cobaltstrike | 0bfe9cfe6dfefbd8635bfbc68205f6e76936a791f0bfe3cd721d84e874745b6c

Analysis

max time kernel
125s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

9692994b50a306dd8b2c1bad47b972c5
SHA1

66618ae1d2bed409353427dc1d778130579edf6a
SHA256

0bfe9cfe6dfefbd8635bfbc68205f6e76936a791f0bfe3cd721d84e874745b6c
SHA512

214db3da293c0480face79a8696af41d0d086cd42807f7a7ea0368d97ee0cfdb63f5bbd252a1776e1a2096c4a5bb56c6944b8f7041d980d567fdaefd4783b0be
SSDEEP

98304:MemTLkNdfE0pZba56utgpPFotBER/mQ32lUT:v+D56utgpPF8u/7T

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\vZbopha.exe	cobalt_reflective_dll
C:\Windows\system\BtQuXOr.exe	cobalt_reflective_dll
\Windows\system\TNxMNUK.exe	cobalt_reflective_dll
C:\Windows\system\gtQufKd.exe	cobalt_reflective_dll
C:\Windows\system\UqvyyKe.exe	cobalt_reflective_dll
C:\Windows\system\lDRlTtg.exe	cobalt_reflective_dll
C:\Windows\system\iWTWCDW.exe	cobalt_reflective_dll
\Windows\system\kypkSlQ.exe	cobalt_reflective_dll
C:\Windows\system\VvAnGnk.exe	cobalt_reflective_dll
\Windows\system\wTbMnHs.exe	cobalt_reflective_dll
C:\Windows\system\qPXrReZ.exe	cobalt_reflective_dll
\Windows\system\sXKFAUX.exe	cobalt_reflective_dll
C:\Windows\system\uSpRlIo.exe	cobalt_reflective_dll
C:\Windows\system\hchBuPv.exe	cobalt_reflective_dll
\Windows\system\GdqiBef.exe	cobalt_reflective_dll
C:\Windows\system\OQLLlpj.exe	cobalt_reflective_dll
C:\Windows\system\ehlbCId.exe	cobalt_reflective_dll
C:\Windows\system\apVCHsx.exe	cobalt_reflective_dll
C:\Windows\system\mDeVZFb.exe	cobalt_reflective_dll
C:\Windows\system\asoUAzR.exe	cobalt_reflective_dll
C:\Windows\system\QRhCpiZ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\vZbopha.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BtQuXOr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\TNxMNUK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gtQufKd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UqvyyKe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lDRlTtg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iWTWCDW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kypkSlQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VvAnGnk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\wTbMnHs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qPXrReZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\sXKFAUX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uSpRlIo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hchBuPv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\GdqiBef.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OQLLlpj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ehlbCId.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\apVCHsx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mDeVZFb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\asoUAzR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QRhCpiZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 58 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2772-0-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
\Windows\system\vZbopha.exe	UPX
behavioral1/memory/3004-8-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\BtQuXOr.exe	UPX
\Windows\system\TNxMNUK.exe	UPX
C:\Windows\system\gtQufKd.exe	UPX
C:\Windows\system\UqvyyKe.exe	UPX
behavioral1/memory/2848-36-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2584-40-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2368-39-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\lDRlTtg.exe	UPX
behavioral1/memory/2772-65-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\iWTWCDW.exe	UPX
\Windows\system\kypkSlQ.exe	UPX
C:\Windows\system\VvAnGnk.exe	UPX
\Windows\system\wTbMnHs.exe	UPX
C:\Windows\system\qPXrReZ.exe	UPX
behavioral1/memory/2848-85-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
\Windows\system\sXKFAUX.exe	UPX
C:\Windows\system\uSpRlIo.exe	UPX
C:\Windows\system\hchBuPv.exe	UPX
\Windows\system\GdqiBef.exe	UPX
C:\Windows\system\OQLLlpj.exe	UPX
behavioral1/memory/2424-137-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\ehlbCId.exe	UPX
behavioral1/memory/2356-138-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2384-104-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\apVCHsx.exe	UPX
behavioral1/memory/1428-93-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2584-91-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2368-90-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\mDeVZFb.exe	UPX
behavioral1/memory/2968-76-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2968-140-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3004-74-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2536-98-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/548-142-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2536-54-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\asoUAzR.exe	UPX
behavioral1/memory/2556-35-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\QRhCpiZ.exe	UPX
behavioral1/memory/2544-24-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1428-144-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1816-146-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3004-148-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2544-149-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2556-150-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2368-151-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2584-152-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2848-153-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2536-154-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2384-155-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2424-156-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2356-157-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2968-158-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1428-160-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/548-159-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1816-161-0x0000000140000000-0x0000000140352000-memory.dmp	UPX

XMRig Miner payload 60 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2772-0-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
\Windows\system\vZbopha.exe	xmrig
behavioral1/memory/3004-8-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\BtQuXOr.exe	xmrig
\Windows\system\TNxMNUK.exe	xmrig
C:\Windows\system\gtQufKd.exe	xmrig
C:\Windows\system\UqvyyKe.exe	xmrig
behavioral1/memory/2848-36-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2584-40-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2368-39-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\lDRlTtg.exe	xmrig
behavioral1/memory/2772-65-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\iWTWCDW.exe	xmrig
\Windows\system\kypkSlQ.exe	xmrig
C:\Windows\system\VvAnGnk.exe	xmrig
\Windows\system\wTbMnHs.exe	xmrig
C:\Windows\system\qPXrReZ.exe	xmrig
behavioral1/memory/2848-85-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
\Windows\system\sXKFAUX.exe	xmrig
C:\Windows\system\uSpRlIo.exe	xmrig
C:\Windows\system\hchBuPv.exe	xmrig
\Windows\system\GdqiBef.exe	xmrig
C:\Windows\system\OQLLlpj.exe	xmrig
behavioral1/memory/2424-137-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\ehlbCId.exe	xmrig
behavioral1/memory/2356-138-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2384-104-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\apVCHsx.exe	xmrig
behavioral1/memory/1428-93-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2584-91-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2368-90-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\mDeVZFb.exe	xmrig
behavioral1/memory/2968-76-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2968-140-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3004-74-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2536-98-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2772-95-0x00000000025B0000-0x0000000002902000-memory.dmp	xmrig
behavioral1/memory/548-142-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2536-54-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2772-143-0x00000000025B0000-0x0000000002902000-memory.dmp	xmrig
C:\Windows\system\asoUAzR.exe	xmrig
behavioral1/memory/2556-35-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\QRhCpiZ.exe	xmrig
behavioral1/memory/2544-24-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1428-144-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1816-146-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3004-148-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2544-149-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2556-150-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2368-151-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2584-152-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2848-153-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2536-154-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2384-155-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2424-156-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2356-157-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2968-158-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1428-160-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/548-159-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1816-161-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

vZbopha.exeBtQuXOr.exeTNxMNUK.exegtQufKd.exeQRhCpiZ.exeUqvyyKe.exeasoUAzR.exeiWTWCDW.exelDRlTtg.exekypkSlQ.exewTbMnHs.exeVvAnGnk.exemDeVZFb.exeqPXrReZ.exeehlbCId.exeapVCHsx.exeOQLLlpj.exesXKFAUX.exehchBuPv.exeuSpRlIo.exeGdqiBef.exe

pid	process
3004	vZbopha.exe
2544	BtQuXOr.exe
2556	TNxMNUK.exe
2848	gtQufKd.exe
2368	QRhCpiZ.exe
2584	UqvyyKe.exe
2536	asoUAzR.exe
2384	iWTWCDW.exe
2424	lDRlTtg.exe
2356	kypkSlQ.exe
2968	wTbMnHs.exe
548	VvAnGnk.exe
1428	mDeVZFb.exe
1816	qPXrReZ.exe
764	ehlbCId.exe
2540	apVCHsx.exe
2760	OQLLlpj.exe
2988	sXKFAUX.exe
1768	hchBuPv.exe
1740	uSpRlIo.exe
948	GdqiBef.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

pid	process
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2772-0-0x0000000140000000-0x0000000140352000-memory.dmp	upx
\Windows\system\vZbopha.exe	upx
behavioral1/memory/3004-8-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\BtQuXOr.exe	upx
\Windows\system\TNxMNUK.exe	upx
C:\Windows\system\gtQufKd.exe	upx
C:\Windows\system\UqvyyKe.exe	upx
behavioral1/memory/2848-36-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2584-40-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2368-39-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2772-28-0x00000000025B0000-0x0000000002902000-memory.dmp	upx
C:\Windows\system\lDRlTtg.exe	upx
behavioral1/memory/2772-65-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\iWTWCDW.exe	upx
\Windows\system\kypkSlQ.exe	upx
C:\Windows\system\VvAnGnk.exe	upx
\Windows\system\wTbMnHs.exe	upx
C:\Windows\system\qPXrReZ.exe	upx
behavioral1/memory/2848-85-0x0000000140000000-0x0000000140352000-memory.dmp	upx
\Windows\system\sXKFAUX.exe	upx
C:\Windows\system\uSpRlIo.exe	upx
C:\Windows\system\hchBuPv.exe	upx
\Windows\system\GdqiBef.exe	upx
C:\Windows\system\OQLLlpj.exe	upx
behavioral1/memory/2424-137-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\ehlbCId.exe	upx
behavioral1/memory/2356-138-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2384-104-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\apVCHsx.exe	upx
behavioral1/memory/1428-93-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2584-91-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2368-90-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\mDeVZFb.exe	upx
behavioral1/memory/2968-76-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2968-140-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3004-74-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2536-98-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/548-142-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2536-54-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\asoUAzR.exe	upx
behavioral1/memory/2556-35-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\QRhCpiZ.exe	upx
behavioral1/memory/2544-24-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1428-144-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1816-146-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3004-148-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2544-149-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2556-150-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2368-151-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2584-152-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2848-153-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2536-154-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2384-155-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2424-156-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2356-157-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2968-158-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1428-160-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/548-159-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1816-161-0x0000000140000000-0x0000000140352000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\kypkSlQ.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uSpRlIo.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GdqiBef.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vZbopha.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gtQufKd.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iWTWCDW.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OQLLlpj.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QRhCpiZ.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\asoUAzR.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\apVCHsx.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hchBuPv.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TNxMNUK.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UqvyyKe.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lDRlTtg.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mDeVZFb.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qPXrReZ.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ehlbCId.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sXKFAUX.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BtQuXOr.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wTbMnHs.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VvAnGnk.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2772 wrote to memory of 3004	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	vZbopha.exe
PID 2772 wrote to memory of 3004	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	vZbopha.exe
PID 2772 wrote to memory of 3004	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	vZbopha.exe
PID 2772 wrote to memory of 2544	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	BtQuXOr.exe
PID 2772 wrote to memory of 2544	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	BtQuXOr.exe
PID 2772 wrote to memory of 2544	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	BtQuXOr.exe
PID 2772 wrote to memory of 2848	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	gtQufKd.exe
PID 2772 wrote to memory of 2848	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	gtQufKd.exe
PID 2772 wrote to memory of 2848	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	gtQufKd.exe
PID 2772 wrote to memory of 2556	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	TNxMNUK.exe
PID 2772 wrote to memory of 2556	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	TNxMNUK.exe
PID 2772 wrote to memory of 2556	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	TNxMNUK.exe
PID 2772 wrote to memory of 2584	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	UqvyyKe.exe
PID 2772 wrote to memory of 2584	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	UqvyyKe.exe
PID 2772 wrote to memory of 2584	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	UqvyyKe.exe
PID 2772 wrote to memory of 2368	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	QRhCpiZ.exe
PID 2772 wrote to memory of 2368	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	QRhCpiZ.exe
PID 2772 wrote to memory of 2368	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	QRhCpiZ.exe
PID 2772 wrote to memory of 2384	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	iWTWCDW.exe
PID 2772 wrote to memory of 2384	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	iWTWCDW.exe
PID 2772 wrote to memory of 2384	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	iWTWCDW.exe
PID 2772 wrote to memory of 2536	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	asoUAzR.exe
PID 2772 wrote to memory of 2536	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	asoUAzR.exe
PID 2772 wrote to memory of 2536	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	asoUAzR.exe
PID 2772 wrote to memory of 2356	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	kypkSlQ.exe
PID 2772 wrote to memory of 2356	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	kypkSlQ.exe
PID 2772 wrote to memory of 2356	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	kypkSlQ.exe
PID 2772 wrote to memory of 2424	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	lDRlTtg.exe
PID 2772 wrote to memory of 2424	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	lDRlTtg.exe
PID 2772 wrote to memory of 2424	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	lDRlTtg.exe
PID 2772 wrote to memory of 2968	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	wTbMnHs.exe
PID 2772 wrote to memory of 2968	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	wTbMnHs.exe
PID 2772 wrote to memory of 2968	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	wTbMnHs.exe
PID 2772 wrote to memory of 548	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	VvAnGnk.exe
PID 2772 wrote to memory of 548	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	VvAnGnk.exe
PID 2772 wrote to memory of 548	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	VvAnGnk.exe
PID 2772 wrote to memory of 1428	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	mDeVZFb.exe
PID 2772 wrote to memory of 1428	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	mDeVZFb.exe
PID 2772 wrote to memory of 1428	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	mDeVZFb.exe
PID 2772 wrote to memory of 1816	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	qPXrReZ.exe
PID 2772 wrote to memory of 1816	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	qPXrReZ.exe
PID 2772 wrote to memory of 1816	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	qPXrReZ.exe
PID 2772 wrote to memory of 764	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ehlbCId.exe
PID 2772 wrote to memory of 764	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ehlbCId.exe
PID 2772 wrote to memory of 764	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ehlbCId.exe
PID 2772 wrote to memory of 2540	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	apVCHsx.exe
PID 2772 wrote to memory of 2540	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	apVCHsx.exe
PID 2772 wrote to memory of 2540	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	apVCHsx.exe
PID 2772 wrote to memory of 2760	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	OQLLlpj.exe
PID 2772 wrote to memory of 2760	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	OQLLlpj.exe
PID 2772 wrote to memory of 2760	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	OQLLlpj.exe
PID 2772 wrote to memory of 2988	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	sXKFAUX.exe
PID 2772 wrote to memory of 2988	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	sXKFAUX.exe
PID 2772 wrote to memory of 2988	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	sXKFAUX.exe
PID 2772 wrote to memory of 1768	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	hchBuPv.exe
PID 2772 wrote to memory of 1768	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	hchBuPv.exe
PID 2772 wrote to memory of 1768	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	hchBuPv.exe
PID 2772 wrote to memory of 1740	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	uSpRlIo.exe
PID 2772 wrote to memory of 1740	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	uSpRlIo.exe
PID 2772 wrote to memory of 1740	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	uSpRlIo.exe
PID 2772 wrote to memory of 948	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	GdqiBef.exe
PID 2772 wrote to memory of 948	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	GdqiBef.exe
PID 2772 wrote to memory of 948	2772	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	GdqiBef.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\System\vZbopha.exe
  C:\Windows\System\vZbopha.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\BtQuXOr.exe
  C:\Windows\System\BtQuXOr.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\gtQufKd.exe
  C:\Windows\System\gtQufKd.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\TNxMNUK.exe
  C:\Windows\System\TNxMNUK.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\UqvyyKe.exe
  C:\Windows\System\UqvyyKe.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\QRhCpiZ.exe
  C:\Windows\System\QRhCpiZ.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\iWTWCDW.exe
  C:\Windows\System\iWTWCDW.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\asoUAzR.exe
  C:\Windows\System\asoUAzR.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\kypkSlQ.exe
  C:\Windows\System\kypkSlQ.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\lDRlTtg.exe
  C:\Windows\System\lDRlTtg.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\wTbMnHs.exe
  C:\Windows\System\wTbMnHs.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\VvAnGnk.exe
  C:\Windows\System\VvAnGnk.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\mDeVZFb.exe
  C:\Windows\System\mDeVZFb.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\qPXrReZ.exe
  C:\Windows\System\qPXrReZ.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\ehlbCId.exe
  C:\Windows\System\ehlbCId.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\apVCHsx.exe
  C:\Windows\System\apVCHsx.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\OQLLlpj.exe
  C:\Windows\System\OQLLlpj.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\sXKFAUX.exe
  C:\Windows\System\sXKFAUX.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\hchBuPv.exe
  C:\Windows\System\hchBuPv.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\uSpRlIo.exe
  C:\Windows\System\uSpRlIo.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\GdqiBef.exe
  C:\Windows\System\GdqiBef.exe
  2⤵
  - Executes dropped EXE
  PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BtQuXOr.exe

Filesize
8.3MB

MD5
651b840edc9b73be579d013d007fd212

SHA1
9a1605c5c276cc4a707b0d88d361d458f1788e56

SHA256
c4f7284e82e59e1e9c53ba24e009e506e940271f493aa911af70620b5f50d63c

SHA512
38f185335bde84d5c2e6e0d4831050ac82c2ae9593de0a4f6c666ebb6d362d3a2a5444fb3cc51a82cb14bdf634738314efc0f18f43135ead94702e428b180e8e

Download Submit
C:\Windows\system\OQLLlpj.exe

Filesize
8.3MB

MD5
c0efa70364960743dfaea8894b494604

SHA1
07af4451c99c7a949ad04bdfb89cdbf032633419

SHA256
615ba0d27fc6c074e2a681c0b2bba8cf5153d0557604e1fcc3a08cc988ba3167

SHA512
d2c9bbe7b732ac8fc015042e2988a792b75608ed9ab34822606980aed4124505fe8ae9e1c662e163e5f95c074a58d1cfaaedbac70e1ece18328caf6bcd11dc9b

Download Submit
C:\Windows\system\QRhCpiZ.exe

Filesize
8.3MB

MD5
320bca51c8d72bc7430a4a6524f4dc24

SHA1
59a9d06d3ee2a448d5a8c76e02b278f986acf211

SHA256
b116282040983cdf72b1b78b82afea9f7a2452a4a64f7b04ecedc49d00338786

SHA512
6ff00391d7e85134350acbcc4c977c6e48f5636024a95111bd1ecfb33c90f57516ec8fcfdea576b49e2d61ce676d4c940c2ae92ac14b5f63e10e90a08b201633

Download Submit
C:\Windows\system\UqvyyKe.exe

Filesize
8.3MB

MD5
e9b4f8905be6b7b1de2183f11fc5f9fd

SHA1
ac8344754a31473d2869ea2a0ae5e436932f5622

SHA256
3d07bb56eae930f8870da08b270870ac8eb6cc2c614144dae364d97284e08590

SHA512
bd5db50e9b9a66b653dec4cd17d8b65b322ef2b60dc381b773b8753033813612d3bf8926b2ed16f4eba723222124ff4023b854c1f857d8dac3735fa6d360ca0a

Download Submit
C:\Windows\system\VvAnGnk.exe

Filesize
8.3MB

MD5
1acf5fc8d390ee97c16ff6b11cd46d3d

SHA1
ae95e4dbf66f0cfcf50830d9fbe38c6c39aa8d4f

SHA256
bd5491c02d451420fd7da97cd04451fc1fb4a7eab60413d50cf2546b26ada282

SHA512
82cac186404a881113d9327b04955ecb78805ff6bb18e3a5f4aa8b76aa08129921d5bddd4ad27b6c1c4a27d81809b59bf4e4d3c93472213c333a02ea44ab7cb2

Download Submit
C:\Windows\system\apVCHsx.exe

Filesize
8.3MB

MD5
d86e9b5c02cb571d7845486eb4edb083

SHA1
9e7c92effbcea78503fe35cc8f92d06160851c0f

SHA256
cd91228d14d5cb6a2180820329674d0694a3eb694cd37ba318ab8a21241928d6

SHA512
1fb2c4147e11465508f3f0ff41a6e726f9428cfc00e851a1e0649f2a9a680c53e311ff43d6c8c2c24ce147e60d9ccecea8f8ea0e3e8e32de2359d750f4ee4713

Download Submit
C:\Windows\system\asoUAzR.exe

Filesize
8.3MB

MD5
df57cc67cf08a9321241b5b8911cb827

SHA1
b21dedb5d077c8df44b6ffac7072f2b79feb54c5

SHA256
2f90d5ed2baeabc771805943f55c04f1fdea66b3a902669aaee4a433cce11456

SHA512
546349c2100f7c8abbf7e893732522ab3a54cfb3e27739d505c8b7cfa279f51039923d96e3a77c063bf84027754086a5d32eb3b209829ba806358141575c1e83

Download Submit
C:\Windows\system\ehlbCId.exe

Filesize
8.3MB

MD5
c1ade07dea11ecf7270d13bd8637334a

SHA1
1f1d71e2ac0a5561a5058b43167225e0750c2249

SHA256
cf92ba77ac39c5529f7b395b255b3d7b29541888052d1ed812f711cdf40af10e

SHA512
63913577da54a6165818b6101898b84e89d0cacd58ee88d07aa255de01aaa3df569c4565a1baef123e7123caff8a485561a7a4cb97a02fd0702f4063bffef6f7

Download Submit
C:\Windows\system\gtQufKd.exe

Filesize
8.3MB

MD5
eb8ee11a70f3964960d7d650ee5cc65a

SHA1
5fbf88df38a71d78f342c8eca7bbf39721631781

SHA256
da779249b974c2a17dabbdae97c7d562262742e6c4ed21aae62d9c4048ddd1d4

SHA512
64c69e02058bcbfd7ea47b8d5a7c6a5231a3069a1a2874de792a0cc5601bdc13b2682529f988cf2878c88d68fa8cab558cc9a68edc1d4d3eb43d96459b8f6ac4

Download Submit
C:\Windows\system\hchBuPv.exe

Filesize
8.3MB

MD5
6c3484230eb95aaa8c936b2370b86a39

SHA1
a51b4485ecb73b0ac494d28957c8932ed197b069

SHA256
8f8eab5d8288ca5c1ca6b64e433a9f9d57ae53b4e503aee36dde10a6c6b48bc7

SHA512
65e28d521752d9ef9ef59373b907224089643e21b2acf57046480152969613ee0460b431fe8e71972d68da8df4625195e895048f0d8ced15d03238b52f5c52d5

Download Submit
C:\Windows\system\iWTWCDW.exe

Filesize
8.3MB

MD5
cba3721a15ad8e911a23c5182767ee60

SHA1
56de70db0f945a399d8abebb96cf43f4a24a42fc

SHA256
f5498aefcc1b2de6296e3ea5395f159e7348eb7fc30a4b640b7cec996e08a75a

SHA512
ce2dc201f320a285ee7d65e39b14ab9d6f4aad0461b6b2c80ffa8b558d188e5128607c91ec5fe43ffce1f5d6c45acb326810886d781ae2d73522a219104e13bc

Download Submit
C:\Windows\system\lDRlTtg.exe

Filesize
8.3MB

MD5
106f3468be5f3650dc7220b361cf21e4

SHA1
e3c7f691f546ab8cd417d963d6a3f7cd2211e002

SHA256
f45a4138d71e9b5599a8b09a663aa302f88fbbafb7e8b4b01d28fe7a7f7f9c73

SHA512
b7d1d25c3c9ec1134f54395c4f4f9f629f4eb924cfb36c5e83eeb1b3744304ac84a4412973bed415d99d4398273f4378073421d0942a045cee6fa08246959a97

Download Submit
C:\Windows\system\mDeVZFb.exe

Filesize
8.3MB

MD5
db4b8e56b4ac7d6e0ae5a1566097d436

SHA1
b3a487e249476a2883e52c1e01b5410ef9ce625c

SHA256
911151f76a3014a100ef050928a1d6b4d70ce91c927032ff7f20e933ed3cf5ab

SHA512
cdb962edfd7f34d7d4369d2100074b2700cd4b0435a258e0bb3e5f2a73f7f668b260792c009cda4e6e4567e400208b999b9da7fee6127081888faf7acdc70b4f

Download Submit
C:\Windows\system\qPXrReZ.exe

Filesize
8.3MB

MD5
79c53bb210acab58fcfd87093b0b1d50

SHA1
5fd65eeb709994584e29676e58c17173a1e41183

SHA256
b5cf25deca876f4fe9ab6966ac2e9233cb802a7f3b58bc4b3e21b48f9a2f57db

SHA512
b483ff2eea1488233d013b21db5f7b884c2b9ccc266fe38141344c9680d336e9cd7253358ef39be477d3420b4ac7bcf60e3927fa2a56880216320e1d4860d2c6

Download Submit
C:\Windows\system\uSpRlIo.exe

Filesize
8.3MB

MD5
d4a7d2432f6e0dcccd6e21ed3b6a8ab5

SHA1
ae6a9b715f0d1d493296386090a75096cd17e294

SHA256
6a0fd47344c5940bbb26a6af035deee49fb41cec37d53d95392408130da7823b

SHA512
7a838df3dc4324d4d5faa87763fc6c49bae3f5c9945f91784e3aa28168c5fef0f101c2613d7f5ffd7bedc932a04c72c1779aa08879bbaaf46e50efa8e5a760da

Download Submit
\Windows\system\GdqiBef.exe

Filesize
8.3MB

MD5
a8c4c2bd0b062460178d233cdabb74e9

SHA1
ee1f76fa973a712469b9d7aa3b310f93eb522df6

SHA256
a3514886960403fe8054c703b93f2e91b6fa93c29b9309543b017a9b7f7beba1

SHA512
ec712599f5251b428c05f3a49bd3b5ee840d1c9dc6e20f356b4c30b3e6c67becead7b8ee344b7489fa17b87a49cc0ee4b214803ac5fce7f535c863c664bbeb93

Download Submit
\Windows\system\TNxMNUK.exe

Filesize
8.3MB

MD5
4bf421b829d7ba0cdabfa8f1f9d8588d

SHA1
898e504b9475b577eec3ed54e175d056e07eb75e

SHA256
f1c9699b8b61a4dfc271f270956154cbe6a3d38e773adbfd7e8716bdef1946ab

SHA512
b929a530ed4c04942a9b92f6a1304064a0577505e2a0ff55c66a4dd4236f1e1ba67944371bf9e3ae3e453a5ad8e34c72badaf1279b02c7da57c7bd50ccdfb2fb

Download Submit
\Windows\system\kypkSlQ.exe

Filesize
8.3MB

MD5
0fcbcdbf1e9656018330a756e316b2d9

SHA1
993f98332b2230f2cfcafb080ef5a0c0d54fadb3

SHA256
e5e609f5b4957fae773d0efa00d151be19edcc2d53c2bda0b65abe8ca0251fc6

SHA512
72c5542e1e161a900161855ec2981d41cd48ab1eb6a15d444f2222d22ed70f447f1c1c30fc6c3ebbc78657dcb10bba8dcaaae3191d4be09e772a92a0cb35f6d8

Download Submit
\Windows\system\sXKFAUX.exe

Filesize
8.3MB

MD5
15db16217722811a89da9dec42c2e6b6

SHA1
d57063ee7dfe504b7b15cc877d0b92fdbda32979

SHA256
1271e3e28593d1674925b08d59ee7f37057561c23aea4cc24f42fa6583a12026

SHA512
d4cc9f872b045f56ec9550572a4f248aa880eed3531d084fc9e59d528eb4dacae0b8932cd3caf0cf0c41833af7d1d95d05aebc21ae7985df950030157a34f3df

Download Submit
\Windows\system\vZbopha.exe

Filesize
8.3MB

MD5
bcf828033289287766d5df6975fa52ac

SHA1
3b80a8c13834ea07f080138c51649d6788622f29

SHA256
2af2f03dc1dc789da3014d7ab1cba9bc1c4f579e0593cf039d04c86745220675

SHA512
b8040d19fed46a1b06519ddbc2d86f4dcc695eb04850268d5004e4c64dc03a164690449b3dbe21cc3054808da87f1a9b8440b3eac8f931fa82f4aaa1b6c42b03

Download Submit
\Windows\system\wTbMnHs.exe

Filesize
8.3MB

MD5
5d15c78ca89210b45eb168b97738fb6c

SHA1
3f937fd8fe97490281673e77ed54fab686ce8303

SHA256
6d44ed8fdc6b4052c9b19dc3de395b5d2654f8151e5291096759fa6a2438d9da

SHA512
5da482e0358b429ae9c156f78e08425e54863218963858aa9e3534dc647721d4ec59785c4a2140c011e11d7fa2fc5abdf37d15d9ac3e75f738b0246d3ba0b86f

Download Submit
memory/548-142-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/548-159-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1428-93-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1428-144-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1428-160-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1816-146-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1816-161-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2356-157-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2356-138-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2368-90-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2368-151-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2368-39-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2384-104-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2384-155-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2424-137-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2424-156-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2536-154-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2536-98-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2536-54-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2544-149-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2544-24-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2556-150-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2556-35-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2584-91-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2584-40-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2584-152-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2772-47-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2772-141-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-82-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-71-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-95-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-143-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-28-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-33-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-75-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-31-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-105-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-17-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-52-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-145-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-37-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-147-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-65-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2772-86-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-62-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2772-0-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2772-139-0x00000000025B0000-0x0000000002902000-memory.dmp

Filesize
3.3MB

Download
memory/2848-153-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2848-36-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2848-85-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2968-140-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2968-158-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2968-76-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3004-148-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3004-74-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3004-8-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download