cobaltstrike | eff7865b0b779d6feead5d680cbc692e2990743c4ae5a9827ed3acbfd6f1e55c

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

feba9a81b63fffdfb7da4f95e1c4b37d
SHA1

be3ee88082f8578fdee271765ec48267bf44f6d0
SHA256

eff7865b0b779d6feead5d680cbc692e2990743c4ae5a9827ed3acbfd6f1e55c
SHA512

81b207b1ecc8dd88ad40d62a1eb2dc13116e2876f4c2d98ed38837aa4f9142ea4cc0fbdf07befbcde3fc7baf21d46fb7b84bab929f63358403f19b215ff1bcd0
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l9:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\gjUzQPu.exe	cobalt_reflective_dll
\Windows\system\layCLCS.exe	cobalt_reflective_dll
\Windows\system\tlnZLfQ.exe	cobalt_reflective_dll
C:\Windows\system\pJXMGAn.exe	cobalt_reflective_dll
C:\Windows\system\ktwhyRp.exe	cobalt_reflective_dll
C:\Windows\system\adkEapm.exe	cobalt_reflective_dll
\Windows\system\FyVMFTE.exe	cobalt_reflective_dll
C:\Windows\system\DiBZMza.exe	cobalt_reflective_dll
\Windows\system\IaJXazR.exe	cobalt_reflective_dll
C:\Windows\system\naEyrnV.exe	cobalt_reflective_dll
C:\Windows\system\NDlymSX.exe	cobalt_reflective_dll
\Windows\system\RCFWgKx.exe	cobalt_reflective_dll
\Windows\system\DWbRBQv.exe	cobalt_reflective_dll
C:\Windows\system\wqWgiwh.exe	cobalt_reflective_dll
C:\Windows\system\SkcvFXL.exe	cobalt_reflective_dll
C:\Windows\system\yoZyGvk.exe	cobalt_reflective_dll
\Windows\system\hZMoKcA.exe	cobalt_reflective_dll
C:\Windows\system\BYShBWj.exe	cobalt_reflective_dll
\Windows\system\WrXpaKc.exe	cobalt_reflective_dll
C:\Windows\system\siRxAHg.exe	cobalt_reflective_dll
C:\Windows\system\wNjJlQP.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\gjUzQPu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\layCLCS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\tlnZLfQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pJXMGAn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ktwhyRp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\adkEapm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FyVMFTE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DiBZMza.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\IaJXazR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\naEyrnV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NDlymSX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\RCFWgKx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DWbRBQv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wqWgiwh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SkcvFXL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yoZyGvk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hZMoKcA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BYShBWj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\WrXpaKc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\siRxAHg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wNjJlQP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2884-0-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
\Windows\system\gjUzQPu.exe	UPX
behavioral1/memory/2900-9-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
\Windows\system\layCLCS.exe	UPX
\Windows\system\tlnZLfQ.exe	UPX
behavioral1/memory/2568-29-0x000000013FEE0000-0x0000000140231000-memory.dmp	UPX
behavioral1/memory/3004-28-0x000000013FCB0000-0x0000000140001000-memory.dmp	UPX
C:\Windows\system\pJXMGAn.exe	UPX
behavioral1/memory/2736-15-0x000000013F450000-0x000000013F7A1000-memory.dmp	UPX
C:\Windows\system\ktwhyRp.exe	UPX
behavioral1/memory/2644-39-0x000000013FF50000-0x00000001402A1000-memory.dmp	UPX
behavioral1/memory/2788-43-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
C:\Windows\system\adkEapm.exe	UPX
\Windows\system\FyVMFTE.exe	UPX
C:\Windows\system\DiBZMza.exe	UPX
\Windows\system\IaJXazR.exe	UPX
C:\Windows\system\naEyrnV.exe	UPX
behavioral1/memory/2736-83-0x000000013F450000-0x000000013F7A1000-memory.dmp	UPX
behavioral1/memory/2456-84-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2712-82-0x000000013F310000-0x000000013F661000-memory.dmp	UPX
behavioral1/memory/2520-81-0x000000013FA20000-0x000000013FD71000-memory.dmp	UPX
C:\Windows\system\NDlymSX.exe	UPX
behavioral1/memory/2756-75-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
\Windows\system\RCFWgKx.exe	UPX
behavioral1/memory/1428-91-0x000000013F300000-0x000000013F651000-memory.dmp	UPX
\Windows\system\DWbRBQv.exe	UPX
behavioral1/memory/2672-68-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
C:\Windows\system\wqWgiwh.exe	UPX
behavioral1/memory/2884-55-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
behavioral1/memory/2708-51-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
C:\Windows\system\SkcvFXL.exe	UPX
C:\Windows\system\yoZyGvk.exe	UPX
\Windows\system\hZMoKcA.exe	UPX
C:\Windows\system\BYShBWj.exe	UPX
\Windows\system\WrXpaKc.exe	UPX
C:\Windows\system\siRxAHg.exe	UPX
C:\Windows\system\wNjJlQP.exe	UPX
behavioral1/memory/2644-133-0x000000013FF50000-0x00000001402A1000-memory.dmp	UPX
behavioral1/memory/1820-134-0x000000013F6F0000-0x000000013FA41000-memory.dmp	UPX
behavioral1/memory/2708-137-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
behavioral1/memory/2884-138-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
behavioral1/memory/2672-154-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
behavioral1/memory/1428-151-0x000000013F300000-0x000000013F651000-memory.dmp	UPX
behavioral1/memory/1968-156-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/memory/668-158-0x000000013FFD0000-0x0000000140321000-memory.dmp	UPX
behavioral1/memory/1592-161-0x000000013F3E0000-0x000000013F731000-memory.dmp	UPX
behavioral1/memory/1292-159-0x000000013F480000-0x000000013F7D1000-memory.dmp	UPX
behavioral1/memory/2320-157-0x000000013FF10000-0x0000000140261000-memory.dmp	UPX
behavioral1/memory/2080-160-0x000000013F3C0000-0x000000013F711000-memory.dmp	UPX
behavioral1/memory/320-155-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/2884-163-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
behavioral1/memory/2900-221-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
behavioral1/memory/2736-223-0x000000013F450000-0x000000013F7A1000-memory.dmp	UPX
behavioral1/memory/3004-226-0x000000013FCB0000-0x0000000140001000-memory.dmp	UPX
behavioral1/memory/2568-227-0x000000013FEE0000-0x0000000140231000-memory.dmp	UPX
behavioral1/memory/2644-230-0x000000013FF50000-0x00000001402A1000-memory.dmp	UPX
behavioral1/memory/2788-231-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/2756-234-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
behavioral1/memory/2708-235-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
behavioral1/memory/2672-237-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
behavioral1/memory/2520-240-0x000000013FA20000-0x000000013FD71000-memory.dmp	UPX
behavioral1/memory/2712-241-0x000000013F310000-0x000000013F661000-memory.dmp	UPX
behavioral1/memory/2456-243-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/1428-245-0x000000013F300000-0x000000013F651000-memory.dmp	UPX

XMRig Miner payload 39 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2900-9-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2568-29-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/3004-28-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2788-43-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2736-83-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/2456-84-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2712-82-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2520-81-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2756-75-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2884-55-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2884-58-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2644-133-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/1820-134-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/2708-137-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2884-138-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2672-154-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/1428-151-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1968-156-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/668-158-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/1592-161-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/1292-159-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2320-157-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/2080-160-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/320-155-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2884-163-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2900-221-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2736-223-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/3004-226-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2568-227-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2644-230-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2788-231-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2756-234-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2708-235-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2672-237-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2520-240-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2712-241-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2456-243-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/1428-245-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1820-249-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

gjUzQPu.exelayCLCS.exetlnZLfQ.exepJXMGAn.exektwhyRp.exeadkEapm.exeFyVMFTE.exeDiBZMza.exewqWgiwh.exenaEyrnV.exeIaJXazR.exeNDlymSX.exeRCFWgKx.exeDWbRBQv.exewNjJlQP.exeSkcvFXL.exesiRxAHg.exeyoZyGvk.exeBYShBWj.exehZMoKcA.exeWrXpaKc.exe

pid	process
2900	gjUzQPu.exe
2736	layCLCS.exe
3004	tlnZLfQ.exe
2568	pJXMGAn.exe
2644	ktwhyRp.exe
2788	adkEapm.exe
2708	FyVMFTE.exe
2756	DiBZMza.exe
2672	wqWgiwh.exe
2712	naEyrnV.exe
2520	IaJXazR.exe
2456	NDlymSX.exe
1428	RCFWgKx.exe
1820	DWbRBQv.exe
320	wNjJlQP.exe
1968	SkcvFXL.exe
2320	siRxAHg.exe
668	yoZyGvk.exe
1292	BYShBWj.exe
2080	hZMoKcA.exe
1592	WrXpaKc.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe

pid	process
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2884-0-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
\Windows\system\gjUzQPu.exe	upx
behavioral1/memory/2900-9-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
\Windows\system\layCLCS.exe	upx
\Windows\system\tlnZLfQ.exe	upx
behavioral1/memory/2568-29-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/3004-28-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
C:\Windows\system\pJXMGAn.exe	upx
behavioral1/memory/2736-15-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
C:\Windows\system\ktwhyRp.exe	upx
behavioral1/memory/2644-39-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2788-43-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
C:\Windows\system\adkEapm.exe	upx
\Windows\system\FyVMFTE.exe	upx
C:\Windows\system\DiBZMza.exe	upx
\Windows\system\IaJXazR.exe	upx
C:\Windows\system\naEyrnV.exe	upx
behavioral1/memory/2736-83-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/2456-84-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2712-82-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2520-81-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
C:\Windows\system\NDlymSX.exe	upx
behavioral1/memory/2756-75-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
\Windows\system\RCFWgKx.exe	upx
behavioral1/memory/1428-91-0x000000013F300000-0x000000013F651000-memory.dmp	upx
\Windows\system\DWbRBQv.exe	upx
behavioral1/memory/2672-68-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
C:\Windows\system\wqWgiwh.exe	upx
behavioral1/memory/2884-55-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2708-51-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
C:\Windows\system\SkcvFXL.exe	upx
C:\Windows\system\yoZyGvk.exe	upx
\Windows\system\hZMoKcA.exe	upx
C:\Windows\system\BYShBWj.exe	upx
\Windows\system\WrXpaKc.exe	upx
C:\Windows\system\siRxAHg.exe	upx
C:\Windows\system\wNjJlQP.exe	upx
behavioral1/memory/2644-133-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/1820-134-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
behavioral1/memory/2708-137-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2884-138-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2672-154-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/1428-151-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/1968-156-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/668-158-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/memory/1592-161-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/1292-159-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2320-157-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/2080-160-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/320-155-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2884-163-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2900-221-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2736-223-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/3004-226-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/2568-227-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2644-230-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2788-231-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2756-234-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/2708-235-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2672-237-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2520-240-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2712-241-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2456-243-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/1428-245-0x000000013F300000-0x000000013F651000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\DiBZMza.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NDlymSX.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IaJXazR.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wNjJlQP.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hZMoKcA.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pJXMGAn.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\adkEapm.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RCFWgKx.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\siRxAHg.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WrXpaKc.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gjUzQPu.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\layCLCS.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ktwhyRp.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FyVMFTE.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DWbRBQv.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tlnZLfQ.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\naEyrnV.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wqWgiwh.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SkcvFXL.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yoZyGvk.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BYShBWj.exe	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2884 wrote to memory of 2900	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	gjUzQPu.exe
PID 2884 wrote to memory of 2900	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	gjUzQPu.exe
PID 2884 wrote to memory of 2900	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	gjUzQPu.exe
PID 2884 wrote to memory of 2736	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	layCLCS.exe
PID 2884 wrote to memory of 2736	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	layCLCS.exe
PID 2884 wrote to memory of 2736	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	layCLCS.exe
PID 2884 wrote to memory of 3004	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	tlnZLfQ.exe
PID 2884 wrote to memory of 3004	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	tlnZLfQ.exe
PID 2884 wrote to memory of 3004	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	tlnZLfQ.exe
PID 2884 wrote to memory of 2568	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	pJXMGAn.exe
PID 2884 wrote to memory of 2568	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	pJXMGAn.exe
PID 2884 wrote to memory of 2568	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	pJXMGAn.exe
PID 2884 wrote to memory of 2644	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	ktwhyRp.exe
PID 2884 wrote to memory of 2644	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	ktwhyRp.exe
PID 2884 wrote to memory of 2644	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	ktwhyRp.exe
PID 2884 wrote to memory of 2788	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	adkEapm.exe
PID 2884 wrote to memory of 2788	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	adkEapm.exe
PID 2884 wrote to memory of 2788	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	adkEapm.exe
PID 2884 wrote to memory of 2708	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	FyVMFTE.exe
PID 2884 wrote to memory of 2708	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	FyVMFTE.exe
PID 2884 wrote to memory of 2708	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	FyVMFTE.exe
PID 2884 wrote to memory of 2756	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	DiBZMza.exe
PID 2884 wrote to memory of 2756	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	DiBZMza.exe
PID 2884 wrote to memory of 2756	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	DiBZMza.exe
PID 2884 wrote to memory of 2712	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	naEyrnV.exe
PID 2884 wrote to memory of 2712	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	naEyrnV.exe
PID 2884 wrote to memory of 2712	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	naEyrnV.exe
PID 2884 wrote to memory of 2672	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	wqWgiwh.exe
PID 2884 wrote to memory of 2672	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	wqWgiwh.exe
PID 2884 wrote to memory of 2672	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	wqWgiwh.exe
PID 2884 wrote to memory of 2456	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	NDlymSX.exe
PID 2884 wrote to memory of 2456	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	NDlymSX.exe
PID 2884 wrote to memory of 2456	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	NDlymSX.exe
PID 2884 wrote to memory of 2520	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	IaJXazR.exe
PID 2884 wrote to memory of 2520	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	IaJXazR.exe
PID 2884 wrote to memory of 2520	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	IaJXazR.exe
PID 2884 wrote to memory of 1428	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	RCFWgKx.exe
PID 2884 wrote to memory of 1428	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	RCFWgKx.exe
PID 2884 wrote to memory of 1428	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	RCFWgKx.exe
PID 2884 wrote to memory of 1820	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	DWbRBQv.exe
PID 2884 wrote to memory of 1820	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	DWbRBQv.exe
PID 2884 wrote to memory of 1820	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	DWbRBQv.exe
PID 2884 wrote to memory of 320	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	wNjJlQP.exe
PID 2884 wrote to memory of 320	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	wNjJlQP.exe
PID 2884 wrote to memory of 320	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	wNjJlQP.exe
PID 2884 wrote to memory of 1968	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	SkcvFXL.exe
PID 2884 wrote to memory of 1968	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	SkcvFXL.exe
PID 2884 wrote to memory of 1968	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	SkcvFXL.exe
PID 2884 wrote to memory of 2320	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	siRxAHg.exe
PID 2884 wrote to memory of 2320	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	siRxAHg.exe
PID 2884 wrote to memory of 2320	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	siRxAHg.exe
PID 2884 wrote to memory of 668	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	yoZyGvk.exe
PID 2884 wrote to memory of 668	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	yoZyGvk.exe
PID 2884 wrote to memory of 668	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	yoZyGvk.exe
PID 2884 wrote to memory of 1292	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	BYShBWj.exe
PID 2884 wrote to memory of 1292	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	BYShBWj.exe
PID 2884 wrote to memory of 1292	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	BYShBWj.exe
PID 2884 wrote to memory of 2080	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	hZMoKcA.exe
PID 2884 wrote to memory of 2080	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	hZMoKcA.exe
PID 2884 wrote to memory of 2080	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	hZMoKcA.exe
PID 2884 wrote to memory of 1592	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	WrXpaKc.exe
PID 2884 wrote to memory of 1592	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	WrXpaKc.exe
PID 2884 wrote to memory of 1592	2884	2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe	WrXpaKc.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_feba9a81b63fffdfb7da4f95e1c4b37d_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\System\gjUzQPu.exe
C:\Windows\System\gjUzQPu.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\layCLCS.exe
C:\Windows\System\layCLCS.exe
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\System\tlnZLfQ.exe
C:\Windows\System\tlnZLfQ.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\pJXMGAn.exe
C:\Windows\System\pJXMGAn.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\ktwhyRp.exe
C:\Windows\System\ktwhyRp.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\adkEapm.exe
C:\Windows\System\adkEapm.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\FyVMFTE.exe
C:\Windows\System\FyVMFTE.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\DiBZMza.exe
C:\Windows\System\DiBZMza.exe
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\System\naEyrnV.exe
C:\Windows\System\naEyrnV.exe
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\System\wqWgiwh.exe
C:\Windows\System\wqWgiwh.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\NDlymSX.exe
C:\Windows\System\NDlymSX.exe
2⤵
- Executes dropped EXE
PID:2456

C:\Windows\System\IaJXazR.exe
C:\Windows\System\IaJXazR.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\RCFWgKx.exe
C:\Windows\System\RCFWgKx.exe
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\System\DWbRBQv.exe
C:\Windows\System\DWbRBQv.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\System\wNjJlQP.exe
C:\Windows\System\wNjJlQP.exe
2⤵
- Executes dropped EXE
PID:320

C:\Windows\System\SkcvFXL.exe
C:\Windows\System\SkcvFXL.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\System\siRxAHg.exe
C:\Windows\System\siRxAHg.exe
2⤵
- Executes dropped EXE
PID:2320

C:\Windows\System\yoZyGvk.exe
C:\Windows\System\yoZyGvk.exe
2⤵
- Executes dropped EXE
PID:668

C:\Windows\System\BYShBWj.exe
C:\Windows\System\BYShBWj.exe
2⤵
- Executes dropped EXE
PID:1292

C:\Windows\System\hZMoKcA.exe
C:\Windows\System\hZMoKcA.exe
2⤵
- Executes dropped EXE
PID:2080

C:\Windows\System\WrXpaKc.exe
C:\Windows\System\WrXpaKc.exe
2⤵
- Executes dropped EXE
PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BYShBWj.exe
Filesize
5.2MB

MD5
f3e16659d68be4fba6d56bd0e84c96ba

SHA1
106e7bbbaf823f697342bfae5cf91e5c23734008

SHA256
965f60712f23671a1da231387320ccc36589e1ca2b48b671b744469363551e4d

SHA512
c0013dfdd21cd816aa3468463c8b11296c0f7c94f076f89054b494684ce5a5c3c3fadf1393e1e62b71a853d4305401a8f96029ecb4ebb969f2b88951211dee2e

Download Submit
C:\Windows\system\DiBZMza.exe
Filesize
5.2MB

MD5
ea8dd8f2030362dc905a6d574808316a

SHA1
d351253ea753116081a1127b95189e4029c7d94b

SHA256
df4a0c62639e9c3f3e322db36a2dfd7a4d992d9af64a63dcb7cf3fb2b24dc04d

SHA512
f6fd99f797d871d576873a7d0d1d19d868182fc9ddbc5763a4d36f9dd07da05a3d4e005557ba9494a4b547589c05b6a4fbd9cf2e343ae7819de381c21414cbac

Download Submit
C:\Windows\system\NDlymSX.exe
Filesize
5.2MB

MD5
8eb3263c2914be13b1460c6e51f45df6

SHA1
ec61b71b1ff69dc1b8da0d1b980f6b6df1a242c7

SHA256
4d517cc6f12b926da04550f9e78e02f5ead7515e5580b4b8236a8d639074601c

SHA512
ef15dc1d87c7a001bbd1deef4cc79e51431ca576c4d07013b0a55ce7ea1f9dc756a918902451356d801c797e7a5edf42d497b3afef431d3f3ced704d0f2f39d3

Download Submit
C:\Windows\system\SkcvFXL.exe
Filesize
5.2MB

MD5
cebc1dbeb28a379a8c205820de76b902

SHA1
65c42637352002d153fd71464c4ca771e72e6d80

SHA256
23b5ac6f46fcc51079bb1d9efef29915bb9439c1577242cd180674821f561b9e

SHA512
05426734f0ba5c60921113449413b3076950692fbbf1d2011087522bc1367211ebdd7bad540f6a9821aeee351df9e628e037cb89ce2fdf8c9b0906002d07bdd9

Download Submit
C:\Windows\system\adkEapm.exe
Filesize
5.2MB

MD5
93170dfbfd54c59c1e569c7c820dd948

SHA1
d54eb35345c153524a5e0f3452a0cfca1da705c8

SHA256
a2ed0b4f52c29e1021ec23815468897a8e1770d04f6b0fee2eee4d899993c0f0

SHA512
bd632a4ae87a8ec683b6e474350c0249e1ff0b932463ff9989616f01a34f38c2c19cfd5420e6a8ec36a1e2fea9e6632a04a08ccf2a6cf9af9f01704401ec2f39

Download Submit
C:\Windows\system\ktwhyRp.exe
Filesize
5.2MB

MD5
4a31c39e46cb7e92a2e896dae5d50a36

SHA1
bda3174d8f4ad33e62488ec2fde377fb80066df6

SHA256
cd57f7b6800f981cae44d2bcba0d6c335b445cd2196f185d3fa0f4b52fb7eae7

SHA512
e980ed66f8196c45e511080923f3220081b1a233704885b185d23f3c60c0fd48e05d2e18c32a68def537e5180c2411d66a644a4823edfaba7cd0135e9ad17b5e

Download Submit
C:\Windows\system\naEyrnV.exe
Filesize
5.2MB

MD5
174896a4f435924c63c5f88cba47634c

SHA1
ef263a055888232365bb43115e978227ce34f0e2

SHA256
629be9a2b891363c585930f1d3f4770b4bb9de2b67fce57ffa229026ba448a23

SHA512
da2dec30cb541d582b419b86c1b850358f39127c9ae41b518affc95bd97a1f8da247585eaf905eef1df8b812c52030a115fd4f15568e5437478490a214412bb8

Download Submit
C:\Windows\system\pJXMGAn.exe
Filesize
5.2MB

MD5
df33341e65914aec0e236589acf83ef1

SHA1
eeec667acd94ba5970b69a3b43ee870e36fc3950

SHA256
53feeddce2463e8dde82303a20b5b5a1004cae262c37c2affedb329fe88a2a57

SHA512
1e795c28a287b84644efebb65b0efdef30a9efbb3075dfd1580f77d52953ada84006aa7fdf5bf84f18ed53c213700b58fa56890ae964fca4421b904481c2f17c

Download Submit
C:\Windows\system\siRxAHg.exe
Filesize
5.2MB

MD5
1ea0204058a274106583ad6f898790b0

SHA1
50950748ff4b2fd0b7b193ae286c560357d6f9d3

SHA256
4f1c938c96a9fb3b5d50240ff27b56aafa135e1d079943e22d0e9ea5adacb759

SHA512
067bd62493ae9bd5ce2f78556603c02eb3e6d28483433753c3f5d1283315895bba6323d044a5aa368658190b1ac54975072aa105f9bca6cf54b48b472b9dbe98

Download Submit
C:\Windows\system\wNjJlQP.exe
Filesize
5.2MB

MD5
1a8e6e2cb3f1e7a831226dec8a5e8f7d

SHA1
b59e79a9d52dbb76c0f468b7cdb239a63584b09f

SHA256
8138303b29af88c0ac06395801f40be3956497d878eab60fb58ef0a2a9cc9211

SHA512
0e95b6fa45497df645acfa6ece77a4ee368e1d872ede6e6ae1c1451fd92f460c7db0db4634d8907ca1cb1ae6722d2ed896df16d31638779cb68f259d7e73471e

Download Submit
C:\Windows\system\wqWgiwh.exe
Filesize
5.2MB

MD5
5fdea7f5b1dd5ad6b0395eb099f7e197

SHA1
382258fe1c2a942d7c35f0453144a58394a18db8

SHA256
0c15f06695e9a3b4e4b0d3bee64befb90610527107b8047c26c958f4ccd1bb5d

SHA512
df55255934c5388162a0b3e18c1fd9b957ec81c38e803cac3aaa8822204f8330b549a3028ab8d33d4172973ab7cc37abd9b55238a03c786273a94ee0ef3c45a3

Download Submit
C:\Windows\system\yoZyGvk.exe
Filesize
5.2MB

MD5
66609d0ca8f4d48f5ce38bff2fa5279e

SHA1
090747f9f6d37c85f0b17e355e510670a789ac2a

SHA256
4e69ef893b0fa5cafde3b302db024cd5173ab5000b09daf5a27e1f65910ff3a5

SHA512
232d51f92836cc4657c890844f418efe7d4045479f3eb9bcb6b1636122dcb91f3d3a9f280915744924681533cc8244dac14cd9022da61139d804a5aa25e06397

Download Submit
\Windows\system\DWbRBQv.exe
Filesize
5.2MB

MD5
9668878607863c4ba6eba921905217a9

SHA1
3af8ca01a0b9d0fd90b2c64ee635fb81678573ad

SHA256
4c2c778e5971da2e694485f98882629d6cd7e843f7f62d2079cff80e5fcb975d

SHA512
7f1db5e3aa61a738a3fc7cd30809ef6c214d309c40141dfcb3d89e50323ee55c18c3c83d9a75313c1429f99c13447daf6689e85961cc78640a277b521d693d16

Download Submit
\Windows\system\FyVMFTE.exe
Filesize
5.2MB

MD5
76574cf423cf7578649d44d3fd3cd76f

SHA1
46f1f4e23eebc37051e9cd7685eeaaa73d83a61a

SHA256
ec763f0f42de8333be3f47b3a67b4794bda6bf612fb54eb1d0d614d09187f118

SHA512
ad0d256cf01313538a0e5b05235f20901ef598dadeef2f9f8598681b9cb508a51be3ec7e5ab150e10a3b7440e817d4ac226b8c74d44f00acde5ff5198cf654a3

Download Submit
\Windows\system\IaJXazR.exe
Filesize
5.2MB

MD5
feb0c17f8543dff56ea99d372c290b38

SHA1
7ad317906a54bfcf072430ee988d6a5b4edd8018

SHA256
32db004d67ec8dc1ce7e5c5c580eae607c53812bf60c18e83e64bdd1d2f1544f

SHA512
2d85a308d38d799c5ed8d0dc9bafc086994df2ad1517241f16392e22ff640e0d3dc0bcc0f6ab14d978ddeb3d26167692e92df5c42eed72dc58c5e346b83dcf60

Download Submit
\Windows\system\RCFWgKx.exe
Filesize
5.2MB

MD5
cd66a54cbc8dd9d949f54cadcc5ae522

SHA1
8bd189244ed53803958ff90b06bfc3379dd0b15e

SHA256
2a6cc392caeee5ffcb5046229fe1e01172106250d159b09a7ecd5c8f49356d4c

SHA512
ca4443f9e57bafa6e6d7644a2676b2d418c7985dde3802ba6287a8f5f4dbc82a9ece1d599db5bdd2d04ad78a7380e254a1f25712236710666d81d28b01eebcaf

Download Submit
\Windows\system\WrXpaKc.exe
Filesize
5.2MB

MD5
9c3cdd2628b5398636792bdc2236e20a

SHA1
aca7b7f21eb76339363ec3ba964de068b9277177

SHA256
311e3d186f2d1ebf343374a89e7dc6de1e811a6b315f3dcf53beac3b8898cd76

SHA512
f66a99768ba7b8372230804bc4c0c8d4fa0758e31ec6f6d73ea73879ace5545672f4635f01a4384406c20b441182b19b30dc087efeac0b4ca722491047ec67cc

Download Submit
\Windows\system\gjUzQPu.exe
Filesize
5.2MB

MD5
2b2521d80ed2f918993803b6ebe5538a

SHA1
f2080ca243203a05cf32de9d546934c830e28473

SHA256
9a32db819966ce6bf09383356c916175a3c6fd7ba6ed0e14d7f6e408a4583d20

SHA512
414a11709a8adadab631737c92405502f9dc59e7ee6a4d1b2917b734d199a594441e5768b877e66656dad6b3f0bc8f49d21eff5f8ec5505f0db4515ead58b643

Download Submit
\Windows\system\hZMoKcA.exe
Filesize
5.2MB

MD5
1498158a2947713c59a0707bc873bf43

SHA1
f5f184648ac8724d3f2979202edc20fe0dd5be34

SHA256
290b4e901346bb9aa17c2f958b44f2013051252384da404e79ad2d8e308824a8

SHA512
3e0a6a4c85245ac7307cfc511dff26099991182d36e1b20b8952fe081fd6eb7d608f722e8fdf9cf49ec9b9abaf70189edc3a16df3a6bdd6315cb275590aee923

Download Submit
\Windows\system\layCLCS.exe
Filesize
5.2MB

MD5
8c1e802d02a62a337628f360e0e86b4b

SHA1
0160fee6ba8a3d76469ef9eeb2c5a2dd718b9974

SHA256
8fe26b48a82a45207995155936450c38d1f724e7f8e1b2c3f3d3f952021d31b4

SHA512
08e1467adaf4bb8bed098e768555a89762b442d3b37dedfe04e1af69968a63607bc4e7380c4b5d0a864c90c52abe0b1cb16f67d985127f1ee3fd2565d2d71310

Download Submit
\Windows\system\tlnZLfQ.exe
Filesize
5.2MB

MD5
5cdf6e8b7c83c900ddd946ed8f3a1936

SHA1
c158680c8c122d5dbf504b65f1cafa10b9015a25

SHA256
665d287f906d703856639ef7abe4ecee06d0926aa86f33e2deddeb4fa39e87e4

SHA512
b221cead4f04cc9a7454da01954811f499655d1dae4fa80a9d3969143a7c9d0c47b324d1d4925f8a3485cd73ec29b963b7382ba2e541e4ec9c3ab18c53a9a466

Download Submit
memory/320-155-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/668-158-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/1292-159-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-91-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1428-245-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1428-151-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1592-161-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1820-134-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1820-249-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1968-156-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2080-160-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2320-157-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2456-243-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-84-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-81-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2520-240-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2568-227-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2568-29-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2644-133-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-39-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-230-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2672-237-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2672-68-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2672-154-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2708-235-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-137-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-51-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-241-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2712-82-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2736-15-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-83-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-223-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-75-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-234-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-231-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2788-43-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2884-135-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-58-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-79-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2884-138-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-0-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-162-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2884-136-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-8-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2884-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2884-163-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-90-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2884-88-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-42-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-25-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2884-13-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-36-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-153-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-55-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-72-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-94-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-221-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2900-9-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/3004-226-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/3004-28-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download