memory of 1876	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	csupAYW.exe
PID 1736 wrote to memory of 2184	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	BksRsts.exe
PID 1736 wrote to memory of 2184	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	BksRsts.exe
PID 1736 wrote to memory of 2184	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	BksRsts.exe
PID 1736 wrote to memory of 1340	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	ZSHuVmd.exe
PID 1736 wrote to memory of 1340	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	ZSHuVmd.exe
PID 1736 wrote to memory of 1340	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	ZSHuVmd.exe
PID 1736 wrote to memory of 1972	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	TWjVPSD.exe
PID 1736 wrote to memory of 1972	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	TWjVPSD.exe
PID 1736 wrote to memory of 1972	1736	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	TWjVPSD.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\System\fTylfxk.exe
C:\Windows\System\fTylfxk.exe
2⤵
- Executes dropped EXE
PID:2340

C:\Windows\System\pYLDGGS.exe
C:\Windows\System\pYLDGGS.exe
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\System\VJbjlGu.exe
C:\Windows\System\VJbjlGu.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\System\hwHUPYG.exe
C:\Windows\System\hwHUPYG.exe
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\System\xBoxoYD.exe
C:\Windows\System\xBoxoYD.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\IcvOsLL.exe
C:\Windows\System\IcvOsLL.exe
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\System\goNrisV.exe
C:\Windows\System\goNrisV.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\System\NkdGRIU.exe
C:\Windows\System\NkdGRIU.exe
2⤵
- Executes dropped EXE
PID:2676

C:\Windows\System\zEdOJfl.exe
C:\Windows\System\zEdOJfl.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\kRAlTkh.exe
C:\Windows\System\kRAlTkh.exe
2⤵
- Executes dropped EXE
PID:2236

C:\Windows\System\ofpBoYG.exe
C:\Windows\System\ofpBoYG.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\GXkxAtq.exe
C:\Windows\System\GXkxAtq.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\UdwMaqs.exe
C:\Windows\System\UdwMaqs.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\hCqykSY.exe
C:\Windows\System\hCqykSY.exe
2⤵
- Executes dropped EXE
PID:1292

C:\Windows\System\JFtdwWw.exe
C:\Windows\System\JFtdwWw.exe
2⤵
- Executes dropped EXE
PID:856

C:\Windows\System\YdkfoDX.exe
C:\Windows\System\YdkfoDX.exe
2⤵
- Executes dropped EXE
PID:1952

C:\Windows\System\jXVkUnR.exe
C:\Windows\System\jXVkUnR.exe
2⤵
- Executes dropped EXE
PID:1008

C:\Windows\System\csupAYW.exe
C:\Windows\System\csupAYW.exe
2⤵
- Executes dropped EXE
PID:1876

C:\Windows\System\BksRsts.exe
C:\Windows\System\BksRsts.exe
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\System\ZSHuVmd.exe
C:\Windows\System\ZSHuVmd.exe
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\System\TWjVPSD.exe
C:\Windows\System\TWjVPSD.exe
2⤵
- Executes dropped EXE
PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BksRsts.exe
Filesize
5.2MB

MD5
1471d91c1779873aaf334e7705585703

SHA1
9e98c74cd4985432b440f3ac6fb0b7fa72a5fbed

SHA256
b7c05323bcdd60d5b53400d08ab52f2b947419118b76d64e269b772b48e4f1b6

SHA512
b274985abe4724836381ce76d4eded961f07a83f7016ee87e8288e512505c3a5914ecaea301fa8d57751cc4561c11888eafa1820a5328d53f292b574962639eb

Download Submit
C:\Windows\system\GXkxAtq.exe
Filesize
5.2MB

MD5
143d82960889d0c0e094523c93f8a29e

SHA1
b2bd684ed5b50c8dfe21b439f8afdcf4201544b9

SHA256
ea7557ee8f39314345cb37d94b1d2b41d3680ac662f79c41efcb425cda351ebb

SHA512
159e676a253113475cacc497efb2c8393b1e0f223b0073efd4f0753bd040eae43e909c1ffa8949a7eea4a01c2150e1c79bc2352a3be0ff76a4baf9127e863196

Download Submit
C:\Windows\system\IcvOsLL.exe
Filesize
5.2MB

MD5
10d1b51883a5dc8262ad5f6bbbe892d6

SHA1
dd14e98d56a6a5fb01427b98930d4a7d48a1ef12

SHA256
5bac7ba3023981f5ba6b4e3f6c39caed039ea1c042241d80883318af4265e941

SHA512
b5aeed41ba14fa83f39fe89b1c992a4f955023fc376c85996cee5e04615aed3640329ee24be9d7f87bfa156fce0941fa4e8cc33c99b559776048e1cb35047469

Download Submit
C:\Windows\system\JFtdwWw.exe
Filesize
5.2MB

MD5
9f02885f21d9485589092ee3267648ee

SHA1
2b1cbc6104d9ea71d3a54275e86e5e050d46168b

SHA256
9bb79e30b92da979e023d63238ee863363c6e97c29c221c64617e720ca0047e8

SHA512
dd2eb88f3626bd57eb3e924737c5bc9f9cbab27437ffffcaa723db22fa6e91e33fa5ee575f336a10ebf222d6b76c88a5bb1db9d25851813e7d01967372141589

Download Submit
C:\Windows\system\NkdGRIU.exe
Filesize
5.2MB

MD5
106ba4e4d5e4717e8d6803966fec3650

SHA1
6cd88a46e7f906dd832e8544f18ec432306037fa

SHA256
0602480b05f0ddedc1acad2687993ec77509b43f039396839053c390d7504c6c

SHA512
2d6a0735f68094ce19f3d5ae1b4901df90395e3ea19a23053a84f91f089ffdbe5630fad0328a861bc4cc50def9909c7270395273c72e2cf8dc856a7d2d99ad75

Download Submit
C:\Windows\system\UdwMaqs.exe
Filesize
5.2MB

MD5
680c798d229c6d2a2027f1a187dbf2c1

SHA1
8ed779a83fe0b3a7d1b1e856124feb58b69e1605

SHA256
ade0a182a9fc7248890d5dad87d5529da57a5191c11a1ce0c111a514f7d02ac4

SHA512
9307cb7532568286de18fbc70b71e7797df68433bcc2ffc67fe6d644f7c8f17ba97e7f16d2073bad4321843122090df0fde2a424b8068e7cef067e8ca2db7537

Download Submit
C:\Windows\system\VJbjlGu.exe
Filesize
5.2MB

MD5
cab326a0752721388557ae834b50d6e6

SHA1
e20d5cf0b1c3dc17b91fac89f6e4f239ccee1a8a

SHA256
d4fb0a7c46142cd09e88bcd942cf7c1006c40060c78fec5730a424189d136016

SHA512
f168c11f3cbe40727b016af034cdf53b68f8f1f6e29b89d8caf36d60040717cae55243d84d323750244047830beec12e9931f1d7a70726c106127bc23d3451c5

Download Submit
C:\Windows\system\YdkfoDX.exe
Filesize
5.2MB

MD5
8650bcc6469762d6378dc27c8368cfdb

SHA1
30a56e75f7f663e1ea264d6d43d4f356787a146c

SHA256
3b94d034aa93cff283838d5a5afcc9e07ba105603d5ce46912dcedee22414331

SHA512
edae04a88e2cb4a8ff17284789a50d1688ecd672f79fcfd71da3341a19b47c93b3e4b20e93714142ca0893251191487631b3991c22cc1d9d47ec775496f34e0c

Download Submit
C:\Windows\system\ZSHuVmd.exe
Filesize
5.2MB

MD5
89bc63d26b945701333e7dcdb8eafc60

SHA1
1ca6d2131c9c235f300dcf5a9c1c5fd943eef99e

SHA256
e8501dd3cfe47178ad8b85b1e84d3f8a8a624dfe85db6a374c3e347aab83f973

SHA512
a2e5224f25e0c7e551ac7b94cdff71ebcbc4f4c1d27bf0a1880957cb4214d1944fad00018c1db70e74b43f38c5f1a597146a71c897cb994a3a3c6f4ef52f59b6

Download Submit
C:\Windows\system\csupAYW.exe
Filesize
5.2MB

MD5
1fe42373993db169203f8dbda4214443

SHA1
1bc9bbd18aa297c2e2e9582ee47121ab54e29ff1

SHA256
006fe168089ebfa6936c46942ad90f74ae336b5abac0c1c2de431d6ae7d7b76e

SHA512
05ff0ade7556a6b1efca279276b8acaaa162c0b774f5522140798c83baf18cd4812a5d5dfb683c4382e9bd76599e8d4a639dbf345b960282b1ada836d7699489

Download Submit
C:\Windows\system\goNrisV.exe
Filesize
5.2MB

MD5
2065ca03a9a4572c878674e572150dbb

SHA1
c960d49ef1a1d92e54e138a5b1baf4b35441a14e

SHA256
686eb5d7c902b71c0556730bb4b4c26c3799436dca1d27e4d9e8e5a4778e1149

SHA512
f92dc413b49db970a0926ee8223965199663e00a5f08a709e7b9031ac906c1ff31602047d5bea4febdd40adc49f758c7c0cb74fedb92df799e3ec355514d6e70

Download Submit
C:\Windows\system\hCqykSY.exe
Filesize
5.2MB

MD5
c61fda51628c0e27751e1c015a63bb16

SHA1
40b604ca230a351325d8917356585d5995a39287

SHA256
deb94a4d4e45382184a4767f7a18ee413e9b241121d4a18ffa649cc4b854f777

SHA512
3dc537fb8540cc8b12db636397ad8b6b0118c89842dbf34914a8aa388c7612928a0821a206a1f7ebc72d22767ec29f8a98d918e69279efdf49edc7dd437b4d9f

Download Submit
C:\Windows\system\hwHUPYG.exe
Filesize
5.2MB

MD5
a0d2879a80724ba09ad14eebc3d54ce9

SHA1
9d3dead1aededeb3582cd2d1d0876e421778ada2

SHA256
5aa9480e43571382a230039f6d8e8039c0f8d1edc43a2dfdd31670a8ce36c479

SHA512
bfd4e0e41bfa6f56d72aa5c1e797de189c4b19147acdb3036398419a4967f1de9118b53cd9bbeabc5e18a98fc2eb0118ea89a3f8e0d0aca1c4e82d4028f2ff9e

Download Submit
C:\Windows\system\jXVkUnR.exe
Filesize
5.2MB

MD5
1b4575c94df0111482c2239798dea09c

SHA1
7fd2b192b0a5a94a94022de28b7f99cdf278ad90

SHA256
2cf54ca5f002a691070848088e1eb998a463e195b5df6edee5ad2554f519eab8

SHA512
50bc5cb10d9a8e13ef28b598fccc357c96004de7b48204c292ba87fb1f99d75b64cc265067f7ec31747e9f87e3f7882961a81ccab1c233059981aeb7ccedb443

Download Submit
C:\Windows\system\kRAlTkh.exe
Filesize
5.2MB

MD5
cd3767ee0f8468a50c3e83205aa2a30d

SHA1
b6a266a6d1f1c0461755a26deffac1c788b79942

SHA256
4b441e3181587bd7b77ecd8d7ce51681ad600772875e868603520d1c34d11a00

SHA512
9fd46070aea69a6def32773b38658f574647366b84e934085a01f26a89ab76f929c2e0166bb5ab46ebc21bc17b3ce993697618c5dda7724890ace38d237d2b9a

Download Submit
C:\Windows\system\ofpBoYG.exe
Filesize
5.2MB

MD5
22f33f2fc579477421df7d9ba90fc01f

SHA1
82de1d99854d5c839ecb85be1214bcaa0ce3c3dd

SHA256
457383c80988358ba87e2aaf7c4a6fb41c8520d093c8703e74b205f7fd9a99fa

SHA512
ff21a3e13815dae57246fc98b7f8766f245dd0d21ef55590cc98ffb16c207d2c719a33e5fa2c16575b05836e0be82ff5905f794e41084c5b0988c42517a3c592

Download Submit
C:\Windows\system\xBoxoYD.exe
Filesize
5.2MB

MD5
ac866a3506d6b4ca18e4d116bb94205e

SHA1
f2b08901557bbe7e756408233557daa19f811c41

SHA256
bf7399c14b715321913ee7c81d96fc7e41c927f05135c26b7f2b7df56dfba8b1

SHA512
d2050635cedf21f9320fa87d340fad1d4a81f006fa58832626ea95668848ab7fb81fce9d95244ca265773bff37aabc94751e10d6a66c50b2eed2e1c37e6f7b72

Download Submit
C:\Windows\system\zEdOJfl.exe
Filesize
5.2MB

MD5
4f7f828c39a69158aaa81348578bd944

SHA1
5b1aea6ca8b5e6aec88ea77177f49e531c40c7a8

SHA256
168669b1c946978ba9f3e0fed6400a7e916cc5816462307c38d0ffd3d464ca24

SHA512
81fd18ede0fc25f9b76a48e1f25a6a8494678675ef094012d12a12d95bff6bbe994fad44359758c1d2d912ca463c72d75b35dbbf83b39f03a40cb93c640ea8a3

Download Submit
\Windows\system\TWjVPSD.exe
Filesize
5.2MB

MD5
71ff6a9ac38fbf7642bc60fe5adf4177

SHA1
c9b510b0092c736c92b4980d5556e563a6bc4d62

SHA256
bbdde8139d86db33a5ae5dcf2d1d12af1550d9759150250ba0418e3ce4856128

SHA512
326fa6a802e01630c088b667956eada435c80b1bc553dcce05853dcb8c8e3e036cb1723422b1ba7151f06a752cf8902281a0425f675ac07e132812299aa50cf2

Download Submit
\Windows\system\fTylfxk.exe
Filesize
5.2MB

MD5
13d8936bac7073b08c05dfb01e0f20cc

SHA1
8b9a74737879f955040550351ba722a79203261c

SHA256
03eeb55ee595d20094f1a036d6008661928b4a5a540e4af3c6d2ae166bcba0cd

SHA512
c1aeff95aae832d7cc839180bd91c727be4c30f09f1b31d35fc762282bbe99826be189d328675bfea5667b20a93d104b8afe6f8d7b074a0ff177f5dd1a538f42

Download Submit
\Windows\system\pYLDGGS.exe
Filesize
5.2MB

MD5
2fe73be978fbbfe5e754159b486590a6

SHA1
ae9688c8578c22d690ac58f4cdb8062141edd373

SHA256
118c1033cfba6e6571165da4264dcfed58a333554e14549486a3567dea535ea2

SHA512
185924c6e19bdfcc91530eb9b692a8287005d1fe1c35e10502d027e0f9b5cafa4fd01cc5d1d3ca76b3d7b8219ddc70c6e11c95d2684f034f46e61363902f48a9

Download Submit
memory/856-155-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1008-157-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-100-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-154-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-252-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1340-160-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1600-22-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1600-83-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1600-219-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1636-226-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/1636-104-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/1636-40-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/1736-84-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-162-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1736-6-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-187-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1736-92-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/1736-186-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-172-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/1736-99-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-163-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/1736-0-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/1736-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/1736-14-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1736-106-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1736-53-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/1736-21-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1736-28-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-62-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/1736-41-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/1736-34-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-158-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/1952-156-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-161-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2112-15-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2112-217-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2112-75-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2184-159-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2236-233-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-68-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-150-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-74-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-12-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-215-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-246-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-76-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-151-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-229-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2544-63-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2648-139-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-231-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-56-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-54-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2676-227-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2684-85-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2684-152-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2684-248-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2792-223-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2792-42-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2792-105-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2984-93-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2984-153-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2984-250-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2992-221-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2992-91-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2992-29-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download