cobaltstrike | 1fc4ac3736a393dc3beb491920aa1b353be72bfef033c05bfc35d26bd8275719

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

ca4c1f6eec8fadbaca2284a0574a6475
SHA1

4e6242174e1c8d8927ee29a29294974574189250
SHA256

1fc4ac3736a393dc3beb491920aa1b353be72bfef033c05bfc35d26bd8275719
SHA512

94aa3b2fdf4e86f6eba7d08ecbf12dc228d847c94065bfa53172f3173b72754a507c2fb035d98c18c5b8f8cc73bc1e6a64ce782dd7d4f03339629c88f576ecb4
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUf:Q+856utgpPF8u/7f

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\UtLQMGb.exe	cobalt_reflective_dll
\Windows\system\mYukFOr.exe	cobalt_reflective_dll
\Windows\system\nQmmVAm.exe	cobalt_reflective_dll
C:\Windows\system\QweZySa.exe	cobalt_reflective_dll
C:\Windows\system\SvQowBm.exe	cobalt_reflective_dll
C:\Windows\system\PAgrtRR.exe	cobalt_reflective_dll
C:\Windows\system\BzVYkZf.exe	cobalt_reflective_dll
\Windows\system\MTsSeBZ.exe	cobalt_reflective_dll
\Windows\system\hxPULpd.exe	cobalt_reflective_dll
C:\Windows\system\YhheFtS.exe	cobalt_reflective_dll
C:\Windows\system\QCqHaUr.exe	cobalt_reflective_dll
C:\Windows\system\knBxeQo.exe	cobalt_reflective_dll
C:\Windows\system\vPEPAKP.exe	cobalt_reflective_dll
C:\Windows\system\oIpOnWM.exe	cobalt_reflective_dll
C:\Windows\system\gCxVdDZ.exe	cobalt_reflective_dll
C:\Windows\system\FNfnKyZ.exe	cobalt_reflective_dll
\Windows\system\dSKnadV.exe	cobalt_reflective_dll
C:\Windows\system\YviJdaX.exe	cobalt_reflective_dll
C:\Windows\system\wGpBcCe.exe	cobalt_reflective_dll
C:\Windows\system\OHZAsct.exe	cobalt_reflective_dll
C:\Windows\system\jHSDWMo.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\UtLQMGb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\mYukFOr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\nQmmVAm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QweZySa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SvQowBm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PAgrtRR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BzVYkZf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\MTsSeBZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hxPULpd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YhheFtS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QCqHaUr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\knBxeQo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vPEPAKP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oIpOnWM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gCxVdDZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FNfnKyZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\dSKnadV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YviJdaX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wGpBcCe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OHZAsct.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jHSDWMo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2028-0-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
\Windows\system\UtLQMGb.exe	UPX
behavioral1/memory/2028-6-0x0000000002390000-0x00000000026E4000-memory.dmp	UPX
\Windows\system\mYukFOr.exe	UPX
\Windows\system\nQmmVAm.exe	UPX
C:\Windows\system\QweZySa.exe	UPX
C:\Windows\system\SvQowBm.exe	UPX
behavioral1/memory/3020-19-0x000000013FB00000-0x000000013FE54000-memory.dmp	UPX
behavioral1/memory/2596-37-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2112-34-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2796-32-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/2076-29-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
C:\Windows\system\PAgrtRR.exe	UPX
behavioral1/memory/2476-44-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
C:\Windows\system\BzVYkZf.exe	UPX
\Windows\system\MTsSeBZ.exe	UPX
behavioral1/memory/2480-73-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/memory/2800-79-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
\Windows\system\hxPULpd.exe	UPX
C:\Windows\system\YhheFtS.exe	UPX
behavioral1/memory/816-94-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2820-100-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
behavioral1/memory/2964-85-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
C:\Windows\system\QCqHaUr.exe	UPX
C:\Windows\system\knBxeQo.exe	UPX
behavioral1/memory/2028-66-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2732-64-0x000000013F530000-0x000000013F884000-memory.dmp	UPX
C:\Windows\system\vPEPAKP.exe	UPX
behavioral1/memory/2492-60-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/2348-107-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
C:\Windows\system\oIpOnWM.exe	UPX
behavioral1/memory/2348-50-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
C:\Windows\system\gCxVdDZ.exe	UPX
C:\Windows\system\FNfnKyZ.exe	UPX
\Windows\system\dSKnadV.exe	UPX
C:\Windows\system\YviJdaX.exe	UPX
C:\Windows\system\wGpBcCe.exe	UPX
C:\Windows\system\OHZAsct.exe	UPX
C:\Windows\system\jHSDWMo.exe	UPX
behavioral1/memory/2732-139-0x000000013F530000-0x000000013F884000-memory.dmp	UPX
behavioral1/memory/2800-141-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/2964-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2820-145-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
behavioral1/memory/2076-146-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
behavioral1/memory/3020-147-0x000000013FB00000-0x000000013FE54000-memory.dmp	UPX
behavioral1/memory/2796-148-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/2112-149-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2596-150-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2476-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2492-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/2348-153-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
behavioral1/memory/2480-154-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/memory/2732-155-0x000000013F530000-0x000000013F884000-memory.dmp	UPX
behavioral1/memory/2800-156-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/2964-157-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/816-158-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2820-159-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX

XMRig Miner payload 61 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2028-0-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
\Windows\system\UtLQMGb.exe	xmrig
behavioral1/memory/2028-6-0x0000000002390000-0x00000000026E4000-memory.dmp	xmrig
\Windows\system\mYukFOr.exe	xmrig
\Windows\system\nQmmVAm.exe	xmrig
C:\Windows\system\QweZySa.exe	xmrig
C:\Windows\system\SvQowBm.exe	xmrig
behavioral1/memory/3020-19-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/2596-37-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2028-35-0x0000000002390000-0x00000000026E4000-memory.dmp	xmrig
behavioral1/memory/2112-34-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2796-32-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2028-30-0x0000000002390000-0x00000000026E4000-memory.dmp	xmrig
behavioral1/memory/2076-29-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
C:\Windows\system\PAgrtRR.exe	xmrig
behavioral1/memory/2476-44-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
C:\Windows\system\BzVYkZf.exe	xmrig
\Windows\system\MTsSeBZ.exe	xmrig
behavioral1/memory/2480-73-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2028-67-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2800-79-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
\Windows\system\hxPULpd.exe	xmrig
C:\Windows\system\YhheFtS.exe	xmrig
behavioral1/memory/816-94-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2820-100-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2964-85-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
C:\Windows\system\QCqHaUr.exe	xmrig
C:\Windows\system\knBxeQo.exe	xmrig
behavioral1/memory/2028-66-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2732-64-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
C:\Windows\system\vPEPAKP.exe	xmrig
behavioral1/memory/2492-60-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2348-107-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
C:\Windows\system\oIpOnWM.exe	xmrig
behavioral1/memory/2348-50-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
C:\Windows\system\gCxVdDZ.exe	xmrig
C:\Windows\system\FNfnKyZ.exe	xmrig
\Windows\system\dSKnadV.exe	xmrig
C:\Windows\system\YviJdaX.exe	xmrig
C:\Windows\system\wGpBcCe.exe	xmrig
C:\Windows\system\OHZAsct.exe	xmrig
C:\Windows\system\jHSDWMo.exe	xmrig
behavioral1/memory/2732-139-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2028-140-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2800-141-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2964-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2820-145-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2076-146-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/3020-147-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/2796-148-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2112-149-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2596-150-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2476-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2492-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2348-153-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
behavioral1/memory/2480-154-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2732-155-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2800-156-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2964-157-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/816-158-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2820-159-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

UtLQMGb.exemYukFOr.exeSvQowBm.exeQweZySa.exenQmmVAm.exePAgrtRR.exegCxVdDZ.exeBzVYkZf.exevPEPAKP.exeMTsSeBZ.exeknBxeQo.exeQCqHaUr.exehxPULpd.exeYhheFtS.exeoIpOnWM.exejHSDWMo.exewGpBcCe.exeOHZAsct.exeFNfnKyZ.exeYviJdaX.exedSKnadV.exe

pid	process
3020	UtLQMGb.exe
2076	mYukFOr.exe
2796	SvQowBm.exe
2112	QweZySa.exe
2596	nQmmVAm.exe
2476	PAgrtRR.exe
2348	gCxVdDZ.exe
2492	BzVYkZf.exe
2732	vPEPAKP.exe
2480	MTsSeBZ.exe
2800	knBxeQo.exe
2964	QCqHaUr.exe
816	hxPULpd.exe
2820	YhheFtS.exe
2772	oIpOnWM.exe
2808	jHSDWMo.exe
2956	wGpBcCe.exe
2996	OHZAsct.exe
1608	FNfnKyZ.exe
1564	YviJdaX.exe
632	dSKnadV.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

pid	process
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2028-0-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
\Windows\system\UtLQMGb.exe	upx
behavioral1/memory/2028-6-0x0000000002390000-0x00000000026E4000-memory.dmp	upx
\Windows\system\mYukFOr.exe	upx
\Windows\system\nQmmVAm.exe	upx
C:\Windows\system\QweZySa.exe	upx
C:\Windows\system\SvQowBm.exe	upx
behavioral1/memory/3020-19-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/2596-37-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2112-34-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2796-32-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2076-29-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
C:\Windows\system\PAgrtRR.exe	upx
behavioral1/memory/2476-44-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
C:\Windows\system\BzVYkZf.exe	upx
\Windows\system\MTsSeBZ.exe	upx
behavioral1/memory/2480-73-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/memory/2800-79-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
\Windows\system\hxPULpd.exe	upx
C:\Windows\system\YhheFtS.exe	upx
behavioral1/memory/816-94-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2820-100-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2964-85-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
C:\Windows\system\QCqHaUr.exe	upx
C:\Windows\system\knBxeQo.exe	upx
behavioral1/memory/2028-66-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2732-64-0x000000013F530000-0x000000013F884000-memory.dmp	upx
C:\Windows\system\vPEPAKP.exe	upx
behavioral1/memory/2492-60-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2348-107-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
C:\Windows\system\oIpOnWM.exe	upx
behavioral1/memory/2348-50-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
C:\Windows\system\gCxVdDZ.exe	upx
C:\Windows\system\FNfnKyZ.exe	upx
\Windows\system\dSKnadV.exe	upx
C:\Windows\system\YviJdaX.exe	upx
C:\Windows\system\wGpBcCe.exe	upx
C:\Windows\system\OHZAsct.exe	upx
C:\Windows\system\jHSDWMo.exe	upx
behavioral1/memory/2732-139-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2800-141-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2964-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2820-145-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2076-146-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/3020-147-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/2796-148-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2112-149-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2596-150-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2476-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2492-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2348-153-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
behavioral1/memory/2480-154-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/memory/2732-155-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2800-156-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2964-157-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/816-158-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2820-159-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\nQmmVAm.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gCxVdDZ.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MTsSeBZ.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QCqHaUr.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YhheFtS.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wGpBcCe.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OHZAsct.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UtLQMGb.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PAgrtRR.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BzVYkZf.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vPEPAKP.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YviJdaX.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QweZySa.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SvQowBm.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jHSDWMo.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FNfnKyZ.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dSKnadV.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mYukFOr.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\knBxeQo.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hxPULpd.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oIpOnWM.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2028 wrote to memory of 3020	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	UtLQMGb.exe
PID 2028 wrote to memory of 3020	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	UtLQMGb.exe
PID 2028 wrote to memory of 3020	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	UtLQMGb.exe
PID 2028 wrote to memory of 2076	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	mYukFOr.exe
PID 2028 wrote to memory of 2076	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	mYukFOr.exe
PID 2028 wrote to memory of 2076	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	mYukFOr.exe
PID 2028 wrote to memory of 2112	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	QweZySa.exe
PID 2028 wrote to memory of 2112	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	QweZySa.exe
PID 2028 wrote to memory of 2112	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	QweZySa.exe
PID 2028 wrote to memory of 2796	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	SvQowBm.exe
PID 2028 wrote to memory of 2796	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	SvQowBm.exe
PID 2028 wrote to memory of 2796	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	SvQowBm.exe
PID 2028 wrote to memory of 2596	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	nQmmVAm.exe
PID 2028 wrote to memory of 2596	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	nQmmVAm.exe
PID 2028 wrote to memory of 2596	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	nQmmVAm.exe
PID 2028 wrote to memory of 2476	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	PAgrtRR.exe
PID 2028 wrote to memory of 2476	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	PAgrtRR.exe
PID 2028 wrote to memory of 2476	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	PAgrtRR.exe
PID 2028 wrote to memory of 2348	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	gCxVdDZ.exe
PID 2028 wrote to memory of 2348	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	gCxVdDZ.exe
PID 2028 wrote to memory of 2348	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	gCxVdDZ.exe
PID 2028 wrote to memory of 2492	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	BzVYkZf.exe
PID 2028 wrote to memory of 2492	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	BzVYkZf.exe
PID 2028 wrote to memory of 2492	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	BzVYkZf.exe
PID 2028 wrote to memory of 2732	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	vPEPAKP.exe
PID 2028 wrote to memory of 2732	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	vPEPAKP.exe
PID 2028 wrote to memory of 2732	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	vPEPAKP.exe
PID 2028 wrote to memory of 2480	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	MTsSeBZ.exe
PID 2028 wrote to memory of 2480	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	MTsSeBZ.exe
PID 2028 wrote to memory of 2480	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	MTsSeBZ.exe
PID 2028 wrote to memory of 2800	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	knBxeQo.exe
PID 2028 wrote to memory of 2800	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	knBxeQo.exe
PID 2028 wrote to memory of 2800	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	knBxeQo.exe
PID 2028 wrote to memory of 2964	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	QCqHaUr.exe
PID 2028 wrote to memory of 2964	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	QCqHaUr.exe
PID 2028 wrote to memory of 2964	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	QCqHaUr.exe
PID 2028 wrote to memory of 816	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	hxPULpd.exe
PID 2028 wrote to memory of 816	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	hxPULpd.exe
PID 2028 wrote to memory of 816	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	hxPULpd.exe
PID 2028 wrote to memory of 2820	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	YhheFtS.exe
PID 2028 wrote to memory of 2820	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	YhheFtS.exe
PID 2028 wrote to memory of 2820	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	YhheFtS.exe
PID 2028 wrote to memory of 2772	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	oIpOnWM.exe
PID 2028 wrote to memory of 2772	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	oIpOnWM.exe
PID 2028 wrote to memory of 2772	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	oIpOnWM.exe
PID 2028 wrote to memory of 2808	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	jHSDWMo.exe
PID 2028 wrote to memory of 2808	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	jHSDWMo.exe
PID 2028 wrote to memory of 2808	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	jHSDWMo.exe
PID 2028 wrote to memory of 2956	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	wGpBcCe.exe
PID 2028 wrote to memory of 2956	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	wGpBcCe.exe
PID 2028 wrote to memory of 2956	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	wGpBcCe.exe
PID 2028 wrote to memory of 2996	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	OHZAsct.exe
PID 2028 wrote to memory of 2996	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	OHZAsct.exe
PID 2028 wrote to memory of 2996	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	OHZAsct.exe
PID 2028 wrote to memory of 1608	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	FNfnKyZ.exe
PID 2028 wrote to memory of 1608	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	FNfnKyZ.exe
PID 2028 wrote to memory of 1608	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	FNfnKyZ.exe
PID 2028 wrote to memory of 1564	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	YviJdaX.exe
PID 2028 wrote to memory of 1564	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	YviJdaX.exe
PID 2028 wrote to memory of 1564	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	YviJdaX.exe
PID 2028 wrote to memory of 632	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	dSKnadV.exe
PID 2028 wrote to memory of 632	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	dSKnadV.exe
PID 2028 wrote to memory of 632	2028	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	dSKnadV.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System\UtLQMGb.exe
C:\Windows\System\UtLQMGb.exe
2⤵
- Executes dropped EXE
PID:3020

C:\Windows\System\mYukFOr.exe
C:\Windows\System\mYukFOr.exe
2⤵
- Executes dropped EXE
PID:2076

C:\Windows\System\QweZySa.exe
C:\Windows\System\QweZySa.exe
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\System\SvQowBm.exe
C:\Windows\System\SvQowBm.exe
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\System\nQmmVAm.exe
C:\Windows\System\nQmmVAm.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\PAgrtRR.exe
C:\Windows\System\PAgrtRR.exe
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\System\gCxVdDZ.exe
C:\Windows\System\gCxVdDZ.exe
2⤵
- Executes dropped EXE
PID:2348

C:\Windows\System\BzVYkZf.exe
C:\Windows\System\BzVYkZf.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\vPEPAKP.exe
C:\Windows\System\vPEPAKP.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\MTsSeBZ.exe
C:\Windows\System\MTsSeBZ.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\knBxeQo.exe
C:\Windows\System\knBxeQo.exe
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\System\QCqHaUr.exe
C:\Windows\System\QCqHaUr.exe
2⤵
- Executes dropped EXE
PID:2964

C:\Windows\System\hxPULpd.exe
C:\Windows\System\hxPULpd.exe
2⤵
- Executes dropped EXE
PID:816

C:\Windows\System\YhheFtS.exe
C:\Windows\System\YhheFtS.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\oIpOnWM.exe
C:\Windows\System\oIpOnWM.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\System\jHSDWMo.exe
C:\Windows\System\jHSDWMo.exe
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\System\wGpBcCe.exe
C:\Windows\System\wGpBcCe.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\OHZAsct.exe
C:\Windows\System\OHZAsct.exe
2⤵
- Executes dropped EXE
PID:2996

C:\Windows\System\FNfnKyZ.exe
C:\Windows\System\FNfnKyZ.exe
2⤵
- Executes dropped EXE
PID:1608

C:\Windows\System\YviJdaX.exe
C:\Windows\System\YviJdaX.exe
2⤵
- Executes dropped EXE
PID:1564

C:\Windows\System\dSKnadV.exe
C:\Windows\System\dSKnadV.exe
2⤵
- Executes dropped EXE
PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BzVYkZf.exe
Filesize
5.9MB

MD5
ee48eb25342dd855cff5bc3cda27ff83

SHA1
b8a4032c00074c624832cd1fada597591a7a1697

SHA256
30c66623c688dc663e5c69efe9b85daf5fb321e122162e022e88541e7977e67f

SHA512
d781de14adc65087125b431748a222d0a8d2170be4af466b633e08281b33a0e4f182f192f27d68c481e2438a0d1d5e3e87f1d862ef7acfd13d8da232bea97912

Download Submit
C:\Windows\system\FNfnKyZ.exe
Filesize
5.9MB

MD5
aa62089919dc1abb582b061095373d88

SHA1
d8485e3a36b844c611034e082e7c106e68b28a14

SHA256
10bf1403c588db7795d9bb680d97434af31e651a16b6424b17af133234545288

SHA512
4ef0e404be7bfb67ae7f2d03872585d2939e3ab2cc6a3e1549e6e799a1577e5cbf2391d4671dc204ed16d547c778e019257f89e63169d37f0cd48cc77139790f

Download Submit
C:\Windows\system\OHZAsct.exe
Filesize
5.9MB

MD5
1d552d6ac691c064ed8b074973b6d63b

SHA1
120d885b221c790ee2f3215b2a4232556db9fe36

SHA256
2c600c2b287bcff6e27f41d02b329f8f14028f402bb3ff45cfd17347f41fcc9d

SHA512
705f9996d084b6419ce971afd1aeba73541fc0b26d9b00a50182cb79814d46cfa845f3eb7778b62f9f989a11b6493b7abec15f50acfef7ba64f994327881ae5d

Download Submit
C:\Windows\system\PAgrtRR.exe
Filesize
5.9MB

MD5
cdd64e03de186620b928e4b5fb0f72cb

SHA1
ccd471c3732e9058bbea865212174f3add0f41b7

SHA256
2ccd2e7607ffcfb8e55258996ee3052e47b2c82306e44a7347947f9eeb4217eb

SHA512
030edecc8433c3381d8ead9f3bdfe21d0deb944d3ae2f5bb5a33b89e65e34c73bfd120c6d09b58f143929fde254f90ab2edd497e4d13827ff71cd63498c56813

Download Submit
C:\Windows\system\QCqHaUr.exe
Filesize
5.9MB

MD5
17b40fc95eaa88451e751a6d0bac5fb4

SHA1
cd0cf1127e7619434df94162e1b0fe22b48f8d73

SHA256
dc8b3748cedeb49a6af4bbc6a27b208cf24dce79365a09f37fe47a12af54c097

SHA512
3e15bcf6eb6be87a1bfdab6822fb104a681678f4b0178c18a0ccdac440150311d97e293960c876dfa8ea3d2e36679b786d5be19f56d9530194ed78b5e70cdf14

Download Submit
C:\Windows\system\QweZySa.exe
Filesize
5.9MB

MD5
02c83a79f7647820137f33fbc939ad1f

SHA1
a5423e924fce223e77360751dbcc898588612726

SHA256
3f92dc9a25a446ad8aa4ea6e305d7f00366343180d7aad8f64f15f01dcc617b1

SHA512
3e257aa421db95b7d12d39b1a1822c94d359cc98c17f7d7f23fcdd1437f48cb5fd745b6e179719409bd274877846059cc758afdcca2fab4ec0d3f04a35d01d35

Download Submit
C:\Windows\system\SvQowBm.exe
Filesize
5.9MB

MD5
9eaf340e6d4c020d4008784b2f873c84

SHA1
3f831f3c5377f5a050ff99aad51776731a72f2d9

SHA256
7617e78ff08240d46c3b61ba4eb9a303ac417f1338231d1acfe50945ee19360e

SHA512
b9cf5b0053a98301a2ff07e0c332dcdb6137d08bc6968cc419ec4c1c0db4a89f86da5494772e5c64bc6fdda8c36410d3decaf8fd885c52874b88ee5e7067ee1d

Download Submit
C:\Windows\system\YhheFtS.exe
Filesize
5.9MB

MD5
8342fb0315750bf7adfc0e675d2e9779

SHA1
bb6d3a3508960291a8978ee03d443344173a9046

SHA256
07f5e6091d1b887c788588e1fc528272252259905f305639fc825f3ae19be532

SHA512
b6f0de8d1a50cb19513c365bbd5d928c985e8f58423d3f0140d9e84d3f026f0175e2def78eb15d57c56f31d27ba81644bb4d93242cb4592d6f0d735dc113e36c

Download Submit
C:\Windows\system\YviJdaX.exe
Filesize
5.9MB

MD5
bbca29b4783df128d9128c09a0ed6c90

SHA1
ee925231f1e0af5b2d7962f58b55ddbe766ebf72

SHA256
f25275b90ca696e810ed421c8c4e34a460a2fd1eb69c0d57300e7a2ca180454d

SHA512
58cc7e4c0d3bc5d1b0cd062954f6b93152e610ceb5c38042a9ae38981bea5c04707425dc803c64ce48bbd3e94c372e6c1fd7582f1d6b45cf363f0678b9255511

Download Submit
C:\Windows\system\gCxVdDZ.exe
Filesize
5.9MB

MD5
e72ad466ffbbecb84621afef92d3da83

SHA1
4ab86324b203b462a9ab2c4a13b0fdc2a4a6b09b

SHA256
ce9adf0dbf581dc2cb9a1dec50c6f8ea419a218b50792e1ffd94efac23e68375

SHA512
2a3362af8f898ee09124724ac0935cd8fdedbf8a6ff0075ab97528b9b20802b65e178cea6682745721721d4fcf6eda08aec72f0c8334481a33fbdbe424d0d0e7

Download Submit
C:\Windows\system\jHSDWMo.exe
Filesize
5.9MB

MD5
fabc981e02f38e9536c87f438ea0bb58

SHA1
b2ab070f8f097280fd5c886b10bf86af016a4434

SHA256
3c165f4f8d0a85f3c0b6a6c1c43d1d6a9e9664d032b6e921425753b1ff4ce225

SHA512
3b721f31e0a126201b05cb1dda0a5bfbfad94acfcf7b09aa5a6c6acd1f18ff2d1bfd91deccd0b8dd950d48777affac9b414b41e6d08f25349b97b001278e65d7

Download Submit
C:\Windows\system\knBxeQo.exe
Filesize
5.9MB

MD5
aff976e94179045dd9680cc56a5be2a9

SHA1
7f7f78dfba1dc2e982b467ec70b3f6ad52a483a7

SHA256
b28fe87e15555173b7649fed52461d68d0e495252c81793fe391c110ba7e71d5

SHA512
af95c536a49ce37667948d46889136de8f341cff8765ce66e800b3682419eb784c70ea9749b6b91c83eda0c2b9f44acd95fdedccf089d14905703442b7e9011a

Download Submit
C:\Windows\system\oIpOnWM.exe
Filesize
5.9MB

MD5
46382a2e8b43e0b09bdb8484650f9609

SHA1
b2d08939db946cf02ae25a033fa95adebe61c928

SHA256
0acf0249506c9767c795eac38aa1f9dea7c832283fbc461d7571bfbe6de78794

SHA512
7cdd1fb0abc1b77ed8422b05df3b429da5bcf54b1fec45101c6f2802e7c8fbd97da51d2eac9d8ea3d90ce0259921dfaba74c14f66ebd0469b66d9bfc8cd73729

Download Submit
C:\Windows\system\vPEPAKP.exe
Filesize
5.9MB

MD5
b0fe59d5c775e54e77fc499567983851

SHA1
e698eb332c8aa757a7a11f70768d4ad0d4a6d061

SHA256
d0724e75d8dba56640813d70e2b45130de01fdecd1e284df946e1364ca55e007

SHA512
992e92d2c7a25fa556bf5bfe97436928749403b039aa6d4139f4fb8d4d253b54b9824d7dd7b817d94c0180c97f514cb5193677cda41052a967377180b0e7def9

Download Submit
C:\Windows\system\wGpBcCe.exe
Filesize
5.9MB

MD5
06f839370fd041f1f8957cdb2d228fe9

SHA1
5bc6a5c191b87da3d6648939fd504ab1df4f1300

SHA256
6313a46bf22abe69da128ae24fdc4e88646d1bfce7f37ad74f75a0756184373b

SHA512
f0770b6c9177ab8a56b9a2a8a8b6e7774fd01857c540ddbe1bb1937a261cf7b45a2e374ef0b5b0963c23eb209782d0188171fd470d587fb65ce92086cc66c3f7

Download Submit
\Windows\system\MTsSeBZ.exe
Filesize
5.9MB

MD5
f54c37c7c72082d29fc63dd88446551e

SHA1
f4b736678faaae7b5577835f6d7e505d1cd84c29

SHA256
1c65ad0a1e4446f83e2475f68b2d5d9f73b636f94476c047c3910193a4d3551b

SHA512
94f01795812d5a3878face14ed027b647561b5aea965adc6e43bcc3cfb5138ab1d2becd830dcad48911ed2047af4e0ea26e84b510addee5cb521768bf9214247

Download Submit
\Windows\system\UtLQMGb.exe
Filesize
5.9MB

MD5
b99c8302a6735495c4b90cc9e7066e90

SHA1
a96bbc5d8404784344ca863fd2024a63062c6e11

SHA256
bbe455c5c6cdffa7bec959a866aceaa89f045070bc5b678d7fc571475c073ba6

SHA512
116f8d845b8f11e4e16cc5df0f7403ca5d42e1acd19c5562ca1d3edba1f76934322a77b6d13337618d01cc55ea8dfce7e24043087f05ce289d337f435ff4abcd

Download Submit
\Windows\system\dSKnadV.exe
Filesize
5.9MB

MD5
66f405d11b3e517f77628bf8c3f7c8bc

SHA1
d87fc9630b33622b58a07413bc1458cbf0c94bd6

SHA256
e46ee2c07196e25be85f420d5abfad0b79f8a0fd6c2146c5917361ad7c24474d

SHA512
ef36d1dab426b52fd98849854167527050714aa8b3699cedc17894aed535668f707927d56563b8389496c55a80df15aab59f7a476a8ea8597763aad911e9bc17

Download Submit
\Windows\system\hxPULpd.exe
Filesize
5.9MB

MD5
69effbe44c2e98ca06ac65a55059894c

SHA1
96141de7be8f2ab1650c99763896d3064787c925

SHA256
9a658bb61c591b27b4e1b134b55963ef30a708dfaba03d009e7b0ccfe09d8b53

SHA512
a096c6c8ee8ad87e4c314de888920761f6f8809e47b9ee34fde0c912dbf271ee9092ccc7dcfd4791cc59ac643b75c2ea0240854ec3913046041b3e5f2165e3e5

Download Submit
\Windows\system\mYukFOr.exe
Filesize
5.9MB

MD5
9600c2fa07c4010730e06765ccc8ddf6

SHA1
97021add3da4ece5b26c230058f6bd67ba20e5fa

SHA256
6e4366ddcfe630dc907f371ef023ae41f13ed52f65bed777bd6b0cf0f71472dc

SHA512
ca1751fdec206d38facb9b84ef4d7d3a629970ef8cda3e234a2a071c1dee79ae160004388b45aa3fc4fac15381caf0921b001f86444ce862b02ba4a3e7492d09

Download Submit
\Windows\system\nQmmVAm.exe
Filesize
5.9MB

MD5
c256132507be60c3c7b9bd4b8373b64e

SHA1
3ed480bf79f31e62769c25c25c57255452304de1

SHA256
b6e1947a58c777c062f9ffab700a17a8fa2674c2880c47495a008c6143d20689

SHA512
c32937dda3572f65af8b4e8e7d786303d691e9e034c0afb1e8262de9be814d3084f0270afdeccff0750d6e7dcf861b9531b392d54c3d40d052f2f82ff6c7dd01

Download Submit
memory/816-94-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/816-158-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2028-62-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2028-48-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2028-67-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2028-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2028-144-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2028-93-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2028-99-0x0000000002390000-0x00000000026E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-142-0x0000000002390000-0x00000000026E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-84-0x0000000002390000-0x00000000026E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-140-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-78-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-43-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-66-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2028-138-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2028-6-0x0000000002390000-0x00000000026E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-0-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2028-36-0x0000000002390000-0x00000000026E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-58-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-35-0x0000000002390000-0x00000000026E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-30-0x0000000002390000-0x00000000026E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-108-0x0000000002390000-0x00000000026E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-27-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-29-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-146-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2112-34-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2112-149-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2348-50-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2348-107-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2348-153-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2476-44-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2476-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-73-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2480-154-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2492-60-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-37-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-150-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-155-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2732-139-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2732-64-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2796-32-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2796-148-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2800-79-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-141-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-156-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-145-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2820-100-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2820-159-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2964-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2964-85-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2964-157-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/3020-147-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/3020-19-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download