cobaltstrike | b1e2ee470b78ae5b34e997c2adab810dac726ee69ea7526774c134d487304303

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

f8ee575b38e5e8cb77defb63bb547570
SHA1

278c201404a9c37ba1a860ac18f81adc77e254a8
SHA256

b1e2ee470b78ae5b34e997c2adab810dac726ee69ea7526774c134d487304303
SHA512

dc37534470e319257ac9539677665f3b65b79e157e0116326ebc57c5f6e09b7bb68168ad96e63794506a2129eb814b39fd3cf5ff45573e6976b9f440df193338
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUj:Q+856utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000f000000012028-3.dat	cobalt_reflective_dll
behavioral1/files/0x00360000000144c0-9.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014723-11.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001472b-24.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014749-36.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001473f-40.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000014531-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cdf-62.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015b6e-69.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cf0-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d3b-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d73-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d90-134.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d83-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d7b-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d53-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d24-103.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d12-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d08-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ce8-75.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014a10-47.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000f000000012028-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00360000000144c0-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014723-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001472b-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014749-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001473f-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0036000000014531-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cdf-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015b6e-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cf0-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d3b-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d73-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d90-134.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d83-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d7b-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d53-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d24-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d12-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d08-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ce8-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014a10-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/956-0-0x000000013F0B0000-0x000000013F404000-memory.dmp	UPX
behavioral1/files/0x000f000000012028-3.dat	UPX
behavioral1/memory/2084-7-0x000000013F680000-0x000000013F9D4000-memory.dmp	UPX
behavioral1/files/0x00360000000144c0-9.dat	UPX
behavioral1/memory/2080-14-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/files/0x0007000000014723-11.dat	UPX
behavioral1/memory/2600-21-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/files/0x000700000001472b-24.dat	UPX
behavioral1/files/0x0007000000014749-36.dat	UPX
behavioral1/files/0x000700000001473f-40.dat	UPX
behavioral1/memory/956-41-0x000000013F0B0000-0x000000013F404000-memory.dmp	UPX
behavioral1/memory/1316-42-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/2628-38-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
behavioral1/memory/2732-31-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/files/0x0036000000014531-53.dat	UPX
behavioral1/memory/2696-49-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
behavioral1/memory/1976-56-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2084-48-0x000000013F680000-0x000000013F9D4000-memory.dmp	UPX
behavioral1/files/0x0006000000015cdf-62.dat	UPX
behavioral1/files/0x0007000000015b6e-69.dat	UPX
behavioral1/memory/2512-70-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/files/0x0006000000015cf0-83.dat	UPX
behavioral1/memory/1984-86-0x000000013F770000-0x000000013FAC4000-memory.dmp	UPX
behavioral1/memory/1920-93-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/files/0x0006000000015d3b-109.dat	UPX
behavioral1/files/0x0006000000015d73-119.dat	UPX
behavioral1/files/0x0006000000015d90-134.dat	UPX
behavioral1/files/0x0006000000015d83-129.dat	UPX
behavioral1/files/0x0006000000015d7b-124.dat	UPX
behavioral1/files/0x0006000000015d53-114.dat	UPX
behavioral1/memory/1976-137-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2696-105-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
behavioral1/files/0x0006000000015d24-103.dat	UPX
behavioral1/memory/2496-98-0x000000013F0C0000-0x000000013F414000-memory.dmp	UPX
behavioral1/memory/1316-92-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/files/0x0006000000015d12-97.dat	UPX
behavioral1/files/0x0006000000015d08-90.dat	UPX
behavioral1/memory/1360-79-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/2628-77-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
behavioral1/files/0x0006000000015ce8-75.dat	UPX
behavioral1/memory/2080-60-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/memory/2572-68-0x000000013F2F0000-0x000000013F644000-memory.dmp	UPX
behavioral1/memory/2600-64-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/files/0x0008000000014a10-47.dat	UPX
behavioral1/memory/2572-140-0x000000013F2F0000-0x000000013F644000-memory.dmp	UPX
behavioral1/memory/2512-142-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/1360-144-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/1984-145-0x000000013F770000-0x000000013FAC4000-memory.dmp	UPX
behavioral1/memory/1920-146-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2496-147-0x000000013F0C0000-0x000000013F414000-memory.dmp	UPX
behavioral1/memory/2084-148-0x000000013F680000-0x000000013F9D4000-memory.dmp	UPX
behavioral1/memory/2080-149-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/memory/2600-150-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2732-151-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/memory/2628-152-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
behavioral1/memory/1316-153-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/1976-154-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2572-155-0x000000013F2F0000-0x000000013F644000-memory.dmp	UPX
behavioral1/memory/2512-156-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/1984-157-0x000000013F770000-0x000000013FAC4000-memory.dmp	UPX
behavioral1/memory/1360-158-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/1920-159-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2496-160-0x000000013F0C0000-0x000000013F414000-memory.dmp	UPX
behavioral1/memory/2696-161-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/956-0-0x000000013F0B0000-0x000000013F404000-memory.dmp	xmrig
behavioral1/files/0x000f000000012028-3.dat	xmrig
behavioral1/memory/2084-7-0x000000013F680000-0x000000013F9D4000-memory.dmp	xmrig
behavioral1/files/0x00360000000144c0-9.dat	xmrig
behavioral1/memory/2080-14-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/files/0x0007000000014723-11.dat	xmrig
behavioral1/memory/2600-21-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/files/0x000700000001472b-24.dat	xmrig
behavioral1/files/0x0007000000014749-36.dat	xmrig
behavioral1/files/0x000700000001473f-40.dat	xmrig
behavioral1/memory/956-41-0x000000013F0B0000-0x000000013F404000-memory.dmp	xmrig
behavioral1/memory/1316-42-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2628-38-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/memory/2732-31-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/files/0x0036000000014531-53.dat	xmrig
behavioral1/memory/2696-49-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/1976-56-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2084-48-0x000000013F680000-0x000000013F9D4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cdf-62.dat	xmrig
behavioral1/memory/956-67-0x0000000002500000-0x0000000002854000-memory.dmp	xmrig
behavioral1/files/0x0007000000015b6e-69.dat	xmrig
behavioral1/memory/2512-70-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cf0-83.dat	xmrig
behavioral1/memory/1984-86-0x000000013F770000-0x000000013FAC4000-memory.dmp	xmrig
behavioral1/memory/1920-93-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d3b-109.dat	xmrig
behavioral1/files/0x0006000000015d73-119.dat	xmrig
behavioral1/files/0x0006000000015d90-134.dat	xmrig
behavioral1/files/0x0006000000015d83-129.dat	xmrig
behavioral1/files/0x0006000000015d7b-124.dat	xmrig
behavioral1/files/0x0006000000015d53-114.dat	xmrig
behavioral1/memory/1976-137-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2696-105-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d24-103.dat	xmrig
behavioral1/memory/2496-98-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/1316-92-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d12-97.dat	xmrig
behavioral1/files/0x0006000000015d08-90.dat	xmrig
behavioral1/memory/1360-79-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/956-78-0x0000000002500000-0x0000000002854000-memory.dmp	xmrig
behavioral1/memory/956-138-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2628-77-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/files/0x0006000000015ce8-75.dat	xmrig
behavioral1/memory/2080-60-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2572-68-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2600-64-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/files/0x0008000000014a10-47.dat	xmrig
behavioral1/memory/956-34-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/956-139-0x0000000002500000-0x0000000002854000-memory.dmp	xmrig
behavioral1/memory/2572-140-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2512-142-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/1360-144-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/1984-145-0x000000013F770000-0x000000013FAC4000-memory.dmp	xmrig
behavioral1/memory/1920-146-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2496-147-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/2084-148-0x000000013F680000-0x000000013F9D4000-memory.dmp	xmrig
behavioral1/memory/2080-149-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2600-150-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2732-151-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/memory/2628-152-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/memory/1316-153-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/1976-154-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2572-155-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2512-156-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2084	BnicaCV.exe
2080	pLJbyxh.exe
2600	OaIYEsJ.exe
2732	qNJpXRf.exe
2628	kOkCiMD.exe
1316	dtDxcpx.exe
2696	HzTfXok.exe
1976	hgvsvNT.exe
2572	kPBlUAw.exe
2512	ukBoXCN.exe
1360	XdfSYMU.exe
1984	DZTVzzA.exe
1920	KUAEVRb.exe
2496	ZqazLCv.exe
1092	yajQtlu.exe
304	nZGluPc.exe
1440	IYOFjpZ.exe
1324	LCvHurl.exe
2428	NiZOEag.exe
2440	hLLcElS.exe
2312	UeaBQFR.exe

Loads dropped DLL 21 IoCs

pid	Process
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/956-0-0x000000013F0B0000-0x000000013F404000-memory.dmp	upx
behavioral1/files/0x000f000000012028-3.dat	upx
behavioral1/memory/2084-7-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx
behavioral1/files/0x00360000000144c0-9.dat	upx
behavioral1/memory/2080-14-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/files/0x0007000000014723-11.dat	upx
behavioral1/memory/2600-21-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/files/0x000700000001472b-24.dat	upx
behavioral1/files/0x0007000000014749-36.dat	upx
behavioral1/files/0x000700000001473f-40.dat	upx
behavioral1/memory/956-41-0x000000013F0B0000-0x000000013F404000-memory.dmp	upx
behavioral1/memory/1316-42-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2628-38-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/memory/2732-31-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/files/0x0036000000014531-53.dat	upx
behavioral1/memory/2696-49-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/1976-56-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2084-48-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx
behavioral1/files/0x0006000000015cdf-62.dat	upx
behavioral1/files/0x0007000000015b6e-69.dat	upx
behavioral1/memory/2512-70-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/files/0x0006000000015cf0-83.dat	upx
behavioral1/memory/1984-86-0x000000013F770000-0x000000013FAC4000-memory.dmp	upx
behavioral1/memory/1920-93-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/files/0x0006000000015d3b-109.dat	upx
behavioral1/files/0x0006000000015d73-119.dat	upx
behavioral1/files/0x0006000000015d90-134.dat	upx
behavioral1/files/0x0006000000015d83-129.dat	upx
behavioral1/files/0x0006000000015d7b-124.dat	upx
behavioral1/files/0x0006000000015d53-114.dat	upx
behavioral1/memory/1976-137-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2696-105-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/files/0x0006000000015d24-103.dat	upx
behavioral1/memory/2496-98-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/1316-92-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/files/0x0006000000015d12-97.dat	upx
behavioral1/files/0x0006000000015d08-90.dat	upx
behavioral1/memory/1360-79-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2628-77-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/files/0x0006000000015ce8-75.dat	upx
behavioral1/memory/2080-60-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/memory/2572-68-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2600-64-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/files/0x0008000000014a10-47.dat	upx
behavioral1/memory/2572-140-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2512-142-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/1360-144-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/1984-145-0x000000013F770000-0x000000013FAC4000-memory.dmp	upx
behavioral1/memory/1920-146-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2496-147-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2084-148-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx
behavioral1/memory/2080-149-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/memory/2600-150-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2732-151-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/memory/2628-152-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/memory/1316-153-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/1976-154-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2572-155-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2512-156-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/1984-157-0x000000013F770000-0x000000013FAC4000-memory.dmp	upx
behavioral1/memory/1360-158-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/1920-159-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2496-160-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2696-161-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hgvsvNT.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IYOFjpZ.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LCvHurl.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OaIYEsJ.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qNJpXRf.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dtDxcpx.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ukBoXCN.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZqazLCv.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pLJbyxh.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kOkCiMD.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kPBlUAw.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XdfSYMU.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DZTVzzA.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nZGluPc.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NiZOEag.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UeaBQFR.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BnicaCV.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HzTfXok.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KUAEVRb.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yajQtlu.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hLLcElS.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2084	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	30
PID 956 wrote to memory of 2084	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	30
PID 956 wrote to memory of 2084	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	30
PID 956 wrote to memory of 2080	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	31
PID 956 wrote to memory of 2080	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	31
PID 956 wrote to memory of 2080	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	31
PID 956 wrote to memory of 2600	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	32
PID 956 wrote to memory of 2600	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	32
PID 956 wrote to memory of 2600	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	32
PID 956 wrote to memory of 2732	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	33
PID 956 wrote to memory of 2732	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	33
PID 956 wrote to memory of 2732	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	33
PID 956 wrote to memory of 1316	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	34
PID 956 wrote to memory of 1316	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	34
PID 956 wrote to memory of 1316	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	34
PID 956 wrote to memory of 2628	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	35
PID 956 wrote to memory of 2628	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	35
PID 956 wrote to memory of 2628	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	35
PID 956 wrote to memory of 2696	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	36
PID 956 wrote to memory of 2696	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	36
PID 956 wrote to memory of 2696	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	36
PID 956 wrote to memory of 1976	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	37
PID 956 wrote to memory of 1976	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	37
PID 956 wrote to memory of 1976	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	37
PID 956 wrote to memory of 2512	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	38
PID 956 wrote to memory of 2512	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	38
PID 956 wrote to memory of 2512	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	38
PID 956 wrote to memory of 2572	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	39
PID 956 wrote to memory of 2572	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	39
PID 956 wrote to memory of 2572	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	39
PID 956 wrote to memory of 1360	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	40
PID 956 wrote to memory of 1360	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	40
PID 956 wrote to memory of 1360	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	40
PID 956 wrote to memory of 1984	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	41
PID 956 wrote to memory of 1984	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	41
PID 956 wrote to memory of 1984	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	41
PID 956 wrote to memory of 1920	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	42
PID 956 wrote to memory of 1920	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	42
PID 956 wrote to memory of 1920	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	42
PID 956 wrote to memory of 2496	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	43
PID 956 wrote to memory of 2496	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	43
PID 956 wrote to memory of 2496	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	43
PID 956 wrote to memory of 1092	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	44
PID 956 wrote to memory of 1092	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	44
PID 956 wrote to memory of 1092	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	44
PID 956 wrote to memory of 304	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	45
PID 956 wrote to memory of 304	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	45
PID 956 wrote to memory of 304	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	45
PID 956 wrote to memory of 1440	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	46
PID 956 wrote to memory of 1440	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	46
PID 956 wrote to memory of 1440	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	46
PID 956 wrote to memory of 1324	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	47
PID 956 wrote to memory of 1324	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	47
PID 956 wrote to memory of 1324	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	47
PID 956 wrote to memory of 2428	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	48
PID 956 wrote to memory of 2428	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	48
PID 956 wrote to memory of 2428	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	48
PID 956 wrote to memory of 2440	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	49
PID 956 wrote to memory of 2440	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	49
PID 956 wrote to memory of 2440	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	49
PID 956 wrote to memory of 2312	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	50
PID 956 wrote to memory of 2312	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	50
PID 956 wrote to memory of 2312	956	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	50

C:\Users\Admin\AppData\Local\Temp\2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\System\BnicaCV.exe
  C:\Windows\System\BnicaCV.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\pLJbyxh.exe
  C:\Windows\System\pLJbyxh.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\OaIYEsJ.exe
  C:\Windows\System\OaIYEsJ.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\qNJpXRf.exe
  C:\Windows\System\qNJpXRf.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\dtDxcpx.exe
  C:\Windows\System\dtDxcpx.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\kOkCiMD.exe
  C:\Windows\System\kOkCiMD.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\HzTfXok.exe
  C:\Windows\System\HzTfXok.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\hgvsvNT.exe
  C:\Windows\System\hgvsvNT.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\ukBoXCN.exe
  C:\Windows\System\ukBoXCN.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\kPBlUAw.exe
  C:\Windows\System\kPBlUAw.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\XdfSYMU.exe
  C:\Windows\System\XdfSYMU.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\DZTVzzA.exe
  C:\Windows\System\DZTVzzA.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\KUAEVRb.exe
  C:\Windows\System\KUAEVRb.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\ZqazLCv.exe
  C:\Windows\System\ZqazLCv.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\yajQtlu.exe
  C:\Windows\System\yajQtlu.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\nZGluPc.exe
  C:\Windows\System\nZGluPc.exe
  2⤵
  - Executes dropped EXE
  PID:304
- C:\Windows\System\IYOFjpZ.exe
  C:\Windows\System\IYOFjpZ.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\LCvHurl.exe
  C:\Windows\System\LCvHurl.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\NiZOEag.exe
  C:\Windows\System\NiZOEag.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\hLLcElS.exe
  C:\Windows\System\hLLcElS.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\UeaBQFR.exe
  C:\Windows\System\UeaBQFR.exe
  2⤵
  - Executes dropped EXE
  PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DZTVzzA.exe

Filesize
5.9MB

MD5
7791508e29529391c8df1cf2e085618c

SHA1
bad43dfdc7b458c33a45affdecac635e441ce09e

SHA256
b9c1f67f595738917ca1fc5f29e368199c87b777e8ae001bec8fad1d353a0f06

SHA512
c272d9afb746a934b9f4ee26c730f0cf4540200fa8663e28ef68f84b287cc3830408d944c3e1af4932f01ee789b468f9083f3fbf80efa86253b9b9dbfa8bd3a5

Download Submit
C:\Windows\system\HzTfXok.exe

Filesize
5.9MB

MD5
9d99c95703f806343f851e12d2fd2ba7

SHA1
1a0f89222323cf18f2ed5af05688022f109b737b

SHA256
80d3d3637c0093d799178037a6720e3d88a8d14c518de2097c46388a687603c7

SHA512
90317de3eaa5b9895d862ca777c3e9c8689f0f90db3cfbf8172f98726f0b72c885287bf7974011a18e9217da977d1d64196a410d6da244aa341cef13b2353f49

Download Submit
C:\Windows\system\IYOFjpZ.exe

Filesize
5.9MB

MD5
9aa0eb5444ee43b5172f4babb3d87fb0

SHA1
4d949c5e95f024beeb9d07a3b0b442f22bc47c6a

SHA256
ede67bc880897d91700296241eb7092e0d0b0cdd6969a9761429bb10afe202db

SHA512
4235aac318760fd78b335b941aeb891fdb8038487bb091e0047a9c43c9d8fcb7cc161ace6272b33f9d6061c972b0f3975ff3bf9e507c4123d7a2a4637f2def27

Download Submit
C:\Windows\system\KUAEVRb.exe

Filesize
5.9MB

MD5
94b74ec19329d9f40526036cec4c9194

SHA1
906db98f3b2d14b4bc700c8a4c10c7156b5588bd

SHA256
864f258a467390c00c157a41b1be85e26c73e0b2d619cee308b7c077b0c10b78

SHA512
48e318c2dea3e8b3570daf9bc1ea03398afa6f11861d5bd1949be63086dec6cc320cf2d4afba2ea3c7cd29fccd2e1fdb168a0e1fdec80b243e3d69e442478f42

Download Submit
C:\Windows\system\LCvHurl.exe

Filesize
5.9MB

MD5
e32bd85ccac33a811bd706721ce7123f

SHA1
ee3c49f9f11ad161e89528b08c1a6ffb87b7cb9f

SHA256
f1ff07543588664314236176a640bde71f919b53b6f4096e81a63d89909698b3

SHA512
f34409ea6c09ef9b7f541b35c666f45094ed992d768d6a5f2def594673264edd8f59c31cb48e9e1c54147eb709e613bccebea174e4858b5dde0291072960bdcf

Download Submit
C:\Windows\system\NiZOEag.exe

Filesize
5.9MB

MD5
9a77dec0bd45bd8f887e688772cb055d

SHA1
1d105c3b7537a6719ffdb4a7423d68521b11be17

SHA256
e68af106cd397dc07f8c5204f6f4e1ae571383525c09ec8d7854f6553f27929e

SHA512
1640517aaf0616d737404ac7acf9862000f3657477220298dd15495af25a6d6da44251efa7502e39303b31d6bc2ba72ac6dce02d95a6ad104416f75b8e280bbb

Download Submit
C:\Windows\system\OaIYEsJ.exe

Filesize
5.9MB

MD5
3f8ec3e3a0507413752287ccbc002cf4

SHA1
6dd579189bb4718a3587f011028d0ff0088ce0b6

SHA256
84b42eab4646cc083331b64cb699d50565e378756ed2fa8d845910d621155fdd

SHA512
3ad6f6dc0b9650a9496d800cf0a287b06b052f9ea1081eb31742c31751fb0dafc2875b80fa6b8ae452ff65c9d60073f1f47f694fa13c256db60c6d60f6a5271b

Download Submit
C:\Windows\system\UeaBQFR.exe

Filesize
5.9MB

MD5
6093db0ddbfb561f4878f386d7c83b90

SHA1
ecb546fcaefb309974fd47cafd4522cd60bfe938

SHA256
6649e026420af3aac236191a522e230396c2f64142a8b3387ab5ae852819b35b

SHA512
369fd3ec36e9d1f84d3cd92f83a1a424cc3830156ee2ed4069eef5e131e87dc537f817f5e2357f0f063ed7bd121510901f8769e594f6f8d247150a4330fa6fce

Download Submit
C:\Windows\system\XdfSYMU.exe

Filesize
5.9MB

MD5
4d94d8b0119377dddd273c557bc3f163

SHA1
a49baee21cce1c249776e0dabc3a7f75c3b6b19b

SHA256
5ce6bd48782c34b016799eff6357800f97535f29717838b5ff642773d3b21671

SHA512
edad15cbdb7be5ced5d312b77ae5a1c23ff84a39480a8fce6433bda495174826b5331ba28004ca435a68ffa2629f512beed0c8261950b8aa1f68f98b08e8cbbe

Download Submit
C:\Windows\system\ZqazLCv.exe

Filesize
5.9MB

MD5
19d5d7a97d444c3ca097d2b9c481c6c6

SHA1
e400ad22201179ef6e076210b7e9d7d335e9cb8f

SHA256
8f0486d9ab9b164ca5aeb0bb2b290d5d73172df2eca6173f96f0edd461824f06

SHA512
1e67d496715853b1f2a31793b52a19a8b2f1cebe805322d31aa0bc603ace4b11752e65e58303bbde00e324ada8a52f42c4f0173074f5aeb602785d53329da71e

Download Submit
C:\Windows\system\dtDxcpx.exe

Filesize
5.9MB

MD5
841d687f3479d7962731117e68c6dd58

SHA1
a6d04f5aa4ecbba37a25f4c8d5c82980367f512f

SHA256
6771819c6819e8e9fd2944b07a77fd5a04239d8692b2208f74d544ab5fb89f95

SHA512
8b8eb12da4c7152ef5428283036cd9be4b7b84c75a3c7c2faec227829b15f720db42fdf936e731c2033f171ec6ca6fa21e331e6bdb98e62fdced9dc258c3cbc6

Download Submit
C:\Windows\system\hLLcElS.exe

Filesize
5.9MB

MD5
ca471c89199d4c787c089a5fe38c5c52

SHA1
ee8c5d205f683166efffc70a3c5505b1a05615fd

SHA256
ad726df3ace160f02fcd4562110d14833681d7703e1cce05227c3cb1a8d1a9de

SHA512
e05a61317068665c43e0f8da5f959cc41570e19380b8237c2b90d5d309ffc16fd1c8293e750a66489946c60c247c09a65263aa29273878959603776bace5f9e6

Download Submit
C:\Windows\system\hgvsvNT.exe

Filesize
5.9MB

MD5
a02123b64f3e4baf4407b8015f6ff89f

SHA1
c607d1a46e4b50d9850489f4dce13e9e0127bb08

SHA256
2b9a1ca872351d12ac72d075eeb50d196ed85050d0f57109e76972aa3b203267

SHA512
7d461d6dd8193a61c2cb3f9e521b59f008c3a2c363d8e60593cbd88abe1a5e0c120df1dca63bdcb4a61e0fa8bac7512298a29529a2c5bbf1e844aad0ad007656

Download Submit
C:\Windows\system\kOkCiMD.exe

Filesize
5.9MB

MD5
63a3810604c31ae1bb4e1ee0d8add961

SHA1
eadada4dc622b1a6aeba18fadd1c30ceeee61381

SHA256
caaf38230c56a4f57389efd27abdd9500de8089842d425ed7a0574c1bed154c5

SHA512
55ada4d4f9d680c3af4b86b59be81b8f68b6978a1879d50384a0617a5c815b1b42199ebefdb9b820270843a3040738012bf148c360913437f054ef984cde7a3f

Download Submit
C:\Windows\system\nZGluPc.exe

Filesize
5.9MB

MD5
c6672cbf5dfad2dcafc2057ba22c516c

SHA1
17b024ef372e66068d8f88864ba0abbd87791758

SHA256
da68aed2dc02fe7645c74149c7a92b7651c5a7a19c7f7dcf42172a7a0da18d86

SHA512
a39a10f44035eb4aa116dc0c17ae8b2a3a48eccb9777475ee2293a7e54df6a564fde6bcd555093e095b42540db1761f6b586e36a523ff504223454174ca548d0

Download Submit
C:\Windows\system\qNJpXRf.exe

Filesize
5.9MB

MD5
c1dcc755511d636e95e4aefbcf1892be

SHA1
1d3c40afc68ba4c79d68436c638fa2962679b96c

SHA256
ce44974c2281082a522d59262babed1fcb3c2868bad40924c995cb487a3a76e8

SHA512
d25d47a1a1632d406d2e181f90a119a724952e97b576dff2fdacc03ca9649111606eea135686e34fcee8dc0ae93dc203d92cb01ecf112233489e99ff14484e9a

Download Submit
C:\Windows\system\ukBoXCN.exe

Filesize
5.9MB

MD5
9256c2f1d9814a31541f79d4dbf387b7

SHA1
4fc4796e08d5b383a3e876cee9e1b6bf427f0c5d

SHA256
9307a6e183b4c215fca78ee67125d961490ea9e66d22a3b58c8763abfdd3cabf

SHA512
ca28aa70831c7d28ba1237cfd268b45daff8ecc57b68ec4daedad41aed75419242b5273250783ca3350e6a00933d2526768f6d5da410d2bcdec0735ca34ff0c6

Download Submit
C:\Windows\system\yajQtlu.exe

Filesize
5.9MB

MD5
fb2119fbd6e2c2d0f0dc926512c99893

SHA1
3ae27568774f31469fce898ae7f50fe78c4c5651

SHA256
06bd67c2a4130b8dbfea4fb0486f9586d7af62ceca7ef5360d7a8db68332cd32

SHA512
876bbe49d4f813bf69fcde31677af5190124028abbc7d45732d7cf91ff38aa81dcf78b37ab7d3f0fe45b7db98549186eacb2ac3ce172676fec838ecfd627cb28

Download Submit
\Windows\system\BnicaCV.exe

Filesize
5.9MB

MD5
2b00c6280068da8aa6470d8d745f66c9

SHA1
a5d6cf41c3bdc906542073a1e7d5ce22e61c3c7e

SHA256
d3f354f36c9cfff85eb9391f8f1d49374e1f6c16bbcaa0f9abae89114df0a4e3

SHA512
d3aaacf21507cbfcb0c54c64aacd78aa008fbe8ab1b045c4661e78f71be00e02654c3ebaa29f4cf8dc93a762fa0c4d58e6f081f52cc404a9d904ba71efb49b4d

Download Submit
\Windows\system\kPBlUAw.exe

Filesize
5.9MB

MD5
f39e78c6dd171cf850d431e29aac01b1

SHA1
23cbdc06b0de5c9dbacc4a9cec367cf3eebeaae8

SHA256
1d5d50278e1188c6f7153530feb7e6c8c7aeee8eb47037fb247237f4cfa4ac5a

SHA512
3ec86eb5e1a224ae0dfd1b03e34440d63afb8d04bdd1a5a37f3af533471ad166c15f572fa55e1cc5f07f9bf512a5a686dae5df8bf5d0dc144c65095e29144973

Download Submit
\Windows\system\pLJbyxh.exe

Filesize
5.9MB

MD5
6318a3dcbbd6f42efaec09bf134f15d4

SHA1
ff2ca9d8fce5302d71ce435355d19e8c37a5cfc0

SHA256
cd330ffc484a9d2160dbba64c2e6df2e88a6959c64ae30a9176481de59e2821d

SHA512
0fb86ef57d221e635a4e1676a47f38f223a205be3261973b1f5031957b24b54120185535916b74260bfc36a151e3fec0c34e8eea6871cd28f2f2f9daab224967

Download Submit
memory/956-41-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/956-19-0x0000000002500000-0x0000000002854000-memory.dmp

Filesize
3.3MB

Download
memory/956-67-0x0000000002500000-0x0000000002854000-memory.dmp

Filesize
3.3MB

Download
memory/956-139-0x0000000002500000-0x0000000002854000-memory.dmp

Filesize
3.3MB

Download
memory/956-34-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/956-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/956-54-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/956-61-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/956-138-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/956-78-0x0000000002500000-0x0000000002854000-memory.dmp

Filesize
3.3MB

Download
memory/956-85-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/956-143-0x0000000002500000-0x0000000002854000-memory.dmp

Filesize
3.3MB

Download
memory/956-37-0x0000000002500000-0x0000000002854000-memory.dmp

Filesize
3.3MB

Download
memory/956-27-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/956-0-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/956-136-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1316-42-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/1316-92-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/1316-153-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/1360-144-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1360-79-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1360-158-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1920-159-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1920-93-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1920-146-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1976-137-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1976-154-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1976-56-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1984-157-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1984-145-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1984-86-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/2080-14-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2080-60-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2080-149-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2084-48-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-7-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-148-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2496-98-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2496-160-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2496-147-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2512-70-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2512-156-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2512-142-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2572-155-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2572-68-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2572-140-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2600-150-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2600-21-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2600-64-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2628-152-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2628-77-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2628-38-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2696-49-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2696-105-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2696-161-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2732-31-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2732-151-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download