cobaltstrike | fbd54c2f3784ddd36045fae5db3907fc111ea3f66b7ab122aa3a4dff87bef653

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

02ae74c082adccc8f0d80c8930067d5b
SHA1

82ca12b9d33db9942bb40467b15d53c535bd8bc0
SHA256

fbd54c2f3784ddd36045fae5db3907fc111ea3f66b7ab122aa3a4dff87bef653
SHA512

be0fd7a6beec89b520a61e18dec1e24a1c19af1925300d9e967cebfcdf80630cba41a06a60a8bf2e5400cf7a9802a96f547c3224a5e2c523983e4d1964328584
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\wzMNENY.exe	cobalt_reflective_dll
\Windows\system\xCyAelT.exe	cobalt_reflective_dll
\Windows\system\KmkRdWQ.exe	cobalt_reflective_dll
\Windows\system\qSekdUx.exe	cobalt_reflective_dll
\Windows\system\iTSPkoy.exe	cobalt_reflective_dll
\Windows\system\DrRsEYJ.exe	cobalt_reflective_dll
\Windows\system\yioOfpq.exe	cobalt_reflective_dll
C:\Windows\system\LcZCTLY.exe	cobalt_reflective_dll
\Windows\system\vxPAnCD.exe	cobalt_reflective_dll
\Windows\system\ODsOGlG.exe	cobalt_reflective_dll
\Windows\system\mowQsUy.exe	cobalt_reflective_dll
\Windows\system\hUtWnwB.exe	cobalt_reflective_dll
\Windows\system\eYwKjSA.exe	cobalt_reflective_dll
C:\Windows\system\ORddxwc.exe	cobalt_reflective_dll
C:\Windows\system\JBexmrn.exe	cobalt_reflective_dll
C:\Windows\system\qRXFpOe.exe	cobalt_reflective_dll
\Windows\system\HXUHchu.exe	cobalt_reflective_dll
C:\Windows\system\vZlnuqV.exe	cobalt_reflective_dll
\Windows\system\WCICPdU.exe	cobalt_reflective_dll
C:\Windows\system\gaynRnP.exe	cobalt_reflective_dll
C:\Windows\system\nhBqNlp.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\wzMNENY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xCyAelT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KmkRdWQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\qSekdUx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\iTSPkoy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DrRsEYJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\yioOfpq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LcZCTLY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\vxPAnCD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ODsOGlG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\mowQsUy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hUtWnwB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\eYwKjSA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ORddxwc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JBexmrn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qRXFpOe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\HXUHchu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vZlnuqV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\WCICPdU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gaynRnP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nhBqNlp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1808-0-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
\Windows\system\wzMNENY.exe	UPX
behavioral1/memory/2256-9-0x000000013FCF0000-0x0000000140041000-memory.dmp	UPX
\Windows\system\xCyAelT.exe	UPX
\Windows\system\KmkRdWQ.exe	UPX
behavioral1/memory/2564-22-0x000000013F8B0000-0x000000013FC01000-memory.dmp	UPX
behavioral1/memory/1112-19-0x000000013F2E0000-0x000000013F631000-memory.dmp	UPX
\Windows\system\qSekdUx.exe	UPX
behavioral1/memory/2656-35-0x000000013FA20000-0x000000013FD71000-memory.dmp	UPX
\Windows\system\iTSPkoy.exe	UPX
\Windows\system\DrRsEYJ.exe	UPX
\Windows\system\yioOfpq.exe	UPX
behavioral1/memory/2592-44-0x000000013FDE0000-0x0000000140131000-memory.dmp	UPX
behavioral1/memory/2568-52-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
C:\Windows\system\LcZCTLY.exe	UPX
behavioral1/memory/2712-53-0x000000013F720000-0x000000013FA71000-memory.dmp	UPX
behavioral1/memory/2488-54-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
\Windows\system\vxPAnCD.exe	UPX
behavioral1/memory/2508-61-0x000000013FD20000-0x0000000140071000-memory.dmp	UPX
\Windows\system\ODsOGlG.exe	UPX
behavioral1/memory/1232-70-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
\Windows\system\mowQsUy.exe	UPX
behavioral1/memory/888-77-0x000000013F640000-0x000000013F991000-memory.dmp	UPX
\Windows\system\hUtWnwB.exe	UPX
\Windows\system\eYwKjSA.exe	UPX
behavioral1/memory/2408-123-0x000000013FC80000-0x000000013FFD1000-memory.dmp	UPX
behavioral1/memory/2504-126-0x000000013F3B0000-0x000000013F701000-memory.dmp	UPX
behavioral1/memory/2700-131-0x000000013FDC0000-0x0000000140111000-memory.dmp	UPX
behavioral1/memory/2344-132-0x000000013F110000-0x000000013F461000-memory.dmp	UPX
behavioral1/memory/2824-133-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
C:\Windows\system\ORddxwc.exe	UPX
C:\Windows\system\JBexmrn.exe	UPX
C:\Windows\system\qRXFpOe.exe	UPX
\Windows\system\HXUHchu.exe	UPX
C:\Windows\system\vZlnuqV.exe	UPX
\Windows\system\WCICPdU.exe	UPX
behavioral1/memory/2216-139-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/memory/2356-142-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	UPX
behavioral1/memory/1952-146-0x000000013F790000-0x000000013FAE1000-memory.dmp	UPX
behavioral1/memory/2200-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp	UPX
behavioral1/memory/1000-143-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/memory/1808-87-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
C:\Windows\system\gaynRnP.exe	UPX
C:\Windows\system\nhBqNlp.exe	UPX
behavioral1/memory/2564-149-0x000000013F8B0000-0x000000013FC01000-memory.dmp	UPX
behavioral1/memory/1808-151-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
behavioral1/memory/2656-155-0x000000013FA20000-0x000000013FD71000-memory.dmp	UPX
behavioral1/memory/2592-156-0x000000013FDE0000-0x0000000140131000-memory.dmp	UPX
behavioral1/memory/2508-160-0x000000013FD20000-0x0000000140071000-memory.dmp	UPX
behavioral1/memory/888-162-0x000000013F640000-0x000000013F991000-memory.dmp	UPX
behavioral1/memory/1808-173-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
behavioral1/memory/2256-222-0x000000013FCF0000-0x0000000140041000-memory.dmp	UPX
behavioral1/memory/1112-224-0x000000013F2E0000-0x000000013F631000-memory.dmp	UPX
behavioral1/memory/2564-232-0x000000013F8B0000-0x000000013FC01000-memory.dmp	UPX
behavioral1/memory/2656-236-0x000000013FA20000-0x000000013FD71000-memory.dmp	UPX
behavioral1/memory/2592-241-0x000000013FDE0000-0x0000000140131000-memory.dmp	UPX
behavioral1/memory/2568-240-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/2712-242-0x000000013F720000-0x000000013FA71000-memory.dmp	UPX
behavioral1/memory/2488-244-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
behavioral1/memory/2508-246-0x000000013FD20000-0x0000000140071000-memory.dmp	UPX
behavioral1/memory/1232-248-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/888-250-0x000000013F640000-0x000000013F991000-memory.dmp	UPX
behavioral1/memory/2408-252-0x000000013FC80000-0x000000013FFD1000-memory.dmp	UPX
behavioral1/memory/2504-254-0x000000013F3B0000-0x000000013F701000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2256-9-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2564-22-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/1112-19-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2592-44-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2568-52-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2712-53-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2488-54-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/1808-55-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/1232-70-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/888-77-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/1808-119-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2408-123-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2504-126-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/2700-131-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2344-132-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/2824-133-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2216-139-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2356-142-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/1808-145-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/1952-146-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/1808-147-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2200-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/1000-143-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/1808-87-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2564-149-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/1808-151-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2656-155-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2592-156-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2508-160-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/888-162-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/1808-173-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/1808-198-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2256-222-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/1112-224-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2564-232-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2656-236-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2592-241-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2568-240-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2712-242-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2488-244-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2508-246-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/1232-248-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/888-250-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/2408-252-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2504-254-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/2700-267-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2344-266-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

wzMNENY.exexCyAelT.exeKmkRdWQ.exeqSekdUx.exeyioOfpq.exeDrRsEYJ.exeiTSPkoy.exeLcZCTLY.exevxPAnCD.exeODsOGlG.exemowQsUy.exenhBqNlp.exegaynRnP.exeHXUHchu.exeeYwKjSA.exevZlnuqV.exeqRXFpOe.exehUtWnwB.exeJBexmrn.exeORddxwc.exeWCICPdU.exe

pid	process
2256	wzMNENY.exe
1112	xCyAelT.exe
2564	KmkRdWQ.exe
2656	qSekdUx.exe
2592	yioOfpq.exe
2568	DrRsEYJ.exe
2712	iTSPkoy.exe
2488	LcZCTLY.exe
2508	vxPAnCD.exe
1232	ODsOGlG.exe
888	mowQsUy.exe
2408	nhBqNlp.exe
2504	gaynRnP.exe
2700	HXUHchu.exe
2344	eYwKjSA.exe
2824	vZlnuqV.exe
2216	qRXFpOe.exe
1952	hUtWnwB.exe
2356	JBexmrn.exe
1000	ORddxwc.exe
2200	WCICPdU.exe

Loads dropped DLL 21 IoCs

Processes:

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

pid	process
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1808-0-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
\Windows\system\wzMNENY.exe	upx
behavioral1/memory/2256-9-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
\Windows\system\xCyAelT.exe	upx
\Windows\system\KmkRdWQ.exe	upx
behavioral1/memory/2564-22-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/1112-19-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
\Windows\system\qSekdUx.exe	upx
behavioral1/memory/2656-35-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
\Windows\system\iTSPkoy.exe	upx
\Windows\system\DrRsEYJ.exe	upx
\Windows\system\yioOfpq.exe	upx
behavioral1/memory/2592-44-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2568-52-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
C:\Windows\system\LcZCTLY.exe	upx
behavioral1/memory/2712-53-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/2488-54-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
\Windows\system\vxPAnCD.exe	upx
behavioral1/memory/2508-61-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
\Windows\system\ODsOGlG.exe	upx
behavioral1/memory/1232-70-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
\Windows\system\mowQsUy.exe	upx
behavioral1/memory/888-77-0x000000013F640000-0x000000013F991000-memory.dmp	upx
\Windows\system\hUtWnwB.exe	upx
\Windows\system\eYwKjSA.exe	upx
behavioral1/memory/2408-123-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2504-126-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/2700-131-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2344-132-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/2824-133-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
C:\Windows\system\ORddxwc.exe	upx
C:\Windows\system\JBexmrn.exe	upx
C:\Windows\system\qRXFpOe.exe	upx
\Windows\system\HXUHchu.exe	upx
C:\Windows\system\vZlnuqV.exe	upx
\Windows\system\WCICPdU.exe	upx
behavioral1/memory/2216-139-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/2356-142-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/1952-146-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/2200-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/1000-143-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/1808-87-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
C:\Windows\system\gaynRnP.exe	upx
C:\Windows\system\nhBqNlp.exe	upx
behavioral1/memory/2564-149-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/1808-151-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2656-155-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2592-156-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2508-160-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/888-162-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/memory/1808-173-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2256-222-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/1112-224-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2564-232-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2656-236-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2592-241-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2568-240-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2712-242-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/2488-244-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2508-246-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/1232-248-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/888-250-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/memory/2408-252-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2504-254-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\ORddxwc.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wzMNENY.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xCyAelT.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LcZCTLY.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gaynRnP.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vxPAnCD.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mowQsUy.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HXUHchu.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eYwKjSA.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KmkRdWQ.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yioOfpq.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DrRsEYJ.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iTSPkoy.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qRXFpOe.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JBexmrn.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nhBqNlp.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vZlnuqV.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qSekdUx.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ODsOGlG.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hUtWnwB.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WCICPdU.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1808 wrote to memory of 2256	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	wzMNENY.exe
PID 1808 wrote to memory of 2256	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	wzMNENY.exe
PID 1808 wrote to memory of 2256	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	wzMNENY.exe
PID 1808 wrote to memory of 1112	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	xCyAelT.exe
PID 1808 wrote to memory of 1112	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	xCyAelT.exe
PID 1808 wrote to memory of 1112	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	xCyAelT.exe
PID 1808 wrote to memory of 2564	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	KmkRdWQ.exe
PID 1808 wrote to memory of 2564	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	KmkRdWQ.exe
PID 1808 wrote to memory of 2564	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	KmkRdWQ.exe
PID 1808 wrote to memory of 2656	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	qSekdUx.exe
PID 1808 wrote to memory of 2656	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	qSekdUx.exe
PID 1808 wrote to memory of 2656	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	qSekdUx.exe
PID 1808 wrote to memory of 2592	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	yioOfpq.exe
PID 1808 wrote to memory of 2592	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	yioOfpq.exe
PID 1808 wrote to memory of 2592	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	yioOfpq.exe
PID 1808 wrote to memory of 2568	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	DrRsEYJ.exe
PID 1808 wrote to memory of 2568	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	DrRsEYJ.exe
PID 1808 wrote to memory of 2568	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	DrRsEYJ.exe
PID 1808 wrote to memory of 2712	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	iTSPkoy.exe
PID 1808 wrote to memory of 2712	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	iTSPkoy.exe
PID 1808 wrote to memory of 2712	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	iTSPkoy.exe
PID 1808 wrote to memory of 2488	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	LcZCTLY.exe
PID 1808 wrote to memory of 2488	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	LcZCTLY.exe
PID 1808 wrote to memory of 2488	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	LcZCTLY.exe
PID 1808 wrote to memory of 2508	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	vxPAnCD.exe
PID 1808 wrote to memory of 2508	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	vxPAnCD.exe
PID 1808 wrote to memory of 2508	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	vxPAnCD.exe
PID 1808 wrote to memory of 1232	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	ODsOGlG.exe
PID 1808 wrote to memory of 1232	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	ODsOGlG.exe
PID 1808 wrote to memory of 1232	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	ODsOGlG.exe
PID 1808 wrote to memory of 888	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	mowQsUy.exe
PID 1808 wrote to memory of 888	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	mowQsUy.exe
PID 1808 wrote to memory of 888	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	mowQsUy.exe
PID 1808 wrote to memory of 2408	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	nhBqNlp.exe
PID 1808 wrote to memory of 2408	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	nhBqNlp.exe
PID 1808 wrote to memory of 2408	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	nhBqNlp.exe
PID 1808 wrote to memory of 2504	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	gaynRnP.exe
PID 1808 wrote to memory of 2504	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	gaynRnP.exe
PID 1808 wrote to memory of 2504	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	gaynRnP.exe
PID 1808 wrote to memory of 2700	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	HXUHchu.exe
PID 1808 wrote to memory of 2700	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	HXUHchu.exe
PID 1808 wrote to memory of 2700	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	HXUHchu.exe
PID 1808 wrote to memory of 2824	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	vZlnuqV.exe
PID 1808 wrote to memory of 2824	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	vZlnuqV.exe
PID 1808 wrote to memory of 2824	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	vZlnuqV.exe
PID 1808 wrote to memory of 2344	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	eYwKjSA.exe
PID 1808 wrote to memory of 2344	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	eYwKjSA.exe
PID 1808 wrote to memory of 2344	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	eYwKjSA.exe
PID 1808 wrote to memory of 2216	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	qRXFpOe.exe
PID 1808 wrote to memory of 2216	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	qRXFpOe.exe
PID 1808 wrote to memory of 2216	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	qRXFpOe.exe
PID 1808 wrote to memory of 2356	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	JBexmrn.exe
PID 1808 wrote to memory of 2356	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	JBexmrn.exe
PID 1808 wrote to memory of 2356	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	JBexmrn.exe
PID 1808 wrote to memory of 1952	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	hUtWnwB.exe
PID 1808 wrote to memory of 1952	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	hUtWnwB.exe
PID 1808 wrote to memory of 1952	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	hUtWnwB.exe
PID 1808 wrote to memory of 1000	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	ORddxwc.exe
PID 1808 wrote to memory of 1000	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	ORddxwc.exe
PID 1808 wrote to memory of 1000	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	ORddxwc.exe
PID 1808 wrote to memory of 2200	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	WCICPdU.exe
PID 1808 wrote to memory of 2200	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	WCICPdU.exe
PID 1808 wrote to memory of 2200	1808	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	WCICPdU.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\System\wzMNENY.exe
C:\Windows\System\wzMNENY.exe
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\System\xCyAelT.exe
C:\Windows\System\xCyAelT.exe
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\System\KmkRdWQ.exe
C:\Windows\System\KmkRdWQ.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\System\qSekdUx.exe
C:\Windows\System\qSekdUx.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\yioOfpq.exe
C:\Windows\System\yioOfpq.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\System\DrRsEYJ.exe
C:\Windows\System\DrRsEYJ.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\iTSPkoy.exe
C:\Windows\System\iTSPkoy.exe
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\System\LcZCTLY.exe
C:\Windows\System\LcZCTLY.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System\vxPAnCD.exe
C:\Windows\System\vxPAnCD.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System\ODsOGlG.exe
C:\Windows\System\ODsOGlG.exe
2⤵
- Executes dropped EXE
PID:1232

C:\Windows\System\mowQsUy.exe
C:\Windows\System\mowQsUy.exe
2⤵
- Executes dropped EXE
PID:888

C:\Windows\System\nhBqNlp.exe
C:\Windows\System\nhBqNlp.exe
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\System\gaynRnP.exe
C:\Windows\System\gaynRnP.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\HXUHchu.exe
C:\Windows\System\HXUHchu.exe
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\System\vZlnuqV.exe
C:\Windows\System\vZlnuqV.exe
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\System\eYwKjSA.exe
C:\Windows\System\eYwKjSA.exe
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\System\qRXFpOe.exe
C:\Windows\System\qRXFpOe.exe
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\System\JBexmrn.exe
C:\Windows\System\JBexmrn.exe
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\System\hUtWnwB.exe
C:\Windows\System\hUtWnwB.exe
2⤵
- Executes dropped EXE
PID:1952

C:\Windows\System\ORddxwc.exe
C:\Windows\System\ORddxwc.exe
2⤵
- Executes dropped EXE
PID:1000

C:\Windows\System\WCICPdU.exe
C:\Windows\System\WCICPdU.exe
2⤵
- Executes dropped EXE
PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\JBexmrn.exe
Filesize
5.2MB

MD5
cccc8cc35400c9a1633324fae4fdc7ed

SHA1
08fa134c6e360aaddcb2b4bfb47f32b1ffae790f

SHA256
90a993888631366e2d550ab2c2fb26cac523e403a3e732c1f392867960592a98

SHA512
bab5842a4010d987df4477e531540eed6c612e839dc45c81aa915d5709b5eadab2ea304f5abac5890559ab48428beec0c21f88caef5eab7a10da580e24825395

Download Submit
C:\Windows\system\LcZCTLY.exe
Filesize
5.2MB

MD5
35b17ffd2a623372bc30baedd3a822bf

SHA1
2d6d465ceed787a2942934a676d5347b220903ca

SHA256
32d53e54b54d93cd2cb80658d310429d53ea534ee5d15c2054ec5bed4c7b938f

SHA512
acef1d8c7e4796deaf882791bbc79f3ec3293122a4a3d71b6955b080b46f3b4c651854254c008ba70e9ecc99abafa42852cee939df6e9e62e24fcb53a3d89b51

Download Submit
C:\Windows\system\ORddxwc.exe
Filesize
5.2MB

MD5
69cdb5f43be2dc24073645c09699e18e

SHA1
8a5a4c51912399a6dfbd4fb2acdc8225913a6d56

SHA256
4b3b856b371ac9f630c70c03bf5c424b8dac1e746dbb9ae6a6fae521a3f67b74

SHA512
0f11cbfd9fefb4bbce686158385ad2792cbb2381da73589ec6387cd5c20a471f2c731ea4efd725d47051a71ece3a5a2cb3ba885007f1a14c34df1985c2f81c1d

Download Submit
C:\Windows\system\gaynRnP.exe
Filesize
5.2MB

MD5
8e8daf15986979b9c25b5e5432167b44

SHA1
2928fe40a7c7d013822fe871e9527098afae34fd

SHA256
9c76949f7d509d6e538616f0c79a998a11291575cf0ff2d5acb0c7457b2ca8fd

SHA512
2a8ff97dc9cd10c8ebe94706c947e4cc58e501872287c8c92468d2012ddd1a5eeef965ab7588f7a010d34b0d3a952c46ff2773a904408483f04575547a601e35

Download Submit
C:\Windows\system\nhBqNlp.exe
Filesize
5.2MB

MD5
e1ebf913686000e19a987c408bbf75e9

SHA1
88002233ce4562288b4ff5f2113c958372170a16

SHA256
b608ea5e5ac55f90ef68f58c0c76b1f254d043b84407d4fc20684f94f7990a22

SHA512
906770d3b6f9c5166a8326ca571831f19cc328860bd088671f709a5b65199aa9bb5249f8c7cd13324feb0956be199323ecf41821e7f16b997e40c53d10bcf63d

Download Submit
C:\Windows\system\qRXFpOe.exe
Filesize
5.2MB

MD5
5b51835599fe8f6bb770d55b6452393b

SHA1
552c0e0e0e963c42be21439183cae33eaa86624d

SHA256
7598453b931201b53351d1ab729eb23964cdac086a1ec3677ed6b2b4f9d920b4

SHA512
26934140a26abb03b0f250986496dbf916737b909fdde7f78a8a3609480c9a6c261999fd0a52e180bcaf1ca1891df9b505391d309fb7956a170d2edff23bb488

Download Submit
C:\Windows\system\vZlnuqV.exe
Filesize
5.2MB

MD5
6443c6cf8c03b110cdb9ac8d18b308d2

SHA1
eafb6ad0a0c0f89bf77d5a997cf89a2da72ccd28

SHA256
6ce0a56965c68342f5a7144b2ae008c0d0dbbf5d2a81dad4d15b9351dc184a6c

SHA512
d54cb65afcaf3cbfa19e5552f5721f9b1fe90871e40e34f799d55f25e7eaf47c4e2d563074b42d5dcd466875d32160289bef7acca8b3467661fcfcd927297c07

Download Submit
\Windows\system\DrRsEYJ.exe
Filesize
5.2MB

MD5
0c3dcdafc9986ef8d94c1e3a822a966e

SHA1
b192937fc1533d31e0db016890d37abfdb8df371

SHA256
4a592818518556543978e7228ab2be9f4901707d52a7bf321fe2f9de3c588501

SHA512
9fd537da85f5444dcb4920b627089964aac06102c3d8ba7299e82e686a3329835315dae8f42663ebf6f9f199cac2ac8816dcc98f8b20d2466b3729d53ea9b99d

Download Submit
\Windows\system\HXUHchu.exe
Filesize
5.2MB

MD5
55ebebc1f8bacee64b0f8346b8ca234e

SHA1
de16c4d0ad5727ec3fd1fc3c507218dac8403a3d

SHA256
5825c2704974b08ebbf4b04f60aeb8ab38f7dbdcb98e516b5d61589411d8449f

SHA512
2be8d20ef15761be81d5b181ccba90de27f7cdd34fa3b40757dd6918330a0cb36aa39a5c7d9dbd8441489fc89cf7684f5d02b3eb21b04596a149be0786cbbc93

Download Submit
\Windows\system\KmkRdWQ.exe
Filesize
5.2MB

MD5
db88f4c641eff54fd7f275a71ecaae45

SHA1
647861891702269603b2571ca7984f1b56e6a061

SHA256
58918e9bd47a51812a3ca58d70a0952cb053933c007b2bf5f050dddc5439b2ff

SHA512
9ab7f1baef2f070d6eb64f02e1eb391d0167325ae00c3042abdd6e62e8e66f0703137e8719ed3d656cc7f82d649b1f6e037be63d35b19b14687e93b76a5d5165

Download Submit
\Windows\system\ODsOGlG.exe
Filesize
5.2MB

MD5
7774be04cf4a86255f2539bceb8b489a

SHA1
30e68b621856337bb64cb51e643d8ca01ccb6014

SHA256
6947e5c115c67ce178e29c3d0e916bff7c425fbdf9359dc1925ede7d8bbe453e

SHA512
6b42b6b5cd8ef9691a17d48ef1b9d4b75c1d673951e08667e0039990eef5ed8ff1ff0ca358a9c4d4ce096a54f01ba2ea830b2a829463c30670beefb69427665d

Download Submit
\Windows\system\WCICPdU.exe
Filesize
5.2MB

MD5
5dcecaabed3bd5df316fb154c9ff0cd4

SHA1
a5fcc89438401f0344a9e8eca78817b81fc74552

SHA256
d545b9e9d7208ecf4693102712509e233d9f078195d533c95459972eb90c1035

SHA512
3361d14229ed9a6d1c2a2f4931d66d9bb5875786b0ae7dc0c9e2cc7a0c348342870a068155dab080a846d5589d2fbf468cdf76db37d69b8a28f1855aaefc6d7f

Download Submit
\Windows\system\eYwKjSA.exe
Filesize
5.2MB

MD5
a174947255e63b3fdc1284ce607f8d44

SHA1
e7db06b387b396f1526261bc5deb1d76d571ae68

SHA256
37e11ad538faf721d5116d763a0fa55ff7a5e32dca27a6e908e556d48d5afd6d

SHA512
e0f205c6603adff62b753cdb55653de6e8c1c34ab00d4e5da7fcbd0c16fb1fdf55c1ec55f0b93fe391f522e0068b22983efbbea8178188165e09f4ebfe4b620a

Download Submit
\Windows\system\hUtWnwB.exe
Filesize
5.2MB

MD5
6e4e850ddb1d12b0e2bf6e188775d04e

SHA1
3d0aebb53f36c2152c2e319de1925b87f8abf508

SHA256
592bdf49312ffc37e876d0367fc73c2baebcefdc7346dcdc423f613c84d1688d

SHA512
2d867e88ea698cac3009d37f0e5c7e0a3fd015c776a908f8e66eb4f4ec74cc7f3ef4440bcbaec4049c2cf7d8ab9018755a434587e767fdd86a3c6d5d3f117e21

Download Submit
\Windows\system\iTSPkoy.exe
Filesize
5.2MB

MD5
365c1e3b5b67b4b64055084de3888916

SHA1
21173a05b6d9012b94399951eb88debf9e91e7b6

SHA256
5b29071e752bb4824c287695365b8d441bfde4093c8bbae0fd133a9a207c1397

SHA512
7322170589491086fe82bd5109182859e00f9f762a3338f6e5d19243445e60fe11023d6b89051a438d8d8d1f1ef8123d30531986f4aee7a918f949bc275a8172

Download Submit
\Windows\system\mowQsUy.exe
Filesize
5.2MB

MD5
2e6775adab4b800fc9f5e2215ef0aeef

SHA1
9f522f81361960718fe1c798f61ac7871f352805

SHA256
1a14197d218fbf20743e6552f3c5160dbd233f58a1e69ed3e2dab360a968d1e0

SHA512
1415492bdf0236fdad71bfac81f1cade048052d0a18769696541e5997bf3ed3f9b9f72e2c631a625649f75a47af8a071e1ec3822a67dd761c0dbfaf14739150e

Download Submit
\Windows\system\qSekdUx.exe
Filesize
5.2MB

MD5
08d0ae45b966461ebf6d281aa411a5d4

SHA1
d62f5855aa2a49af348f5ea27be4f33bacfe03df

SHA256
bd9179b3682654b763d198893bcd3d63ffcdc00f2b529353d037960775e65646

SHA512
105de0de6f64fe0fe8f921361cb8bda4d2d87e55d4eac05cc88421061db2a391cd0af35c19dd2247bf716065b00e0121575218aada167acb23ce63721eba1c32

Download Submit
\Windows\system\vxPAnCD.exe
Filesize
5.2MB

MD5
177cc2495f802b701ce25754981e8a37

SHA1
f5f3e6596dafac437e3d1c91810fe2795b3e8222

SHA256
3ad4b7bcfecd4ea3e7b56eef7384237c799c755b9ffb8f90c063ed6df8de6d78

SHA512
19130885669104c49e8c087706ed1235b36fc44c7d28f43e2655f9bd7d7f33dda13e58f6cfd0353f13787783cd1e9266ecd435b4534a92e330663a4a06242514

Download Submit
\Windows\system\wzMNENY.exe
Filesize
5.2MB

MD5
829cedeb4e3aa40cf2ebd9cee4a68dd6

SHA1
f1c1739debefaf298402bf02ab554538ce82a0d6

SHA256
ca69ea81d457f2728c1df0063997deb48e4447c0ee0c968eb0b41f8d5207f96e

SHA512
8d63832d13e84c537cf2609a66a56ec602609a0deeb0b619433011a82c0e1bb345a32d6f8ee6338a8c8639c06d7a26408f72e01b2e54ee91b5cdd3eefc4d3764

Download Submit
\Windows\system\xCyAelT.exe
Filesize
5.2MB

MD5
dcf872f3df74ce14bd78b1a68571738e

SHA1
1a16d38a2e7abc8aaedc6c6b4eaa48c2abbcce4d

SHA256
dfa482e6d845f8a4fc51af10f8786077f5b38c224ad39eb6e328e53e2287b8dc

SHA512
7c1155636309194fb09144d0b8d3c5c8d527e7cc86c147b42cb32000210a53dbad21fc7888c9ed3d7b126293eddd43b75e210641fecfe0128ffa4dd393082a56

Download Submit
\Windows\system\yioOfpq.exe
Filesize
5.2MB

MD5
5568245fc6cb96ac668635fcc6c14046

SHA1
13837a5f38d8b9eeaaf9b899513a97850b9c7133

SHA256
479bff03a5a96f5a640a7651f5892a21e05f2c3f4bce565311c57a2e8372b401

SHA512
ece6c2a9739fddb87c1f056a113b03c5899e79adbb7e25f9df0c38fd19e9abbe661bfccaa11a651ac3757c4102c85ad0a7203f02b8ddb44df77f221e6bbd7a51

Download Submit
memory/888-162-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/888-77-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/888-250-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/1000-143-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1112-19-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/1112-224-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/1232-70-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1232-248-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1808-55-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/1808-197-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-76-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-56-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/1808-63-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/1808-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1808-119-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-7-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1808-198-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/1808-127-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/1808-128-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-129-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-130-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-69-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1808-196-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-134-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-184-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1808-0-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1808-173-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1808-151-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1808-150-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1808-51-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/1808-135-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-48-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-14-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-141-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1808-87-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1808-144-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-145-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-147-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/1952-146-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2216-139-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-222-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/2256-9-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/2344-266-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/2344-132-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/2356-142-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-123-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-252-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-54-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2488-244-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2504-254-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2504-126-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2508-160-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2508-246-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2508-61-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2564-22-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2564-232-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2564-149-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2568-52-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-240-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2592-241-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2592-156-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2592-44-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2656-236-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2656-155-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2656-35-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2700-267-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2700-131-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2712-53-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2712-242-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2824-133-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download