cobaltstrike | 9d6244b114f9c3f39d73fc9f71c816ddfa17c5aaaca76ca4fbd3483766eb57a6

Analysis

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

5af509b12a42931dbb3a470a1184d1ed
SHA1

8bcef0a1c2bf59af44f06b1ad7b02f237d74fde1
SHA256

9d6244b114f9c3f39d73fc9f71c816ddfa17c5aaaca76ca4fbd3483766eb57a6
SHA512

1e6129500e92d5de1510804e375b5595083e9a74bd3a42da1e75933d6c0b308067d0d50f472132c59aca82385b953e25b09896a0b64875f8915a53defa79205c
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lU7:E+b56utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00090000000155ed-3.dat	cobalt_reflective_dll
behavioral1/files/0x000c0000000155f7-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cb6-20.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015c6b-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cce-26.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000015cee-35.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000015cf6-42.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d07-53.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015c78-57.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d0f-63.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d1a-72.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d27-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016176-104.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000160af-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016448-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f7a-120.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015df1-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016287-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f01-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d31-102.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d98-89.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x00090000000155ed-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000c0000000155f7-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cb6-20.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015c6b-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cce-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000015cee-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000015cf6-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015d07-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015c78-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d0f-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d1a-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d27-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016176-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000160af-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016448-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f7a-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015df1-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016287-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f01-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d31-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d98-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2232-1-0x000000013F060000-0x000000013F3B4000-memory.dmp	UPX
behavioral1/files/0x00090000000155ed-3.dat	UPX
behavioral1/files/0x000c0000000155f7-10.dat	UPX
behavioral1/files/0x0007000000015cb6-20.dat	UPX
behavioral1/memory/2396-24-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/2388-25-0x000000013FAF0000-0x000000013FE44000-memory.dmp	UPX
behavioral1/files/0x0008000000015c6b-22.dat	UPX
behavioral1/files/0x0007000000015cce-26.dat	UPX
behavioral1/memory/2620-32-0x000000013F870000-0x000000013FBC4000-memory.dmp	UPX
behavioral1/memory/2580-33-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/files/0x000a000000015cee-35.dat	UPX
behavioral1/memory/2624-40-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/memory/2740-41-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/files/0x000a000000015cf6-42.dat	UPX
behavioral1/memory/2636-47-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/files/0x0009000000015d07-53.dat	UPX
behavioral1/memory/2468-56-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/files/0x0008000000015c78-57.dat	UPX
behavioral1/memory/2592-62-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d0f-63.dat	UPX
behavioral1/files/0x0007000000015d1a-72.dat	UPX
behavioral1/files/0x0007000000015d27-78.dat	UPX
behavioral1/files/0x0006000000016176-104.dat	UPX
behavioral1/files/0x00060000000160af-114.dat	UPX
behavioral1/memory/1900-125-0x000000013F2F0000-0x000000013F644000-memory.dmp	UPX
behavioral1/files/0x0006000000016448-111.dat	UPX
behavioral1/memory/2832-130-0x000000013F070000-0x000000013F3C4000-memory.dmp	UPX
behavioral1/memory/2192-134-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/2840-135-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/1904-136-0x000000013FB50000-0x000000013FEA4000-memory.dmp	UPX
behavioral1/memory/1588-137-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
behavioral1/memory/2232-138-0x000000013F060000-0x000000013F3B4000-memory.dmp	UPX
behavioral1/memory/2448-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2560-142-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
behavioral1/memory/1700-133-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/files/0x0006000000015f7a-120.dat	UPX
behavioral1/files/0x0006000000015df1-117.dat	UPX
behavioral1/files/0x0006000000016287-115.dat	UPX
behavioral1/files/0x0006000000015f01-113.dat	UPX
behavioral1/files/0x0006000000015d31-102.dat	UPX
behavioral1/memory/2360-90-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/files/0x0006000000015d98-89.dat	UPX
behavioral1/memory/2980-81-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2996-77-0x000000013F400000-0x000000013F754000-memory.dmp	UPX
behavioral1/memory/2396-143-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/2636-144-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2592-145-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2996-146-0x000000013F400000-0x000000013F754000-memory.dmp	UPX
behavioral1/memory/2832-148-0x000000013F070000-0x000000013F3C4000-memory.dmp	UPX
behavioral1/memory/1904-149-0x000000013FB50000-0x000000013FEA4000-memory.dmp	UPX
behavioral1/memory/1588-150-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
behavioral1/memory/2448-152-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2388-153-0x000000013FAF0000-0x000000013FE44000-memory.dmp	UPX
behavioral1/memory/2396-155-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/2620-154-0x000000013F870000-0x000000013FBC4000-memory.dmp	UPX
behavioral1/memory/2580-156-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/memory/2624-157-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/memory/2740-158-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2636-159-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2468-160-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/memory/2592-161-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2980-162-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2996-164-0x000000013F400000-0x000000013F754000-memory.dmp	UPX
behavioral1/memory/2360-163-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2232-1-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/files/0x00090000000155ed-3.dat	xmrig
behavioral1/files/0x000c0000000155f7-10.dat	xmrig
behavioral1/files/0x0007000000015cb6-20.dat	xmrig
behavioral1/memory/2396-24-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2388-25-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/files/0x0008000000015c6b-22.dat	xmrig
behavioral1/files/0x0007000000015cce-26.dat	xmrig
behavioral1/memory/2620-32-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/memory/2580-33-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/files/0x000a000000015cee-35.dat	xmrig
behavioral1/memory/2624-40-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/memory/2740-41-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2232-34-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/files/0x000a000000015cf6-42.dat	xmrig
behavioral1/memory/2636-47-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2232-45-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/files/0x0009000000015d07-53.dat	xmrig
behavioral1/memory/2468-56-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/files/0x0008000000015c78-57.dat	xmrig
behavioral1/memory/2592-62-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d0f-63.dat	xmrig
behavioral1/files/0x0007000000015d1a-72.dat	xmrig
behavioral1/files/0x0007000000015d27-78.dat	xmrig
behavioral1/files/0x0006000000016176-104.dat	xmrig
behavioral1/files/0x00060000000160af-114.dat	xmrig
behavioral1/memory/1900-125-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/files/0x0006000000016448-111.dat	xmrig
behavioral1/memory/2832-130-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2192-134-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2840-135-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/1904-136-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/1588-137-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/2232-138-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2232-140-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/2448-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2560-142-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/1700-133-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/files/0x0006000000015f7a-120.dat	xmrig
behavioral1/files/0x0006000000015df1-117.dat	xmrig
behavioral1/files/0x0006000000016287-115.dat	xmrig
behavioral1/files/0x0006000000015f01-113.dat	xmrig
behavioral1/files/0x0006000000015d31-102.dat	xmrig
behavioral1/memory/2360-90-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d98-89.dat	xmrig
behavioral1/memory/2980-81-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2996-77-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2396-143-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2636-144-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2592-145-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2996-146-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2832-148-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/1904-149-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/1588-150-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/2448-152-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2388-153-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/2396-155-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2620-154-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/memory/2580-156-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2624-157-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/memory/2740-158-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2636-159-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2468-160-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/2592-161-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2396	GtKgNjs.exe
2388	qhkkZOc.exe
2620	pklkDjQ.exe
2580	gwnsVxC.exe
2624	xfEsuSS.exe
2740	ptXysWf.exe
2636	fpAdXEs.exe
2468	cZVSHJn.exe
2592	oGSJqyL.exe
2980	hUuwdLT.exe
2996	lYZjVEK.exe
2360	JGzAdVi.exe
1900	tIWvNsF.exe
2832	UILkDAa.exe
1700	wymrYCF.exe
2192	AqBDoUt.exe
2840	DurjFyp.exe
1904	BOgLWtY.exe
1588	BSzlrHW.exe
2448	fqpjTcp.exe
2560	sZIzcsO.exe

Loads dropped DLL 21 IoCs

pid	Process
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-1-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/files/0x00090000000155ed-3.dat	upx
behavioral1/files/0x000c0000000155f7-10.dat	upx
behavioral1/files/0x0007000000015cb6-20.dat	upx
behavioral1/memory/2396-24-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2388-25-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/files/0x0008000000015c6b-22.dat	upx
behavioral1/files/0x0007000000015cce-26.dat	upx
behavioral1/memory/2620-32-0x000000013F870000-0x000000013FBC4000-memory.dmp	upx
behavioral1/memory/2580-33-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/files/0x000a000000015cee-35.dat	upx
behavioral1/memory/2624-40-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/memory/2740-41-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/files/0x000a000000015cf6-42.dat	upx
behavioral1/memory/2636-47-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/files/0x0009000000015d07-53.dat	upx
behavioral1/memory/2468-56-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/files/0x0008000000015c78-57.dat	upx
behavioral1/memory/2592-62-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/files/0x0007000000015d0f-63.dat	upx
behavioral1/files/0x0007000000015d1a-72.dat	upx
behavioral1/files/0x0007000000015d27-78.dat	upx
behavioral1/files/0x0006000000016176-104.dat	upx
behavioral1/files/0x00060000000160af-114.dat	upx
behavioral1/memory/1900-125-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/files/0x0006000000016448-111.dat	upx
behavioral1/memory/2832-130-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2192-134-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2840-135-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/1904-136-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/memory/1588-137-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/2232-138-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2448-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2560-142-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/1700-133-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/files/0x0006000000015f7a-120.dat	upx
behavioral1/files/0x0006000000015df1-117.dat	upx
behavioral1/files/0x0006000000016287-115.dat	upx
behavioral1/files/0x0006000000015f01-113.dat	upx
behavioral1/files/0x0006000000015d31-102.dat	upx
behavioral1/memory/2360-90-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/files/0x0006000000015d98-89.dat	upx
behavioral1/memory/2980-81-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2996-77-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2396-143-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2636-144-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2592-145-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2996-146-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2832-148-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/1904-149-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/memory/1588-150-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/2448-152-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2388-153-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/memory/2396-155-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2620-154-0x000000013F870000-0x000000013FBC4000-memory.dmp	upx
behavioral1/memory/2580-156-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2624-157-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/memory/2740-158-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2636-159-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2468-160-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/2592-161-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2980-162-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2996-164-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2360-163-0x000000013FD00000-0x0000000140054000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qhkkZOc.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gwnsVxC.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xfEsuSS.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fpAdXEs.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UILkDAa.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tIWvNsF.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BSzlrHW.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fqpjTcp.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pklkDjQ.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oGSJqyL.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lYZjVEK.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AqBDoUt.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sZIzcsO.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DurjFyp.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GtKgNjs.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ptXysWf.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cZVSHJn.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hUuwdLT.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JGzAdVi.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BOgLWtY.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wymrYCF.exe	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2396	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	29
PID 2232 wrote to memory of 2396	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	29
PID 2232 wrote to memory of 2396	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	29
PID 2232 wrote to memory of 2388	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	30
PID 2232 wrote to memory of 2388	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	30
PID 2232 wrote to memory of 2388	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	30
PID 2232 wrote to memory of 2580	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	31
PID 2232 wrote to memory of 2580	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	31
PID 2232 wrote to memory of 2580	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	31
PID 2232 wrote to memory of 2620	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	32
PID 2232 wrote to memory of 2620	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	32
PID 2232 wrote to memory of 2620	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	32
PID 2232 wrote to memory of 2624	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	33
PID 2232 wrote to memory of 2624	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	33
PID 2232 wrote to memory of 2624	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	33
PID 2232 wrote to memory of 2740	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	34
PID 2232 wrote to memory of 2740	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	34
PID 2232 wrote to memory of 2740	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	34
PID 2232 wrote to memory of 2636	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	35
PID 2232 wrote to memory of 2636	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	35
PID 2232 wrote to memory of 2636	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	35
PID 2232 wrote to memory of 2468	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	36
PID 2232 wrote to memory of 2468	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	36
PID 2232 wrote to memory of 2468	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	36
PID 2232 wrote to memory of 2592	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	37
PID 2232 wrote to memory of 2592	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	37
PID 2232 wrote to memory of 2592	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	37
PID 2232 wrote to memory of 2980	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	38
PID 2232 wrote to memory of 2980	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	38
PID 2232 wrote to memory of 2980	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	38
PID 2232 wrote to memory of 2996	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	39
PID 2232 wrote to memory of 2996	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	39
PID 2232 wrote to memory of 2996	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	39
PID 2232 wrote to memory of 2360	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	40
PID 2232 wrote to memory of 2360	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	40
PID 2232 wrote to memory of 2360	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	40
PID 2232 wrote to memory of 2832	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	41
PID 2232 wrote to memory of 2832	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	41
PID 2232 wrote to memory of 2832	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	41
PID 2232 wrote to memory of 1900	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	42
PID 2232 wrote to memory of 1900	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	42
PID 2232 wrote to memory of 1900	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	42
PID 2232 wrote to memory of 1904	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	43
PID 2232 wrote to memory of 1904	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	43
PID 2232 wrote to memory of 1904	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	43
PID 2232 wrote to memory of 1700	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	44
PID 2232 wrote to memory of 1700	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	44
PID 2232 wrote to memory of 1700	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	44
PID 2232 wrote to memory of 1588	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	45
PID 2232 wrote to memory of 1588	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	45
PID 2232 wrote to memory of 1588	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	45
PID 2232 wrote to memory of 2192	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	46
PID 2232 wrote to memory of 2192	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	46
PID 2232 wrote to memory of 2192	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	46
PID 2232 wrote to memory of 2448	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	47
PID 2232 wrote to memory of 2448	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	47
PID 2232 wrote to memory of 2448	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	47
PID 2232 wrote to memory of 2840	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	48
PID 2232 wrote to memory of 2840	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	48
PID 2232 wrote to memory of 2840	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	48
PID 2232 wrote to memory of 2560	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	49
PID 2232 wrote to memory of 2560	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	49
PID 2232 wrote to memory of 2560	2232	2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_5af509b12a42931dbb3a470a1184d1ed_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System\GtKgNjs.exe
  C:\Windows\System\GtKgNjs.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\qhkkZOc.exe
  C:\Windows\System\qhkkZOc.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\gwnsVxC.exe
  C:\Windows\System\gwnsVxC.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\pklkDjQ.exe
  C:\Windows\System\pklkDjQ.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\xfEsuSS.exe
  C:\Windows\System\xfEsuSS.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\ptXysWf.exe
  C:\Windows\System\ptXysWf.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\fpAdXEs.exe
  C:\Windows\System\fpAdXEs.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\cZVSHJn.exe
  C:\Windows\System\cZVSHJn.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\oGSJqyL.exe
  C:\Windows\System\oGSJqyL.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\hUuwdLT.exe
  C:\Windows\System\hUuwdLT.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\lYZjVEK.exe
  C:\Windows\System\lYZjVEK.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\JGzAdVi.exe
  C:\Windows\System\JGzAdVi.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\UILkDAa.exe
  C:\Windows\System\UILkDAa.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\tIWvNsF.exe
  C:\Windows\System\tIWvNsF.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\BOgLWtY.exe
  C:\Windows\System\BOgLWtY.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\wymrYCF.exe
  C:\Windows\System\wymrYCF.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\BSzlrHW.exe
  C:\Windows\System\BSzlrHW.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\AqBDoUt.exe
  C:\Windows\System\AqBDoUt.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\fqpjTcp.exe
  C:\Windows\System\fqpjTcp.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\DurjFyp.exe
  C:\Windows\System\DurjFyp.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\sZIzcsO.exe
  C:\Windows\System\sZIzcsO.exe
  2⤵
  - Executes dropped EXE
  PID:2560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AqBDoUt.exe

Filesize
5.9MB

MD5
92a479ff6d505fa1d7b14604f9fa1105

SHA1
187f6a8fa7401b7ae2268c2954c8ceee20a16e01

SHA256
7972ae52f2f7941f1a6469b6e51931b83abcc271d00c6e54aac3dbc681657031

SHA512
cfe8b58c9e8bc4b02b8aac3262f4f86c0f2f890b7097162238d6eed6d3db2e27b15c282fb9de66945546e2bf461657452afbeafd098d5cd58e01f6c7673eeebf

Download Submit
C:\Windows\system\BOgLWtY.exe

Filesize
5.9MB

MD5
014f58f3679a6ab18d8a0cd5d4ca13d5

SHA1
7cd277a117f786d3baa432185f421ae9d37dee51

SHA256
04becbf33d2eb245184628c78324c06145daf3976479c41ef8341f1fa0f4f4a8

SHA512
b797a0601ef995120761700fd6ea9306d6110bfb6eeb01a047c8a488627c1ac58cd7e69209c6e5343f2f7f570d72d77ba060f9a1973db150b97d0445bf3b5b13

Download Submit
C:\Windows\system\BSzlrHW.exe

Filesize
5.9MB

MD5
f3b0a20ba57ae2cfca7710672e276eaa

SHA1
d81d3e9f4b39d25cb61ac2daf03b0faf5752c3b1

SHA256
e3b5414eb664ecb666976017c6aa6bc4af2a0ee4b9d9534aba7e5c2acaede57d

SHA512
42f34a8e046e687a4fd3cec478f6448fac18de825460fc69d7f53660cfb54ea33f85f85b1336a60254e47a55214ac6fa8d83e38f10e02a5d76603ca2e34dcc65

Download Submit
C:\Windows\system\DurjFyp.exe

Filesize
5.9MB

MD5
427f1860c0643dfeb354f08630353c91

SHA1
ae3c080eabce5cbc1393ff8de86f1b088e5e0a05

SHA256
8a1b1e4ccce3c2a3a7b120e5cfe141c01638fa8a862875fabf6b9561b641fd6a

SHA512
9c7c52aaa8cf86bd377934166576f9e92668cc0b8eac95e2ce444ebd340d959b2eabea4f26520f0a17eb900e2dc2f36de0a9d26ac67b957257a874e235fb05c9

Download Submit
C:\Windows\system\JGzAdVi.exe

Filesize
5.9MB

MD5
a0343482d8cdd8c5827a9d37aa3c96b9

SHA1
081222f12472a8ff6384ed6441e11103ca16a40f

SHA256
274a2700f939e7124bcfbacfbd826839e278fa7a71d751ae69a4ae14d98934fc

SHA512
e526102c4594ca373a3ae27cf71433d327d1f8216b34bf2a63513b33461015816e353a0ae5b68c7950905f616a024a2a1af7c9b55dfe2f063e94d49f5aab18a8

Download Submit
C:\Windows\system\UILkDAa.exe

Filesize
5.9MB

MD5
4d06469474aa55820e5c701c3e838000

SHA1
0d6493a926b89acbccc1b37071ef7344bc8ef5cd

SHA256
040862fb6816a07c84948e886986801fb0b793da97cd68b5901afcc58114ba00

SHA512
a181719bb2e43b0ca1e9849263f8befd2e707d5a95bce9751ba236ef92b8a655d867d618f3a4e797261570f9510076ab5c4065712cb5d7ae8a7558a5010b6d43

Download Submit
C:\Windows\system\cZVSHJn.exe

Filesize
5.9MB

MD5
195e2eb664edcf0c636574e9e3ccc8be

SHA1
5b634ce41611a181c13ea0db4fb738c1bded3b01

SHA256
74f40858672dd6f74f13d9366bc1a465412853a22fc231c4685a4ca0398e4314

SHA512
82162f98c2eba39814199075c1eb886525eb94d242da630b4de7e5316ff34c5f71b88f903f87b4932d28ffd068e465ac491c406bbb020b095f544af183c576d6

Download Submit
C:\Windows\system\gwnsVxC.exe

Filesize
5.9MB

MD5
55b1d40e383299c0b35f7cf8a159e622

SHA1
72208d20e2a9054cd66b4c2f5d5699bd9047b6ad

SHA256
3f30bd3f5612279771d0df4fd9df561f926ed9de4753a5807c7f46ffb12e01a1

SHA512
79f6dd02056901d7b4a45c3a844bd22dc50905916100402095704f62c515ae2eb883441acd9829148cd6c9dba86265176ebd9f476d353f47db544f1050554c1c

Download Submit
C:\Windows\system\lYZjVEK.exe

Filesize
5.9MB

MD5
82116671374feaea108ecd77d77ab78f

SHA1
713963ca0b1736f5e707190f2d3232887e53ed1d

SHA256
758f0590f2cc17a1c1f0134b450d8821af11c0a6dd505b2ba8cde3dbcd340616

SHA512
fb1927029769aa6f54c8d74f501d61cb1acc2672b546b00524eac4e65a9631600763e9dfa9b3c32068ccf7da6e5fed208580e94a3361eed60c99edc9f4022789

Download Submit
C:\Windows\system\pklkDjQ.exe

Filesize
5.9MB

MD5
3ca88b4dcfb28d423e0d1a28e6315e35

SHA1
b2262d67ec1261dd84081ee29b51fd0f69333350

SHA256
003fe8415e353407ac55471fa84be853be6738a60af7013575a069c736a80569

SHA512
353ac86bb0edaf5b25c9c161e2956bf7db20bef0781c09c8d436d362de498ad8624a0fd664dd3a07d2196aae6bc6fe0f1d61072f4885539b887408902e26ce47

Download Submit
C:\Windows\system\qhkkZOc.exe

Filesize
5.9MB

MD5
e121163c520ed9433811bc0edc6377ed

SHA1
e4d170997bc286f19e659419845087690429b4c2

SHA256
0c8f57556022692f2d78b4569583d537fcd17ce0c7e6a990559c5e0c129ddc12

SHA512
444a45a12e41194599668be3269cc76bc2eab092237d1c8b75d0e15afcb9febe6654647a2291a665d71e99e2e67bbfd518cbdbcf04e3ba3905e561cec3b807f5

Download Submit
C:\Windows\system\tIWvNsF.exe

Filesize
5.9MB

MD5
84d9eef1d1ae475f2143d4a0b58deb90

SHA1
38ab00d525ecfda792388a9592103133e7f83a41

SHA256
b02dd883f598ce2903e375a16eeae5a08100b9d16c703cb38937569e8ec2e5bd

SHA512
c4e40315975b5a698be2de3ec2d7d3440b7c6ce499e89d96c06408e4dae10e1d8455afd0e351d834f4a1ee34870a61f88ea466e988d94a608ff8da2050fb718e

Download Submit
C:\Windows\system\wymrYCF.exe

Filesize
5.9MB

MD5
9ed811f0ea5113bb7954ccd557afd94b

SHA1
a319a5ea97c0a4fe715599aeecdd5285e80aa9f6

SHA256
64f38120765029bbe1a8ee64bc578083ff303412d120975b0d077a77d398693a

SHA512
2ad4f41d8bdfc8b94a000f94a0204d7319d148b2b3bf3a47727a8a585946362834507adefff13619a902736bcacf6d9f8a54a03382188591728814a7429cdd92

Download Submit
\Windows\system\GtKgNjs.exe

Filesize
5.9MB

MD5
5de8594ba2373b5e00bfc9df601b3cc0

SHA1
1500ca4c2d9959e8d1104fe81da77c908b83199d

SHA256
bceefa66cda74760cc4e2d1d32ade9761b847190401ee287d2228a95c9fc6c02

SHA512
2c21a9d872768f1358e215cee988f89de8aade9dd14b05644ef515a52fb6eba82a012bd682029e02cb66f14028c5a2b0df234b79c4201fc9e245e62d086c6442

Download Submit
\Windows\system\fpAdXEs.exe

Filesize
5.9MB

MD5
cb38dc65d7a376c4e70c82a4bc0c143d

SHA1
88b9cffeaa7dbaa1c33e4252f98f3185c40862a2

SHA256
2ed59ceb1341d50c0ed7b958e3b49769c5b249fc0cefdf74d44d9b0c0359140c

SHA512
b85c3010e4a6de898222749dbc4e9e5ab5013dd4ef994d05ad3b78fc4bac5117f5e053bdff3734d88454fe3bc3285d1c07638b5298ed9409c32e8f84d1c2c429

Download Submit
\Windows\system\fqpjTcp.exe

Filesize
5.9MB

MD5
f03ed83e379fc5b62ecf0a177e92b82f

SHA1
7409f9133cdd1e0b720399be4cd9f3c905d914b3

SHA256
21271c54b86a76ea283e3681ddc446447d32baa9563ffef4301dddc7636ebb3e

SHA512
a86a14d6669c33e9b833334f1c1ed9f224ab6ce0cedf7914a64c7b42e85419412d42d58b3efafaff626df4f1427cd7ae82973e329c13970c82fc8c3d4d32bfc0

Download Submit
\Windows\system\hUuwdLT.exe

Filesize
5.9MB

MD5
96ede509eb808090536ef160ce9fcdd6

SHA1
d9d2eca7066700eb35f9e743112c94016385320c

SHA256
e95c95d9b2ae3d2ac1a61c8f96ca9d1bae87c063fe378b87f3413769b31d7dcb

SHA512
79eca7e6bad28cf8887fe1956d2590ab32f5198712f14b0270c1bea67c8f240597ac74f24873d20f012aa31051653ff52d5dd269e203fcb7448c9fd37566e56f

Download Submit
\Windows\system\oGSJqyL.exe

Filesize
5.9MB

MD5
64db234b380f63aeed822feb7fbc1709

SHA1
1915699512d250298863a373df1d96999f054901

SHA256
e683d25bc29cffd9cc4a690c1abd86cbc7e722869e84440f57b2bb15382d052f

SHA512
609491268f2a885d77046550e7926f45d5a461a3ad0dde631832127e1cd7ad05f1a47f630c5f6b28c0ee8cf05d15bd239f25f0a3f136505a3021be07a4130487

Download Submit
\Windows\system\ptXysWf.exe

Filesize
5.9MB

MD5
e6d3fd28f335dcb12b82b72821de1853

SHA1
23cf59b967a0878c54c8036d75a2d97df2f5e1ad

SHA256
a06a307a883a90087224a41126dcbfa472309c4fdb697b4ec13175fde417ff35

SHA512
237ef4b6eb830ff2fc621307533ce106c4554393014a046c19cef18eb14c9f3154393b7c11e92f4b1a457cbc113cf40ffa2cba1921754af59ce91883902a2d8a

Download Submit
\Windows\system\sZIzcsO.exe

Filesize
5.9MB

MD5
0a42ab2aae3691b2f6bfc965bb366543

SHA1
0c4d03524de2f24c27333b2dbfe793c07546148d

SHA256
e79c322311d351eaf2d6e24c8c98e39d348f02b0ea40773aa766def44225cfcb

SHA512
ca5876458f23cc28ec4dc8af3088342616b3d30bbbe28ee4ee4d42ba1cfe4cf4f5b570a1df568ea1a3b1fd150649b725840da765045543fd5b52ce28c5aa9ad5

Download Submit
\Windows\system\xfEsuSS.exe

Filesize
5.9MB

MD5
e85db852aafa8dd2d47e6029334e785b

SHA1
1b7815fd1fec3a138f3f52774a3dd1440c43ea46

SHA256
6dd69fed94b3d3a6c3caf503718fc4bc46a85aeae96d288fcafd29e78e21b754

SHA512
36441ba40f6b65db44f99bb8b65422b2807b9e939a332188e44af42cd95f5a4f980b992eb6a789c0a77bfba1fbf2e4e67b15574093c253812842cc4de55fc9d9

Download Submit
memory/1588-137-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/1588-150-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/1700-133-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1700-166-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1900-165-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/1900-125-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/1904-136-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-149-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-167-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-134-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-45-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2232-140-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-68-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-0-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2232-127-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2232-151-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-131-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-132-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-147-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-80-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2232-55-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2232-1-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-138-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-7-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-34-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2232-31-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-49-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-128-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-126-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/2360-163-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2360-90-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2388-25-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2388-153-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2396-143-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-155-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-24-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-152-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-56-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2468-160-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2560-142-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-156-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-33-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-161-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-145-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-62-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-154-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-32-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2624-157-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2624-40-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-159-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-144-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-47-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-158-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2740-41-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2832-169-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2832-148-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2832-130-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2840-135-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2840-168-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-81-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-162-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-164-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2996-146-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2996-77-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download