cobaltstrike | b0e1026312a3cb1967f8d3f60c9e4dc24f6b524bc8492b992802c9d6f82894c4

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

1ecb9d0787b6b3d13e1e185bd91ee021
SHA1

db0ced9c7d323267c7b693a8e0cfcbc50155601e
SHA256

b0e1026312a3cb1967f8d3f60c9e4dc24f6b524bc8492b992802c9d6f82894c4
SHA512

d5caab03dcf66f5fd91301991fe6d41aebf01be33dec63233a622c52f6bc1610c29aec559aa225e7eadadc6ffbdeee6665de583d04ba29b50a73d514dab04106
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU1:Q+856utgpPF8u/71

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d00000001227e-6.dat	cobalt_reflective_dll
behavioral1/files/0x00380000000141ab-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014345-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014353-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014415-32.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014471-36.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014509-51.dat	cobalt_reflective_dll
behavioral1/files/0x00380000000141af-41.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015122-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015682-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c93-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb8-135.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ca2-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c6f-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c7f-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015678-105.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001552d-89.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001562a-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015406-66.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014f41-58.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015424-76.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001227e-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00380000000141ab-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014345-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014353-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014415-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014471-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014509-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00380000000141af-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015122-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015682-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c93-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb8-135.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ca2-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c6f-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c7f-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015678-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001552d-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001562a-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015406-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014f41-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015424-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 61 IoCs

resource	yara_rule
behavioral1/memory/3016-0-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/files/0x000d00000001227e-6.dat	UPX
behavioral1/files/0x00380000000141ab-12.dat	UPX
behavioral1/memory/2932-15-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/3056-13-0x000000013F2F0000-0x000000013F644000-memory.dmp	UPX
behavioral1/files/0x0008000000014345-11.dat	UPX
behavioral1/memory/1088-20-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/files/0x0007000000014353-23.dat	UPX
behavioral1/files/0x0007000000014415-32.dat	UPX
behavioral1/memory/2748-33-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/files/0x0007000000014471-36.dat	UPX
behavioral1/memory/2656-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/files/0x0008000000014509-51.dat	UPX
behavioral1/memory/3016-52-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/files/0x00380000000141af-41.dat	UPX
behavioral1/memory/2000-47-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/2700-55-0x000000013FCD0000-0x0000000140024000-memory.dmp	UPX
behavioral1/memory/2784-60-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/files/0x0006000000015122-62.dat	UPX
behavioral1/memory/1932-79-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/2716-81-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/3064-85-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/1572-100-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/files/0x0006000000015682-112.dat	UPX
behavioral1/files/0x0006000000015c93-127.dat	UPX
behavioral1/files/0x0006000000015cb8-135.dat	UPX
behavioral1/files/0x0006000000015ca2-132.dat	UPX
behavioral1/files/0x0006000000015c6f-117.dat	UPX
behavioral1/files/0x0006000000015c7f-122.dat	UPX
behavioral1/memory/2656-107-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/files/0x0006000000015678-105.dat	UPX
behavioral1/memory/2892-93-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2748-91-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/files/0x000600000001552d-89.dat	UPX
behavioral1/files/0x000600000001562a-98.dat	UPX
behavioral1/files/0x0006000000015406-66.dat	UPX
behavioral1/memory/1088-80-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/files/0x0007000000014f41-58.dat	UPX
behavioral1/files/0x0006000000015424-76.dat	UPX
behavioral1/memory/2584-74-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/2716-29-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2784-139-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/memory/2584-141-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/1932-143-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/3064-144-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2892-146-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/1572-147-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/3056-149-0x000000013F2F0000-0x000000013F644000-memory.dmp	UPX
behavioral1/memory/2932-150-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/1088-151-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2716-152-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2656-153-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/2000-154-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/2700-155-0x000000013FCD0000-0x0000000140024000-memory.dmp	UPX
behavioral1/memory/2784-156-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/memory/2748-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/memory/2584-158-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/1932-159-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/3064-160-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2892-161-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/1572-162-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/3016-0-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/files/0x000d00000001227e-6.dat	xmrig
behavioral1/files/0x00380000000141ab-12.dat	xmrig
behavioral1/memory/2932-15-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/3056-13-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/files/0x0008000000014345-11.dat	xmrig
behavioral1/memory/1088-20-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/files/0x0007000000014353-23.dat	xmrig
behavioral1/files/0x0007000000014415-32.dat	xmrig
behavioral1/memory/2748-33-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/files/0x0007000000014471-36.dat	xmrig
behavioral1/memory/2656-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/files/0x0008000000014509-51.dat	xmrig
behavioral1/memory/3016-52-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/files/0x00380000000141af-41.dat	xmrig
behavioral1/memory/2000-47-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2700-55-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/3016-54-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2784-60-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/files/0x0006000000015122-62.dat	xmrig
behavioral1/memory/1932-79-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2716-81-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/3064-85-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/1572-100-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015682-112.dat	xmrig
behavioral1/files/0x0006000000015c93-127.dat	xmrig
behavioral1/files/0x0006000000015cb8-135.dat	xmrig
behavioral1/files/0x0006000000015ca2-132.dat	xmrig
behavioral1/files/0x0006000000015c6f-117.dat	xmrig
behavioral1/files/0x0006000000015c7f-122.dat	xmrig
behavioral1/memory/2656-107-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015678-105.dat	xmrig
behavioral1/memory/2892-93-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2748-91-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/files/0x000600000001552d-89.dat	xmrig
behavioral1/files/0x000600000001562a-98.dat	xmrig
behavioral1/files/0x0006000000015406-66.dat	xmrig
behavioral1/memory/1088-80-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/files/0x0007000000014f41-58.dat	xmrig
behavioral1/files/0x0006000000015424-76.dat	xmrig
behavioral1/memory/2584-74-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/3016-73-0x00000000022F0000-0x0000000002644000-memory.dmp	xmrig
behavioral1/memory/3016-31-0x00000000022F0000-0x0000000002644000-memory.dmp	xmrig
behavioral1/memory/2716-29-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2784-139-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/2584-141-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/1932-143-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/3064-144-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2892-146-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/1572-147-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/3056-149-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2932-150-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/1088-151-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2716-152-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2656-153-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2000-154-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2700-155-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2784-156-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/2748-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/2584-158-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/1932-159-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/3064-160-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2892-161-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/1572-162-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3056	MpOBvuO.exe
2932	suBxfNV.exe
1088	eQXbKpt.exe
2716	SgErRwc.exe
2748	BPCWheu.exe
2656	JPSCVGV.exe
2000	GlhqbrL.exe
2700	IDbojfs.exe
2784	PoUpUok.exe
2584	NjiBGej.exe
1932	CotfPxd.exe
3064	cvvwfyu.exe
2892	ZRGUSKX.exe
1572	RFIPrga.exe
1956	neNgwua.exe
1736	wgzftMf.exe
1612	QfFUPjL.exe
1568	tfejFnn.exe
2496	hbmitfT.exe
1184	tkIbfXP.exe
1396	LqkBUGR.exe

Loads dropped DLL 21 IoCs

pid	Process
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3016-0-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/files/0x000d00000001227e-6.dat	upx
behavioral1/files/0x00380000000141ab-12.dat	upx
behavioral1/memory/2932-15-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/3056-13-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/files/0x0008000000014345-11.dat	upx
behavioral1/memory/1088-20-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/files/0x0007000000014353-23.dat	upx
behavioral1/files/0x0007000000014415-32.dat	upx
behavioral1/memory/2748-33-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/files/0x0007000000014471-36.dat	upx
behavioral1/memory/2656-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/files/0x0008000000014509-51.dat	upx
behavioral1/memory/3016-52-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/files/0x00380000000141af-41.dat	upx
behavioral1/memory/2000-47-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2700-55-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2784-60-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/files/0x0006000000015122-62.dat	upx
behavioral1/memory/1932-79-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2716-81-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/3064-85-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/1572-100-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/files/0x0006000000015682-112.dat	upx
behavioral1/files/0x0006000000015c93-127.dat	upx
behavioral1/files/0x0006000000015cb8-135.dat	upx
behavioral1/files/0x0006000000015ca2-132.dat	upx
behavioral1/files/0x0006000000015c6f-117.dat	upx
behavioral1/files/0x0006000000015c7f-122.dat	upx
behavioral1/memory/2656-107-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/files/0x0006000000015678-105.dat	upx
behavioral1/memory/2892-93-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2748-91-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/files/0x000600000001552d-89.dat	upx
behavioral1/files/0x000600000001562a-98.dat	upx
behavioral1/files/0x0006000000015406-66.dat	upx
behavioral1/memory/1088-80-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/files/0x0007000000014f41-58.dat	upx
behavioral1/files/0x0006000000015424-76.dat	upx
behavioral1/memory/2584-74-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2716-29-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2784-139-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/memory/2584-141-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/1932-143-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/3064-144-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2892-146-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/1572-147-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/3056-149-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2932-150-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/1088-151-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2716-152-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2656-153-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2000-154-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2700-155-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2784-156-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/memory/2748-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/2584-158-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/1932-159-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/3064-160-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2892-161-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/1572-162-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PoUpUok.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NjiBGej.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\neNgwua.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wgzftMf.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QfFUPjL.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tfejFnn.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MpOBvuO.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SgErRwc.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JPSCVGV.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CotfPxd.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LqkBUGR.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\suBxfNV.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GlhqbrL.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IDbojfs.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZRGUSKX.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hbmitfT.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eQXbKpt.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BPCWheu.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cvvwfyu.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RFIPrga.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tkIbfXP.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3056	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	29
PID 3016 wrote to memory of 3056	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	29
PID 3016 wrote to memory of 3056	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	29
PID 3016 wrote to memory of 2932	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	30
PID 3016 wrote to memory of 2932	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	30
PID 3016 wrote to memory of 2932	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	30
PID 3016 wrote to memory of 1088	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	31
PID 3016 wrote to memory of 1088	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	31
PID 3016 wrote to memory of 1088	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	31
PID 3016 wrote to memory of 2716	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	32
PID 3016 wrote to memory of 2716	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	32
PID 3016 wrote to memory of 2716	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	32
PID 3016 wrote to memory of 2748	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	33
PID 3016 wrote to memory of 2748	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	33
PID 3016 wrote to memory of 2748	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	33
PID 3016 wrote to memory of 2656	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	34
PID 3016 wrote to memory of 2656	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	34
PID 3016 wrote to memory of 2656	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	34
PID 3016 wrote to memory of 2000	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	35
PID 3016 wrote to memory of 2000	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	35
PID 3016 wrote to memory of 2000	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	35
PID 3016 wrote to memory of 2700	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	36
PID 3016 wrote to memory of 2700	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	36
PID 3016 wrote to memory of 2700	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	36
PID 3016 wrote to memory of 2784	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	37
PID 3016 wrote to memory of 2784	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	37
PID 3016 wrote to memory of 2784	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	37
PID 3016 wrote to memory of 2584	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	38
PID 3016 wrote to memory of 2584	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	38
PID 3016 wrote to memory of 2584	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	38
PID 3016 wrote to memory of 3064	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	39
PID 3016 wrote to memory of 3064	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	39
PID 3016 wrote to memory of 3064	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	39
PID 3016 wrote to memory of 1932	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	40
PID 3016 wrote to memory of 1932	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	40
PID 3016 wrote to memory of 1932	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	40
PID 3016 wrote to memory of 2892	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	41
PID 3016 wrote to memory of 2892	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	41
PID 3016 wrote to memory of 2892	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	41
PID 3016 wrote to memory of 1572	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	42
PID 3016 wrote to memory of 1572	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	42
PID 3016 wrote to memory of 1572	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	42
PID 3016 wrote to memory of 1956	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	43
PID 3016 wrote to memory of 1956	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	43
PID 3016 wrote to memory of 1956	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	43
PID 3016 wrote to memory of 1736	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	44
PID 3016 wrote to memory of 1736	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	44
PID 3016 wrote to memory of 1736	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	44
PID 3016 wrote to memory of 1612	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	45
PID 3016 wrote to memory of 1612	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	45
PID 3016 wrote to memory of 1612	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	45
PID 3016 wrote to memory of 1568	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	46
PID 3016 wrote to memory of 1568	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	46
PID 3016 wrote to memory of 1568	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	46
PID 3016 wrote to memory of 2496	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	47
PID 3016 wrote to memory of 2496	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	47
PID 3016 wrote to memory of 2496	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	47
PID 3016 wrote to memory of 1184	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	48
PID 3016 wrote to memory of 1184	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	48
PID 3016 wrote to memory of 1184	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	48
PID 3016 wrote to memory of 1396	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	49
PID 3016 wrote to memory of 1396	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	49
PID 3016 wrote to memory of 1396	3016	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\System\MpOBvuO.exe
  C:\Windows\System\MpOBvuO.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\suBxfNV.exe
  C:\Windows\System\suBxfNV.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\eQXbKpt.exe
  C:\Windows\System\eQXbKpt.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\SgErRwc.exe
  C:\Windows\System\SgErRwc.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\BPCWheu.exe
  C:\Windows\System\BPCWheu.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\JPSCVGV.exe
  C:\Windows\System\JPSCVGV.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\GlhqbrL.exe
  C:\Windows\System\GlhqbrL.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\IDbojfs.exe
  C:\Windows\System\IDbojfs.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\PoUpUok.exe
  C:\Windows\System\PoUpUok.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\NjiBGej.exe
  C:\Windows\System\NjiBGej.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\cvvwfyu.exe
  C:\Windows\System\cvvwfyu.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\CotfPxd.exe
  C:\Windows\System\CotfPxd.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\ZRGUSKX.exe
  C:\Windows\System\ZRGUSKX.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\RFIPrga.exe
  C:\Windows\System\RFIPrga.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\neNgwua.exe
  C:\Windows\System\neNgwua.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\wgzftMf.exe
  C:\Windows\System\wgzftMf.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\QfFUPjL.exe
  C:\Windows\System\QfFUPjL.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\tfejFnn.exe
  C:\Windows\System\tfejFnn.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\hbmitfT.exe
  C:\Windows\System\hbmitfT.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\tkIbfXP.exe
  C:\Windows\System\tkIbfXP.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\LqkBUGR.exe
  C:\Windows\System\LqkBUGR.exe
  2⤵
  - Executes dropped EXE
  PID:1396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BPCWheu.exe

Filesize
5.9MB

MD5
6f925102819d5afcb0cf8ffce80d6a8e

SHA1
88b87b6d2e2b1819fad5bcd3fb293e7f7a77b03b

SHA256
993e5b4b39ab7436e36fbe6e0e8bbbe83daa27f98abbe69b8ae44c1158019f7f

SHA512
41d3dcdb5f6d4724cd23acd7cf728220221710f4896efc0485e77d1df2d2328179f19c65c0eb34d802bdb9d1c41350b01b9fe4da352d0861ef1569a23c50ed83

Download Submit
C:\Windows\system\CotfPxd.exe

Filesize
5.9MB

MD5
08883cb7d125940d27367db12f21111e

SHA1
35b984f59880588ca9746f8e1da9116c95ab58eb

SHA256
285f448d084d3f390b39a237dc325b4f30ba01e47fdfefcd01c9b167a009d068

SHA512
d4f60b0e4191e4f3452157a09aa022ccbf5d0ac7626cfa0b40a2949adee7c05b5b99c224edb2fed42c7f23483d7b63090603b8926134db5abef94bc81b1e1af7

Download Submit
C:\Windows\system\IDbojfs.exe

Filesize
5.9MB

MD5
eadeebe8c05d63b54c0745470974db71

SHA1
f885ebf6476a611ee834c56be043047d09033a7d

SHA256
f707ea9f8070c7d0f8ff23177f391b457b4ab7bf4a2ef5044ce2851a32ca19db

SHA512
a6d2de0364ce6b2216cd2cc803f91fb60c4c1eca5ce2131cf4b04255afc4b8d0ad288a200bd3798cc45679d33b0e6d8148963db462b924b92fd03b9e41a6aaf6

Download Submit
C:\Windows\system\JPSCVGV.exe

Filesize
5.9MB

MD5
9e7207d32b9f4c669d1834d9acd55dca

SHA1
c4ff6843a95cde216d6ff2c90b1c5f10d2890bbc

SHA256
abae3d7691e0775f2a859ccbd93784862d03beff9564bb3eefae9375d0241154

SHA512
ffae2b51a2ecf3d6bfd947923273204540bea745c0e386bcc783b1d75c6f3deac649fea1a557227ee3fcf5293cc92a3b7a982c32681e7477a5d7fd7afa934b60

Download Submit
C:\Windows\system\MpOBvuO.exe

Filesize
5.9MB

MD5
5f93c0dd9033f3dc7865a14141283f55

SHA1
5175739639cf6d31963ca2d114b5a595f2324731

SHA256
adda733f6486d3b96252ed788b566d9b3d2cbb1f9fc0552618e31f417cac38b4

SHA512
5d8547a46cf41fb5daa890aaa8b787a840ac1bbfeb073af2f9533bccfeb3558db762b48cc12b27c850fdebda458ea864eeadce99cc21f2e4799fe48a522500b5

Download Submit
C:\Windows\system\PoUpUok.exe

Filesize
5.9MB

MD5
a41d186499893936115808dcc9fb1e95

SHA1
b52fe048da96c56e6c27d33e9124eb3c95f0ca8e

SHA256
a87ced25020a5950a403978ed96d456b81c11993443c73ba3acb954c6e466ed3

SHA512
24594e026d6f95e6d2ca86d3283306b53f2199aa8d46cd16ec2a4627af28afa4acb931f51c2f4258d0975c684a90f32dc900905f3d9e9e7fdee6eb3eab5bd240

Download Submit
C:\Windows\system\QfFUPjL.exe

Filesize
5.9MB

MD5
d0c04bc8c5e3776f1f294fd7ccc86e78

SHA1
dfe5d8e26f141a250f9e3d908102084d704ba903

SHA256
0f4e6bde676cf6a2d0912f91058b4b1dd3a11db8d055724fa953895138477cf0

SHA512
3dfa30adf26da9e025ef7abbc37bcc0a8e4ae873e037566012457f1fd550e20cb0fae96c8d9a1581d5d6b2fd03c3ac783e619b096175a4b9ada09e922127334e

Download Submit
C:\Windows\system\RFIPrga.exe

Filesize
5.9MB

MD5
d206e687cf2a3e59551eddad7101331d

SHA1
e340559670a097c1013603974f3164c9d0fcdc6c

SHA256
0c4bcf73c543507491d1f18998c04a449d37baef18d060d88d191618a9d0c6e1

SHA512
c4e284844e5022d422e02105678197c74438d8d2185fdf1d483e9977d813da068c6acdd93100a344eed838807b9227146e11bbf0c30e1fbea3dd20d9c2eb9456

Download Submit
C:\Windows\system\SgErRwc.exe

Filesize
5.9MB

MD5
fae83343a29a4b1aabcd1290d7f710f1

SHA1
5ad079b8bf70de0df10401234617931c97e4799e

SHA256
7795948d325fb2e137779c84b49201fbd06ccfa8c77de59f4ffc612cfd07c9e6

SHA512
b71e069b2082dcdae7da04aa3a621c212c03d829a859ca3654ed50e5f383f682bc7e1890989261e5441055506ed184c2bd14a3a8204a44f5153e885d0171c3e5

Download Submit
C:\Windows\system\ZRGUSKX.exe

Filesize
5.9MB

MD5
750ed18f0b372ac2d4e000a3e514aba1

SHA1
f051fb9ab1271b405dba1326a09d5c5377091d13

SHA256
baafbde4451d7b97e6c942f2c671a0891204deaa926217f14b2cc320c3ea4f2c

SHA512
095fb549c554f7a6fd7c54c266ae9625009d8537e2619c4dc93349321703df3004915fbe20051407ece44c682b4b4e5ae9f0ef77b2ad6ee391b23aac397d5a1f

Download Submit
C:\Windows\system\eQXbKpt.exe

Filesize
5.9MB

MD5
9be80039eb5e5426fc6eff846e32e97a

SHA1
465ffa27279031b70deab31a745ca57605af7d04

SHA256
11f70425f7c70f0fa4247a5ce5819f84c941ca66bce84fd7f57c3b40c442c101

SHA512
89d692a1ad0fd9a74693a308c78c4737bcfc5c5281d175fe351a16c9a58bf1bfc403a011dd2a2fd4cf8ba176ef3a975154edb7d8ca963426b8a7585dcc73118b

Download Submit
C:\Windows\system\hbmitfT.exe

Filesize
5.9MB

MD5
c6106934c4c82cafee66a6ffbcee1283

SHA1
43250a596b56c222a0854a7a3e0587a1b9d3b2c6

SHA256
564d60d5ce8632a99bc42e0247986731b874bf86973806d2b7de03047883caa6

SHA512
c6fdcc6ddda64f11ea8a5db9bad3b72267a6c0a0e3789066681b7ab3a3206b895789a1bd060130b9230529a21c0879ede0932d0bef0cc3571220a399b211bfd0

Download Submit
C:\Windows\system\neNgwua.exe

Filesize
5.9MB

MD5
668929de178a6c4cd2d3af617309d75a

SHA1
84b65d222c949b83f6405f8b3228ee336abbf0b5

SHA256
049c5e10e5a8037eba26a13e9581778e2c840ee431d97d1252ba126c10d8216d

SHA512
cb8a61b0b8bdeb2df11c5e2e09375da7a5e6666fb2092064671812c05a45e09fcf3788577dfa5ed7cc6d4d7ad45b7b5436bc9240ed2957748f8b13edde371a62

Download Submit
C:\Windows\system\suBxfNV.exe

Filesize
5.9MB

MD5
f6502d1253d05979c1e20ce8eac2f368

SHA1
a4e505ccec2db59810c098f3c0fdb297aa5dc7a2

SHA256
ce9a1738855a2a08ce1a8ae0b7c8c7c321e58d003e88b4f7e433719bb636df40

SHA512
e7066e80b465486e4743ba0a7e4d3579e138470b08833eea1284b0994494b206629bf70b112a831f827bc5dc36473053514221958d8f52296443d75aa3765532

Download Submit
C:\Windows\system\tfejFnn.exe

Filesize
5.9MB

MD5
dcf561d3edc04c4238ec6170136076a2

SHA1
9c5120abadac197d3a7d7a5e5f41d46901c17a93

SHA256
5669e99ca313663335c28b16f353f69081e8b23b799361c1f1377c6b5fbd5735

SHA512
0b7ad07b7b3b98be9b5272deeb39e3a1a5139cbfec210769eb2f063cdcc26d98728ae5391db35747391bdbbd52df48f4d5eace0333cee2d9c6274216a36e909d

Download Submit
C:\Windows\system\tkIbfXP.exe

Filesize
5.9MB

MD5
f6ba879ea8fe6c8a1d93e736e36bdda4

SHA1
a38beac2f6f4e67bfd660e618f6fbab558ac12f2

SHA256
d4b4b370597cf72b5acea4f9ad67e46b73fbd1cef6494f686bd854ff67e3b205

SHA512
42e549cd07f1c083d0eeafd1ad1b4b0643672a39a700abd7fc32779c29afe14db0a61b926fa3e208c6ece08932e7afa9115cd21d1492fae3c0a3718b99bf37b4

Download Submit
C:\Windows\system\wgzftMf.exe

Filesize
5.9MB

MD5
bd38ca6e749675770f88b3f908ae294f

SHA1
1eb8d3edcd64dd75f9e8b9e28fed7f27347fb813

SHA256
08d65e668ead5af437c63c3787ed7f336e4ea4a4ae1402c8c04cbb7acb195371

SHA512
86db48cf2c604c3a8a23e99503dfc6c5e86f65deab5e333c4114f9745e8e7b7e9965977fa0801e0b5e16bc49db6dc1eec11b37237547af05b4da3e5ab381ce3a

Download Submit
\Windows\system\GlhqbrL.exe

Filesize
5.9MB

MD5
352b9cd355aeef96e98417d034cd18c4

SHA1
6d19383ba0bb3ed1049ccd8c7bdc68274f2031b5

SHA256
81013bf0722b83876c81d1b92706126df8b35f9a8bc04620f57728c13d2a1796

SHA512
f071d5ffb59b1bf87985137ed82e0c39c576ecdba520f71aec8f4a103eb35f17006f8362e4c5998031e513881097e67ea81c1a18828077e701fc42ebf5092d77

Download Submit
\Windows\system\LqkBUGR.exe

Filesize
5.9MB

MD5
3d4d4044852cbc3713ad20fd61360b4c

SHA1
7e704f75f2e85b05801961c0c1246f4a62e40c68

SHA256
269a7d29a153606da5b7532dfe3d58a18af74976a7ec1a0d9c0d155e829cbc86

SHA512
c9fb2ead67cb753a34be182acd55cfa34a44a264fe10242670f109f1d34dd588aac966569ba62784b31655706fb4d4288b93e9ba317856405b75801a7e587d59

Download Submit
\Windows\system\NjiBGej.exe

Filesize
5.9MB

MD5
cfbb70662fa84c01d617b4f631166cea

SHA1
a8349c0e727c2d52c6fe7d4a6846829e3cfbd6c9

SHA256
c3f53a678bd66457405e09c74630fe36ec5289c234d3f5c5b82f895fa6f5d2e6

SHA512
3fd4e81b9ebd5eeebcc28a34ae93127e8799270737948595e5f58e644f5ab0809caac1f85680a0d5a3ffefc2941a66bd04236f4a351aaef6cb2226317ca352cd

Download Submit
\Windows\system\cvvwfyu.exe

Filesize
5.9MB

MD5
64fb4f5c1499410640a8c7db3382d449

SHA1
b389d5113b42050daf0e96aa294f36ba14c66593

SHA256
4ee484f99f0f3c43f9feae02d8734aeaf557b7e3b11d681ff1cc132e0cf802df

SHA512
09e04998dac2b4ec831fcf83f8b9d166dec22c2d28f18346a59c1b70bb06591244958815e93642767bdd119755a9ef48c79378e735978c8f5d35f6efb884bd6a

Download Submit
memory/1088-20-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-151-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-80-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/1572-147-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1572-162-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1572-100-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1932-79-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1932-143-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1932-159-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-47-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2000-154-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2584-74-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-158-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-141-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-153-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-107-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2700-55-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2700-155-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2716-152-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-29-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-81-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-33-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2748-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2748-91-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2784-156-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2784-60-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2784-139-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2892-161-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2892-93-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2892-146-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2932-15-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2932-150-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/3016-78-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-37-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-0-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/3016-140-0x00000000022F0000-0x0000000002644000-memory.dmp

Filesize
3.3MB

Download
memory/3016-142-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-46-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/3016-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/3016-145-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/3016-73-0x00000000022F0000-0x0000000002644000-memory.dmp

Filesize
3.3MB

Download
memory/3016-52-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/3016-148-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-92-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/3016-54-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/3016-31-0x00000000022F0000-0x0000000002644000-memory.dmp

Filesize
3.3MB

Download
memory/3016-77-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/3016-84-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-9-0x00000000022F0000-0x0000000002644000-memory.dmp

Filesize
3.3MB

Download
memory/3016-90-0x00000000022F0000-0x0000000002644000-memory.dmp

Filesize
3.3MB

Download
memory/3016-99-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-108-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3056-13-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/3056-149-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/3064-85-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/3064-160-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/3064-144-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download