cobaltstrike | 182e143a6dc2d086af7155787ef24047e0611722fe51adcb05e950f5c1abf951

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
Size

6.0MB
MD5

78d03ec87d437a82166a5445881810a1
SHA1

dd41fb771558841a42010cb65f81edf3452575b1
SHA256

182e143a6dc2d086af7155787ef24047e0611722fe51adcb05e950f5c1abf951
SHA512

178f44259c10382062c95790ef94072edc7268f80d3b2f635c015a196eaadb2ca57e0af570622c794cb9594624819d407ce8bdd8e113430f37785abc607d5ad9
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lUU:E+v56utgpPF8u/7U

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\rmqZUdy.exe	cobalt_reflective_dll
\Windows\system\xYJOwnX.exe	cobalt_reflective_dll
C:\Windows\system\RMUbPRS.exe	cobalt_reflective_dll
C:\Windows\system\oemRswg.exe	cobalt_reflective_dll
C:\Windows\system\mrOmtXn.exe	cobalt_reflective_dll
C:\Windows\system\UozJmJx.exe	cobalt_reflective_dll
C:\Windows\system\NeuNxzD.exe	cobalt_reflective_dll
C:\Windows\system\HBGlKPq.exe	cobalt_reflective_dll
C:\Windows\system\OrQQOqq.exe	cobalt_reflective_dll
\Windows\system\oiTXSQe.exe	cobalt_reflective_dll
C:\Windows\system\eJLSWId.exe	cobalt_reflective_dll
\Windows\system\DrTvwwV.exe	cobalt_reflective_dll
C:\Windows\system\wfxsBKA.exe	cobalt_reflective_dll
C:\Windows\system\kRdiruL.exe	cobalt_reflective_dll
C:\Windows\system\LVCtgUp.exe	cobalt_reflective_dll
C:\Windows\system\SMeqmZE.exe	cobalt_reflective_dll
C:\Windows\system\QfKaMic.exe	cobalt_reflective_dll
C:\Windows\system\bGbPufl.exe	cobalt_reflective_dll
C:\Windows\system\zsxGRQr.exe	cobalt_reflective_dll
C:\Windows\system\pZbtgmA.exe	cobalt_reflective_dll
C:\Windows\system\obviwZB.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\rmqZUdy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xYJOwnX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RMUbPRS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oemRswg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mrOmtXn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UozJmJx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NeuNxzD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HBGlKPq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OrQQOqq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oiTXSQe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eJLSWId.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DrTvwwV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wfxsBKA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kRdiruL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LVCtgUp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SMeqmZE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QfKaMic.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bGbPufl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zsxGRQr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pZbtgmA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\obviwZB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 60 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2280-0-0x000000013F530000-0x000000013F884000-memory.dmp	UPX
\Windows\system\rmqZUdy.exe	UPX
behavioral1/memory/1712-8-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
\Windows\system\xYJOwnX.exe	UPX
behavioral1/memory/1636-13-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
C:\Windows\system\RMUbPRS.exe	UPX
behavioral1/memory/2620-21-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
C:\Windows\system\oemRswg.exe	UPX
behavioral1/memory/2720-28-0x000000013F5C0000-0x000000013F914000-memory.dmp	UPX
C:\Windows\system\mrOmtXn.exe	UPX
behavioral1/memory/2520-41-0x000000013F500000-0x000000013F854000-memory.dmp	UPX
C:\Windows\system\UozJmJx.exe	UPX
C:\Windows\system\NeuNxzD.exe	UPX
behavioral1/memory/2656-55-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/1712-54-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/1636-68-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/1232-70-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
C:\Windows\system\HBGlKPq.exe	UPX
behavioral1/memory/2560-85-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/1020-97-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
C:\Windows\system\OrQQOqq.exe	UPX
\Windows\system\oiTXSQe.exe	UPX
C:\Windows\system\eJLSWId.exe	UPX
\Windows\system\DrTvwwV.exe	UPX
C:\Windows\system\wfxsBKA.exe	UPX
C:\Windows\system\kRdiruL.exe	UPX
C:\Windows\system\LVCtgUp.exe	UPX
behavioral1/memory/2812-91-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
C:\Windows\system\SMeqmZE.exe	UPX
behavioral1/memory/3024-95-0x000000013F880000-0x000000013FBD4000-memory.dmp	UPX
C:\Windows\system\QfKaMic.exe	UPX
behavioral1/memory/1240-76-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/memory/2620-74-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
C:\Windows\system\bGbPufl.exe	UPX
behavioral1/memory/2568-60-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
C:\Windows\system\zsxGRQr.exe	UPX
C:\Windows\system\pZbtgmA.exe	UPX
behavioral1/memory/2280-45-0x000000013F530000-0x000000013F884000-memory.dmp	UPX
behavioral1/memory/2548-51-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/3024-34-0x000000013F880000-0x000000013FBD4000-memory.dmp	UPX
C:\Windows\system\obviwZB.exe	UPX
behavioral1/memory/2656-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2568-137-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/1240-140-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/memory/2812-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/1020-145-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/1712-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/1636-148-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2620-149-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2720-150-0x000000013F5C0000-0x000000013F914000-memory.dmp	UPX
behavioral1/memory/2520-151-0x000000013F500000-0x000000013F854000-memory.dmp	UPX
behavioral1/memory/2548-152-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/3024-153-0x000000013F880000-0x000000013FBD4000-memory.dmp	UPX
behavioral1/memory/2568-154-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/2656-155-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/1232-156-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
behavioral1/memory/1240-157-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/memory/2560-158-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/1020-159-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2812-160-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2280-0-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
\Windows\system\rmqZUdy.exe	xmrig
behavioral1/memory/1712-8-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
\Windows\system\xYJOwnX.exe	xmrig
behavioral1/memory/1636-13-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
C:\Windows\system\RMUbPRS.exe	xmrig
behavioral1/memory/2620-21-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
C:\Windows\system\oemRswg.exe	xmrig
behavioral1/memory/2720-28-0x000000013F5C0000-0x000000013F914000-memory.dmp	xmrig
C:\Windows\system\mrOmtXn.exe	xmrig
behavioral1/memory/2520-41-0x000000013F500000-0x000000013F854000-memory.dmp	xmrig
C:\Windows\system\UozJmJx.exe	xmrig
C:\Windows\system\NeuNxzD.exe	xmrig
behavioral1/memory/2656-55-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/1712-54-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/1636-68-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/1232-70-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2280-69-0x00000000024D0000-0x0000000002824000-memory.dmp	xmrig
C:\Windows\system\HBGlKPq.exe	xmrig
behavioral1/memory/2560-85-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/1020-97-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
C:\Windows\system\OrQQOqq.exe	xmrig
\Windows\system\oiTXSQe.exe	xmrig
C:\Windows\system\eJLSWId.exe	xmrig
\Windows\system\DrTvwwV.exe	xmrig
C:\Windows\system\wfxsBKA.exe	xmrig
C:\Windows\system\kRdiruL.exe	xmrig
C:\Windows\system\LVCtgUp.exe	xmrig
behavioral1/memory/2280-104-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2812-91-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
C:\Windows\system\SMeqmZE.exe	xmrig
behavioral1/memory/2280-96-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/3024-95-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
C:\Windows\system\QfKaMic.exe	xmrig
behavioral1/memory/1240-76-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2620-74-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
C:\Windows\system\bGbPufl.exe	xmrig
behavioral1/memory/2568-60-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
C:\Windows\system\zsxGRQr.exe	xmrig
C:\Windows\system\pZbtgmA.exe	xmrig
behavioral1/memory/2280-45-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2548-51-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/3024-34-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
C:\Windows\system\obviwZB.exe	xmrig
behavioral1/memory/2656-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2568-137-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/1240-140-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2812-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2280-144-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/1020-145-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/1712-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/1636-148-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2620-149-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2720-150-0x000000013F5C0000-0x000000013F914000-memory.dmp	xmrig
behavioral1/memory/2520-151-0x000000013F500000-0x000000013F854000-memory.dmp	xmrig
behavioral1/memory/2548-152-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/3024-153-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2568-154-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/2656-155-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/1232-156-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/1240-157-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2560-158-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/1020-159-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2812-160-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

rmqZUdy.exexYJOwnX.exeRMUbPRS.exeoemRswg.exeobviwZB.exemrOmtXn.exeUozJmJx.exeNeuNxzD.exezsxGRQr.exepZbtgmA.exebGbPufl.exeHBGlKPq.exeSMeqmZE.exeQfKaMic.exeLVCtgUp.exeOrQQOqq.exewfxsBKA.exekRdiruL.exeoiTXSQe.exeeJLSWId.exeDrTvwwV.exe

pid	process
1712	rmqZUdy.exe
1636	xYJOwnX.exe
2620	RMUbPRS.exe
2720	oemRswg.exe
3024	obviwZB.exe
2520	mrOmtXn.exe
2548	UozJmJx.exe
2656	NeuNxzD.exe
2568	zsxGRQr.exe
1232	pZbtgmA.exe
1240	bGbPufl.exe
2560	HBGlKPq.exe
2812	SMeqmZE.exe
1020	QfKaMic.exe
1604	LVCtgUp.exe
1548	OrQQOqq.exe
2284	wfxsBKA.exe
1660	kRdiruL.exe
1668	oiTXSQe.exe
1356	eJLSWId.exe
2036	DrTvwwV.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe

pid	process
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2280-0-0x000000013F530000-0x000000013F884000-memory.dmp	upx
\Windows\system\rmqZUdy.exe	upx
behavioral1/memory/1712-8-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
\Windows\system\xYJOwnX.exe	upx
behavioral1/memory/1636-13-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
C:\Windows\system\RMUbPRS.exe	upx
behavioral1/memory/2620-21-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
C:\Windows\system\oemRswg.exe	upx
behavioral1/memory/2720-28-0x000000013F5C0000-0x000000013F914000-memory.dmp	upx
C:\Windows\system\mrOmtXn.exe	upx
behavioral1/memory/2520-41-0x000000013F500000-0x000000013F854000-memory.dmp	upx
C:\Windows\system\UozJmJx.exe	upx
C:\Windows\system\NeuNxzD.exe	upx
behavioral1/memory/2656-55-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/1712-54-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/1636-68-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/1232-70-0x000000013F210000-0x000000013F564000-memory.dmp	upx
C:\Windows\system\HBGlKPq.exe	upx
behavioral1/memory/2560-85-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/1020-97-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
C:\Windows\system\OrQQOqq.exe	upx
\Windows\system\oiTXSQe.exe	upx
C:\Windows\system\eJLSWId.exe	upx
\Windows\system\DrTvwwV.exe	upx
C:\Windows\system\wfxsBKA.exe	upx
C:\Windows\system\kRdiruL.exe	upx
C:\Windows\system\LVCtgUp.exe	upx
behavioral1/memory/2812-91-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
C:\Windows\system\SMeqmZE.exe	upx
behavioral1/memory/3024-95-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
C:\Windows\system\QfKaMic.exe	upx
behavioral1/memory/1240-76-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2620-74-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
C:\Windows\system\bGbPufl.exe	upx
behavioral1/memory/2568-60-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
C:\Windows\system\zsxGRQr.exe	upx
C:\Windows\system\pZbtgmA.exe	upx
behavioral1/memory/2280-45-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2548-51-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/3024-34-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
C:\Windows\system\obviwZB.exe	upx
behavioral1/memory/2656-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2568-137-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/1240-140-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2812-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/1020-145-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/1712-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/1636-148-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2620-149-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2720-150-0x000000013F5C0000-0x000000013F914000-memory.dmp	upx
behavioral1/memory/2520-151-0x000000013F500000-0x000000013F854000-memory.dmp	upx
behavioral1/memory/2548-152-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/3024-153-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2568-154-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/2656-155-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/1232-156-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/1240-157-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2560-158-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/1020-159-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2812-160-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\oemRswg.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\obviwZB.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pZbtgmA.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bGbPufl.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SMeqmZE.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QfKaMic.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eJLSWId.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HBGlKPq.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kRdiruL.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oiTXSQe.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rmqZUdy.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mrOmtXn.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NeuNxzD.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zsxGRQr.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LVCtgUp.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OrQQOqq.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DrTvwwV.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xYJOwnX.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RMUbPRS.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UozJmJx.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wfxsBKA.exe	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2280 wrote to memory of 1712	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	rmqZUdy.exe
PID 2280 wrote to memory of 1712	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	rmqZUdy.exe
PID 2280 wrote to memory of 1712	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	rmqZUdy.exe
PID 2280 wrote to memory of 1636	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	xYJOwnX.exe
PID 2280 wrote to memory of 1636	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	xYJOwnX.exe
PID 2280 wrote to memory of 1636	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	xYJOwnX.exe
PID 2280 wrote to memory of 2620	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	RMUbPRS.exe
PID 2280 wrote to memory of 2620	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	RMUbPRS.exe
PID 2280 wrote to memory of 2620	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	RMUbPRS.exe
PID 2280 wrote to memory of 2720	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	oemRswg.exe
PID 2280 wrote to memory of 2720	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	oemRswg.exe
PID 2280 wrote to memory of 2720	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	oemRswg.exe
PID 2280 wrote to memory of 3024	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	obviwZB.exe
PID 2280 wrote to memory of 3024	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	obviwZB.exe
PID 2280 wrote to memory of 3024	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	obviwZB.exe
PID 2280 wrote to memory of 2520	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	mrOmtXn.exe
PID 2280 wrote to memory of 2520	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	mrOmtXn.exe
PID 2280 wrote to memory of 2520	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	mrOmtXn.exe
PID 2280 wrote to memory of 2656	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	NeuNxzD.exe
PID 2280 wrote to memory of 2656	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	NeuNxzD.exe
PID 2280 wrote to memory of 2656	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	NeuNxzD.exe
PID 2280 wrote to memory of 2548	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	UozJmJx.exe
PID 2280 wrote to memory of 2548	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	UozJmJx.exe
PID 2280 wrote to memory of 2548	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	UozJmJx.exe
PID 2280 wrote to memory of 2568	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	zsxGRQr.exe
PID 2280 wrote to memory of 2568	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	zsxGRQr.exe
PID 2280 wrote to memory of 2568	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	zsxGRQr.exe
PID 2280 wrote to memory of 1232	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	pZbtgmA.exe
PID 2280 wrote to memory of 1232	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	pZbtgmA.exe
PID 2280 wrote to memory of 1232	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	pZbtgmA.exe
PID 2280 wrote to memory of 1240	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	bGbPufl.exe
PID 2280 wrote to memory of 1240	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	bGbPufl.exe
PID 2280 wrote to memory of 1240	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	bGbPufl.exe
PID 2280 wrote to memory of 2560	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	HBGlKPq.exe
PID 2280 wrote to memory of 2560	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	HBGlKPq.exe
PID 2280 wrote to memory of 2560	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	HBGlKPq.exe
PID 2280 wrote to memory of 2812	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	SMeqmZE.exe
PID 2280 wrote to memory of 2812	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	SMeqmZE.exe
PID 2280 wrote to memory of 2812	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	SMeqmZE.exe
PID 2280 wrote to memory of 1020	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	QfKaMic.exe
PID 2280 wrote to memory of 1020	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	QfKaMic.exe
PID 2280 wrote to memory of 1020	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	QfKaMic.exe
PID 2280 wrote to memory of 1604	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	LVCtgUp.exe
PID 2280 wrote to memory of 1604	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	LVCtgUp.exe
PID 2280 wrote to memory of 1604	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	LVCtgUp.exe
PID 2280 wrote to memory of 1548	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	OrQQOqq.exe
PID 2280 wrote to memory of 1548	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	OrQQOqq.exe
PID 2280 wrote to memory of 1548	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	OrQQOqq.exe
PID 2280 wrote to memory of 2284	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	wfxsBKA.exe
PID 2280 wrote to memory of 2284	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	wfxsBKA.exe
PID 2280 wrote to memory of 2284	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	wfxsBKA.exe
PID 2280 wrote to memory of 1660	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	kRdiruL.exe
PID 2280 wrote to memory of 1660	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	kRdiruL.exe
PID 2280 wrote to memory of 1660	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	kRdiruL.exe
PID 2280 wrote to memory of 1668	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	oiTXSQe.exe
PID 2280 wrote to memory of 1668	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	oiTXSQe.exe
PID 2280 wrote to memory of 1668	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	oiTXSQe.exe
PID 2280 wrote to memory of 1356	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	eJLSWId.exe
PID 2280 wrote to memory of 1356	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	eJLSWId.exe
PID 2280 wrote to memory of 1356	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	eJLSWId.exe
PID 2280 wrote to memory of 2036	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	DrTvwwV.exe
PID 2280 wrote to memory of 2036	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	DrTvwwV.exe
PID 2280 wrote to memory of 2036	2280	2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe	DrTvwwV.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_78d03ec87d437a82166a5445881810a1_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\System\rmqZUdy.exe
C:\Windows\System\rmqZUdy.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\System\xYJOwnX.exe
C:\Windows\System\xYJOwnX.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\RMUbPRS.exe
C:\Windows\System\RMUbPRS.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\oemRswg.exe
C:\Windows\System\oemRswg.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\obviwZB.exe
C:\Windows\System\obviwZB.exe
2⤵
- Executes dropped EXE
PID:3024

C:\Windows\System\mrOmtXn.exe
C:\Windows\System\mrOmtXn.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\NeuNxzD.exe
C:\Windows\System\NeuNxzD.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\UozJmJx.exe
C:\Windows\System\UozJmJx.exe
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\System\zsxGRQr.exe
C:\Windows\System\zsxGRQr.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\pZbtgmA.exe
C:\Windows\System\pZbtgmA.exe
2⤵
- Executes dropped EXE
PID:1232

C:\Windows\System\bGbPufl.exe
C:\Windows\System\bGbPufl.exe
2⤵
- Executes dropped EXE
PID:1240

C:\Windows\System\HBGlKPq.exe
C:\Windows\System\HBGlKPq.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\System\SMeqmZE.exe
C:\Windows\System\SMeqmZE.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\System\QfKaMic.exe
C:\Windows\System\QfKaMic.exe
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\System\LVCtgUp.exe
C:\Windows\System\LVCtgUp.exe
2⤵
- Executes dropped EXE
PID:1604

C:\Windows\System\OrQQOqq.exe
C:\Windows\System\OrQQOqq.exe
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\System\wfxsBKA.exe
C:\Windows\System\wfxsBKA.exe
2⤵
- Executes dropped EXE
PID:2284

C:\Windows\System\kRdiruL.exe
C:\Windows\System\kRdiruL.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\System\oiTXSQe.exe
C:\Windows\System\oiTXSQe.exe
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\System\eJLSWId.exe
C:\Windows\System\eJLSWId.exe
2⤵
- Executes dropped EXE
PID:1356

C:\Windows\System\DrTvwwV.exe
C:\Windows\System\DrTvwwV.exe
2⤵
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HBGlKPq.exe
Filesize
6.0MB

MD5
13de392b7c18a9811668c14a95ff0032

SHA1
cd6e969939701274ad28238adde0f22c38977273

SHA256
9c9ea2f7d0be54401a3636f7842dcc24742f6106031e38f616e9a533c289bd2f

SHA512
64467c3b71d2fd7977d64c8fb376f344654d2e50dee02d8d39b0b4cb708655a168931ca8ad9e20b0ac0e01c3a4d7df909c9989e4eafc364893ea5c03c166158c

Download Submit
C:\Windows\system\LVCtgUp.exe
Filesize
6.0MB

MD5
74f922c35cb987f648111fe291f4e7f2

SHA1
d4eb8c6c6386b858ea80f73d75d88a39e11b9dfc

SHA256
ed2b8005dbe386a56df01316ecbb4a7108330765efb2a4d2e591edc893745b45

SHA512
b05314727e1e4181bed7078b5bdf4c6adafdf143497e03981a0b543c5b120a4966a615d6b33e2eea4a9186d015eaeb988e3f93c3f1dfd6311ba78e54cabd3fbb

Download Submit
C:\Windows\system\NeuNxzD.exe
Filesize
6.0MB

MD5
17b559b838e2327883117413b94294b5

SHA1
ab9db2938b806394eb39a17d348c431396352fd2

SHA256
2bb3f5336d7359cc8d4f6706a2ebf7d6d4194be0d9db8049f1b092c56c04de72

SHA512
9b194a3f30882896b6c3246241a4eefd87553d89b9d5566ac93c074c976acf555988433affefd5c516ad36295215830bb0a32cd1cfb74631c73cfcf3f578d8c8

Download Submit
C:\Windows\system\OrQQOqq.exe
Filesize
6.0MB

MD5
37a76cebc28e7ad1322937039e911b45

SHA1
5213b5e0951072d3ac1a32f60628757e740cb9b9

SHA256
65b2c859f8d9a2a390e534fb651a0507bb9e18cb17cd9c74f42e1dcb4b696675

SHA512
f6d4a54d92060e3f445ef82fe8a4b537469403ca0a25c753d1f5446e687e56502ba700d60c2a4788ff1ab82497094562f3bd6db6bb51fcf631a083efeef4cdaa

Download Submit
C:\Windows\system\QfKaMic.exe
Filesize
6.0MB

MD5
fc6cd230b8a7c8607821a2716d719eb1

SHA1
fc03fbbb787cee916fcc4d15b2ccb0f7b11add7a

SHA256
04fcb7905268bb195b57c9a5f3f486ee0278964280e99ab9dbcf3ccf9584cbc3

SHA512
68aca8582d985979c0edbf1f97c0728519c640ab30d8246b08436e9a2c6e4bacfe3c8c4d5571d2a4f57e05ca7da5c1f5e40f7e903ff49c68a310010721abea4b

Download Submit
C:\Windows\system\RMUbPRS.exe
Filesize
6.0MB

MD5
757b3110e916df254bdc875bf312156b

SHA1
ebf3203bd7aa25e7fd53c32d5b6e8365d4cea5f6

SHA256
429de783143355ef69aebf092ff32e92ecf4db26b82b065ef48f618d52b51c17

SHA512
72ed843e21e83622326ada38e12339d3ebf5756f6e3052adab8ac21a3d42567dd9073a8bf55efba42bd30aa27f9a025191bbf9717efc0dac6a6b2462354f25b7

Download Submit
C:\Windows\system\SMeqmZE.exe
Filesize
6.0MB

MD5
9836b3ce8d2647fa8297bc7591fdd6bc

SHA1
deef3b7ddeb9811766e68b562c9116ac8848d29c

SHA256
5e4dae68a9a41973b008f0cecc01fa08aaf53c78bcb4fc7cccf68549d32d5f82

SHA512
b8ee1fb1837261729b788ad1dd3dc2443662858351607dc3067accf059ddee02aaada130d453c7298c5b673c8ba889dae48f26d690f5a1451ad8d74ba0e8f06e

Download Submit
C:\Windows\system\UozJmJx.exe
Filesize
6.0MB

MD5
21bf7f72570336b06be5bb4d513afe50

SHA1
3dcdaae5756133b9b09869679b92cc7c9fd170a5

SHA256
53199081c56b5215f0982c3809a1504b56f4d283d5325f9930141c52ec6ee142

SHA512
90bd9dc5796ae911cd07eb159d89812e10d24cff864a24e9981391589c6ebbc01592eb8a8e1711ffe8797fb410df98eadbf69a271c56765f00c15c126eb9b8a3

Download Submit
C:\Windows\system\bGbPufl.exe
Filesize
6.0MB

MD5
37fd1d72d61ebece9fd8891684e1dfe3

SHA1
c8de02c6a7cd7cfc734d82674c997563bd49eddd

SHA256
18be315480ed1c322112d769e2c62d0faa2d783cdf7069222a5fa4866cec373d

SHA512
2eed918d3605ab4798db9e164b250ce7c70298bc147902f0e21a5cf680cd004e4e6e94653670078c865c169a1425508f54cd9b3bb2b778b63cd810878c387a4f

Download Submit
C:\Windows\system\eJLSWId.exe
Filesize
6.0MB

MD5
8cfb8a8b3f677474b0bc1443edf6bed6

SHA1
3493058b39193dea2e0d3f653549007342ae3f0d

SHA256
af14692b0706eceeeb45bf6c5b4849fd64552344c997fb0bc2c0d641749f554e

SHA512
3bd8715b3a0c919881cc10adb86017102dfefd6a8d07ef67f30ddb08913bf0e0d01fe7695194aed1db3bb11f0b9457efec54c78f040a228442bec2bb074d1299

Download Submit
C:\Windows\system\kRdiruL.exe
Filesize
6.0MB

MD5
cc6aa488cd5f1a3085c8ec7a9883af01

SHA1
c0dfaf4bddc07c60ebdc9cd50388bb56a2056abc

SHA256
d9d5907a5e1a989613178ff858aa82a0019ee629b18b1d4a203a255b316e16ab

SHA512
a99ca51c763208a39cabfe15f5d53ace29c3443433dc8056fadc8e65860287eca0f3b956467fb1d465eda6c4a27a5d6ab0e225a8f2816ed05deb40a1f637a696

Download Submit
C:\Windows\system\mrOmtXn.exe
Filesize
6.0MB

MD5
0fcf12a1b0120c9a6aab35ce620e8ff1

SHA1
b115e05648b261c5b2cc591f0534d2eaa1eb87c1

SHA256
724ebe647b0b38ed50ec6261fcf35adf5ea3f9c8239cad3f3c00f6afc46411e0

SHA512
221b5f26105597b0bd988151df22ab66cb60ff9bde8d1253e55ff095331badc08dfaa88f614937933362614c9e64f39c5f288762955b3ddbd62d513b720dc5d9

Download Submit
C:\Windows\system\obviwZB.exe
Filesize
6.0MB

MD5
3d35400de9c068ca6cbac4cad5c7129c

SHA1
47e12d6e706e6f5ca941601edf4ec1c51aa61da0

SHA256
006f95bc61f4fe09409ec37024c290577d0a7b7fecc86d586f31f51643ce292b

SHA512
86fa2195b7215e2be3b38d8a5c5d0caac17d3f1faf4331bb50b003463faa83ce5a9782ce75696dc0f0593b8f2e12d19236b29c19c96e2ad3b0317b052a5811fc

Download Submit
C:\Windows\system\oemRswg.exe
Filesize
6.0MB

MD5
08baf0f2fddb8af1680c9dab8c74fd1c

SHA1
c30da6065f9ee9a672f0290195982de05d30ffe1

SHA256
ccbf54d12e27589358112d25c4798df59a65bc6613aacac1e825e3e5afc61012

SHA512
9af578d3eab4be7b8d2c8589ae590781dcea99074414df388e84c626577637a13c356455342556cd255a80bbc83c83f99924035d078641ed8baf6e8f511b2b53

Download Submit
C:\Windows\system\pZbtgmA.exe
Filesize
6.0MB

MD5
7cacc617ad7a3f5c48347b5d80e733a8

SHA1
dea1ba0eb7e1ac5f4d58cde2534a983295541f1c

SHA256
fcf649762b5e4ef7490d023c06f7871f2ab872eb205c3d0249bb2549491e3032

SHA512
c730534519b4ade189bfaea51a3e86d135e026115c5bbaa1d88533d4eb2b84f19329f571d90e0cc646448b515e75586f86fed7d22f590e45747a853d350fe5a6

Download Submit
C:\Windows\system\wfxsBKA.exe
Filesize
6.0MB

MD5
74b3c7eda5c639821259abc1928455ee

SHA1
1541ed32c05f61a993ce1dc9d02a14e52f4e4375

SHA256
673363dcf53cd40218f433e4258850d5458cd0940bf9da487d4c2b99bb0cd3e6

SHA512
c1f30dd4974335a2c67011b8d45edbdb0487f54d3c3498d349f379761d10fa36144b7eac8325ba01244c29a50c93a51d60aef5f905363f7c338cd6ff61f2337a

Download Submit
C:\Windows\system\zsxGRQr.exe
Filesize
6.0MB

MD5
443c06ea624ef48027b29c66e49e8e14

SHA1
9fe08868859b9546c883a75cd8e5af9f9e0c57bc

SHA256
7433bb5dac58cc6b68b3a6eb20c2c7c41ef41176d2d7a0de88c2d67f91adcc89

SHA512
3322da7ae51f24ec725c6a6fd978248235fa9cd97ef966bd6dfb74144cc6bf4f5f857fc2f45406cc516b0f97db5eee54d4e3ad67f6825dd1875056cd5428f3af

Download Submit
\Windows\system\DrTvwwV.exe
Filesize
6.0MB

MD5
834cf1c611ae9ba5aec85d914e939504

SHA1
ba6f953e883981341e981100df116d35c4977c0a

SHA256
12a65a71b9b564d2c34099d71ab7a7a706a9abfbf76996855011a8ac8752927f

SHA512
8b2230e01d3f1c5e81536ddf68f67b82edf476ccdc154a03025769ba21f515e6124154be5d3b15062c8159abcb2e229c79f2d094f6ae76da7433ce01c4b4638e

Download Submit
\Windows\system\oiTXSQe.exe
Filesize
6.0MB

MD5
136e72b5123bd867eea009bfdbbd02f2

SHA1
4b8ec13cd796e38d2219a1e046abcc279e8729bb

SHA256
2bc6bfc7b6d43d4a03d9cbe16b361a0b835ed4261228a05b548e6cc4e696f172

SHA512
b13ca0648f2551e5e72b4abae83e644fb2c21aefea345bdc20b0f9965e6aec47d8d93fa151bc435a030044792310506ea0b8c6df4e2df91f82da7f625f12b481

Download Submit
\Windows\system\rmqZUdy.exe
Filesize
6.0MB

MD5
3fd5457ca03b3458cc1f5aca9ed3a7b5

SHA1
5f1472409528c7421713698ea4e6b4da86f4e3f8

SHA256
33260f17d229224a7f0f34bb52a1184fcc3c1925c41fbea7d308918451396039

SHA512
fde6837dcd8ea6a03e6d6ab5fbabdec60a5431ae22f2e598bc18e049e7fe1123ca887d4d2f16504f24ff9000e3f516dcc9c91e821d6d0d288ce1651ced40e92c

Download Submit
\Windows\system\xYJOwnX.exe
Filesize
6.0MB

MD5
52ba6a10c6f145796fa2b77de2496a61

SHA1
9873adfc3ae931df20b299335efa360a2a3736c4

SHA256
a3a020ed40e50a668384ee81559b93b9b3fd675c19660f4b85cbbd442df4385a

SHA512
48567d250c114925962f7f9a03118804f494de9a3e468a9938a5d9b743bbad05655112f3d36b84c6f3dcbc2ac72ba89f49f272a0366c3c055f46ebc842048997

Download Submit
memory/1020-97-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1020-159-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1020-145-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1232-156-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/1232-70-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/1240-76-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/1240-140-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/1240-157-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/1636-148-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/1636-13-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/1636-68-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/1712-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/1712-8-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/1712-54-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-84-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-138-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/2280-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2280-90-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-0-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2280-19-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-75-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2280-27-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/2280-104-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2280-146-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2280-40-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/2280-69-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/2280-45-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2280-144-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2280-142-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-141-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-32-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/2280-96-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2280-139-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2520-41-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2520-151-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2548-51-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2548-152-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2560-158-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-85-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-154-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-137-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-60-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-21-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-149-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-74-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-155-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2656-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2656-55-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2720-150-0x000000013F5C0000-0x000000013F914000-memory.dmp

Filesize
3.3MB

Download
memory/2720-28-0x000000013F5C0000-0x000000013F914000-memory.dmp

Filesize
3.3MB

Download
memory/2812-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-91-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-160-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-153-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-34-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-95-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download