cobaltstrike | 13dfd72e64b69083fb2ffe8aa1bdd77e86d42a64571abcd6ca15341b6ba78292

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

ece0c0ed1f879feceb90e1e7e9499bc5
SHA1

6516a5c1d0b4d00465532c8d84f47c917eef87e0
SHA256

13dfd72e64b69083fb2ffe8aa1bdd77e86d42a64571abcd6ca15341b6ba78292
SHA512

457629ac9bc2336e1cafa6018e6158861e8849241d0e8f8d71ec5435114797790d0122b63d22b71299fbe6026bd62791d1fd49e3600ffb8f0b89c685383034c9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\kkLmAwS.exe	cobalt_reflective_dll
\Windows\system\FcjrvPG.exe	cobalt_reflective_dll
C:\Windows\system\GZkSehM.exe	cobalt_reflective_dll
C:\Windows\system\ZpYrMvx.exe	cobalt_reflective_dll
C:\Windows\system\quWGVCE.exe	cobalt_reflective_dll
C:\Windows\system\MHuAAJe.exe	cobalt_reflective_dll
C:\Windows\system\XPQBeuZ.exe	cobalt_reflective_dll
C:\Windows\system\AoQuQKt.exe	cobalt_reflective_dll
C:\Windows\system\OUnXSAQ.exe	cobalt_reflective_dll
\Windows\system\uKmiRWC.exe	cobalt_reflective_dll
C:\Windows\system\klEMvpc.exe	cobalt_reflective_dll
\Windows\system\oUAdFXk.exe	cobalt_reflective_dll
C:\Windows\system\dYxxszn.exe	cobalt_reflective_dll
C:\Windows\system\lePRYvn.exe	cobalt_reflective_dll
C:\Windows\system\ntgCvdG.exe	cobalt_reflective_dll
C:\Windows\system\TwxIZae.exe	cobalt_reflective_dll
C:\Windows\system\pYZbOwo.exe	cobalt_reflective_dll
C:\Windows\system\ziuMTHJ.exe	cobalt_reflective_dll
C:\Windows\system\alMzGCn.exe	cobalt_reflective_dll
C:\Windows\system\cquKkkD.exe	cobalt_reflective_dll
C:\Windows\system\uMUffvx.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\kkLmAwS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FcjrvPG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GZkSehM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZpYrMvx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\quWGVCE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MHuAAJe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XPQBeuZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AoQuQKt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OUnXSAQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\uKmiRWC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\klEMvpc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oUAdFXk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dYxxszn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lePRYvn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ntgCvdG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TwxIZae.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pYZbOwo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ziuMTHJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\alMzGCn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cquKkkD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uMUffvx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2392-0-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
\Windows\system\kkLmAwS.exe	UPX
\Windows\system\FcjrvPG.exe	UPX
behavioral1/memory/3032-22-0x000000013FED0000-0x0000000140221000-memory.dmp	UPX
behavioral1/memory/2840-20-0x000000013F680000-0x000000013F9D1000-memory.dmp	UPX
behavioral1/memory/1344-18-0x000000013F4F0000-0x000000013F841000-memory.dmp	UPX
C:\Windows\system\GZkSehM.exe	UPX
C:\Windows\system\ZpYrMvx.exe	UPX
behavioral1/memory/2640-38-0x000000013F2D0000-0x000000013F621000-memory.dmp	UPX
C:\Windows\system\quWGVCE.exe	UPX
C:\Windows\system\MHuAAJe.exe	UPX
behavioral1/memory/2688-56-0x000000013F950000-0x000000013FCA1000-memory.dmp	UPX
behavioral1/memory/2692-54-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2444-53-0x000000013F6B0000-0x000000013FA01000-memory.dmp	UPX
C:\Windows\system\XPQBeuZ.exe	UPX
behavioral1/memory/2528-34-0x000000013F380000-0x000000013F6D1000-memory.dmp	UPX
C:\Windows\system\AoQuQKt.exe	UPX
C:\Windows\system\OUnXSAQ.exe	UPX
behavioral1/memory/2556-70-0x000000013FDE0000-0x0000000140131000-memory.dmp	UPX
\Windows\system\uKmiRWC.exe	UPX
behavioral1/memory/2460-62-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/3060-77-0x000000013FFF0000-0x0000000140341000-memory.dmp	UPX
behavioral1/memory/1344-76-0x000000013F4F0000-0x000000013F841000-memory.dmp	UPX
behavioral1/memory/2392-75-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
C:\Windows\system\klEMvpc.exe	UPX
\Windows\system\oUAdFXk.exe	UPX
behavioral1/memory/2964-85-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
C:\Windows\system\dYxxszn.exe	UPX
behavioral1/memory/3032-91-0x000000013FED0000-0x0000000140221000-memory.dmp	UPX
behavioral1/memory/1936-93-0x000000013F4F0000-0x000000013F841000-memory.dmp	UPX
C:\Windows\system\lePRYvn.exe	UPX
behavioral1/memory/2640-99-0x000000013F2D0000-0x000000013F621000-memory.dmp	UPX
behavioral1/memory/852-101-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
C:\Windows\system\ntgCvdG.exe	UPX
C:\Windows\system\TwxIZae.exe	UPX
C:\Windows\system\pYZbOwo.exe	UPX
C:\Windows\system\ziuMTHJ.exe	UPX
C:\Windows\system\alMzGCn.exe	UPX
C:\Windows\system\cquKkkD.exe	UPX
C:\Windows\system\uMUffvx.exe	UPX
behavioral1/memory/2392-138-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/2460-147-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/2964-151-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/memory/3060-150-0x000000013FFF0000-0x0000000140341000-memory.dmp	UPX
behavioral1/memory/2764-157-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
behavioral1/memory/2716-155-0x000000013F770000-0x000000013FAC1000-memory.dmp	UPX
behavioral1/memory/2820-156-0x000000013F770000-0x000000013FAC1000-memory.dmp	UPX
behavioral1/memory/556-160-0x000000013F270000-0x000000013F5C1000-memory.dmp	UPX
behavioral1/memory/1404-159-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/2816-158-0x000000013F060000-0x000000013F3B1000-memory.dmp	UPX
behavioral1/memory/2620-154-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/memory/2392-161-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/1344-208-0x000000013F4F0000-0x000000013F841000-memory.dmp	UPX
behavioral1/memory/2840-210-0x000000013F680000-0x000000013F9D1000-memory.dmp	UPX
behavioral1/memory/3032-212-0x000000013FED0000-0x0000000140221000-memory.dmp	UPX
behavioral1/memory/2528-214-0x000000013F380000-0x000000013F6D1000-memory.dmp	UPX
behavioral1/memory/2640-216-0x000000013F2D0000-0x000000013F621000-memory.dmp	UPX
behavioral1/memory/2444-221-0x000000013F6B0000-0x000000013FA01000-memory.dmp	UPX
behavioral1/memory/2692-219-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2688-222-0x000000013F950000-0x000000013FCA1000-memory.dmp	UPX
behavioral1/memory/2460-228-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/2556-230-0x000000013FDE0000-0x0000000140131000-memory.dmp	UPX
behavioral1/memory/3060-232-0x000000013FFF0000-0x0000000140341000-memory.dmp	UPX
behavioral1/memory/2964-234-0x000000013F330000-0x000000013F681000-memory.dmp	UPX

XMRig Miner payload 42 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2840-20-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/1344-18-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2640-38-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/2688-56-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig
behavioral1/memory/2692-54-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2444-53-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2528-34-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2556-70-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/1344-76-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2392-75-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2964-85-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/3032-91-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/1936-93-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2640-99-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/852-101-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2392-107-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2392-138-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2460-147-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2964-151-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/3060-150-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2764-157-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2716-155-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2820-156-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/556-160-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/1404-159-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2816-158-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2620-154-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2392-161-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/1344-208-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2840-210-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/3032-212-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/2528-214-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2640-216-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/2444-221-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2692-219-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2688-222-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig
behavioral1/memory/2460-228-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2556-230-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/3060-232-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2964-234-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/1936-236-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/852-243-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

kkLmAwS.exeGZkSehM.exeFcjrvPG.exeZpYrMvx.exeAoQuQKt.exequWGVCE.exeXPQBeuZ.exeMHuAAJe.exeklEMvpc.exeOUnXSAQ.exeuKmiRWC.exeoUAdFXk.exedYxxszn.exelePRYvn.exentgCvdG.exeTwxIZae.exeziuMTHJ.exepYZbOwo.exeuMUffvx.exealMzGCn.execquKkkD.exe

pid	process
1344	kkLmAwS.exe
2840	GZkSehM.exe
3032	FcjrvPG.exe
2528	ZpYrMvx.exe
2640	AoQuQKt.exe
2692	quWGVCE.exe
2688	XPQBeuZ.exe
2444	MHuAAJe.exe
2460	klEMvpc.exe
2556	OUnXSAQ.exe
3060	uKmiRWC.exe
2964	oUAdFXk.exe
1936	dYxxszn.exe
852	lePRYvn.exe
2620	ntgCvdG.exe
2716	TwxIZae.exe
2820	ziuMTHJ.exe
2764	pYZbOwo.exe
2816	uMUffvx.exe
1404	alMzGCn.exe
556	cquKkkD.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

pid	process
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2392-0-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
\Windows\system\kkLmAwS.exe	upx
\Windows\system\FcjrvPG.exe	upx
behavioral1/memory/2392-9-0x0000000002210000-0x0000000002561000-memory.dmp	upx
behavioral1/memory/3032-22-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2840-20-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/1344-18-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
C:\Windows\system\GZkSehM.exe	upx
C:\Windows\system\ZpYrMvx.exe	upx
behavioral1/memory/2640-38-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
C:\Windows\system\quWGVCE.exe	upx
C:\Windows\system\MHuAAJe.exe	upx
behavioral1/memory/2688-56-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx
behavioral1/memory/2692-54-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2444-53-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
C:\Windows\system\XPQBeuZ.exe	upx
behavioral1/memory/2528-34-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
C:\Windows\system\AoQuQKt.exe	upx
C:\Windows\system\OUnXSAQ.exe	upx
behavioral1/memory/2556-70-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
\Windows\system\uKmiRWC.exe	upx
behavioral1/memory/2460-62-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/3060-77-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/1344-76-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/2392-75-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
C:\Windows\system\klEMvpc.exe	upx
\Windows\system\oUAdFXk.exe	upx
behavioral1/memory/2964-85-0x000000013F330000-0x000000013F681000-memory.dmp	upx
C:\Windows\system\dYxxszn.exe	upx
behavioral1/memory/3032-91-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/1936-93-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
C:\Windows\system\lePRYvn.exe	upx
behavioral1/memory/2640-99-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/852-101-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
C:\Windows\system\ntgCvdG.exe	upx
C:\Windows\system\TwxIZae.exe	upx
C:\Windows\system\pYZbOwo.exe	upx
C:\Windows\system\ziuMTHJ.exe	upx
C:\Windows\system\alMzGCn.exe	upx
C:\Windows\system\cquKkkD.exe	upx
C:\Windows\system\uMUffvx.exe	upx
behavioral1/memory/2392-138-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2460-147-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2964-151-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/3060-150-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/2764-157-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2716-155-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2820-156-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/556-160-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/1404-159-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2816-158-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/memory/2620-154-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2392-161-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/1344-208-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/2840-210-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/3032-212-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2528-214-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/memory/2640-216-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/2444-221-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2692-219-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2688-222-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx
behavioral1/memory/2460-228-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2556-230-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/3060-232-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\XPQBeuZ.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MHuAAJe.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uKmiRWC.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lePRYvn.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cquKkkD.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kkLmAwS.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FcjrvPG.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TwxIZae.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pYZbOwo.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GZkSehM.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZpYrMvx.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oUAdFXk.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dYxxszn.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ntgCvdG.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AoQuQKt.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\klEMvpc.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ziuMTHJ.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uMUffvx.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\alMzGCn.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\quWGVCE.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OUnXSAQ.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2392 wrote to memory of 1344	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	kkLmAwS.exe
PID 2392 wrote to memory of 1344	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	kkLmAwS.exe
PID 2392 wrote to memory of 1344	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	kkLmAwS.exe
PID 2392 wrote to memory of 2840	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	GZkSehM.exe
PID 2392 wrote to memory of 2840	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	GZkSehM.exe
PID 2392 wrote to memory of 2840	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	GZkSehM.exe
PID 2392 wrote to memory of 3032	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	FcjrvPG.exe
PID 2392 wrote to memory of 3032	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	FcjrvPG.exe
PID 2392 wrote to memory of 3032	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	FcjrvPG.exe
PID 2392 wrote to memory of 2528	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ZpYrMvx.exe
PID 2392 wrote to memory of 2528	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ZpYrMvx.exe
PID 2392 wrote to memory of 2528	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ZpYrMvx.exe
PID 2392 wrote to memory of 2640	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	AoQuQKt.exe
PID 2392 wrote to memory of 2640	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	AoQuQKt.exe
PID 2392 wrote to memory of 2640	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	AoQuQKt.exe
PID 2392 wrote to memory of 2692	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	quWGVCE.exe
PID 2392 wrote to memory of 2692	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	quWGVCE.exe
PID 2392 wrote to memory of 2692	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	quWGVCE.exe
PID 2392 wrote to memory of 2688	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	XPQBeuZ.exe
PID 2392 wrote to memory of 2688	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	XPQBeuZ.exe
PID 2392 wrote to memory of 2688	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	XPQBeuZ.exe
PID 2392 wrote to memory of 2444	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	MHuAAJe.exe
PID 2392 wrote to memory of 2444	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	MHuAAJe.exe
PID 2392 wrote to memory of 2444	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	MHuAAJe.exe
PID 2392 wrote to memory of 2460	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	klEMvpc.exe
PID 2392 wrote to memory of 2460	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	klEMvpc.exe
PID 2392 wrote to memory of 2460	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	klEMvpc.exe
PID 2392 wrote to memory of 2556	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	OUnXSAQ.exe
PID 2392 wrote to memory of 2556	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	OUnXSAQ.exe
PID 2392 wrote to memory of 2556	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	OUnXSAQ.exe
PID 2392 wrote to memory of 3060	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	uKmiRWC.exe
PID 2392 wrote to memory of 3060	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	uKmiRWC.exe
PID 2392 wrote to memory of 3060	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	uKmiRWC.exe
PID 2392 wrote to memory of 2964	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	oUAdFXk.exe
PID 2392 wrote to memory of 2964	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	oUAdFXk.exe
PID 2392 wrote to memory of 2964	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	oUAdFXk.exe
PID 2392 wrote to memory of 1936	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	dYxxszn.exe
PID 2392 wrote to memory of 1936	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	dYxxszn.exe
PID 2392 wrote to memory of 1936	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	dYxxszn.exe
PID 2392 wrote to memory of 852	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	lePRYvn.exe
PID 2392 wrote to memory of 852	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	lePRYvn.exe
PID 2392 wrote to memory of 852	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	lePRYvn.exe
PID 2392 wrote to memory of 2620	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ntgCvdG.exe
PID 2392 wrote to memory of 2620	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ntgCvdG.exe
PID 2392 wrote to memory of 2620	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ntgCvdG.exe
PID 2392 wrote to memory of 2716	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	TwxIZae.exe
PID 2392 wrote to memory of 2716	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	TwxIZae.exe
PID 2392 wrote to memory of 2716	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	TwxIZae.exe
PID 2392 wrote to memory of 2820	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ziuMTHJ.exe
PID 2392 wrote to memory of 2820	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ziuMTHJ.exe
PID 2392 wrote to memory of 2820	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	ziuMTHJ.exe
PID 2392 wrote to memory of 2764	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	pYZbOwo.exe
PID 2392 wrote to memory of 2764	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	pYZbOwo.exe
PID 2392 wrote to memory of 2764	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	pYZbOwo.exe
PID 2392 wrote to memory of 2816	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	uMUffvx.exe
PID 2392 wrote to memory of 2816	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	uMUffvx.exe
PID 2392 wrote to memory of 2816	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	uMUffvx.exe
PID 2392 wrote to memory of 1404	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	alMzGCn.exe
PID 2392 wrote to memory of 1404	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	alMzGCn.exe
PID 2392 wrote to memory of 1404	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	alMzGCn.exe
PID 2392 wrote to memory of 556	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	cquKkkD.exe
PID 2392 wrote to memory of 556	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	cquKkkD.exe
PID 2392 wrote to memory of 556	2392	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	cquKkkD.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\System\kkLmAwS.exe
C:\Windows\System\kkLmAwS.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\System\GZkSehM.exe
C:\Windows\System\GZkSehM.exe
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\System\FcjrvPG.exe
C:\Windows\System\FcjrvPG.exe
2⤵
- Executes dropped EXE
PID:3032

C:\Windows\System\ZpYrMvx.exe
C:\Windows\System\ZpYrMvx.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\AoQuQKt.exe
C:\Windows\System\AoQuQKt.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\quWGVCE.exe
C:\Windows\System\quWGVCE.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\XPQBeuZ.exe
C:\Windows\System\XPQBeuZ.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\MHuAAJe.exe
C:\Windows\System\MHuAAJe.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\klEMvpc.exe
C:\Windows\System\klEMvpc.exe
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\System\OUnXSAQ.exe
C:\Windows\System\OUnXSAQ.exe
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\System\uKmiRWC.exe
C:\Windows\System\uKmiRWC.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\System\oUAdFXk.exe
C:\Windows\System\oUAdFXk.exe
2⤵
- Executes dropped EXE
PID:2964

C:\Windows\System\dYxxszn.exe
C:\Windows\System\dYxxszn.exe
2⤵
- Executes dropped EXE
PID:1936

C:\Windows\System\lePRYvn.exe
C:\Windows\System\lePRYvn.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\ntgCvdG.exe
C:\Windows\System\ntgCvdG.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\TwxIZae.exe
C:\Windows\System\TwxIZae.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\ziuMTHJ.exe
C:\Windows\System\ziuMTHJ.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\pYZbOwo.exe
C:\Windows\System\pYZbOwo.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\uMUffvx.exe
C:\Windows\System\uMUffvx.exe
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\System\alMzGCn.exe
C:\Windows\System\alMzGCn.exe
2⤵
- Executes dropped EXE
PID:1404

C:\Windows\System\cquKkkD.exe
C:\Windows\System\cquKkkD.exe
2⤵
- Executes dropped EXE
PID:556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AoQuQKt.exe

Filesize
5.2MB

MD5
67d36b0253d49f09c5fead53fdf9523e

SHA1
f004db349161a170b36b2c5b4b89724667e99c19

SHA256
ecaf36169e9bd773109f9c3a8e76330628506ce05b7ff45c85733f2ce0d301ce

SHA512
4e9a00f66c97cbb209fec92713fcda6495c5f7c2dcd8763edde2626b8d2a4933bdac3a7075b11a376414bfeaaf0dafd5652ad27190e5ee878a394e0347bfe6ac

Download Submit
C:\Windows\system\GZkSehM.exe

Filesize
5.2MB

MD5
4cb9e8395b0288ef07b0fd4e190893f1

SHA1
385b166b0a3b7f3c244f386ffe93c89523b9189e

SHA256
998c92bb22ce26a99f0335acf4181049abb9bb2e4b590de01786be27044cf75f

SHA512
29a0878905e8578aa2ce1b6e2e9dbda0b1b50adde70ba5e282262c781fbe187e82e39084a6f51f2337aff09f5b52072297d6de03d9e3db18d662f09902f0aa4b

Download Submit
C:\Windows\system\MHuAAJe.exe

Filesize
5.2MB

MD5
4611aff0bd35562aa6760f6cb79f3dd7

SHA1
2cbf18e3a196cf934e8ac06eade24d81b503069d

SHA256
31792d04f05e8d6e2603625080b4bc4b868330f5466568f080a631189f95f358

SHA512
6e65d46950fcdb99567aa66462a0a15eab44538f623859a18a7d235d16046c1de309493b366102e68ac1d170fcb600d701ee629e2d7f6c2e5a93415455d9d009

Download Submit
C:\Windows\system\OUnXSAQ.exe

Filesize
5.2MB

MD5
d6d02e25f9d6e8877241fa1758f4ebb9

SHA1
37ef94aba64be48816555b20bf53423d44b5e096

SHA256
1ca70c16d276ef5553846a3a60039d181a7cb1faa8437315b2bbb85081499191

SHA512
7de2c8729337c0891ef1be0ad45d6c4bb9c1f4bb9b314e210c7935398847cc1172d5411e78acb9a36ec2964590f152470569c56622c1d3382a42626234941b2b

Download Submit
C:\Windows\system\TwxIZae.exe

Filesize
5.2MB

MD5
30c82b76ae7c103480842d96bf82ce1b

SHA1
6475f6976a42a2abb40802b863cd30c442cf101a

SHA256
e66a4331863320b7da6d7e45f765e7c1d2dd04d31b5c14af99cb6337f492d842

SHA512
1f3c09f676546b89b85e7408a8917a8bceb0d2ed4d90e8210a6e379a4b2cc34729b18e8d024d89c9b3e86d5eeecd818563e5540b90562e4f65f911b103a31e6e

Download Submit
C:\Windows\system\XPQBeuZ.exe

Filesize
5.2MB

MD5
645a7e52ab1a4979be392b7fefd44ce5

SHA1
1ee95fe87a9722ff4f1e34bc349ae49cffba0c12

SHA256
41111c86409287fc90fe08e6e83607a5341d7faef0243785588f89098b4b03ae

SHA512
fed2237c7d020151de97b13bb7d66cf2999e47036a644bbc9088572c93fb2386fdeb4b23bb99808ae6a6e6bdec858334944f79bd3a2271be31cb2a6994f35042

Download Submit
C:\Windows\system\ZpYrMvx.exe

Filesize
5.2MB

MD5
2748d6ac864c956dd86c3d57924212d4

SHA1
b0680156d7c8a2585a11b0345e4cae83f15288fa

SHA256
f5d8757be8adb30a612ab85ac5ac71a4028091d451f91b9045c2bd43ff201319

SHA512
b67bc772d4f4a0a8e60e34145f9e2e4b4b15ac20ff2c90c26e2d7d9c4aadea826ee2dfed86d04dd4ccb9591d203e61e14d6280aa74194ca7aebd3c27edc54ba6

Download Submit
C:\Windows\system\alMzGCn.exe

Filesize
5.2MB

MD5
ffbff06881531db77ca92f830d62ed6b

SHA1
7f5ac7e9e2d7cc2a3ece13042d09bc8b3e121114

SHA256
85a96c6067935e65c0553bc4d5f94c00d5eb02d9fc45398cf65863eb7e262f17

SHA512
a5859983fe6d90429de46a69875211121d18bf3224aecacb534e3c1a55bb6a0ea8014b9ded1c14f3d615a4607138de29dbab7705f2a910cc03cdca0cb7a052b2

Download Submit
C:\Windows\system\cquKkkD.exe

Filesize
5.2MB

MD5
7bca03f0df86fe44e15c29f2876dafef

SHA1
1e5470042b567c9f17506b3f6f0fc2c144011d17

SHA256
63e0e20340d43bc6d46511379b3a257381b208137920d6099a2edfd2e652a1e6

SHA512
4dede7d0ed4b566d8323d22ebcce08dca8a5efa87b61ad65d7606caa7d099b49b29f54e2cc66bf7139459219a1406e1606e8cdfc2e4a076bfd0f37a47d746b13

Download Submit
C:\Windows\system\dYxxszn.exe

Filesize
5.2MB

MD5
58bae8922aa596a267177b73047faadb

SHA1
a3acfce87a996ec72117a338a8181c1d760d147a

SHA256
9842e907c49a5e6fbb2c7a79a5036febdab5c064bc34e42e1527932d977f3364

SHA512
f2de91feeb842c499d6c25f9d6d88ff796885b0343189e64ba6ff6a8867507ce966cb86d3ba04f4381e4830791b26d708d8b0e4679ef12e25ed24db4024439d2

Download Submit
C:\Windows\system\klEMvpc.exe

Filesize
5.2MB

MD5
397e32fe8caf012500469e44edc80a0b

SHA1
befbff9d7584f9f452197a7ee00b4e5b1dc1ccee

SHA256
78e5f6cabb84ff102f3e7c4e7980a63bef72ebca92e76098e8f5557abd34581e

SHA512
7206c425ea659ce07211b09778be6fbd3cba9ac6458ff1213f3196eeef1828fe6c51f740e30778b187d3eb96160ace286312fb00dc653e40e51a000427f18133

Download Submit
C:\Windows\system\lePRYvn.exe

Filesize
5.2MB

MD5
f19d6285a2b89e89ad9cdcb2f84911bf

SHA1
d6ca8c1a3ca8bfd4d3a895365def0796d1fcd90c

SHA256
4616dbfc42441b3c1d02d5af3271c339d642d86c09c015652f73aade17828569

SHA512
092fa92d44b069cc0c076319c49c2673d7d7aaaeed76a4b4d92f9a602055be1148077d97546721bfac435a547091fcaeeff0447e7ea70797fb02a2b4af4e10cb

Download Submit
C:\Windows\system\ntgCvdG.exe

Filesize
5.2MB

MD5
954b9829f9c1e5ebfd537e302258f4b1

SHA1
35fcc0744ad2f777cf43512afe2fdf3f0bca76f6

SHA256
1fa87a7d5809eb2f641794f133694b313000e18371f83e2186a7e3c5147f73a5

SHA512
33e0c0c0a1c0b12e6d8ba69c870849eed8d3936d26f20ab73581edb7c95289636469707dcfa20237375cb6e145806589a189153c61179a3b903716ea4988b11d

Download Submit
C:\Windows\system\pYZbOwo.exe

Filesize
5.2MB

MD5
8810a25d147394afda1b6ed155760865

SHA1
e0c45705dd5b0cd4ef5a7cf5dd756af2916c119a

SHA256
c2023587baf5feeada59cd3bda2b2a86f96eff33b53ee154ed7037edf3ed0ae2

SHA512
0272c0669d815637aad12ee21c0c5a9a3a335cf6a5085b38e8dd63d1db94079bff82ee7c496aad15401be3a08468d4f49c8c14f0c3fbe5bf7fadae8557254a16

Download Submit
C:\Windows\system\quWGVCE.exe

Filesize
5.2MB

MD5
7c2fe80ec46d3c4fb76270176f0c7f06

SHA1
0532f120ca4c01b5f770a15d648e0f5888d44c08

SHA256
87b93945fbffaf5cb4ec0984c958fd8a791a1dd1cea2acb136d5f72b3d1b04ee

SHA512
ebf8639a17ea1dd1b66076399f5773497e286465de2c98f2f62cf05b03f54947ccc05d546afbcd5377648c60a29d04183ebc43eb5beaa41b64058278b4e36ed0

Download Submit
C:\Windows\system\uMUffvx.exe

Filesize
5.2MB

MD5
1d2ce472422fe116708a8d07b63109be

SHA1
60314a8a4c258fc0638bc6109afa2c321bb51e2d

SHA256
2bbb8d6ef06b40e7708fb51611493be88836a74164bc162f388d7080b693aefc

SHA512
e41490e2b48e02663fef0bd9d3cd52865b019042d6207b5f48605af1ef5d95db3e714d6ba33cf001e7585b95db8921781972ec0d15ad6197b5759f3add4dc80b

Download Submit
C:\Windows\system\ziuMTHJ.exe

Filesize
5.2MB

MD5
48084f2bd3823e440d52e38079de396a

SHA1
12210ad01a4832728bc904a887e4fe2d66827439

SHA256
9fef6366d4f7df9f452b59a1c96b8ed33621124012bb688b76635bfd05b0b4df

SHA512
32dc6ebbde37df777dc2c3df2f10ca701378a87f5d6b945a77001bdaf0c87e2dc76db6d4b97037514f1f046fd42597addbf3ac773e4461ba8578fe97424918f4

Download Submit
\Windows\system\FcjrvPG.exe

Filesize
5.2MB

MD5
42b1bca772e4376277127828bb9bfe9b

SHA1
446466855c5277365f9ca850d46d2f7a1bf96d26

SHA256
7d4029292f0a93bbecdfb97934f2d4683c935a894512d286311792fc21d38c61

SHA512
c3df3c191903021559fa83ab40208b47891908e2a75e36349a74a976f6c938b35ffd14b3ab87e5df532f42a4d85ff6291e52f7c6cb6f994093be3796fcfdeb9b

Download Submit
\Windows\system\kkLmAwS.exe

Filesize
5.2MB

MD5
64a8fc020603e2a33337fa56f88aec15

SHA1
750f21f66f0152ed7a8146f7b96b78e057f7aeca

SHA256
77bde54752b11835e48924ca1661682794b246c4f6051be62f9c8b6486e45846

SHA512
dd1245369b4ba3c954f5632a9fba4a07f4f0b7764f5b388ba7410260ce4c3e723c1bc269fab5e9ea7a18abc9e819d7184578d510bf36a5834b83455c45d5c5eb

Download Submit
\Windows\system\oUAdFXk.exe

Filesize
5.2MB

MD5
e09138a2e2e7730c5af818874fa5a9a6

SHA1
ccc01810252c771b76023c1eddd86a00922a51c1

SHA256
275a83198569d52fe15e745a84e172fed8cd2afa44dd9cef5155f338b50e80f9

SHA512
f3fe414797671598d5a6694f69233b44f20d0ca0d485b6746dd6fc921063fcd5fc2bb118a683aa39113735938b092d81afe169b7e52dd5c681b830032ccaa329

Download Submit
\Windows\system\uKmiRWC.exe

Filesize
5.2MB

MD5
813507d57c5199097ccdcaf7b72d8853

SHA1
bfab06cff69dff421993fbe2b6c43020166f4f8e

SHA256
d38ca182b975e50fd47d0b9d2bda4a75c6e6465a65987b4d55101be61fa00294

SHA512
3e509ff96a67dc274e5984cc62215773f53d45f20672a4b72f88a454c17f2923ce9f6d7a7826c6ce76f362c9b38940551affe972ad2a8d25b8215744e98a6b53

Download Submit
memory/556-160-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/852-101-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/852-243-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/1344-18-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/1344-76-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/1344-208-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/1404-159-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/1936-93-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/1936-236-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2392-48-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2392-32-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/2392-75-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-61-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2392-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2392-83-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/2392-11-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/2392-137-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/2392-92-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/2392-9-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/2392-69-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2392-19-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2392-184-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2392-183-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2392-100-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2392-0-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-55-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/2392-161-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-138-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-107-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2444-53-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2444-221-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2460-147-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2460-62-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2460-228-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2528-34-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-214-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-230-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2556-70-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2620-154-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2640-38-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2640-216-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2640-99-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2688-56-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-222-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-219-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2692-54-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2716-155-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-157-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2816-158-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-156-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-210-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-20-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-151-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2964-85-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2964-234-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/3032-212-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/3032-22-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/3032-91-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/3060-150-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/3060-232-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/3060-77-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download