cobaltstrike | 6ee8be4283e152ec0f971b540abe35dfd47feb9fc8baecd6d3a29d7afef49bb7

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

007ee70834c2ad0a8085c7d9acdf8747
SHA1

8da4d88529f2f717b8e53ec68e9b4a107221914f
SHA256

6ee8be4283e152ec0f971b540abe35dfd47feb9fc8baecd6d3a29d7afef49bb7
SHA512

fedae27262035593132576f0700da3c4eb2017afd26708bfcdbb272ecc4f7734238eba63160d26364b303478f8dae651f6cf53b189c5a418db8d492f442ec975
SSDEEP

49152:ROdWCCi7/ray56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibh56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\dOaVVXk.exe	cobalt_reflective_dll
\Windows\system\dBberBc.exe	cobalt_reflective_dll
C:\Windows\system\paxPFhF.exe	cobalt_reflective_dll
C:\Windows\system\fzGNuHy.exe	cobalt_reflective_dll
C:\Windows\system\FBPoQDd.exe	cobalt_reflective_dll
\Windows\system\ULPCAzF.exe	cobalt_reflective_dll
C:\Windows\system\AZjPHpW.exe	cobalt_reflective_dll
C:\Windows\system\Ocmkgfn.exe	cobalt_reflective_dll
C:\Windows\system\iozDjOy.exe	cobalt_reflective_dll
C:\Windows\system\hdLrMHg.exe	cobalt_reflective_dll
\Windows\system\RgWFtKF.exe	cobalt_reflective_dll
C:\Windows\system\jWuZXxL.exe	cobalt_reflective_dll
C:\Windows\system\qayzRPF.exe	cobalt_reflective_dll
C:\Windows\system\udrcOUr.exe	cobalt_reflective_dll
C:\Windows\system\FJpZwNq.exe	cobalt_reflective_dll
C:\Windows\system\mOPQVtG.exe	cobalt_reflective_dll
C:\Windows\system\fpXMgtM.exe	cobalt_reflective_dll
C:\Windows\system\GJTTjqk.exe	cobalt_reflective_dll
\Windows\system\tLpzsZY.exe	cobalt_reflective_dll
C:\Windows\system\gFludyH.exe	cobalt_reflective_dll
C:\Windows\system\NgRHpTU.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\dOaVVXk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\dBberBc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\paxPFhF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fzGNuHy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FBPoQDd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ULPCAzF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AZjPHpW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\Ocmkgfn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iozDjOy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hdLrMHg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\RgWFtKF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jWuZXxL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qayzRPF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\udrcOUr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FJpZwNq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mOPQVtG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fpXMgtM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GJTTjqk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\tLpzsZY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gFludyH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NgRHpTU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2400-0-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
C:\Windows\system\dOaVVXk.exe	UPX
behavioral1/memory/3024-9-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
\Windows\system\dBberBc.exe	UPX
behavioral1/memory/2624-15-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
C:\Windows\system\paxPFhF.exe	UPX
C:\Windows\system\fzGNuHy.exe	UPX
C:\Windows\system\FBPoQDd.exe	UPX
behavioral1/memory/2812-39-0x000000013F6F0000-0x000000013FA41000-memory.dmp	UPX
\Windows\system\ULPCAzF.exe	UPX
behavioral1/memory/2588-48-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
behavioral1/memory/2400-47-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
C:\Windows\system\AZjPHpW.exe	UPX
behavioral1/memory/2524-61-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
C:\Windows\system\Ocmkgfn.exe	UPX
behavioral1/memory/2492-55-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/2732-34-0x000000013F960000-0x000000013FCB1000-memory.dmp	UPX
C:\Windows\system\iozDjOy.exe	UPX
behavioral1/memory/2844-28-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/2708-27-0x000000013FAF0000-0x000000013FE41000-memory.dmp	UPX
C:\Windows\system\hdLrMHg.exe	UPX
behavioral1/memory/2536-88-0x000000013FF60000-0x00000001402B1000-memory.dmp	UPX
\Windows\system\RgWFtKF.exe	UPX
C:\Windows\system\jWuZXxL.exe	UPX
C:\Windows\system\qayzRPF.exe	UPX
behavioral1/memory/2768-94-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX
C:\Windows\system\udrcOUr.exe	UPX
C:\Windows\system\FJpZwNq.exe	UPX
C:\Windows\system\mOPQVtG.exe	UPX
C:\Windows\system\fpXMgtM.exe	UPX
C:\Windows\system\GJTTjqk.exe	UPX
\Windows\system\tLpzsZY.exe	UPX
behavioral1/memory/2196-105-0x000000013F950000-0x000000013FCA1000-memory.dmp	UPX
C:\Windows\system\gFludyH.exe	UPX
behavioral1/memory/2624-72-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/1592-86-0x000000013FC00000-0x000000013FF51000-memory.dmp	UPX
C:\Windows\system\NgRHpTU.exe	UPX
behavioral1/memory/2732-135-0x000000013F960000-0x000000013FCB1000-memory.dmp	UPX
behavioral1/memory/2400-133-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
behavioral1/memory/2812-141-0x000000013F6F0000-0x000000013FA41000-memory.dmp	UPX
behavioral1/memory/2524-144-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/2492-143-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/2588-142-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
behavioral1/memory/2820-149-0x000000013FC30000-0x000000013FF81000-memory.dmp	UPX
behavioral1/memory/2140-152-0x000000013FD60000-0x00000001400B1000-memory.dmp	UPX
behavioral1/memory/2148-156-0x000000013F800000-0x000000013FB51000-memory.dmp	UPX
behavioral1/memory/532-155-0x000000013FA30000-0x000000013FD81000-memory.dmp	UPX
behavioral1/memory/2360-154-0x000000013FDE0000-0x0000000140131000-memory.dmp	UPX
behavioral1/memory/2136-153-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
behavioral1/memory/2192-151-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/1456-157-0x000000013F9E0000-0x000000013FD31000-memory.dmp	UPX
behavioral1/memory/2400-159-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
behavioral1/memory/3024-206-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
behavioral1/memory/2624-217-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/2708-219-0x000000013FAF0000-0x000000013FE41000-memory.dmp	UPX
behavioral1/memory/2844-221-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/2812-223-0x000000013F6F0000-0x000000013FA41000-memory.dmp	UPX
behavioral1/memory/2732-225-0x000000013F960000-0x000000013FCB1000-memory.dmp	UPX
behavioral1/memory/2588-227-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
behavioral1/memory/2492-229-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/2524-231-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/1592-245-0x000000013FC00000-0x000000013FF51000-memory.dmp	UPX
behavioral1/memory/2536-247-0x000000013FF60000-0x00000001402B1000-memory.dmp	UPX
behavioral1/memory/2768-249-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX

XMRig Miner payload 40 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3024-9-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2400-47-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2844-28-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2708-27-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2536-88-0x000000013FF60000-0x00000001402B1000-memory.dmp	xmrig
behavioral1/memory/2400-91-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2400-90-0x000000013FF60000-0x00000001402B1000-memory.dmp	xmrig
behavioral1/memory/2768-94-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2196-105-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig
behavioral1/memory/2400-101-0x0000000002180000-0x00000000024D1000-memory.dmp	xmrig
behavioral1/memory/2624-72-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/1592-86-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2732-135-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2400-133-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2812-141-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/2524-144-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2492-143-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2588-142-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2820-149-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2140-152-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2148-156-0x000000013F800000-0x000000013FB51000-memory.dmp	xmrig
behavioral1/memory/532-155-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2360-154-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2136-153-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2192-151-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1456-157-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2400-159-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/3024-206-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2624-217-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2708-219-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2844-221-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2812-223-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/2732-225-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2588-227-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2492-229-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2524-231-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/1592-245-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2536-247-0x000000013FF60000-0x00000001402B1000-memory.dmp	xmrig
behavioral1/memory/2768-249-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2196-251-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

dOaVVXk.exedBberBc.exepaxPFhF.exefzGNuHy.exeiozDjOy.exeFBPoQDd.exeOcmkgfn.exeULPCAzF.exeAZjPHpW.exehdLrMHg.exejWuZXxL.exeNgRHpTU.exeqayzRPF.exeRgWFtKF.exemOPQVtG.exeFJpZwNq.exeudrcOUr.exegFludyH.exefpXMgtM.exeGJTTjqk.exetLpzsZY.exe

pid	process
3024	dOaVVXk.exe
2624	dBberBc.exe
2708	paxPFhF.exe
2844	fzGNuHy.exe
2732	iozDjOy.exe
2812	FBPoQDd.exe
2588	Ocmkgfn.exe
2492	ULPCAzF.exe
2524	AZjPHpW.exe
1592	hdLrMHg.exe
2536	jWuZXxL.exe
2768	NgRHpTU.exe
2196	qayzRPF.exe
2140	RgWFtKF.exe
2820	mOPQVtG.exe
2192	FJpZwNq.exe
2136	udrcOUr.exe
2360	gFludyH.exe
532	fpXMgtM.exe
2148	GJTTjqk.exe
1456	tLpzsZY.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

pid	process
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2400-0-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
C:\Windows\system\dOaVVXk.exe	upx
behavioral1/memory/3024-9-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
\Windows\system\dBberBc.exe	upx
behavioral1/memory/2624-15-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
C:\Windows\system\paxPFhF.exe	upx
C:\Windows\system\fzGNuHy.exe	upx
C:\Windows\system\FBPoQDd.exe	upx
behavioral1/memory/2812-39-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
\Windows\system\ULPCAzF.exe	upx
behavioral1/memory/2588-48-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2400-47-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
C:\Windows\system\AZjPHpW.exe	upx
behavioral1/memory/2524-61-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
C:\Windows\system\Ocmkgfn.exe	upx
behavioral1/memory/2492-55-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2732-34-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
C:\Windows\system\iozDjOy.exe	upx
behavioral1/memory/2844-28-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2708-27-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
C:\Windows\system\hdLrMHg.exe	upx
behavioral1/memory/2536-88-0x000000013FF60000-0x00000001402B1000-memory.dmp	upx
\Windows\system\RgWFtKF.exe	upx
C:\Windows\system\jWuZXxL.exe	upx
C:\Windows\system\qayzRPF.exe	upx
behavioral1/memory/2768-94-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
C:\Windows\system\udrcOUr.exe	upx
C:\Windows\system\FJpZwNq.exe	upx
C:\Windows\system\mOPQVtG.exe	upx
C:\Windows\system\fpXMgtM.exe	upx
C:\Windows\system\GJTTjqk.exe	upx
\Windows\system\tLpzsZY.exe	upx
behavioral1/memory/2196-105-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx
C:\Windows\system\gFludyH.exe	upx
behavioral1/memory/2624-72-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/1592-86-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
C:\Windows\system\NgRHpTU.exe	upx
behavioral1/memory/2732-135-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2400-133-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2812-141-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
behavioral1/memory/2524-144-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2492-143-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2588-142-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2820-149-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/2140-152-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/2148-156-0x000000013F800000-0x000000013FB51000-memory.dmp	upx
behavioral1/memory/532-155-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/2360-154-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2136-153-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2192-151-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/1456-157-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2400-159-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/3024-206-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2624-217-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2708-219-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2844-221-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2812-223-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
behavioral1/memory/2732-225-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2588-227-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2492-229-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2524-231-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/1592-245-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2536-247-0x000000013FF60000-0x00000001402B1000-memory.dmp	upx
behavioral1/memory/2768-249-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\fzGNuHy.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FJpZwNq.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fpXMgtM.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tLpzsZY.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dOaVVXk.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mOPQVtG.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qayzRPF.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dBberBc.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iozDjOy.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ULPCAzF.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AZjPHpW.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hdLrMHg.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NgRHpTU.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RgWFtKF.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\udrcOUr.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\paxPFhF.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GJTTjqk.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Ocmkgfn.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jWuZXxL.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gFludyH.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FBPoQDd.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2400 wrote to memory of 3024	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	dOaVVXk.exe
PID 2400 wrote to memory of 3024	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	dOaVVXk.exe
PID 2400 wrote to memory of 3024	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	dOaVVXk.exe
PID 2400 wrote to memory of 2624	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	dBberBc.exe
PID 2400 wrote to memory of 2624	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	dBberBc.exe
PID 2400 wrote to memory of 2624	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	dBberBc.exe
PID 2400 wrote to memory of 2708	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	paxPFhF.exe
PID 2400 wrote to memory of 2708	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	paxPFhF.exe
PID 2400 wrote to memory of 2708	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	paxPFhF.exe
PID 2400 wrote to memory of 2844	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	fzGNuHy.exe
PID 2400 wrote to memory of 2844	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	fzGNuHy.exe
PID 2400 wrote to memory of 2844	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	fzGNuHy.exe
PID 2400 wrote to memory of 2732	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	iozDjOy.exe
PID 2400 wrote to memory of 2732	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	iozDjOy.exe
PID 2400 wrote to memory of 2732	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	iozDjOy.exe
PID 2400 wrote to memory of 2812	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FBPoQDd.exe
PID 2400 wrote to memory of 2812	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FBPoQDd.exe
PID 2400 wrote to memory of 2812	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FBPoQDd.exe
PID 2400 wrote to memory of 2588	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	Ocmkgfn.exe
PID 2400 wrote to memory of 2588	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	Ocmkgfn.exe
PID 2400 wrote to memory of 2588	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	Ocmkgfn.exe
PID 2400 wrote to memory of 2492	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	ULPCAzF.exe
PID 2400 wrote to memory of 2492	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	ULPCAzF.exe
PID 2400 wrote to memory of 2492	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	ULPCAzF.exe
PID 2400 wrote to memory of 2524	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	AZjPHpW.exe
PID 2400 wrote to memory of 2524	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	AZjPHpW.exe
PID 2400 wrote to memory of 2524	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	AZjPHpW.exe
PID 2400 wrote to memory of 1592	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	hdLrMHg.exe
PID 2400 wrote to memory of 1592	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	hdLrMHg.exe
PID 2400 wrote to memory of 1592	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	hdLrMHg.exe
PID 2400 wrote to memory of 2536	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	jWuZXxL.exe
PID 2400 wrote to memory of 2536	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	jWuZXxL.exe
PID 2400 wrote to memory of 2536	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	jWuZXxL.exe
PID 2400 wrote to memory of 2768	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	NgRHpTU.exe
PID 2400 wrote to memory of 2768	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	NgRHpTU.exe
PID 2400 wrote to memory of 2768	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	NgRHpTU.exe
PID 2400 wrote to memory of 2820	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	mOPQVtG.exe
PID 2400 wrote to memory of 2820	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	mOPQVtG.exe
PID 2400 wrote to memory of 2820	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	mOPQVtG.exe
PID 2400 wrote to memory of 2196	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	qayzRPF.exe
PID 2400 wrote to memory of 2196	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	qayzRPF.exe
PID 2400 wrote to memory of 2196	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	qayzRPF.exe
PID 2400 wrote to memory of 2192	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FJpZwNq.exe
PID 2400 wrote to memory of 2192	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FJpZwNq.exe
PID 2400 wrote to memory of 2192	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FJpZwNq.exe
PID 2400 wrote to memory of 2140	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	RgWFtKF.exe
PID 2400 wrote to memory of 2140	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	RgWFtKF.exe
PID 2400 wrote to memory of 2140	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	RgWFtKF.exe
PID 2400 wrote to memory of 2136	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	udrcOUr.exe
PID 2400 wrote to memory of 2136	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	udrcOUr.exe
PID 2400 wrote to memory of 2136	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	udrcOUr.exe
PID 2400 wrote to memory of 2360	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	gFludyH.exe
PID 2400 wrote to memory of 2360	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	gFludyH.exe
PID 2400 wrote to memory of 2360	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	gFludyH.exe
PID 2400 wrote to memory of 532	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	fpXMgtM.exe
PID 2400 wrote to memory of 532	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	fpXMgtM.exe
PID 2400 wrote to memory of 532	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	fpXMgtM.exe
PID 2400 wrote to memory of 2148	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	GJTTjqk.exe
PID 2400 wrote to memory of 2148	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	GJTTjqk.exe
PID 2400 wrote to memory of 2148	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	GJTTjqk.exe
PID 2400 wrote to memory of 1456	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	tLpzsZY.exe
PID 2400 wrote to memory of 1456	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	tLpzsZY.exe
PID 2400 wrote to memory of 1456	2400	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	tLpzsZY.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\System\dOaVVXk.exe
C:\Windows\System\dOaVVXk.exe
2⤵
- Executes dropped EXE
PID:3024

C:\Windows\System\dBberBc.exe
C:\Windows\System\dBberBc.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\paxPFhF.exe
C:\Windows\System\paxPFhF.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\fzGNuHy.exe
C:\Windows\System\fzGNuHy.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\System\iozDjOy.exe
C:\Windows\System\iozDjOy.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\FBPoQDd.exe
C:\Windows\System\FBPoQDd.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\System\Ocmkgfn.exe
C:\Windows\System\Ocmkgfn.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\ULPCAzF.exe
C:\Windows\System\ULPCAzF.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\AZjPHpW.exe
C:\Windows\System\AZjPHpW.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\hdLrMHg.exe
C:\Windows\System\hdLrMHg.exe
2⤵
- Executes dropped EXE
PID:1592

C:\Windows\System\jWuZXxL.exe
C:\Windows\System\jWuZXxL.exe
2⤵
- Executes dropped EXE
PID:2536

C:\Windows\System\NgRHpTU.exe
C:\Windows\System\NgRHpTU.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System\mOPQVtG.exe
C:\Windows\System\mOPQVtG.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\qayzRPF.exe
C:\Windows\System\qayzRPF.exe
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\System\FJpZwNq.exe
C:\Windows\System\FJpZwNq.exe
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\System\RgWFtKF.exe
C:\Windows\System\RgWFtKF.exe
2⤵
- Executes dropped EXE
PID:2140

C:\Windows\System\udrcOUr.exe
C:\Windows\System\udrcOUr.exe
2⤵
- Executes dropped EXE
PID:2136

C:\Windows\System\gFludyH.exe
C:\Windows\System\gFludyH.exe
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\System\fpXMgtM.exe
C:\Windows\System\fpXMgtM.exe
2⤵
- Executes dropped EXE
PID:532

C:\Windows\System\GJTTjqk.exe
C:\Windows\System\GJTTjqk.exe
2⤵
- Executes dropped EXE
PID:2148

C:\Windows\System\tLpzsZY.exe
C:\Windows\System\tLpzsZY.exe
2⤵
- Executes dropped EXE
PID:1456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AZjPHpW.exe
Filesize
5.2MB

MD5
a3872da49eeb8f4c3db3fb4a7ffcbf7d

SHA1
a8954653feb9971c962e463d12c86a485f67131a

SHA256
f2618f494f3382fe2da00ea0c7cdc22cb5cb9c151698710c3ee349539d055296

SHA512
cee5798abab7e82ecdf9e4ef9b264ae2af4087b352017e6b203c11d18aac03263b414baf03b9fa4cea9ee6b70a041700641d4427f89315ec4fddd4a8b121ac13

Download Submit
C:\Windows\system\FBPoQDd.exe
Filesize
5.2MB

MD5
dd6b49a8b5c5b773e4d90aa08e56521c

SHA1
6252a1e8ead3beda336f2c29fd16883f80c83ba8

SHA256
cfd3111ad7bb37a37ea1c63b55dcbf168feb71d8d763f4e99a00b7d51792991e

SHA512
5c4c448d9bb33dc39438bba98bc6cbce6a37d6adc80c25173b2744c52a788adf5082487b86addaaf6c9978666cd4ed8c6bcc37438fb2c1c1a46b5978ecfbce62

Download Submit
C:\Windows\system\FJpZwNq.exe
Filesize
5.2MB

MD5
7767a4ee091839adde70584e1aa2e411

SHA1
67f4c4117b94feb5ade1d5e600a477dd90055e49

SHA256
0763c0319281d657a2c1cde86a7c11531a30f88fbdfd5a68e250b09626c38741

SHA512
4deea21dd485c5f10688c6ce3dfc2559215944e9cbada6fcc9be53d98867bf130ab9fff65b07d0cd65692d39ba9f19e4b2bc79d804a8260802546720a4d72108

Download Submit
C:\Windows\system\GJTTjqk.exe
Filesize
5.2MB

MD5
3402c70aee2a0f680d3692611b8b53fd

SHA1
0b46a30f64cfc4823b94b6d7d1499e82a5bb89a9

SHA256
a8eacd4004e8ad7232b0ba9229204df889dca66e47947f51c02c39c9b53f63c6

SHA512
530bbc5b37773f58a91e60b7df09233692d0cb245fc86998521ab062ead01abe8185c500dc707128f2f18a073a0d7d7c9e36320860f34d939697bbb83994c526

Download Submit
C:\Windows\system\NgRHpTU.exe
Filesize
5.2MB

MD5
d20e81a8531793f789dde7aee6970f3a

SHA1
9aa3cec3e6d2232598b5445e20f973df36dff3d9

SHA256
4b3a378748cfee3f40b8444dee4709f433be18b3dd8a0ed631d0b70fa44cc228

SHA512
553ff161d13589daf17e03954383cb4b48c6f6c56231deeb3d09eb1b454d9b70fa7810fa4fb18f427eda160f7c2f2f363f5b7e08a49192c81f21423b518db713

Download Submit
C:\Windows\system\Ocmkgfn.exe
Filesize
5.2MB

MD5
74d63d699dac2dfee955ae88f994265a

SHA1
9365bd52cacab08ea6ac9fbf360f7bc1cd22e398

SHA256
3d0c7dc55351a825b5dc13e92e79ed0cba0523f61f90fa24ba90c62f1bc6941a

SHA512
f54277d5cb36851e568ede9f19cd9a5691e6ee799a48db53d8a6519db09c751e868266c14ba3bd311e2c1eb69a0d1151d52e55e38331e47f5d60dab9c4128368

Download Submit
C:\Windows\system\dOaVVXk.exe
Filesize
5.2MB

MD5
ff36529f103f96ab50d1f030ffe2e8f2

SHA1
0838acf0097cced786b18fa474e6066dcda4ec9d

SHA256
21d09c2924c43dfaaaa4fe40e5c4f492d49f228e8e4d0747ab4e44f45ca18800

SHA512
c094b480cac2e5a728eea4c9f296929b5b80088ca838f7a21f5c13f4f720ebb75dc6253d3cbdc353597c426e62090431cf0b1e803e48b7e585a750570a05ac6d

Download Submit
C:\Windows\system\fpXMgtM.exe
Filesize
5.2MB

MD5
954ca189f306bb80850792a3d3b02562

SHA1
325557113393fdbf62e22914e9cf7d7a3133b717

SHA256
b75458533eae6268074da66492917d943b9cca16f5611a6e293fff3da18953b0

SHA512
fb51fae7c6caa13913deae08efdfdd611edac603df54f24a19ef7022da1b4e7427d77679d2cc994ca7f073a873573076f07709c30093f9a7627ab72062eb88b3

Download Submit
C:\Windows\system\fzGNuHy.exe
Filesize
5.2MB

MD5
7ed7afc83ed892cd41575e4a4a9a2e84

SHA1
eb80412725a6222c3803f20c0ecdbc5936a5944b

SHA256
71b1b2ed4a06b6bbb8b8b4fa80887277d0c111e9fc24a448822b4fc1f4a15cba

SHA512
4d2743ecd7e4619b0d932dc0290c0d1f65146b4f9658322e1e2d1a1f7fadf1c05970aa7bbb08c20bf98680c83e89f1ae61bf3e856b6388c8113d583f510e28b4

Download Submit
C:\Windows\system\gFludyH.exe
Filesize
5.2MB

MD5
54cd9f82598defcc6f7cdf14d9a124c8

SHA1
b70018011c0d0d1568ef9d49f20a40e8c2dec619

SHA256
b209bfeaf00eb709b7b1ab7f33af97b6efd0fca303b41674d1a696bcfc271bdb

SHA512
4b2eaa8ca7f7a3aacc586d0b9855b57be8c6d2fe1740e1866ccd8ddad37f0a174ccb6d73d34b435dbb4788deef1d016f172fa4ecc5ba740d59d27dfb3a925417

Download Submit
C:\Windows\system\hdLrMHg.exe
Filesize
5.2MB

MD5
f7dea2a93669581e1b5d9235980f76d7

SHA1
453b4fd151527d925cc9f3b300184f621b446864

SHA256
32e854389170e8aec5cbcac9a83549b8b73327239666b34ca7685bf65c1350f8

SHA512
4abf72441c9f674f3daf762f7cfe9cda500968e0cdb03d3cd2998020d0f2c42caa800afd7c8f72e8ad5472255fa57b0e47ad5242131bfc36da5ccd88dd5bab47

Download Submit
C:\Windows\system\iozDjOy.exe
Filesize
5.2MB

MD5
770de14839a458f82ce1f1b9e3190411

SHA1
310ca44d1dca1c945584a2afdee690b9e5d9604c

SHA256
308a1fbd9470d1132725664556c88a31b3599a54b55c1dcf0c705da2604360d8

SHA512
1cb9128736f14dbef756c4b3de79aa4777d21b1bbaa4c4add7bf756cf2610aa7c7d4dca6cb5127fb79ca61eb9cea2511025e8ea65a0aba03831d69e165ace7a4

Download Submit
C:\Windows\system\jWuZXxL.exe
Filesize
5.2MB

MD5
f5497658bfd8a7458c75aa4d72886d42

SHA1
ce5c48a0ae292f055ab93c12c53b3930e4bf024c

SHA256
a0cd238415e20a4a35a5791fd5262290242f5c2d2f088ba7574c99c8ec39232c

SHA512
02b2fa116fe84a6c8b1478b180b83f1c06e9f3b95bb6a9d0d52835be0d74da267633ac8513d59ac11cc260851b3f5569c5e03c281e61b73b14e17348c7e81475

Download Submit
C:\Windows\system\mOPQVtG.exe
Filesize
5.2MB

MD5
4c7a746568f8b0f3f0ead8b460e382b7

SHA1
a8b2a75b9b1f773af286cfb0a52cd4f836a37909

SHA256
26ab71bfdde7a78bd26d3817104297b2f34102d2e9d05ff88205dc3b5702ef62

SHA512
9873d8937a4fa428e7090557e19b681c015c369816aadaf686b2a8779cf61bbf1b6233d29979633888396e464be4244386f66fc96f9ede9016f59c4d81f39dc1

Download Submit
C:\Windows\system\paxPFhF.exe
Filesize
5.2MB

MD5
f87d9aa9b82c368fbf3a18bb46b104dc

SHA1
78d6c4a91e02c45a31d160abb1a09ca3d7d4941c

SHA256
078238d031ee4a7bd56ebb2c7d5d98d1b1a5a99df1e5af2619539f9194952e3d

SHA512
1024ae15b017ef211fd2e9b8dcf87defeb3490601998934e8c95ebb412b476446a039ad0787efe9253ec8c54c85d6536ac870a9133bd0b88819c5ccc945d6834

Download Submit
C:\Windows\system\qayzRPF.exe
Filesize
5.2MB

MD5
f87adbfea9867c96adcc9616654df9d7

SHA1
c96381bc170cb86442f210e1c42c46cc399ece3f

SHA256
4736b6a4f6b875f6c73d1e39febbcb0c9784a7fad64f12b921b47467e89a5458

SHA512
6533244db267c4a3b8598c30d38b1972e1d2010a3ea1e49d807d59fc57d7a3e68ad0f162180f839bfa45efd26a5d2b1d43bd140c2142a41b84c902558f3aa0d9

Download Submit
C:\Windows\system\udrcOUr.exe
Filesize
5.2MB

MD5
dd9e971d0b6e6ee4070103223aac0810

SHA1
5e39d38c18e5817db4a7bf1bae7c92d0b41440b9

SHA256
80f97947724c04d0dff8974646ddb5033fb117e8ae7fc326f6ef877856fd51a1

SHA512
87796f4716f4b6e649716e892c756ddbd1d6af32eb963313d462c56581d8aa6719cb427e9d133edda02a497a1092a1dc0f4838a91b2539cc25d96dbd31f0ddbe

Download Submit
\Windows\system\RgWFtKF.exe
Filesize
5.2MB

MD5
c63c3b160c63f6296a185984a36c417a

SHA1
8daa917425801c1c94c348ab4b0dbeca64cd94f4

SHA256
4287cba3ee1b7f7d9871cb48408b00024e4ec770ae454d2f020f1f78abb1a038

SHA512
fa0abd1e323cfc208632fe9fed0aa5e9824a72f7200c3cbd11bd82e74cdec914337924cb99b9f6b34ec6ff8d469e6b5a65bf6f08ec99752fafd6ba285c0cec7b

Download Submit
\Windows\system\ULPCAzF.exe
Filesize
5.2MB

MD5
531ecc1ef8ac47cf6025cf808ac2110b

SHA1
78db83162b58b2edc0aab458227ad49efaa5beea

SHA256
1783db31bbaeab9d975db05cd1a3f98a61a47cf8524c5151e1d0a2c62aafcb9e

SHA512
e97c66a55dc2b898316364203cdd2fe926ef3676ac192fe3d8f226125313612e3fe58166bf086d8396b3a1701ce20d617b5e37676795c3c81b931c1c6ba5cbf8

Download Submit
\Windows\system\dBberBc.exe
Filesize
5.2MB

MD5
47363a15e81655eb7cca03adb155e2d2

SHA1
c3f38c3e106995d482bcd9fb38baa82b9a8918df

SHA256
109a241a28f7bce96d785438e58b4b64e5d8f4c62cb078e255426fef41679ae6

SHA512
08301a7439432b317616ebbda17e96ebc59f0beb9b9a04c3396091ae626dc756bda44d4632d242478aa8c13981be7117048538e424428db515dcb83f1eae117c

Download Submit
\Windows\system\tLpzsZY.exe
Filesize
5.2MB

MD5
c448d229c356c3b8dcb69ce23f9027cc

SHA1
76a2d1121a8867e626b783d567437ff1f7acd281

SHA256
67537ca14b206a100907a9ee6cbe16fc1236c982ac16d084d4e03574891bc311

SHA512
6f8918109cec5c434263e86cb6095294a435cfe78eccf925b0656c601baa78258deb78bd96d576455f3f9fec333d540fd2c70c3529a795566530fe4aecbf3630

Download Submit
memory/532-155-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/1456-157-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/1592-245-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/1592-86-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2136-153-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2140-152-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-156-0x000000013F800000-0x000000013FB51000-memory.dmp

Filesize
3.3MB

Download
memory/2192-151-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2196-105-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-251-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-154-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2400-107-0x0000000002180000-0x00000000024D1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-159-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-90-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-7-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-182-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2400-26-0x0000000002180000-0x00000000024D1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-181-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-0-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2400-106-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2400-29-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2400-104-0x0000000002180000-0x00000000024D1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-101-0x0000000002180000-0x00000000024D1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-38-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2400-82-0x0000000002180000-0x00000000024D1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-158-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2400-54-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2400-145-0x0000000002180000-0x00000000024D1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-47-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-133-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-91-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2492-55-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2492-229-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2492-143-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2524-231-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-144-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-61-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-88-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-247-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/2588-142-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2588-48-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2588-227-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2624-15-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-72-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-217-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-219-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2708-27-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2732-135-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-34-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-225-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-94-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2768-249-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2812-141-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2812-39-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2812-223-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2820-149-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2844-221-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2844-28-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/3024-206-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-9-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download