cobaltstrike | ce17babb4a3b210807c39de42c0e23cb3fca611439f47d9d27012bc6350c1e16

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

32575eaae95a51e89bdc0875ed2b0f37
SHA1

7770cb64cf9db4138a97c654b49fbaebf8574994
SHA256

ce17babb4a3b210807c39de42c0e23cb3fca611439f47d9d27012bc6350c1e16
SHA512

5581742f53ac64d6a059f3021cb8a3f2b53d5d0607818a004b01bf598952ce0feb55d7450e2b4b5504eace59dcafeb0aa163896937beb4a834e32821aa477ec8
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\zeMqeid.exe	cobalt_reflective_dll
C:\Windows\system\jmDodws.exe	cobalt_reflective_dll
C:\Windows\system\EdGzMaJ.exe	cobalt_reflective_dll
C:\Windows\system\KOFmdpi.exe	cobalt_reflective_dll
C:\Windows\system\GHhAtpX.exe	cobalt_reflective_dll
\Windows\system\uYBphBY.exe	cobalt_reflective_dll
C:\Windows\system\yUyvlPl.exe	cobalt_reflective_dll
C:\Windows\system\GLsJPAQ.exe	cobalt_reflective_dll
C:\Windows\system\gUmztkb.exe	cobalt_reflective_dll
\Windows\system\pzjlkZc.exe	cobalt_reflective_dll
C:\Windows\system\FJmNtvO.exe	cobalt_reflective_dll
C:\Windows\system\mmkEhQb.exe	cobalt_reflective_dll
C:\Windows\system\DPLLcSx.exe	cobalt_reflective_dll
C:\Windows\system\IGHtkKL.exe	cobalt_reflective_dll
C:\Windows\system\nklVfUD.exe	cobalt_reflective_dll
C:\Windows\system\LSyeiwO.exe	cobalt_reflective_dll
C:\Windows\system\MwAZLzx.exe	cobalt_reflective_dll
C:\Windows\system\tKHhmfG.exe	cobalt_reflective_dll
C:\Windows\system\VrVDtEA.exe	cobalt_reflective_dll
\Windows\system\gzflWoL.exe	cobalt_reflective_dll
C:\Windows\system\hKdsKAe.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\zeMqeid.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jmDodws.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EdGzMaJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KOFmdpi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GHhAtpX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\uYBphBY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yUyvlPl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GLsJPAQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gUmztkb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\pzjlkZc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FJmNtvO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mmkEhQb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DPLLcSx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IGHtkKL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nklVfUD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LSyeiwO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MwAZLzx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tKHhmfG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VrVDtEA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\gzflWoL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hKdsKAe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1924-0-0x000000013F440000-0x000000013F791000-memory.dmp	UPX
\Windows\system\zeMqeid.exe	UPX
C:\Windows\system\jmDodws.exe	UPX
C:\Windows\system\EdGzMaJ.exe	UPX
C:\Windows\system\KOFmdpi.exe	UPX
behavioral1/memory/2160-11-0x000000013FC10000-0x000000013FF61000-memory.dmp	UPX
C:\Windows\system\GHhAtpX.exe	UPX
\Windows\system\uYBphBY.exe	UPX
C:\Windows\system\yUyvlPl.exe	UPX
C:\Windows\system\GLsJPAQ.exe	UPX
C:\Windows\system\gUmztkb.exe	UPX
\Windows\system\pzjlkZc.exe	UPX
C:\Windows\system\FJmNtvO.exe	UPX
C:\Windows\system\mmkEhQb.exe	UPX
C:\Windows\system\DPLLcSx.exe	UPX
C:\Windows\system\IGHtkKL.exe	UPX
C:\Windows\system\nklVfUD.exe	UPX
C:\Windows\system\LSyeiwO.exe	UPX
C:\Windows\system\MwAZLzx.exe	UPX
behavioral1/memory/2732-104-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
C:\Windows\system\tKHhmfG.exe	UPX
C:\Windows\system\VrVDtEA.exe	UPX
behavioral1/memory/1924-114-0x000000013F440000-0x000000013F791000-memory.dmp	UPX
behavioral1/memory/2160-115-0x000000013FC10000-0x000000013FF61000-memory.dmp	UPX
\Windows\system\gzflWoL.exe	UPX
C:\Windows\system\hKdsKAe.exe	UPX
behavioral1/memory/2604-67-0x000000013FA50000-0x000000013FDA1000-memory.dmp	UPX
behavioral1/memory/2516-40-0x000000013F150000-0x000000013F4A1000-memory.dmp	UPX
behavioral1/memory/2868-118-0x000000013FC90000-0x000000013FFE1000-memory.dmp	UPX
behavioral1/memory/2600-120-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
behavioral1/memory/2444-121-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/2404-123-0x000000013FED0000-0x0000000140221000-memory.dmp	UPX
behavioral1/memory/2456-122-0x000000013F820000-0x000000013FB71000-memory.dmp	UPX
behavioral1/memory/2480-124-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/2928-125-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/memory/1224-127-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/memory/2412-126-0x000000013FC40000-0x000000013FF91000-memory.dmp	UPX
behavioral1/memory/604-129-0x000000013F690000-0x000000013F9E1000-memory.dmp	UPX
behavioral1/memory/476-128-0x000000013F490000-0x000000013F7E1000-memory.dmp	UPX
behavioral1/memory/2596-131-0x000000013F3D0000-0x000000013F721000-memory.dmp	UPX
behavioral1/memory/2668-130-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
behavioral1/memory/2800-133-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2764-132-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/1864-135-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	UPX
behavioral1/memory/2828-134-0x000000013F890000-0x000000013FBE1000-memory.dmp	UPX
behavioral1/memory/1924-137-0x000000013F440000-0x000000013F791000-memory.dmp	UPX
behavioral1/memory/2604-178-0x000000013FA50000-0x000000013FDA1000-memory.dmp	UPX
behavioral1/memory/2160-177-0x000000013FC10000-0x000000013FF61000-memory.dmp	UPX
behavioral1/memory/2732-182-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/2516-181-0x000000013F150000-0x000000013F4A1000-memory.dmp	UPX
behavioral1/memory/2444-191-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/2404-197-0x000000013FED0000-0x0000000140221000-memory.dmp	UPX
behavioral1/memory/2868-201-0x000000013FC90000-0x000000013FFE1000-memory.dmp	UPX
behavioral1/memory/2928-208-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/memory/1224-220-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/memory/2456-222-0x000000013F820000-0x000000013FB71000-memory.dmp	UPX
behavioral1/memory/604-244-0x000000013F690000-0x000000013F9E1000-memory.dmp	UPX
behavioral1/memory/2596-243-0x000000013F3D0000-0x000000013F721000-memory.dmp	UPX
behavioral1/memory/2800-252-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/1864-259-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	UPX
behavioral1/memory/476-262-0x000000013F490000-0x000000013F7E1000-memory.dmp	UPX
behavioral1/memory/2764-264-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/2668-265-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
behavioral1/memory/2828-267-0x000000013F890000-0x000000013FBE1000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2732-104-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/1924-114-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2160-115-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2604-67-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/2516-40-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2868-118-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/2600-120-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2444-121-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2404-123-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/2456-122-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/2480-124-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2928-125-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/1224-127-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/2412-126-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/604-129-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/476-128-0x000000013F490000-0x000000013F7E1000-memory.dmp	xmrig
behavioral1/memory/2596-131-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2668-130-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2800-133-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2764-132-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/1864-135-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	xmrig
behavioral1/memory/2828-134-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/1924-137-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/1924-164-0x00000000023B0000-0x0000000002701000-memory.dmp	xmrig
behavioral1/memory/1924-166-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/1924-168-0x00000000023B0000-0x0000000002701000-memory.dmp	xmrig
behavioral1/memory/2604-178-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/2160-177-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2732-182-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2516-181-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2444-191-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2404-197-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/2868-201-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/2928-208-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/1224-220-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/2456-222-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/604-244-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2596-243-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2800-252-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/1864-259-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	xmrig
behavioral1/memory/476-262-0x000000013F490000-0x000000013F7E1000-memory.dmp	xmrig
behavioral1/memory/2764-264-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2668-265-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2828-267-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/1924-304-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

zeMqeid.exeEdGzMaJ.exejmDodws.exeuYBphBY.exeGHhAtpX.exeKOFmdpi.exeFJmNtvO.exepzjlkZc.exegUmztkb.exeGLsJPAQ.exeyUyvlPl.exehKdsKAe.exeVrVDtEA.exegzflWoL.exetKHhmfG.exeDPLLcSx.exemmkEhQb.exeIGHtkKL.exeMwAZLzx.exeLSyeiwO.exenklVfUD.exe

pid	process
2160	zeMqeid.exe
2516	EdGzMaJ.exe
2604	jmDodws.exe
2868	uYBphBY.exe
2732	GHhAtpX.exe
2444	KOFmdpi.exe
2404	FJmNtvO.exe
2600	pzjlkZc.exe
2928	gUmztkb.exe
1224	GLsJPAQ.exe
2456	yUyvlPl.exe
604	hKdsKAe.exe
2596	VrVDtEA.exe
2480	gzflWoL.exe
2800	tKHhmfG.exe
1864	DPLLcSx.exe
2412	mmkEhQb.exe
476	IGHtkKL.exe
2668	MwAZLzx.exe
2764	LSyeiwO.exe
2828	nklVfUD.exe

Loads dropped DLL 21 IoCs

Processes:

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

pid	process
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1924-0-0x000000013F440000-0x000000013F791000-memory.dmp	upx
\Windows\system\zeMqeid.exe	upx
C:\Windows\system\jmDodws.exe	upx
C:\Windows\system\EdGzMaJ.exe	upx
C:\Windows\system\KOFmdpi.exe	upx
behavioral1/memory/2160-11-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
C:\Windows\system\GHhAtpX.exe	upx
\Windows\system\uYBphBY.exe	upx
C:\Windows\system\yUyvlPl.exe	upx
C:\Windows\system\GLsJPAQ.exe	upx
C:\Windows\system\gUmztkb.exe	upx
\Windows\system\pzjlkZc.exe	upx
C:\Windows\system\FJmNtvO.exe	upx
C:\Windows\system\mmkEhQb.exe	upx
C:\Windows\system\DPLLcSx.exe	upx
C:\Windows\system\IGHtkKL.exe	upx
C:\Windows\system\nklVfUD.exe	upx
C:\Windows\system\LSyeiwO.exe	upx
C:\Windows\system\MwAZLzx.exe	upx
behavioral1/memory/2732-104-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
C:\Windows\system\tKHhmfG.exe	upx
C:\Windows\system\VrVDtEA.exe	upx
behavioral1/memory/1924-114-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2160-115-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
\Windows\system\gzflWoL.exe	upx
C:\Windows\system\hKdsKAe.exe	upx
behavioral1/memory/2604-67-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/2516-40-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/2868-118-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/2600-120-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2444-121-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2404-123-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2456-122-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/memory/2480-124-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2928-125-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/1224-127-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/2412-126-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/604-129-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/476-128-0x000000013F490000-0x000000013F7E1000-memory.dmp	upx
behavioral1/memory/2596-131-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/2668-130-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/2800-133-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2764-132-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/1864-135-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/memory/2828-134-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/1924-137-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2604-178-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/2160-177-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2732-182-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2516-181-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/2444-191-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2404-197-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2868-201-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/2928-208-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/1224-220-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/2456-222-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/memory/604-244-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2596-243-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/2800-252-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/1864-259-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/memory/476-262-0x000000013F490000-0x000000013F7E1000-memory.dmp	upx
behavioral1/memory/2764-264-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2668-265-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/2828-267-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\LSyeiwO.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nklVfUD.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KOFmdpi.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FJmNtvO.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gzflWoL.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mmkEhQb.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IGHtkKL.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GHhAtpX.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tKHhmfG.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VrVDtEA.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DPLLcSx.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EdGzMaJ.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uYBphBY.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pzjlkZc.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hKdsKAe.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MwAZLzx.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zeMqeid.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jmDodws.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yUyvlPl.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gUmztkb.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GLsJPAQ.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1924 wrote to memory of 2160	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	zeMqeid.exe
PID 1924 wrote to memory of 2160	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	zeMqeid.exe
PID 1924 wrote to memory of 2160	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	zeMqeid.exe
PID 1924 wrote to memory of 2516	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	EdGzMaJ.exe
PID 1924 wrote to memory of 2516	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	EdGzMaJ.exe
PID 1924 wrote to memory of 2516	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	EdGzMaJ.exe
PID 1924 wrote to memory of 2604	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	jmDodws.exe
PID 1924 wrote to memory of 2604	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	jmDodws.exe
PID 1924 wrote to memory of 2604	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	jmDodws.exe
PID 1924 wrote to memory of 2868	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	uYBphBY.exe
PID 1924 wrote to memory of 2868	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	uYBphBY.exe
PID 1924 wrote to memory of 2868	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	uYBphBY.exe
PID 1924 wrote to memory of 2732	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	GHhAtpX.exe
PID 1924 wrote to memory of 2732	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	GHhAtpX.exe
PID 1924 wrote to memory of 2732	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	GHhAtpX.exe
PID 1924 wrote to memory of 2600	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	pzjlkZc.exe
PID 1924 wrote to memory of 2600	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	pzjlkZc.exe
PID 1924 wrote to memory of 2600	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	pzjlkZc.exe
PID 1924 wrote to memory of 2444	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	KOFmdpi.exe
PID 1924 wrote to memory of 2444	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	KOFmdpi.exe
PID 1924 wrote to memory of 2444	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	KOFmdpi.exe
PID 1924 wrote to memory of 2456	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	yUyvlPl.exe
PID 1924 wrote to memory of 2456	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	yUyvlPl.exe
PID 1924 wrote to memory of 2456	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	yUyvlPl.exe
PID 1924 wrote to memory of 2404	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	FJmNtvO.exe
PID 1924 wrote to memory of 2404	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	FJmNtvO.exe
PID 1924 wrote to memory of 2404	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	FJmNtvO.exe
PID 1924 wrote to memory of 2480	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gzflWoL.exe
PID 1924 wrote to memory of 2480	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gzflWoL.exe
PID 1924 wrote to memory of 2480	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gzflWoL.exe
PID 1924 wrote to memory of 2928	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gUmztkb.exe
PID 1924 wrote to memory of 2928	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gUmztkb.exe
PID 1924 wrote to memory of 2928	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gUmztkb.exe
PID 1924 wrote to memory of 2412	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	mmkEhQb.exe
PID 1924 wrote to memory of 2412	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	mmkEhQb.exe
PID 1924 wrote to memory of 2412	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	mmkEhQb.exe
PID 1924 wrote to memory of 1224	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	GLsJPAQ.exe
PID 1924 wrote to memory of 1224	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	GLsJPAQ.exe
PID 1924 wrote to memory of 1224	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	GLsJPAQ.exe
PID 1924 wrote to memory of 476	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	IGHtkKL.exe
PID 1924 wrote to memory of 476	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	IGHtkKL.exe
PID 1924 wrote to memory of 476	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	IGHtkKL.exe
PID 1924 wrote to memory of 604	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	hKdsKAe.exe
PID 1924 wrote to memory of 604	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	hKdsKAe.exe
PID 1924 wrote to memory of 604	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	hKdsKAe.exe
PID 1924 wrote to memory of 2668	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	MwAZLzx.exe
PID 1924 wrote to memory of 2668	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	MwAZLzx.exe
PID 1924 wrote to memory of 2668	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	MwAZLzx.exe
PID 1924 wrote to memory of 2596	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	VrVDtEA.exe
PID 1924 wrote to memory of 2596	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	VrVDtEA.exe
PID 1924 wrote to memory of 2596	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	VrVDtEA.exe
PID 1924 wrote to memory of 2764	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	LSyeiwO.exe
PID 1924 wrote to memory of 2764	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	LSyeiwO.exe
PID 1924 wrote to memory of 2764	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	LSyeiwO.exe
PID 1924 wrote to memory of 2800	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	tKHhmfG.exe
PID 1924 wrote to memory of 2800	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	tKHhmfG.exe
PID 1924 wrote to memory of 2800	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	tKHhmfG.exe
PID 1924 wrote to memory of 2828	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	nklVfUD.exe
PID 1924 wrote to memory of 2828	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	nklVfUD.exe
PID 1924 wrote to memory of 2828	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	nklVfUD.exe
PID 1924 wrote to memory of 1864	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	DPLLcSx.exe
PID 1924 wrote to memory of 1864	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	DPLLcSx.exe
PID 1924 wrote to memory of 1864	1924	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	DPLLcSx.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\System\zeMqeid.exe
C:\Windows\System\zeMqeid.exe
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System\EdGzMaJ.exe
C:\Windows\System\EdGzMaJ.exe
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\System\jmDodws.exe
C:\Windows\System\jmDodws.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\uYBphBY.exe
C:\Windows\System\uYBphBY.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\System\GHhAtpX.exe
C:\Windows\System\GHhAtpX.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\pzjlkZc.exe
C:\Windows\System\pzjlkZc.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\KOFmdpi.exe
C:\Windows\System\KOFmdpi.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\yUyvlPl.exe
C:\Windows\System\yUyvlPl.exe
2⤵
- Executes dropped EXE
PID:2456

C:\Windows\System\FJmNtvO.exe
C:\Windows\System\FJmNtvO.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\gzflWoL.exe
C:\Windows\System\gzflWoL.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\gUmztkb.exe
C:\Windows\System\gUmztkb.exe
2⤵
- Executes dropped EXE
PID:2928

C:\Windows\System\mmkEhQb.exe
C:\Windows\System\mmkEhQb.exe
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System\GLsJPAQ.exe
C:\Windows\System\GLsJPAQ.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\System\IGHtkKL.exe
C:\Windows\System\IGHtkKL.exe
2⤵
- Executes dropped EXE
PID:476

C:\Windows\System\hKdsKAe.exe
C:\Windows\System\hKdsKAe.exe
2⤵
- Executes dropped EXE
PID:604

C:\Windows\System\MwAZLzx.exe
C:\Windows\System\MwAZLzx.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\VrVDtEA.exe
C:\Windows\System\VrVDtEA.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\LSyeiwO.exe
C:\Windows\System\LSyeiwO.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\tKHhmfG.exe
C:\Windows\System\tKHhmfG.exe
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\System\nklVfUD.exe
C:\Windows\System\nklVfUD.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\DPLLcSx.exe
C:\Windows\System\DPLLcSx.exe
2⤵
- Executes dropped EXE
PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DPLLcSx.exe
Filesize
5.2MB

MD5
ff4ff1fe820ba75f273280afd0959524

SHA1
40de780ec204deb2fe5dcdc881383b47060e1139

SHA256
92e2f5b0f6ad7e10c3db2734979c1e26642491ccb34f21a2e543d8ab19e5a442

SHA512
59214b27f8fae08408256b39c27d2b2c51b0d75e6ac6eac1e33ae55851e6edf51d5f65da745d467afa37a59bbc4c1d99235952cbbf7e8322a2ff2a57837ea94d

Download Submit
C:\Windows\system\EdGzMaJ.exe
Filesize
5.2MB

MD5
61026012ebdd9bdf5a76ae88e837e6ba

SHA1
484cfafd00c55e7e4cc4b05f0f274856d5d59e15

SHA256
efb201df479405278cf73ccac94a29bd11268564a69252563c55e66db983d1a4

SHA512
6659c9f6223d3c61bde0ff35e7017fd24b85c20a3e3cc9925e3b3f1cc17b54b8985f66af238fb198df8e3b4ec05fa366c91ad75243573583ef6843c6fa4341e1

Download Submit
C:\Windows\system\FJmNtvO.exe
Filesize
5.2MB

MD5
a04d8b17f51df8a1e3ac6fe72ef56df1

SHA1
66fe9e53237a2831c9b87b9fc5f4fa5283079fb3

SHA256
6af67a9fc327400b4c03e61c6672a31638d0896e14e12525eefdc29f399e29f3

SHA512
b783d9ff1cfe753403d3a868d35f86fa496e43dd8243fa868e9078e9b4ce4cf3304961889d178e43832f39bcc9eb2d9285ed5fd7ccb4ca6a93647f3ff9dfa2c9

Download Submit
C:\Windows\system\GHhAtpX.exe
Filesize
5.2MB

MD5
95e22d4d127d5f291bb0987e84bf5eb8

SHA1
d397ce995acb17690e323fc169e3dd66220525a1

SHA256
d7e0940c7520be46023dd2742fa78f1cc6e1e07397fe26b49e4e4839e89b7afd

SHA512
1a18b549bed9c1e9cce946757ad1ff5f667763dbdcb086e7736cce9e9d9d264a80c10fbdea557fc0772c749d413799e5b78353339b88ba534495c5f52bb7531e

Download Submit
C:\Windows\system\GLsJPAQ.exe
Filesize
5.2MB

MD5
d396e66ecab477b98d67d43bb311ad11

SHA1
ad7841e52db1f0e006f2387763b1e9826ff7bafc

SHA256
461adb6f2109881263b1c6159a370ecf04d193c6cf0ac5b49403937057db9da6

SHA512
00baef39eb95fa8de341b715d6463aa2235e9dafb7e54e8ad501b742f6b2004496f1b4ed65d60c26a07011af19c0870f16dae5d9e4b4120ef85208e1a434fc29

Download Submit
C:\Windows\system\IGHtkKL.exe
Filesize
5.2MB

MD5
a4c82bdba51577ce6c6a141f1d1333f0

SHA1
ebfe167c4f7f6fe41b313c8b12bc37c0005fd61f

SHA256
ae048488055ce8268830d6d5f9f06fb102c5af33d939301945b235cfc2c4523e

SHA512
45b9240b533dbbd67f2882e15577b0367dcc735ee7761cbeb962b260d5895ef06f5ba3d825743b5f7a3756e05520a08467d32fa130349e5047093b75e2196b73

Download Submit
C:\Windows\system\KOFmdpi.exe
Filesize
5.2MB

MD5
ed4f0e5bd0f87afc32fc7026b015f48b

SHA1
7a7982640e07cc8a6f7234a14f6b87d03c6e3b52

SHA256
5673f4dac356b7951cb712f6d0b321a3ef58dc32471874e0a742ed315a3d24e5

SHA512
5f0d34b5f79146740bfe1d535d804283cf79e39413cd505b67d478dcd68e4de6b6309251353d9edb5a0d98e6d005f7bd4cbe3bce639c702c055d9b9267f22b2a

Download Submit
C:\Windows\system\LSyeiwO.exe
Filesize
5.2MB

MD5
f405b41a742aa3d88366867e86b69b5c

SHA1
d009f41a0935b2bddd434ee18c6c2e95ae1074a6

SHA256
6ad80954d8ec96bf21760f48917353eda744bfa596b3b32b2a443206d7b6b9b8

SHA512
799e52792d4d65b4d1dfaded2bc3da38db039a6747526ed840c3216a34d01ccb715bbb396da2c315c2106705354a3f01100a9194f7237a22ba0fa0f95b7597f6

Download Submit
C:\Windows\system\MwAZLzx.exe
Filesize
5.2MB

MD5
0876a00079f10bd6810dc56d41f4e48b

SHA1
d766000db8d62fd39f59e7d0ba18980358186b91

SHA256
69cac70cff6f15259fb090575133af999dd2c57eaf036d71352c6d304c4c001d

SHA512
da65a893f9d805f498de46239a69c7f0346a6d1e72f24d3522501952a6e4503ec832cd5812a6248a96e629eeae5d5c0f7acc70587673f67457d1c9b4e27e2cd3

Download Submit
C:\Windows\system\VrVDtEA.exe
Filesize
5.2MB

MD5
1ee08e13c87217e5b2e32fcc19a61b7e

SHA1
d9d9f83b7e9a1fef27418b61e8839de52cce9bf5

SHA256
9615e95a71786ee4aab4cc0fcc68e64604a1242249d2be141f66bbfc7e4296a2

SHA512
da5dca46f31c0c260dcc4f4ea07c3fb7340b5b252a80170cfd0a4f0cf224cf01885dfe8d00c4dd768a5d1093094d2690f7709654331a7511cf00c70314eb3526

Download Submit
C:\Windows\system\gUmztkb.exe
Filesize
5.2MB

MD5
5931e9190b7406ddbe547200306961e5

SHA1
c7fe66ec4101a098acb9b173984783d11216a563

SHA256
163c7c9383fbf588124e673bec6f0659b7a501dacc4aab1336333fd8414a7e76

SHA512
6a47e2d6a0c74eb097d9b5ebf69cc5e1f58dccbcb4374a634c799c0b1f81a49346fc939b000455fe9142a0aa5133bd21543b993de310e3b76d2a3f49709da3af

Download Submit
C:\Windows\system\hKdsKAe.exe
Filesize
5.2MB

MD5
d6898aff007c65b19ab1f36e50ba13ef

SHA1
27f2175689a8532968ef80236dcf5fc893dff441

SHA256
78cefad790490813fc0215ab7cb94514516edab7f8a81202da81fd3ba0f4ff75

SHA512
75090e94be0845e3c883d8da8c479ab6384e7c2ab809729c483b8d21a340a352b1c19f3784b9c84e8912336a4cd4edbb31244b6204d99d57c1eb3ca9adfff404

Download Submit
C:\Windows\system\jmDodws.exe
Filesize
5.2MB

MD5
f08818bc813c6536cc67cd3388ac3d64

SHA1
7955da85ffb88d2703d6195c48e142e4b342fc37

SHA256
2652b5f061bba32c34cbbbc9a968b69b8995b3c7f705a570d7ed2c126ceaf569

SHA512
878177efc40012c3b1a84396292c2f8ba3c5fee32fe87db4717a70db48848df5c738078ed18e95beb42cab414f7e7b4416f58fef407b94a234ffc8bdbc0c6b34

Download Submit
C:\Windows\system\mmkEhQb.exe
Filesize
5.2MB

MD5
94ea3ff0c267bd069b97b2618065ee98

SHA1
9c8d58ad0bb6b3b3479c2c1c0c42439a7977250c

SHA256
adf0f16486ed464bbd940514514ab7da7474b05eb56f3e6b4bf4d53ff1a199a8

SHA512
b404f9e3f8bf3d68baa7af6b9bf90053b2ce115ee0e864532a720ad0973f23d7032db0b7430e847250402af3de5f4e18d2f3b4ef451d89497fde9cf067cd7b94

Download Submit
C:\Windows\system\nklVfUD.exe
Filesize
5.2MB

MD5
d21fcf72fe31b900e4234d6dd8f61d30

SHA1
479038bbaefbb0b6060b55ed3ac4baa2e63675ad

SHA256
80e7c6b5ee1b6c81b9978825f36f950b74f7076bf6b14c3ec83b1e47ffc17ab9

SHA512
06396daf6b4bb84bcd370823a0150076e82a96997c6e0721b3868894b02278f6b717e4dfe1ee50c865f21cca6e8a55c454fee18448762d7921b6210d15220766

Download Submit
C:\Windows\system\tKHhmfG.exe
Filesize
5.2MB

MD5
ffc5d2da53901e725900d1252d3a1e23

SHA1
b47f68b7d3ae9fd1efccc32885ea46010dd652e9

SHA256
d26367a819b7820677fc4b29d38b6e8732751faafb5758803caf5cd49a5bdd4e

SHA512
80ccc2c955adc1ca0f61750ef4bd31bcd43a0aaf71574343cf58c8daa1ba2820055af675c4064ee883509969293e4abc921af1a2ec57390803efa85133ce4729

Download Submit
C:\Windows\system\yUyvlPl.exe
Filesize
5.2MB

MD5
335d9709884bae5f73e76f38c7f2f23e

SHA1
9867fd83004d2d5010976db3e78e2de7a2bd1349

SHA256
0092345abced860422ea11556c434cdb8fb9d7b9413d0caa1f825cc587b02498

SHA512
30f36e9fc4f5e04225361eb1cafbac9d410cdc4a6e667818774f3066cfdbb87fcf8f6da2f8768d769aa9fc15b3346e37486e1160ee5c8aca389fbfe583970ebf

Download Submit
\Windows\system\gzflWoL.exe
Filesize
5.2MB

MD5
c732095173f68ffa1c84a999fdc7a9b9

SHA1
9a373d14d698d2c39002f73f0ead2dc82f8c5dd9

SHA256
71bb4924d39c6dbf972c040cda423f243b0387f8ba755d3c7a4964940d23e541

SHA512
eb819ddcc449fdc76c28c862f6395d35b08403c2efa5aebe8e626fcdbe15aee11dcd70ef0f361914f4e7e14e709748892d9aa685c5281b000c1666cca1bcbd47

Download Submit
\Windows\system\pzjlkZc.exe
Filesize
5.2MB

MD5
e0e98ce51c46a6f3e71b7ce6f2159a9e

SHA1
5ee4ba6f8d870edd928cbbf0cf30468e17e23502

SHA256
3f97fd8be12de805062eb1b7a99ac2702af3671c82f953bbdec0028711e49b47

SHA512
b247859c98f83d56a4bba22913040222e07a8d57cd0da8fdc4ffc8fc2bb4ebfb22648ee42c8361bab9e8d669c5eca8cbed63d312808a2c6287db8a852d3b5d09

Download Submit
\Windows\system\uYBphBY.exe
Filesize
5.2MB

MD5
b8f85400b8752729df0c74806025be57

SHA1
a1f6fad35f71533299faf10b39a1bb25d5b0cec9

SHA256
a0b75618e64f8ae71b7137b91bde7d6223284c2b97970e9be323ae672cece845

SHA512
67197f01f7dbb25a43eb64fb7f8bffaa72342889c2522af6d88709609c2893a8087aa4295f84d9896407e369310ea76471942d14ad622351479cd5bc838508b7

Download Submit
\Windows\system\zeMqeid.exe
Filesize
5.2MB

MD5
111d3d36f57e6e8b8651a5fdf008efd5

SHA1
5a6498d87975c4ade8748f9725ddc6a24bebabb3

SHA256
cafdd8e3568c5c49eb4950cbcd966d2d82232c714c5f3c2d76b84ece9b9dadcd

SHA512
4588bcf755a113eaa2bba507cf7f2c7997c9afc5d85955d68a9501b29bb93411e64e87afd2e0cda80be80ef65c2591c0198585a2985c1599253eb14def19275f

Download Submit
memory/476-128-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/476-262-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/604-129-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/604-244-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-127-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/1224-220-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/1864-135-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-259-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-160-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/1924-304-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1924-23-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-168-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/1924-71-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1924-164-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/1924-154-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/1924-113-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/1924-151-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/1924-137-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1924-155-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/1924-153-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/1924-0-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1924-308-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1924-166-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/1924-169-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/1924-114-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1924-157-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/1924-159-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-136-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2160-177-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2160-115-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2160-11-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2404-197-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2404-123-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2412-126-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2444-121-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2444-191-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2456-222-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2456-122-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2480-124-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-40-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-181-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-243-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2596-131-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2600-120-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-67-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-178-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2668-265-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2668-130-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2732-182-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2732-104-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2764-264-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2764-132-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2800-252-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2800-133-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2828-134-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-267-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-118-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-201-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-208-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/2928-125-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download