cobaltstrike | a9b48d62702ce0649694d108b0e09bec566805d928d73030acb6e64fc5a73032

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

f841b0ad9eb5462e9ca1eb0a3149cbc7
SHA1

514d0e8f419fe084180c49fcbd4239ce338a3844
SHA256

a9b48d62702ce0649694d108b0e09bec566805d928d73030acb6e64fc5a73032
SHA512

6556e95ff456a434bb804b041ae8dac50a34ef6c01660417bdb26a9666ee8e3b39185d4f1b37a67e53a5a8200cfbe38308b866cf2975e7b366e9800511572f0a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\HXhDqUM.exe	cobalt_reflective_dll
\Windows\system\sOcrqiv.exe	cobalt_reflective_dll
C:\Windows\system\LGVURot.exe	cobalt_reflective_dll
C:\Windows\system\OHWvaiJ.exe	cobalt_reflective_dll
C:\Windows\system\QWarkcp.exe	cobalt_reflective_dll
C:\Windows\system\fwEdDTq.exe	cobalt_reflective_dll
C:\Windows\system\iOKifaq.exe	cobalt_reflective_dll
C:\Windows\system\aWHsMrW.exe	cobalt_reflective_dll
C:\Windows\system\guaFEyi.exe	cobalt_reflective_dll
C:\Windows\system\JQJpGTl.exe	cobalt_reflective_dll
C:\Windows\system\GlyRHAj.exe	cobalt_reflective_dll
C:\Windows\system\uYxMPNt.exe	cobalt_reflective_dll
C:\Windows\system\OMkjMnJ.exe	cobalt_reflective_dll
C:\Windows\system\StPyELK.exe	cobalt_reflective_dll
\Windows\system\RdIsYUO.exe	cobalt_reflective_dll
\Windows\system\VbOzqfM.exe	cobalt_reflective_dll
C:\Windows\system\nxJRYFn.exe	cobalt_reflective_dll
C:\Windows\system\TolnlCr.exe	cobalt_reflective_dll
C:\Windows\system\BVqSSOM.exe	cobalt_reflective_dll
C:\Windows\system\PrAjENG.exe	cobalt_reflective_dll
C:\Windows\system\ZjzulCJ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\HXhDqUM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\sOcrqiv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LGVURot.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OHWvaiJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QWarkcp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fwEdDTq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iOKifaq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aWHsMrW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\guaFEyi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JQJpGTl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GlyRHAj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uYxMPNt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OMkjMnJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\StPyELK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\RdIsYUO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VbOzqfM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nxJRYFn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TolnlCr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BVqSSOM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PrAjENG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZjzulCJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1684-0-0x000000013F4C0000-0x000000013F811000-memory.dmp	UPX
C:\Windows\system\HXhDqUM.exe	UPX
\Windows\system\sOcrqiv.exe	UPX
behavioral1/memory/2340-14-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
behavioral1/memory/1144-13-0x000000013F280000-0x000000013F5D1000-memory.dmp	UPX
C:\Windows\system\LGVURot.exe	UPX
C:\Windows\system\OHWvaiJ.exe	UPX
behavioral1/memory/2616-27-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/2788-35-0x000000013F8B0000-0x000000013FC01000-memory.dmp	UPX
behavioral1/memory/2612-42-0x000000013FCC0000-0x0000000140011000-memory.dmp	UPX
C:\Windows\system\QWarkcp.exe	UPX
C:\Windows\system\fwEdDTq.exe	UPX
C:\Windows\system\iOKifaq.exe	UPX
C:\Windows\system\aWHsMrW.exe	UPX
C:\Windows\system\guaFEyi.exe	UPX
C:\Windows\system\JQJpGTl.exe	UPX
C:\Windows\system\GlyRHAj.exe	UPX
C:\Windows\system\uYxMPNt.exe	UPX
C:\Windows\system\OMkjMnJ.exe	UPX
behavioral1/memory/2168-97-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
C:\Windows\system\StPyELK.exe	UPX
behavioral1/memory/2828-92-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
behavioral1/memory/2616-90-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/3040-80-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	UPX
behavioral1/memory/2880-62-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2680-75-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/memory/2880-135-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2540-74-0x000000013FE50000-0x00000001401A1000-memory.dmp	UPX
\Windows\system\RdIsYUO.exe	UPX
\Windows\system\VbOzqfM.exe	UPX
behavioral1/memory/2508-71-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/2340-70-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
C:\Windows\system\nxJRYFn.exe	UPX
behavioral1/memory/1684-67-0x000000013F4C0000-0x000000013F811000-memory.dmp	UPX
C:\Windows\system\TolnlCr.exe	UPX
behavioral1/memory/2936-52-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
C:\Windows\system\BVqSSOM.exe	UPX
C:\Windows\system\PrAjENG.exe	UPX
C:\Windows\system\ZjzulCJ.exe	UPX
behavioral1/memory/2364-24-0x000000013FCE0000-0x0000000140031000-memory.dmp	UPX
behavioral1/memory/1684-136-0x000000013F4C0000-0x000000013F811000-memory.dmp	UPX
behavioral1/memory/3040-148-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	UPX
behavioral1/memory/2508-147-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/2680-146-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/memory/2540-144-0x000000013FE50000-0x00000001401A1000-memory.dmp	UPX
behavioral1/memory/748-156-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	UPX
behavioral1/memory/1052-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX
behavioral1/memory/264-155-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2220-154-0x000000013F590000-0x000000013F8E1000-memory.dmp	UPX
behavioral1/memory/568-153-0x000000013F8F0000-0x000000013FC41000-memory.dmp	UPX
behavioral1/memory/1820-151-0x000000013F600000-0x000000013F951000-memory.dmp	UPX
behavioral1/memory/2168-150-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/620-152-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
behavioral1/memory/1684-159-0x000000013F4C0000-0x000000013F811000-memory.dmp	UPX
behavioral1/memory/1144-205-0x000000013F280000-0x000000013F5D1000-memory.dmp	UPX
behavioral1/memory/2340-207-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
behavioral1/memory/2364-209-0x000000013FCE0000-0x0000000140031000-memory.dmp	UPX
behavioral1/memory/2616-213-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/2788-211-0x000000013F8B0000-0x000000013FC01000-memory.dmp	UPX
behavioral1/memory/2612-215-0x000000013FCC0000-0x0000000140011000-memory.dmp	UPX
behavioral1/memory/2936-217-0x000000013F0B0000-0x000000013F401000-memory.dmp	UPX
behavioral1/memory/2880-219-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2508-221-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/2680-225-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX

XMRig Miner payload 43 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1144-13-0x000000013F280000-0x000000013F5D1000-memory.dmp	xmrig
behavioral1/memory/2788-35-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2612-42-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/1684-96-0x0000000002230000-0x0000000002581000-memory.dmp	xmrig
behavioral1/memory/2828-92-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/1684-91-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2616-90-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2880-62-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2880-135-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2340-70-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/1684-69-0x0000000002230000-0x0000000002581000-memory.dmp	xmrig
behavioral1/memory/1684-67-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2936-52-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2364-24-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/1684-136-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/3040-148-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2508-147-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2680-146-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2540-144-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/748-156-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/1052-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/264-155-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2220-154-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/568-153-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/1820-151-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/2168-150-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/620-152-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/1684-159-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/1684-171-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/1144-205-0x000000013F280000-0x000000013F5D1000-memory.dmp	xmrig
behavioral1/memory/2340-207-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2364-209-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2616-213-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2788-211-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2612-215-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2936-217-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2880-219-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2508-221-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2680-225-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2540-223-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/2828-229-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/3040-228-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2168-231-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

HXhDqUM.exesOcrqiv.exeLGVURot.exeOHWvaiJ.exeZjzulCJ.exePrAjENG.exeBVqSSOM.exeTolnlCr.exenxJRYFn.exeVbOzqfM.exeRdIsYUO.exeQWarkcp.exefwEdDTq.exeStPyELK.exeOMkjMnJ.exeuYxMPNt.exeGlyRHAj.exeJQJpGTl.exeiOKifaq.exeaWHsMrW.exeguaFEyi.exe

pid	process
1144	HXhDqUM.exe
2340	sOcrqiv.exe
2364	LGVURot.exe
2616	OHWvaiJ.exe
2788	ZjzulCJ.exe
2612	PrAjENG.exe
2936	BVqSSOM.exe
2880	TolnlCr.exe
2508	nxJRYFn.exe
2540	VbOzqfM.exe
2680	RdIsYUO.exe
3040	QWarkcp.exe
2828	fwEdDTq.exe
2168	StPyELK.exe
1820	OMkjMnJ.exe
568	uYxMPNt.exe
620	GlyRHAj.exe
2220	JQJpGTl.exe
264	iOKifaq.exe
748	aWHsMrW.exe
1052	guaFEyi.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

pid	process
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1684-0-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
C:\Windows\system\HXhDqUM.exe	upx
\Windows\system\sOcrqiv.exe	upx
behavioral1/memory/2340-14-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/1144-13-0x000000013F280000-0x000000013F5D1000-memory.dmp	upx
C:\Windows\system\LGVURot.exe	upx
C:\Windows\system\OHWvaiJ.exe	upx
behavioral1/memory/2616-27-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2788-35-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2612-42-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
C:\Windows\system\QWarkcp.exe	upx
C:\Windows\system\fwEdDTq.exe	upx
C:\Windows\system\iOKifaq.exe	upx
C:\Windows\system\aWHsMrW.exe	upx
C:\Windows\system\guaFEyi.exe	upx
C:\Windows\system\JQJpGTl.exe	upx
C:\Windows\system\GlyRHAj.exe	upx
C:\Windows\system\uYxMPNt.exe	upx
C:\Windows\system\OMkjMnJ.exe	upx
behavioral1/memory/2168-97-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
C:\Windows\system\StPyELK.exe	upx
behavioral1/memory/2828-92-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2616-90-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/3040-80-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2880-62-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2680-75-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2880-135-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2540-74-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
\Windows\system\RdIsYUO.exe	upx
\Windows\system\VbOzqfM.exe	upx
behavioral1/memory/2508-71-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2340-70-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
C:\Windows\system\nxJRYFn.exe	upx
behavioral1/memory/1684-67-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
C:\Windows\system\TolnlCr.exe	upx
behavioral1/memory/2936-52-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
C:\Windows\system\BVqSSOM.exe	upx
C:\Windows\system\PrAjENG.exe	upx
C:\Windows\system\ZjzulCJ.exe	upx
behavioral1/memory/2364-24-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/1684-136-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/3040-148-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2508-147-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2680-146-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2540-144-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/748-156-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/1052-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/264-155-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2220-154-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/568-153-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/1820-151-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/memory/2168-150-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/620-152-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/1684-159-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/1144-205-0x000000013F280000-0x000000013F5D1000-memory.dmp	upx
behavioral1/memory/2340-207-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2364-209-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2616-213-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2788-211-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2612-215-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2936-217-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2880-219-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2508-221-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2680-225-0x000000013FD00000-0x0000000140051000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\ZjzulCJ.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nxJRYFn.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iOKifaq.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LGVURot.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OHWvaiJ.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TolnlCr.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RdIsYUO.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GlyRHAj.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uYxMPNt.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sOcrqiv.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BVqSSOM.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fwEdDTq.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JQJpGTl.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aWHsMrW.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PrAjENG.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QWarkcp.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\StPyELK.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OMkjMnJ.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\guaFEyi.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HXhDqUM.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VbOzqfM.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1684 wrote to memory of 1144	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	HXhDqUM.exe
PID 1684 wrote to memory of 1144	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	HXhDqUM.exe
PID 1684 wrote to memory of 1144	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	HXhDqUM.exe
PID 1684 wrote to memory of 2340	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	sOcrqiv.exe
PID 1684 wrote to memory of 2340	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	sOcrqiv.exe
PID 1684 wrote to memory of 2340	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	sOcrqiv.exe
PID 1684 wrote to memory of 2364	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	LGVURot.exe
PID 1684 wrote to memory of 2364	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	LGVURot.exe
PID 1684 wrote to memory of 2364	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	LGVURot.exe
PID 1684 wrote to memory of 2616	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	OHWvaiJ.exe
PID 1684 wrote to memory of 2616	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	OHWvaiJ.exe
PID 1684 wrote to memory of 2616	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	OHWvaiJ.exe
PID 1684 wrote to memory of 2788	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	ZjzulCJ.exe
PID 1684 wrote to memory of 2788	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	ZjzulCJ.exe
PID 1684 wrote to memory of 2788	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	ZjzulCJ.exe
PID 1684 wrote to memory of 2612	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	PrAjENG.exe
PID 1684 wrote to memory of 2612	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	PrAjENG.exe
PID 1684 wrote to memory of 2612	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	PrAjENG.exe
PID 1684 wrote to memory of 2936	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	BVqSSOM.exe
PID 1684 wrote to memory of 2936	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	BVqSSOM.exe
PID 1684 wrote to memory of 2936	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	BVqSSOM.exe
PID 1684 wrote to memory of 2540	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	VbOzqfM.exe
PID 1684 wrote to memory of 2540	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	VbOzqfM.exe
PID 1684 wrote to memory of 2540	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	VbOzqfM.exe
PID 1684 wrote to memory of 2880	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	TolnlCr.exe
PID 1684 wrote to memory of 2880	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	TolnlCr.exe
PID 1684 wrote to memory of 2880	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	TolnlCr.exe
PID 1684 wrote to memory of 2680	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	RdIsYUO.exe
PID 1684 wrote to memory of 2680	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	RdIsYUO.exe
PID 1684 wrote to memory of 2680	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	RdIsYUO.exe
PID 1684 wrote to memory of 2508	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	nxJRYFn.exe
PID 1684 wrote to memory of 2508	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	nxJRYFn.exe
PID 1684 wrote to memory of 2508	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	nxJRYFn.exe
PID 1684 wrote to memory of 3040	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	QWarkcp.exe
PID 1684 wrote to memory of 3040	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	QWarkcp.exe
PID 1684 wrote to memory of 3040	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	QWarkcp.exe
PID 1684 wrote to memory of 2828	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	fwEdDTq.exe
PID 1684 wrote to memory of 2828	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	fwEdDTq.exe
PID 1684 wrote to memory of 2828	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	fwEdDTq.exe
PID 1684 wrote to memory of 2168	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	StPyELK.exe
PID 1684 wrote to memory of 2168	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	StPyELK.exe
PID 1684 wrote to memory of 2168	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	StPyELK.exe
PID 1684 wrote to memory of 1820	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	OMkjMnJ.exe
PID 1684 wrote to memory of 1820	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	OMkjMnJ.exe
PID 1684 wrote to memory of 1820	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	OMkjMnJ.exe
PID 1684 wrote to memory of 620	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	GlyRHAj.exe
PID 1684 wrote to memory of 620	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	GlyRHAj.exe
PID 1684 wrote to memory of 620	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	GlyRHAj.exe
PID 1684 wrote to memory of 568	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	uYxMPNt.exe
PID 1684 wrote to memory of 568	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	uYxMPNt.exe
PID 1684 wrote to memory of 568	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	uYxMPNt.exe
PID 1684 wrote to memory of 2220	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	JQJpGTl.exe
PID 1684 wrote to memory of 2220	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	JQJpGTl.exe
PID 1684 wrote to memory of 2220	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	JQJpGTl.exe
PID 1684 wrote to memory of 264	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	iOKifaq.exe
PID 1684 wrote to memory of 264	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	iOKifaq.exe
PID 1684 wrote to memory of 264	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	iOKifaq.exe
PID 1684 wrote to memory of 748	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	aWHsMrW.exe
PID 1684 wrote to memory of 748	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	aWHsMrW.exe
PID 1684 wrote to memory of 748	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	aWHsMrW.exe
PID 1684 wrote to memory of 1052	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	guaFEyi.exe
PID 1684 wrote to memory of 1052	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	guaFEyi.exe
PID 1684 wrote to memory of 1052	1684	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	guaFEyi.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System\HXhDqUM.exe
C:\Windows\System\HXhDqUM.exe
2⤵
- Executes dropped EXE
PID:1144

C:\Windows\System\sOcrqiv.exe
C:\Windows\System\sOcrqiv.exe
2⤵
- Executes dropped EXE
PID:2340

C:\Windows\System\LGVURot.exe
C:\Windows\System\LGVURot.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\OHWvaiJ.exe
C:\Windows\System\OHWvaiJ.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\ZjzulCJ.exe
C:\Windows\System\ZjzulCJ.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\PrAjENG.exe
C:\Windows\System\PrAjENG.exe
2⤵
- Executes dropped EXE
PID:2612

C:\Windows\System\BVqSSOM.exe
C:\Windows\System\BVqSSOM.exe
2⤵
- Executes dropped EXE
PID:2936

C:\Windows\System\VbOzqfM.exe
C:\Windows\System\VbOzqfM.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\TolnlCr.exe
C:\Windows\System\TolnlCr.exe
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\System\RdIsYUO.exe
C:\Windows\System\RdIsYUO.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\System\nxJRYFn.exe
C:\Windows\System\nxJRYFn.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System\QWarkcp.exe
C:\Windows\System\QWarkcp.exe
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\System\fwEdDTq.exe
C:\Windows\System\fwEdDTq.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\StPyELK.exe
C:\Windows\System\StPyELK.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\OMkjMnJ.exe
C:\Windows\System\OMkjMnJ.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\System\GlyRHAj.exe
C:\Windows\System\GlyRHAj.exe
2⤵
- Executes dropped EXE
PID:620

C:\Windows\System\uYxMPNt.exe
C:\Windows\System\uYxMPNt.exe
2⤵
- Executes dropped EXE
PID:568

C:\Windows\System\JQJpGTl.exe
C:\Windows\System\JQJpGTl.exe
2⤵
- Executes dropped EXE
PID:2220

C:\Windows\System\iOKifaq.exe
C:\Windows\System\iOKifaq.exe
2⤵
- Executes dropped EXE
PID:264

C:\Windows\System\aWHsMrW.exe
C:\Windows\System\aWHsMrW.exe
2⤵
- Executes dropped EXE
PID:748

C:\Windows\System\guaFEyi.exe
C:\Windows\System\guaFEyi.exe
2⤵
- Executes dropped EXE
PID:1052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BVqSSOM.exe

Filesize
5.2MB

MD5
81b5bf66927cb2fe7604462acce0499c

SHA1
30fcf18bd7a2699abd111cda8696a91b693b907b

SHA256
692f4044a9a510744857351766f9e4b10b413f49b3b1c1c269f3ae9d1d6f3d18

SHA512
47c7e022d9a37beb70113cc3f99d20eee22f563963b1ef553ab55491c62af847eeee1e669389078e72da67f385e928d7beb059f4728a658195f399f30061967a

Download Submit
C:\Windows\system\GlyRHAj.exe

Filesize
5.2MB

MD5
987814f3ec88d344d4cf526367e8181f

SHA1
ad2d256bde801c70d95639408583332bc465adcb

SHA256
e37dd7181fa65f0ef3b16442b8cd78c1e6054c7980c460806c20e69700c0451f

SHA512
cf4fb9df1610ab2df5b94035ed892363488fb3720549811aff4f400c646b426eeeebb1df207342b3295be428432cc2bf7b38f77fd5488acf9ab0d2044be9f059

Download Submit
C:\Windows\system\HXhDqUM.exe

Filesize
5.2MB

MD5
75856cdefadddd18042ad4c9f371d497

SHA1
faac0a04a001a9b1aa44a6d889991bea86320db0

SHA256
a00c792df622f6bf67aeb80afe3e538d35d3ae86585a74abd00af296fb9445e6

SHA512
a075c5818a63050a785406647ef0e45c1efe3bb77261a4dc2b5bb97293b5b2e362b312fa763e0cdf960fd67449089114c0e025f5f5ee3d0902c139326a4d2ec2

Download Submit
C:\Windows\system\JQJpGTl.exe

Filesize
5.2MB

MD5
bddddb42d79cb278bd4767fe7b22b5ae

SHA1
5c08ae6a0907b5d48fed197306ecbb8a0bcce174

SHA256
3c629c1c10accc87934e8744644320e873768367b5ae29c30fd21a083c491d1f

SHA512
7a08a839a56784778434d28cb16f514990b6d158b23e10f11da745155347c45296f48ebc1d864d7861dce880e0a3ba27db2d9973ea415819e895b07b06a027cf

Download Submit
C:\Windows\system\LGVURot.exe

Filesize
5.2MB

MD5
144fbd920227191ed9263ba858282567

SHA1
b0faa278757d118f1085970de81ce27ad51b6b7a

SHA256
92375dc45aab42ce134d5503ffc1952fc3f37fac19ec143580c2fd7e52a349dc

SHA512
0847acdcc939083906165528287055e93d53348302e4b1cc9968bb4f8fdddc17e0be39e8b4e118a36340706656628997b8096ea172f5c46971dbdc46ce902a71

Download Submit
C:\Windows\system\OHWvaiJ.exe

Filesize
5.2MB

MD5
0e5a133c4258fd5ff38dfe819b93fadd

SHA1
43dcb08d9ea964aa5a6b72f0e387e27873b82869

SHA256
db20c4de625b163d9a1e5db6694276ae7ab2fe9675c65cc009691a2c773452e8

SHA512
02afb95c0da3dad9d04438c6dd03003b595c8f780d778e0eff072d55399b0041b28e6c1e6d67a59cb738ea74345a3ee08731c039e9c15123f0e0782972707471

Download Submit
C:\Windows\system\OMkjMnJ.exe

Filesize
5.2MB

MD5
e3e3ab2f7918c04aa29f2286cae71501

SHA1
f009a63fea4ebca27da4f00c738fcbbcfcd1612d

SHA256
4d2e6ca8dc7da4e9b4f76fb5ab96e6aa429f322d4429125d0425620c89797e4f

SHA512
246cbf1afc2fec85eb784db1ee39697fa3b3979abd84efd027b85673d9a9b1504465d16bb50b677ee267cb7cfbcfc66b2b9acfe88dbc717e16e69664f449a830

Download Submit
C:\Windows\system\PrAjENG.exe

Filesize
5.2MB

MD5
561141d5174847b65d4d3d42ae6b0405

SHA1
b443ffba813df637251f3d2ed7e780a2baa61e3e

SHA256
b5060765549455f881f08cf848fe04ab67118a811bdadb14fa64865a4a442bbc

SHA512
0cc3879485bec13372ebc768d6b7646b024b9e91c8cf21fc7cebb442062a3a350383cfdc5ceae6d0e22005bf4a08ecb0e74383be47252dcc3fafd326f29479db

Download Submit
C:\Windows\system\QWarkcp.exe

Filesize
5.2MB

MD5
a7fe3af58b0692bba8c4d4095d924e32

SHA1
ecddda919e1c86face222f51377f5f0d8f4ec1b1

SHA256
a61298d03334f1dd492036e9463bcdc129be237b3b1037c5493d739623d5b8e1

SHA512
1d8f2cd1702b206665a1d82e2d2c5b1fab0e4a796cbbcee52ceb9e7aed6794190d249120e22fd24e9267a37674ef19cd2f8b0c8244fc52c64ebca57cd2c68c41

Download Submit
C:\Windows\system\StPyELK.exe

Filesize
5.2MB

MD5
ec60f5a6f1d1c06656475f213ab69746

SHA1
93151d53e2aa24e22ebedb7c4bcb01c2c0d725e7

SHA256
bc9dc7a076eab8235a4acc99c9283aab4e90207fe1b27efdd2e1c1baad2c102f

SHA512
00c99b72e52ed1b003b9f1cbc8ea33a5a0dcb35ee4bb3455797d44a20a2dde250a22243d384961a191809aba67d4e6f254f8eb7c96a5a8280b6e4a95dd6063bd

Download Submit
C:\Windows\system\TolnlCr.exe

Filesize
5.2MB

MD5
23c5030caf2f009c849af979f00ea5c7

SHA1
35f2e25bfe44f9d7e769f2196c35d0d073b0f8a6

SHA256
56613e624389f03b60fe5d1edb4e45bf343cbea50c51efe603543f95cef439a2

SHA512
34e04dd3a597138ef960d65a1ee39ef4c23c5fcb4e2a0e2ba7c28abb314f7c66f0531da788451371b962b5ca90df504563bdb82ecd1a3b0546aaf6dd1aecf558

Download Submit
C:\Windows\system\ZjzulCJ.exe

Filesize
5.2MB

MD5
a44bf10c8640b2a6de3c627d65ecb396

SHA1
aaac568a8a169010310e5c3e61fdcfe22bd2061d

SHA256
623190f5abc9deef5d27fe946c4e07a48c2d58505c7d3352bf2bc1e31d9df693

SHA512
aeccb6191013956b7ab363f57396aeffe27c7c1e4a27d940ef39ffd178205ad66eef7fa4a9c4dd21dec11f9b6b92c2e5cb8a84ec1c1c3b4e0eb17afcdfaa7b36

Download Submit
C:\Windows\system\aWHsMrW.exe

Filesize
5.2MB

MD5
17ddf20a5a7ef98019707302de11d6b8

SHA1
37a4ff5758a3c930c68413cb8dd038838f5fe040

SHA256
c130ed98f90e91a9c0a8bb88436de8909bafe5bcef1686bc32ccf819dbfe10f2

SHA512
b5436de9a97d89bc477135cd9cf1736c95bb4dfae02f05e2f59ce90d93034f20fd5dd3eb00a82d9feec66717535060f2a10a27d8d59191f034ea8e0784b83ed6

Download Submit
C:\Windows\system\fwEdDTq.exe

Filesize
5.2MB

MD5
e87ad7e8a827e08a8eecad13d33d1e5e

SHA1
8bf4ae43683d82908b88bf479120b205123edeb1

SHA256
0affb2b35cb7728aae5715af3c5ee83dcedf7b43a4f42f42192c98f09803ddd3

SHA512
0152c090d5bf154d57e56d332acb5569265b4f172e4665aa3605267e10b55d81afe0d493c2954ac91623414c7e25e344ea5854859f4973e54982d67cb4dff789

Download Submit
C:\Windows\system\guaFEyi.exe

Filesize
5.2MB

MD5
8578fe838a15ce8ee3ce211cb0342341

SHA1
19e6fb9392430d59c11030e4f3f5091946d4784f

SHA256
ce8786354c30176570b5770a2c35393af0021d06ab088b4ea2821c4574a9f8ee

SHA512
03ec7c246b86d13b001d60c910c5b957447f4abc6d306c05b2a4e517f8dfc4a7467240cfbf3bf8593dab24892a5abb0cbc109eb4ea1b774348f5cee156b25d0b

Download Submit
C:\Windows\system\iOKifaq.exe

Filesize
5.2MB

MD5
70286a9b3c866f095804852acffe95a8

SHA1
d7eb7905a89abb6b6d90f2c757deb5543206ca02

SHA256
c1e0d10785dccd67590e47b97564f354fac0e2bfaf6990b65414969d3a7ab7bb

SHA512
6b062ee20f596a1ec59e7ca84113a352ffc6018d472eeedf6de009621f89267abbbbe7a4fe2f0653d2a4c89235999fa73c20d853a939abb449c95a0ec902950a

Download Submit
C:\Windows\system\nxJRYFn.exe

Filesize
5.2MB

MD5
a763daa5de1102376434287233e61efd

SHA1
83ad27e3bc39e853da5217f22e115e380e2174a9

SHA256
541697eecccfd1cb8b122d9d590f60d75882fdb9a3489391920369d5b539740d

SHA512
98e102e4929431abc63d13d1a50ba9afdf223d3fb7989665a472e69dddfd0957e8cc403e3b1963f795562d5deb14b0bc16fab2aa4ff95071b74ccae834158335

Download Submit
C:\Windows\system\uYxMPNt.exe

Filesize
5.2MB

MD5
f4070fbbf1b6db69796650cca18ba8ea

SHA1
e9448b60609da1bb8a8d4853ec331c9f7fdf2ab0

SHA256
48f639a4d3dce69c057a837ff7075461e4caef50d9957a554bbfd256f567f4df

SHA512
5c1738b6f24f12a8a4fa8a8ff893230d8b62bd0f730ba90b39890421fa41f6472182c1556707603d363e51762d47af587bc0d505f999faf15fd258aad2ce96e7

Download Submit
\Windows\system\RdIsYUO.exe

Filesize
5.2MB

MD5
da50c3ecfcea8741e08b8f6f76994208

SHA1
c1acf03c1ee9c724d23e90e649731c2ae95ed3ac

SHA256
670d35a057b1c91e43ded83ff51c799812547f372ce688ee4a65d3ddc97e4969

SHA512
2e73c144e0d4746cd7f32233f4243bb7f91baa0c72ed4cd7c3f34313b825998d1104715c99997e3f940b8a76f76b1643cb610a1b0aafcc58adce6cdb842b03aa

Download Submit
\Windows\system\VbOzqfM.exe

Filesize
5.2MB

MD5
219c7c22acc773e9d7d228d52fc149f7

SHA1
c68a805da02949676645738e85d8018bccdb3b2a

SHA256
73462c9d535c14e8100d5ea5f21e75cd3aabcd5257eeb03918dba5b810ab48b5

SHA512
56b0a028b1adb0f8f3ed205c23e32e809176611e45b4459994b168416af576d1b2285c767ec4136107ef7466f34241d54737dd925bcc9d37b03d2c714ebd444e

Download Submit
\Windows\system\sOcrqiv.exe

Filesize
5.2MB

MD5
fdb9ce2abe0dac1664adc45f535978f8

SHA1
ddc05c8c90f9def0ff1d5298334bed8920218fed

SHA256
5fbf45a2c38ab3b076212b6ed9995d008c7d40dcbcf6face63cd2a6f5ab98c95

SHA512
d1c44f117a105e6f7aeac47f67f93bf9687da714bc5fab0f85100c6325673514d5c5c6eafc6cfc930d1a70a71421fcfd311cfa6e8f54b87ccc9fa1905f77799b

Download Submit
memory/264-155-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/568-153-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/620-152-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/748-156-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/1144-13-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1144-205-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-158-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1684-96-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1684-171-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-159-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1684-114-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1684-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1684-60-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1684-0-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1684-41-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/1684-91-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-136-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1684-69-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1684-25-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1684-67-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1684-64-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1684-56-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-11-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1684-34-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/1820-151-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2168-150-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2168-97-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2168-231-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2220-154-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-70-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-207-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-14-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-24-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2364-209-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2508-221-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2508-71-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2508-147-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2540-74-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-144-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-223-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-42-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2612-215-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2616-213-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2616-90-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2616-27-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2680-225-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2680-146-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2680-75-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2788-35-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2788-211-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2828-92-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-229-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-135-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2880-219-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2880-62-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2936-52-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2936-217-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/3040-148-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-80-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-228-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download