cobaltstrike | a65d85db75c55db0e7df50a56374f921226cf9a633c9c9660d64c04eb389e894

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

e3ccc407b8d6b9ee94206b7767540ad2
SHA1

cead53f14776a44ab20ddab832d6269469d0b321
SHA256

a65d85db75c55db0e7df50a56374f921226cf9a633c9c9660d64c04eb389e894
SHA512

f760a936a8c9840fd27dfc82eab161a734fb7ff1c5d6c417bdb130e0d9d5118a137d5660a3ff474d354db1354f3e77e9ea893a54d33bc17deb5bba9d50920208
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU1:Q+856utgpPF8u/71

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012280-3.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000013108-6.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000133d7-21.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000013324-20.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013432-33.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001343b-37.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000135b4-58.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001473f-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014a10-137.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001489f-134.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014749-129.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001472b-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014723-114.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001471a-108.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014691-100.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000145be-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014531-84.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000144c0-76.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014464-69.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013449-48.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000013153-54.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0036000000013108-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00090000000133d7-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000013324-20.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013432-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000800000001343b-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000135b4-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001473f-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014a10-137.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001489f-134.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014749-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001472b-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014723-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001471a-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014691-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000145be-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014531-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000144c0-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014464-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013449-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0036000000013153-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 61 IoCs

resource	yara_rule
behavioral1/memory/1612-0-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/files/0x000a000000012280-3.dat	UPX
behavioral1/files/0x0036000000013108-6.dat	UPX
behavioral1/memory/2760-11-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/files/0x00090000000133d7-21.dat	UPX
behavioral1/memory/2636-29-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
behavioral1/files/0x0009000000013324-20.dat	UPX
behavioral1/memory/3068-18-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2592-24-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
behavioral1/files/0x0008000000013432-33.dat	UPX
behavioral1/files/0x000800000001343b-37.dat	UPX
behavioral1/memory/2788-41-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/2492-50-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2468-57-0x000000013F5F0000-0x000000013F944000-memory.dmp	UPX
behavioral1/files/0x00080000000135b4-58.dat	UPX
behavioral1/memory/2068-72-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
behavioral1/memory/1220-79-0x000000013F090000-0x000000013F3E4000-memory.dmp	UPX
behavioral1/files/0x000600000001473f-124.dat	UPX
behavioral1/files/0x0006000000014a10-137.dat	UPX
behavioral1/files/0x000600000001489f-134.dat	UPX
behavioral1/files/0x0006000000014749-129.dat	UPX
behavioral1/files/0x000600000001472b-119.dat	UPX
behavioral1/files/0x0006000000014723-114.dat	UPX
behavioral1/files/0x000600000001471a-108.dat	UPX
behavioral1/memory/2104-105-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2788-103-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/files/0x0006000000014691-100.dat	UPX
behavioral1/memory/2684-96-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2728-94-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/files/0x00060000000145be-92.dat	UPX
behavioral1/memory/1116-87-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2636-85-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
behavioral1/files/0x0006000000014531-84.dat	UPX
behavioral1/memory/2592-77-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
behavioral1/files/0x00060000000144c0-76.dat	UPX
behavioral1/memory/2904-66-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/files/0x0008000000014464-69.dat	UPX
behavioral1/memory/3068-65-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2760-62-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/memory/1612-61-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/files/0x0008000000013449-48.dat	UPX
behavioral1/files/0x0036000000013153-54.dat	UPX
behavioral1/memory/2728-35-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2068-142-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
behavioral1/memory/1220-144-0x000000013F090000-0x000000013F3E4000-memory.dmp	UPX
behavioral1/memory/1116-146-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2684-148-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2760-150-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/memory/3068-151-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2636-152-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
behavioral1/memory/2592-153-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
behavioral1/memory/2728-154-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2788-155-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/2492-156-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2468-157-0x000000013F5F0000-0x000000013F944000-memory.dmp	UPX
behavioral1/memory/2904-158-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2068-159-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
behavioral1/memory/1220-160-0x000000013F090000-0x000000013F3E4000-memory.dmp	UPX
behavioral1/memory/1116-161-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2684-162-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2104-163-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX

XMRig Miner payload 63 IoCs

miner

resource	yara_rule
behavioral1/memory/1612-0-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/files/0x000a000000012280-3.dat	xmrig
behavioral1/files/0x0036000000013108-6.dat	xmrig
behavioral1/memory/2760-11-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/files/0x00090000000133d7-21.dat	xmrig
behavioral1/memory/2636-29-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/files/0x0009000000013324-20.dat	xmrig
behavioral1/memory/3068-18-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2592-24-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/files/0x0008000000013432-33.dat	xmrig
behavioral1/files/0x000800000001343b-37.dat	xmrig
behavioral1/memory/2788-41-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2492-50-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2468-57-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/files/0x00080000000135b4-58.dat	xmrig
behavioral1/memory/2068-72-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/1220-79-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/files/0x000600000001473f-124.dat	xmrig
behavioral1/files/0x0006000000014a10-137.dat	xmrig
behavioral1/files/0x000600000001489f-134.dat	xmrig
behavioral1/files/0x0006000000014749-129.dat	xmrig
behavioral1/files/0x000600000001472b-119.dat	xmrig
behavioral1/files/0x0006000000014723-114.dat	xmrig
behavioral1/files/0x000600000001471a-108.dat	xmrig
behavioral1/memory/2104-105-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2788-103-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/files/0x0006000000014691-100.dat	xmrig
behavioral1/memory/2684-96-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2728-94-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/files/0x00060000000145be-92.dat	xmrig
behavioral1/memory/1116-87-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/1612-86-0x0000000002270000-0x00000000025C4000-memory.dmp	xmrig
behavioral1/memory/2636-85-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/files/0x0006000000014531-84.dat	xmrig
behavioral1/memory/2592-77-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/files/0x00060000000144c0-76.dat	xmrig
behavioral1/memory/2904-66-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/files/0x0008000000014464-69.dat	xmrig
behavioral1/memory/3068-65-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2760-62-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/1612-61-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/files/0x0008000000013449-48.dat	xmrig
behavioral1/files/0x0036000000013153-54.dat	xmrig
behavioral1/memory/2728-35-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2068-142-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/1612-143-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/1220-144-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/1116-146-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2684-148-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2760-150-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/3068-151-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2636-152-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2592-153-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2728-154-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2788-155-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2492-156-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2468-157-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/memory/2904-158-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2068-159-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/1220-160-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/1116-161-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2684-162-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2104-163-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2760	OyzxRNc.exe
3068	nGuQrKm.exe
2592	QEBMydk.exe
2636	BXaDfJt.exe
2728	djmtiPx.exe
2788	DooAUau.exe
2492	FEZVoRu.exe
2468	nExCktC.exe
2904	iOoDOZA.exe
2068	mmvfYbW.exe
1220	MFhRBxy.exe
1116	fKVAzUj.exe
2684	tEPpIkk.exe
2104	LTWMJZY.exe
380	mAODcQv.exe
796	uwgqsgr.exe
620	BHkKNca.exe
1744	KQkjfwI.exe
2324	QupBMCl.exe
2088	yokyPdY.exe
2024	iIHdwIq.exe

Loads dropped DLL 21 IoCs

pid	Process
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1612-0-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/files/0x000a000000012280-3.dat	upx
behavioral1/files/0x0036000000013108-6.dat	upx
behavioral1/memory/2760-11-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/files/0x00090000000133d7-21.dat	upx
behavioral1/memory/2636-29-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/files/0x0009000000013324-20.dat	upx
behavioral1/memory/3068-18-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2592-24-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/files/0x0008000000013432-33.dat	upx
behavioral1/files/0x000800000001343b-37.dat	upx
behavioral1/memory/2788-41-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2492-50-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2468-57-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/files/0x00080000000135b4-58.dat	upx
behavioral1/memory/2068-72-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/1220-79-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/files/0x000600000001473f-124.dat	upx
behavioral1/files/0x0006000000014a10-137.dat	upx
behavioral1/files/0x000600000001489f-134.dat	upx
behavioral1/files/0x0006000000014749-129.dat	upx
behavioral1/files/0x000600000001472b-119.dat	upx
behavioral1/files/0x0006000000014723-114.dat	upx
behavioral1/files/0x000600000001471a-108.dat	upx
behavioral1/memory/2104-105-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2788-103-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/files/0x0006000000014691-100.dat	upx
behavioral1/memory/2684-96-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2728-94-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/files/0x00060000000145be-92.dat	upx
behavioral1/memory/1116-87-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2636-85-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/files/0x0006000000014531-84.dat	upx
behavioral1/memory/2592-77-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/files/0x00060000000144c0-76.dat	upx
behavioral1/memory/2904-66-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/files/0x0008000000014464-69.dat	upx
behavioral1/memory/3068-65-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2760-62-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/1612-61-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/files/0x0008000000013449-48.dat	upx
behavioral1/files/0x0036000000013153-54.dat	upx
behavioral1/memory/2728-35-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2068-142-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/1220-144-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/1116-146-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2684-148-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2760-150-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/3068-151-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2636-152-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2592-153-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2728-154-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2788-155-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2492-156-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2468-157-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/memory/2904-158-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2068-159-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/1220-160-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/1116-161-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2684-162-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2104-163-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DooAUau.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BHkKNca.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QupBMCl.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yokyPdY.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nExCktC.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fKVAzUj.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tEPpIkk.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mAODcQv.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uwgqsgr.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iIHdwIq.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QEBMydk.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iOoDOZA.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mmvfYbW.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MFhRBxy.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LTWMJZY.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KQkjfwI.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OyzxRNc.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nGuQrKm.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BXaDfJt.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\djmtiPx.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FEZVoRu.exe	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2760	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	29
PID 1612 wrote to memory of 2760	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	29
PID 1612 wrote to memory of 2760	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	29
PID 1612 wrote to memory of 3068	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	30
PID 1612 wrote to memory of 3068	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	30
PID 1612 wrote to memory of 3068	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	30
PID 1612 wrote to memory of 2592	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	31
PID 1612 wrote to memory of 2592	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	31
PID 1612 wrote to memory of 2592	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	31
PID 1612 wrote to memory of 2636	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	32
PID 1612 wrote to memory of 2636	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	32
PID 1612 wrote to memory of 2636	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	32
PID 1612 wrote to memory of 2728	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	33
PID 1612 wrote to memory of 2728	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	33
PID 1612 wrote to memory of 2728	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	33
PID 1612 wrote to memory of 2788	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	34
PID 1612 wrote to memory of 2788	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	34
PID 1612 wrote to memory of 2788	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	34
PID 1612 wrote to memory of 2492	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	35
PID 1612 wrote to memory of 2492	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	35
PID 1612 wrote to memory of 2492	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	35
PID 1612 wrote to memory of 2468	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	36
PID 1612 wrote to memory of 2468	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	36
PID 1612 wrote to memory of 2468	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	36
PID 1612 wrote to memory of 2904	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	37
PID 1612 wrote to memory of 2904	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	37
PID 1612 wrote to memory of 2904	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	37
PID 1612 wrote to memory of 2068	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	38
PID 1612 wrote to memory of 2068	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	38
PID 1612 wrote to memory of 2068	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	38
PID 1612 wrote to memory of 1220	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	39
PID 1612 wrote to memory of 1220	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	39
PID 1612 wrote to memory of 1220	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	39
PID 1612 wrote to memory of 1116	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	40
PID 1612 wrote to memory of 1116	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	40
PID 1612 wrote to memory of 1116	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	40
PID 1612 wrote to memory of 2684	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	41
PID 1612 wrote to memory of 2684	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	41
PID 1612 wrote to memory of 2684	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	41
PID 1612 wrote to memory of 2104	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	42
PID 1612 wrote to memory of 2104	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	42
PID 1612 wrote to memory of 2104	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	42
PID 1612 wrote to memory of 380	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	43
PID 1612 wrote to memory of 380	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	43
PID 1612 wrote to memory of 380	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	43
PID 1612 wrote to memory of 796	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	44
PID 1612 wrote to memory of 796	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	44
PID 1612 wrote to memory of 796	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	44
PID 1612 wrote to memory of 620	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	45
PID 1612 wrote to memory of 620	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	45
PID 1612 wrote to memory of 620	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	45
PID 1612 wrote to memory of 1744	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	46
PID 1612 wrote to memory of 1744	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	46
PID 1612 wrote to memory of 1744	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	46
PID 1612 wrote to memory of 2324	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	47
PID 1612 wrote to memory of 2324	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	47
PID 1612 wrote to memory of 2324	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	47
PID 1612 wrote to memory of 2088	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	48
PID 1612 wrote to memory of 2088	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	48
PID 1612 wrote to memory of 2088	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	48
PID 1612 wrote to memory of 2024	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	49
PID 1612 wrote to memory of 2024	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	49
PID 1612 wrote to memory of 2024	1612	2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_e3ccc407b8d6b9ee94206b7767540ad2_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\System\OyzxRNc.exe
  C:\Windows\System\OyzxRNc.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\nGuQrKm.exe
  C:\Windows\System\nGuQrKm.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\QEBMydk.exe
  C:\Windows\System\QEBMydk.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\BXaDfJt.exe
  C:\Windows\System\BXaDfJt.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\djmtiPx.exe
  C:\Windows\System\djmtiPx.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\DooAUau.exe
  C:\Windows\System\DooAUau.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\FEZVoRu.exe
  C:\Windows\System\FEZVoRu.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\nExCktC.exe
  C:\Windows\System\nExCktC.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\iOoDOZA.exe
  C:\Windows\System\iOoDOZA.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\mmvfYbW.exe
  C:\Windows\System\mmvfYbW.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\MFhRBxy.exe
  C:\Windows\System\MFhRBxy.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\fKVAzUj.exe
  C:\Windows\System\fKVAzUj.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\tEPpIkk.exe
  C:\Windows\System\tEPpIkk.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\LTWMJZY.exe
  C:\Windows\System\LTWMJZY.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\mAODcQv.exe
  C:\Windows\System\mAODcQv.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\uwgqsgr.exe
  C:\Windows\System\uwgqsgr.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\BHkKNca.exe
  C:\Windows\System\BHkKNca.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System\KQkjfwI.exe
  C:\Windows\System\KQkjfwI.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\QupBMCl.exe
  C:\Windows\System\QupBMCl.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\yokyPdY.exe
  C:\Windows\System\yokyPdY.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\iIHdwIq.exe
  C:\Windows\System\iIHdwIq.exe
  2⤵
  - Executes dropped EXE
  PID:2024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BHkKNca.exe

Filesize
5.9MB

MD5
3ad7bec44a175ea5f1155ea53bb8ce39

SHA1
2dafc919866004e59709c55da8dd5dc838b37f97

SHA256
330df279819108f01bccc34fa5c50719f46b9f21b95b49c04e1423b933f8bd93

SHA512
704b11bb12107eb16ff9e6b52abb4656c9cad03c45ee15fbd19cb73d99afd7be9fcc2076fb049f0eee79d28391dc6277a1986bc61585461cac536411c886434f

Download Submit
C:\Windows\system\FEZVoRu.exe

Filesize
5.9MB

MD5
4f4a6d001eedee97ad496ea3b9d493be

SHA1
ebba520fea93394821154944017cc179d3abceab

SHA256
4456d98cd22af73867d48f6e18de6fb09ab613784830cceadc204cfcf344a76c

SHA512
d4a4d103e39c6c05f36e4138bff9de530c89077094ada01ad2ed891c7aee82c3da69b327212e5bbb3380bb069088a283201933b61cf6eab9d66d07f45131e3a7

Download Submit
C:\Windows\system\KQkjfwI.exe

Filesize
5.9MB

MD5
f49766d4d65dd49a7f05b94d577f569e

SHA1
5c0c2b1e006118dc9e4a791425544166ee67b087

SHA256
2ce8e5936b58f7243f05eed669029f0c3cc75c5fc040bc547fc811768eaaf2fa

SHA512
def18ab2f38d1eef79c4047feb2839ec7b7f808e6003aad2f8b4b81ba07ef641a0ee25770506001b8adec995c8a6851775bccf1adf95d82d0b83ec364914ddc9

Download Submit
C:\Windows\system\LTWMJZY.exe

Filesize
5.9MB

MD5
917c96589a95f1057766b2c235d3b768

SHA1
822abb6cd9e5149b822d165c8c9f2e51c4d9b64d

SHA256
1408b0ff439912cff3592be745aecde63749f84829167ad763fd6814f3c83aff

SHA512
7d36dcccf2443784b254526c7a7afef24ab775d606e62e6ae265be7ff39f027a8d25453b52aea8f4df9ee5032a6f83feffbc49b15deb0e913432c2f68a0bf69a

Download Submit
C:\Windows\system\MFhRBxy.exe

Filesize
5.9MB

MD5
a9c57e78d5afd606bb9aa6df36e905b6

SHA1
d2f16409e7c43808be2161c9a34e2d4910af84f3

SHA256
05ac19d50b84d78c6e5ec650cd53d6cad9ff1401fe4faf5182ecbbaccf4becf0

SHA512
d7de81b204a0cd65ae8ff5636efb0931cf9185c1d77970d8eb6472714c0f01d4b7aaa73e5159136d4b6efd8f414ca68d64f2308db717dd84d7756bc3607bca9d

Download Submit
C:\Windows\system\QEBMydk.exe

Filesize
5.9MB

MD5
50a62d0545da0e48c81e27510fa86f5d

SHA1
4de1ae5f04994c441ee7ce747db62c1edfd472ec

SHA256
3e98cc2977fda22ad9a4f62161988f758c484e5cccda6e2655e86660f195e3de

SHA512
87198b6eb8260499eaff9cc0151e274aa7ac530032a714fc1ee33ccaff1dc5b4c441d09349c9db8578a0c979566952e5ad2326613832319ba0bbb63eddadd121

Download Submit
C:\Windows\system\QupBMCl.exe

Filesize
5.9MB

MD5
5f16ec46383a7c9eea7d7a32a20e1ac6

SHA1
77d34c88fdb48ce72eeda88ab78a9b5bedf9aa9f

SHA256
324692e48ca6d5785b8a3074eb72cca9a1fc77f7989e48c24081c6c4383ef43c

SHA512
57e9f36281b74bc6ca642edfe341d55a6256a84318ec083c4e2d83d25b3a234c41ea47a5af2cfc6285825d982031a7eb73add99fbeaa62c153749e901b15069c

Download Submit
C:\Windows\system\djmtiPx.exe

Filesize
5.9MB

MD5
4e0f1453d40e441f03182b386728c6e2

SHA1
ffb6ecf5dee3412040e3a0e9262ce353f8a11431

SHA256
0b3350c9ec4ef85bfbc4b5f6c1b045057c16f1b745ab637af58804d5e0240d81

SHA512
acc88f297bc3000e05e8cf5b9bbd663b488962d4e5b2d812cc6436b18f98901a44dfcbb9b01fd0995d2aea92753c3a2848aa135bca4dd7fa56f27cb5acdf8c68

Download Submit
C:\Windows\system\fKVAzUj.exe

Filesize
5.9MB

MD5
35f74ea335efc9049a9ecebf14033ac6

SHA1
1dd539f837c200f513bee8fb75cb42868ddb29df

SHA256
18bba7db8840f13283bf92490f1f69b30417cf8b377aef743ac9854ffd883986

SHA512
f775599bcf6ceff3870ccd031cb9dbd0520230a5ba847ed20dec90d253741eb8e1509e70d777ab27af442df79a76150282006bfccca89ff9ee465a03a4f3ed58

Download Submit
C:\Windows\system\mAODcQv.exe

Filesize
5.9MB

MD5
231f4f49915a9f8c1a04984a12cda997

SHA1
c37919e3f862bfa58b54b2d1154162b488a3e02b

SHA256
9c1117c616e56443b40e1f20d09e8099f24c74824d89697cac6f6911a5468929

SHA512
fc8e5287de7697fab3f7e57c12249ed2161a7d066dcbca5b66e19b3245c55cbfd23c76105e344530d8b84a5b72004495b9313fbea2a0ceb3ec450caad6f0891b

Download Submit
C:\Windows\system\mmvfYbW.exe

Filesize
5.9MB

MD5
640146c84ad9fa14be5caf09d469e991

SHA1
4e1c2eb94abe4b3500cfa0bd277b29c9427cdad8

SHA256
bb8765bcd255c16ca1373d5e4d3c3c6155a63c4e67b1adeeb4274baea36c5f77

SHA512
d30b7e5667c1993229279d3023eba0db9a754eb0543d834063c248b6969c0080c5e5599e476d52ccdbeeb44dceaad22be44fb1eaab1b9af22f7e0dc707657d3d

Download Submit
C:\Windows\system\nExCktC.exe

Filesize
5.9MB

MD5
5d36efe124535a7c0124e5e47fd739db

SHA1
954376e5ac382f7b73423408f4362d07ab6bf343

SHA256
2d70da1b07cbacdf67d09875b18c6d71c22bc3ec0fcd5cc466cc43a441b28d9c

SHA512
42ff560ee4a80eccb52f7e92ebef1768c62d32133cba0bd152f9b8764c0be8e17dc713641d22ab317623ba8750ea3d025f08009a298a9276f5d4b0665a68effb

Download Submit
C:\Windows\system\nGuQrKm.exe

Filesize
5.9MB

MD5
57de3780ba44670a067d03450b443f8b

SHA1
7ce0e01617ee6e0fe76dc6daa1002d19f81eec02

SHA256
5a487018299a9a7de9e2e67b256afb21dfc7804139d1b37cf6e38ca152b95113

SHA512
d9cd84a8cfdc54fd50d4f2af163157023ad1bb39d2a525248f1cf356b5de01df940d2a2cce1c1382d86ea1ecda2702c6828f39765b57b4a21cc22fa65555ef3f

Download Submit
C:\Windows\system\tEPpIkk.exe

Filesize
5.9MB

MD5
451a622ec4a3616dc1e7cd375815d8ff

SHA1
95fb38a52c985145043b3ba9919efe1899ee99df

SHA256
71ab259c760c5381b1aa416e3321292c8670d218bffe737837a1bebaec473d91

SHA512
851be1a71d4ff0b483d7064ea18c8f9225c1921700a4e799ee4e61939c65f5df897f76b3eaa363216bc46319b73968039b0c026c7a0bc0d05bc65ba2b6a00971

Download Submit
C:\Windows\system\uwgqsgr.exe

Filesize
5.9MB

MD5
159571de7614e80ef5608ceb754c1a88

SHA1
e71fb0f803f9318aa1abe3ac435ac3660c271be8

SHA256
e7c98cc957ac9d243e0acc6477f62e7dc01f043a41fa26a56e6b7a2a4428f2a8

SHA512
13c84343b9b4bc954c05c301ab00a7c7d58571ed85fabf4addc54a4627432fd57d4b86e3016abe60c9a598b49d419606162a2d0a26d90c8d9a90561e7dbc37cc

Download Submit
C:\Windows\system\yokyPdY.exe

Filesize
5.9MB

MD5
e0f1beff3d5eac29b1242eaf0a65d223

SHA1
1a1ade074bcb107b479a4ba606349546df6b74bd

SHA256
95c5db4ee210c914867f4ba49c64d547f62c9b6971e37480536874fbf433f992

SHA512
c789a6e8fc2ad0a56bc74ba795c7afba9461d75492bd1ab1cdd5d1c2a5daf19d148593af1d314709eb653f1a4b4d73baafd20f45662a60af93039e3cca89fd88

Download Submit
\Windows\system\BXaDfJt.exe

Filesize
5.9MB

MD5
c7a308575657d129f8a7af3ac6f4a721

SHA1
af760863fa6be89069a7bc1bec45d38db75448e8

SHA256
4956f46275f8195ef5ecfb1900616b083db1dcf452c9815da67ee246c03256e7

SHA512
5755b6374754bae638da39e1c9407b8fe6877cdd8498829fe9c131724ec7fa8d275e112f8393f92e94853cddb3353a2cbac2a5f725f57a0066c3b3672b70508d

Download Submit
\Windows\system\DooAUau.exe

Filesize
5.9MB

MD5
83496ac8212f0e33ed5e241fc248be22

SHA1
1c2a706edf1cd499a01c171f1ef4b805a8d94884

SHA256
135d48eb991054916f17edae2f8e287895cefe09036bdd18fa6b59fce6b4bfe3

SHA512
bc43e1f2195fae0a9ec1b97bb1348e3615c5eb945bef472a25fd9d4d3b5f0c550a67558b49aa12a561735a8810c9579af5000c1760baeec08f59f0881ed16b60

Download Submit
\Windows\system\OyzxRNc.exe

Filesize
5.9MB

MD5
8987adfa0703adcc87b69da2e5d3468d

SHA1
ccbf95af5fe86356b9cd1d0f08debfd7fe8a9f70

SHA256
38502a786aa23b21964ca209d1ce5e715164fec4f4c5f3d365aca1d780d2f6cb

SHA512
82b51d6c9d333effcab597ce6382c1fc58215e46d22da183f57252142b9b3dc51e6482b4a493b91398c1a33ba23335f87fbe3cec9c6edae9d8155a4392994680

Download Submit
\Windows\system\iIHdwIq.exe

Filesize
5.9MB

MD5
279c436e108ac2baf8037fd18adaaf18

SHA1
db0ef425a3c735dc34c564c82f8a5a6ac534c538

SHA256
0860f631d9e68a326997c732900061de42a8630e54e8d831bb61be404970b922

SHA512
6085f71744482057517968b8fc2f1982c80ba477f6cff39f403c3df3d112c35435a6d7ba742c1dddcbc248d94dd6abed79e7b3745aa0689dc8bfebb6b6ad50df

Download Submit
\Windows\system\iOoDOZA.exe

Filesize
5.9MB

MD5
1a3a885f7174114757ad408b64f72734

SHA1
ebcfac8c03e5cfd7483cdbe31fe13e47d696ccd6

SHA256
743d144fb8a622e1a2ca456d0a2b7d39f535c32133a483c03d8d95f571a21dc4

SHA512
5620124f3438de3ccaac7f9adb55a25da8b7823c75056e59b7c623b3496d783600c698db9f299ecdeadeddb010c13d312969f24c5dbca26fd3f98c226abf5f72

Download Submit
memory/1116-87-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/1116-161-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/1116-146-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/1220-160-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1220-79-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1220-144-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-86-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-19-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-110-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-71-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/1612-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1612-104-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/1612-149-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/1612-147-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-145-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-95-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-26-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-143-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-141-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/1612-0-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-34-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-40-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/1612-78-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-47-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/1612-56-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-61-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-16-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2068-159-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2068-72-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2068-142-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2104-163-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2104-105-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2468-57-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2468-157-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2492-156-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2492-50-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2592-24-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-77-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-153-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-85-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2636-29-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2636-152-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2684-148-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2684-96-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2684-162-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-35-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-94-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-154-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-150-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2760-62-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2760-11-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2788-103-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2788-155-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2788-41-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2904-158-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-66-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-65-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-18-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-151-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download