cobaltstrike | b1253867c8c0a4c8c6ff50cf756298d6e0ffce9ef427648b429446252e167cd4

Analysis

max time kernel
137s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

6bc4bb3ff20e2b7eb5e8d96f1f7d4558
SHA1

1e704db1cf05e777e075104032bef4a5e3f829ea
SHA256

b1253867c8c0a4c8c6ff50cf756298d6e0ffce9ef427648b429446252e167cd4
SHA512

99015e2b0be40965e6a5ae57440c6b5cfc8856fc18b16a3f8a534f6300e28d2a1b8113a919aac98600dad044a8f38ff20a1b15032cbd65c06ebcac17f6178c86
SSDEEP

98304:MemTLkNdfE0pZbR56utgpPFotBER/mQ32lUL:v+A56utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00090000000141a2-3.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000143ec-7.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000144ac-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014539-25.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000014667-33.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000146a2-36.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000146b8-53.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001447e-46.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000146c0-58.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000147ea-65.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000149f5-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014af6-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014abe-83.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014825-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014b70-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014de9-105.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000155ed-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015018-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014ef8-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014b31-112.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000155f3-131.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x00090000000141a2-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00090000000143ec-7.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000144ac-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014539-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000014667-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00090000000146a2-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000146b8-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000800000001447e-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000146c0-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000147ea-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000149f5-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014af6-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014abe-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014825-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014b70-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014de9-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000155ed-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015018-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014ef8-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014b31-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000155f3-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 54 IoCs

resource	yara_rule
behavioral1/memory/1540-0-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x00090000000141a2-3.dat	UPX
behavioral1/files/0x00090000000143ec-7.dat	UPX
behavioral1/memory/2176-11-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2540-15-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x00080000000144ac-18.dat	UPX
behavioral1/files/0x0007000000014539-25.dat	UPX
behavioral1/memory/3032-26-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1876-29-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x000a000000014667-33.dat	UPX
behavioral1/memory/2640-35-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x00090000000146a2-36.dat	UPX
behavioral1/memory/2676-42-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x00080000000146b8-53.dat	UPX
behavioral1/memory/2096-57-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2176-48-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1540-47-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x000800000001447e-46.dat	UPX
behavioral1/files/0x00080000000146c0-58.dat	UPX
behavioral1/files/0x00070000000147ea-65.dat	UPX
behavioral1/memory/2444-69-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x00070000000149f5-73.dat	UPX
behavioral1/files/0x0006000000014af6-89.dat	UPX
behavioral1/memory/2212-90-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2912-91-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/952-93-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x0006000000014abe-83.dat	UPX
behavioral1/files/0x0007000000014825-79.dat	UPX
behavioral1/memory/2488-72-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x0006000000014b70-104.dat	UPX
behavioral1/files/0x0006000000014de9-105.dat	UPX
behavioral1/files/0x00060000000155ed-122.dat	UPX
behavioral1/files/0x0006000000015018-121.dat	UPX
behavioral1/files/0x0006000000014ef8-113.dat	UPX
behavioral1/files/0x0006000000014b31-112.dat	UPX
behavioral1/files/0x00060000000155f3-131.dat	UPX
behavioral1/memory/2700-133-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2212-135-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2080-136-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/952-137-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2176-138-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2540-139-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3032-140-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1876-141-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2640-142-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2676-143-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2700-144-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2096-145-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2488-146-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2444-147-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2912-148-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/952-149-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2212-150-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2080-151-0x0000000140000000-0x0000000140352000-memory.dmp	UPX

XMRig Miner payload 58 IoCs

miner

resource	yara_rule
behavioral1/memory/1540-0-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x00090000000141a2-3.dat	xmrig
behavioral1/files/0x00090000000143ec-7.dat	xmrig
behavioral1/memory/2176-11-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2540-15-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x00080000000144ac-18.dat	xmrig
behavioral1/files/0x0007000000014539-25.dat	xmrig
behavioral1/memory/3032-26-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1876-29-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x000a000000014667-33.dat	xmrig
behavioral1/memory/2640-35-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x00090000000146a2-36.dat	xmrig
behavioral1/memory/2676-42-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x00080000000146b8-53.dat	xmrig
behavioral1/memory/1540-54-0x0000000002520000-0x0000000002872000-memory.dmp	xmrig
behavioral1/memory/1540-55-0x0000000002520000-0x0000000002872000-memory.dmp	xmrig
behavioral1/memory/2096-57-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2176-48-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1540-47-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x000800000001447e-46.dat	xmrig
behavioral1/files/0x00080000000146c0-58.dat	xmrig
behavioral1/files/0x00070000000147ea-65.dat	xmrig
behavioral1/memory/2444-69-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x00070000000149f5-73.dat	xmrig
behavioral1/memory/1540-76-0x0000000002520000-0x0000000002872000-memory.dmp	xmrig
behavioral1/files/0x0006000000014af6-89.dat	xmrig
behavioral1/memory/2212-90-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2912-91-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/952-93-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x0006000000014abe-83.dat	xmrig
behavioral1/files/0x0007000000014825-79.dat	xmrig
behavioral1/memory/2488-72-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x0006000000014b70-104.dat	xmrig
behavioral1/files/0x0006000000014de9-105.dat	xmrig
behavioral1/files/0x00060000000155ed-122.dat	xmrig
behavioral1/files/0x0006000000015018-121.dat	xmrig
behavioral1/files/0x0006000000014ef8-113.dat	xmrig
behavioral1/files/0x0006000000014b31-112.dat	xmrig
behavioral1/memory/1540-103-0x0000000002520000-0x0000000002872000-memory.dmp	xmrig
behavioral1/files/0x00060000000155f3-131.dat	xmrig
behavioral1/memory/2700-133-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2212-135-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2080-136-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/952-137-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2176-138-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2540-139-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3032-140-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1876-141-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2640-142-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2676-143-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2700-144-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2096-145-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2488-146-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2444-147-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2912-148-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/952-149-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2212-150-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2080-151-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2176	ueaIhom.exe
2540	YvhDrpg.exe
3032	FELqohj.exe
1876	LiRDPad.exe
2640	aMDsqfx.exe
2676	JzbQRCJ.exe
2700	cqzIxjF.exe
2096	wImPAfQ.exe
2444	ysOnsOS.exe
2488	FdtHSpb.exe
2212	HnAXEYt.exe
2912	gakzbxL.exe
2080	PGhOJSl.exe
952	OCPmGVS.exe
2036	OqKzJSY.exe
1656	uLSiDLi.exe
1872	GcXZQSq.exe
1196	XdUbslb.exe
812	pHlDOCn.exe
2748	eQlKteY.exe
2812	oaZXNyc.exe

Loads dropped DLL 21 IoCs

pid	Process
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1540-0-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x00090000000141a2-3.dat	upx
behavioral1/files/0x00090000000143ec-7.dat	upx
behavioral1/memory/2176-11-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2540-15-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x00080000000144ac-18.dat	upx
behavioral1/files/0x0007000000014539-25.dat	upx
behavioral1/memory/3032-26-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1876-29-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x000a000000014667-33.dat	upx
behavioral1/memory/2640-35-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x00090000000146a2-36.dat	upx
behavioral1/memory/2676-42-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x00080000000146b8-53.dat	upx
behavioral1/memory/1540-54-0x0000000002520000-0x0000000002872000-memory.dmp	upx
behavioral1/memory/2096-57-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2176-48-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1540-47-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x000800000001447e-46.dat	upx
behavioral1/files/0x00080000000146c0-58.dat	upx
behavioral1/files/0x00070000000147ea-65.dat	upx
behavioral1/memory/2444-69-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x00070000000149f5-73.dat	upx
behavioral1/files/0x0006000000014af6-89.dat	upx
behavioral1/memory/2212-90-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2912-91-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/952-93-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x0006000000014abe-83.dat	upx
behavioral1/files/0x0007000000014825-79.dat	upx
behavioral1/memory/2488-72-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x0006000000014b70-104.dat	upx
behavioral1/files/0x0006000000014de9-105.dat	upx
behavioral1/files/0x00060000000155ed-122.dat	upx
behavioral1/files/0x0006000000015018-121.dat	upx
behavioral1/files/0x0006000000014ef8-113.dat	upx
behavioral1/files/0x0006000000014b31-112.dat	upx
behavioral1/files/0x00060000000155f3-131.dat	upx
behavioral1/memory/2700-133-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2212-135-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2080-136-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/952-137-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2176-138-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2540-139-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3032-140-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1876-141-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2640-142-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2676-143-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2700-144-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2096-145-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2488-146-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2444-147-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2912-148-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/952-149-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2212-150-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2080-151-0x0000000140000000-0x0000000140352000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OqKzJSY.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XdUbslb.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ueaIhom.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YvhDrpg.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FELqohj.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cqzIxjF.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wImPAfQ.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FdtHSpb.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aMDsqfx.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JzbQRCJ.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HnAXEYt.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OCPmGVS.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uLSiDLi.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oaZXNyc.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LiRDPad.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PGhOJSl.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pHlDOCn.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eQlKteY.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ysOnsOS.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gakzbxL.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GcXZQSq.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2176	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	29
PID 1540 wrote to memory of 2176	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	29
PID 1540 wrote to memory of 2176	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	29
PID 1540 wrote to memory of 2540	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	30
PID 1540 wrote to memory of 2540	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	30
PID 1540 wrote to memory of 2540	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	30
PID 1540 wrote to memory of 3032	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	31
PID 1540 wrote to memory of 3032	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	31
PID 1540 wrote to memory of 3032	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	31
PID 1540 wrote to memory of 1876	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	32
PID 1540 wrote to memory of 1876	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	32
PID 1540 wrote to memory of 1876	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	32
PID 1540 wrote to memory of 2640	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	33
PID 1540 wrote to memory of 2640	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	33
PID 1540 wrote to memory of 2640	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	33
PID 1540 wrote to memory of 2676	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	34
PID 1540 wrote to memory of 2676	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	34
PID 1540 wrote to memory of 2676	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	34
PID 1540 wrote to memory of 2700	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	35
PID 1540 wrote to memory of 2700	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	35
PID 1540 wrote to memory of 2700	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	35
PID 1540 wrote to memory of 2096	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	36
PID 1540 wrote to memory of 2096	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	36
PID 1540 wrote to memory of 2096	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	36
PID 1540 wrote to memory of 2444	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	37
PID 1540 wrote to memory of 2444	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	37
PID 1540 wrote to memory of 2444	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	37
PID 1540 wrote to memory of 2488	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	38
PID 1540 wrote to memory of 2488	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	38
PID 1540 wrote to memory of 2488	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	38
PID 1540 wrote to memory of 2212	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	39
PID 1540 wrote to memory of 2212	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	39
PID 1540 wrote to memory of 2212	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	39
PID 1540 wrote to memory of 2912	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	40
PID 1540 wrote to memory of 2912	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	40
PID 1540 wrote to memory of 2912	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	40
PID 1540 wrote to memory of 2080	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	41
PID 1540 wrote to memory of 2080	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	41
PID 1540 wrote to memory of 2080	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	41
PID 1540 wrote to memory of 952	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	42
PID 1540 wrote to memory of 952	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	42
PID 1540 wrote to memory of 952	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	42
PID 1540 wrote to memory of 1656	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	43
PID 1540 wrote to memory of 1656	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	43
PID 1540 wrote to memory of 1656	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	43
PID 1540 wrote to memory of 2036	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	44
PID 1540 wrote to memory of 2036	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	44
PID 1540 wrote to memory of 2036	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	44
PID 1540 wrote to memory of 1196	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	45
PID 1540 wrote to memory of 1196	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	45
PID 1540 wrote to memory of 1196	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	45
PID 1540 wrote to memory of 1872	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	46
PID 1540 wrote to memory of 1872	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	46
PID 1540 wrote to memory of 1872	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	46
PID 1540 wrote to memory of 812	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	47
PID 1540 wrote to memory of 812	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	47
PID 1540 wrote to memory of 812	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	47
PID 1540 wrote to memory of 2748	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	48
PID 1540 wrote to memory of 2748	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	48
PID 1540 wrote to memory of 2748	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	48
PID 1540 wrote to memory of 2812	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	49
PID 1540 wrote to memory of 2812	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	49
PID 1540 wrote to memory of 2812	1540	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\System\ueaIhom.exe
  C:\Windows\System\ueaIhom.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\YvhDrpg.exe
  C:\Windows\System\YvhDrpg.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\FELqohj.exe
  C:\Windows\System\FELqohj.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\LiRDPad.exe
  C:\Windows\System\LiRDPad.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\aMDsqfx.exe
  C:\Windows\System\aMDsqfx.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\JzbQRCJ.exe
  C:\Windows\System\JzbQRCJ.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\cqzIxjF.exe
  C:\Windows\System\cqzIxjF.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\wImPAfQ.exe
  C:\Windows\System\wImPAfQ.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\ysOnsOS.exe
  C:\Windows\System\ysOnsOS.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\FdtHSpb.exe
  C:\Windows\System\FdtHSpb.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\HnAXEYt.exe
  C:\Windows\System\HnAXEYt.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\gakzbxL.exe
  C:\Windows\System\gakzbxL.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\PGhOJSl.exe
  C:\Windows\System\PGhOJSl.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\OCPmGVS.exe
  C:\Windows\System\OCPmGVS.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\uLSiDLi.exe
  C:\Windows\System\uLSiDLi.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\OqKzJSY.exe
  C:\Windows\System\OqKzJSY.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\XdUbslb.exe
  C:\Windows\System\XdUbslb.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\GcXZQSq.exe
  C:\Windows\System\GcXZQSq.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\pHlDOCn.exe
  C:\Windows\System\pHlDOCn.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\eQlKteY.exe
  C:\Windows\System\eQlKteY.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\oaZXNyc.exe
  C:\Windows\System\oaZXNyc.exe
  2⤵
  - Executes dropped EXE
  PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FELqohj.exe

Filesize
8.3MB

MD5
e34cc4efd294d4076d621de717a36daa

SHA1
5dce4cc8cfeb50c1543dd123c6cbbf7f4d5c107e

SHA256
f23727c99512e203ee80a43e2b19e4dfa74e6ce871e60bb2c335fbd985293c95

SHA512
27376e317e19495c072d1f62ea74546745c670d81fc2c354794f06fd7ad8b5af209348d340b891dcf34f128b6f27afcf6b911a1de619736b02ff373352684ebb

Download Submit
C:\Windows\system\FdtHSpb.exe

Filesize
8.3MB

MD5
eb5c4231338d894d77a58fb0a78ee06b

SHA1
df21e262016ef7600464322893744e999f19278c

SHA256
598a8537b02e83212b4891502d08c4e153d8474c83119ffb51507296da18e92f

SHA512
73fe6a87bbc9ea61c55576b53c126d704af24ba768720be6640d7ad4bf9c7dfe0b6d16368fe4b8bc070d2270a0d6a74881eec4ab88fd1f5ce4af807a3e4464a9

Download Submit
C:\Windows\system\GcXZQSq.exe

Filesize
8.3MB

MD5
72ad293fded0110a592819f4634fd846

SHA1
c7ffaa421adfe757416d24301b9ab6e91935a4d6

SHA256
51a64c251d7619eb993613400d993d7f7869bd7c2626ec7c19747e1e47dc9d8c

SHA512
5b21619fc322086ddc8de1c3becae6287b2069118bffeead8ae54d31daa746528ae6d310d724cc624a8465bdb98d27f01fee9da98600021de492b36614b2c247

Download Submit
C:\Windows\system\HnAXEYt.exe

Filesize
8.3MB

MD5
0a01ccfd18b94808f507b1065241ed57

SHA1
7a5384d35c0116ac6fdb73658747a70fea12e74b

SHA256
8575ba1da1dda59f2ef6550bf884117ab5899d0b2e958df4ec1dd3f2af9dcb1a

SHA512
9e115c4f943b9230128f6a375a4333e246db88a516afff079230be807057203eafd5100915f188416333bfbdca2b6338291ff5404d8863487f2a39a9cd838f14

Download Submit
C:\Windows\system\LiRDPad.exe

Filesize
8.3MB

MD5
f47de5a8f9f63bca02afba81454d48be

SHA1
541992cba4544ad3732bb635c51dbeae602715cd

SHA256
69680fc6f663345eae172005a9be1b8dd5f7e358f9090370220ad8efefa9cdb0

SHA512
0daef7817236372a2fbac1886486d2982d58307823dbd5b69a1654441c545d02548c93dee238205bbfb69d5bde27bcac33c79ff3a21340664fe367519e98ac19

Download Submit
C:\Windows\system\OCPmGVS.exe

Filesize
8.3MB

MD5
67497ceb892b46404dc1ce2bbd74f981

SHA1
f3447936df675a264df472c2c927c15314f11deb

SHA256
a5edf3fc69805fea2d6ab66999ca84becfc72fa594e6340378d3ecb413f2b37e

SHA512
dac20e8f07ef6c92adfcdb72dabdf8b5c589ccd0ae1de324df7c56c423a8539b9d51bda93ac6ec63749f4a78d5f3493e88c4ec8cfa9da7c46e97a8cc71b4b196

Download Submit
C:\Windows\system\OqKzJSY.exe

Filesize
8.3MB

MD5
bc2d8e8b76ed111e173d80bfb534b63d

SHA1
afa8dd538684103452131bde9fb1ba0c7dc9e001

SHA256
f384e70ec904ca3f69c0975c0dd19a4c88f23601ff27556641aabfe0340a06a7

SHA512
bd6bb6383cab77ccd625a976ee651f9c024c0d08df12a9e0251e6efc533564c8c92d98fdadcf2097d41dc4cdb46a61419c5c2e686f5b2c6c40883e2d733341fa

Download Submit
C:\Windows\system\PGhOJSl.exe

Filesize
8.3MB

MD5
5e2214f7985f82f3e5390f6871ebb67a

SHA1
1e78b3a671af8b61fa2d9940fa73cb54b2ec5b30

SHA256
e257326e0aa9df519a7451492b656e8d7722a645c1e555984a6a462642fe940d

SHA512
23661f2dd22213eba6ba7e70dca87dbd8d8e7fc9dc72173ee189c3d044f3311b2aab92f81b0c3cf5d362e9b7320de7d84a10febdb3da9b77b27eef89e3a09339

Download Submit
C:\Windows\system\aMDsqfx.exe

Filesize
8.3MB

MD5
79f5149e408e42ca3c13cb79e0fde6f4

SHA1
9fa7d422580f3026860573d6faa8397915cd460d

SHA256
99f582665fa442907d50c54778a78def82941974f9f2421957c765750dca6015

SHA512
ae9ef9892402e7aca9d96bb34e3f840373050f4113812f9d1f2afdec20c2d172900e414fa76c97773f128a084186da6afc68fb4b1b8be8a5d60c078b9cf27c22

Download Submit
C:\Windows\system\cqzIxjF.exe

Filesize
8.3MB

MD5
1cf3f394ca02e7a37210070596f8e765

SHA1
ad6119aaa9c17b9622896746b859770ccebd55b9

SHA256
b77221a570d8533d96876705ed32d26613d0e9d7f045847a9732587ac38a4e1c

SHA512
1bb907be473a246022f5beac6bc3b62ea12b90dbcfc4e0a3bb622afc1fa3b084cf8d31934c163bec8289986621de63ae261f276c55ab0fdd937d1d902e569bf0

Download Submit
C:\Windows\system\oaZXNyc.exe

Filesize
8.3MB

MD5
437f5e5c5a9a754bb83cdf570ee1918f

SHA1
9140048f98d3698bfc67b6fcc13fe3e2bc735571

SHA256
b21f3d179bf8ab4c3695fa337018926dbb51732a22a322ad5a6841addaa36e2c

SHA512
e3df01a2bc197a1f421bfe04c193888fd4c7afbe80e9b729ebde856a407026fac7e9f2f3f78a8f84d4445b6519b107704822d57db3f7d7c55a63987c15873923

Download Submit
C:\Windows\system\pHlDOCn.exe

Filesize
8.3MB

MD5
b13c11e9dd89da380e57edf4f8a9c314

SHA1
949fc0ab09bd94a52b309e0330cd8af9483a690e

SHA256
974f35a1612c5951804cc4de47f73e3d8590d98e66d0b5bf0dafc56302414871

SHA512
1253f2ce516a71251a40edebc65e8ec616468c21e7b3a8d3457e6dc14d4153dc925719c80140dc87f92eeae62be55cf043b72719cf6cdaac27f71832467f2cb3

Download Submit
C:\Windows\system\uLSiDLi.exe

Filesize
8.3MB

MD5
d8508fa6b74d63caceb4fe11cf58f238

SHA1
a24e18e27bdddcb7d17887991df60012b6c8dfaf

SHA256
365947799b59f173c1e17815a383c43cead6bff57a917e3b7820f0422bfe055d

SHA512
47e07b8fbc32c6c54a68521ba9cb03ef05861b123781379a39756b68106e866312f54c166b77e7e9c2f65812f11e38794d197bae60f802242b8988c9bd20f2bc

Download Submit
C:\Windows\system\wImPAfQ.exe

Filesize
8.3MB

MD5
0533b18483bd77dee8bedda26d37203c

SHA1
53ffa477ac2a6e84b1d36354fa3bb8eb9a8b2e30

SHA256
9af35e1087cc55c6b0d6f8036218095aba07c742d97af103efa4f6b672e20a03

SHA512
933e20b00e9d863eed0d5cfeda4fa974b6ed9aa2dc44f623edf4d0e058101da63120b1fd3a6270c2fa6506ca4f6f43b7a0e708126bf11cc91cc1d6a8b69f656c

Download Submit
\Windows\system\JzbQRCJ.exe

Filesize
8.3MB

MD5
aec0543173e0dab577b19f80e4586a4c

SHA1
2faa1b7e840c1a922f272d8f3143517bbd9e0209

SHA256
82d76c4a815be6818e39433986b52d97ac95e4559fe1cf7cd212b9a4d26198f6

SHA512
219088e7e337a5bc16c4895b8b5008ab90399a826c57744bd006045e43889cb478aa1444b1893147d52e89e27c3269c33e187cedc4b5d950918c452864b90a00

Download Submit
\Windows\system\XdUbslb.exe

Filesize
8.3MB

MD5
1a18dc464a0763244753b9168be47ae4

SHA1
2e82dd768863004df9bd7557eeabe74d8a6cc4d2

SHA256
262364b7df26edfecf5766e52ff6ae2c042a7048bd15a8e344247cc223f031d1

SHA512
a4c306b78aa46db02cd6bf36114e5041452d86a9ce3e408c5e0cf614455d806757edf5def9c7eab297d1afbb8818521ba904b5e77130c765a035e5157d47ede9

Download Submit
\Windows\system\YvhDrpg.exe

Filesize
8.3MB

MD5
6753dbfea65c4d33717711f992ecf4d0

SHA1
74cbba5dab4dff79d442b3bb3a4adf13cb876177

SHA256
aa4c4a9f2fd21120624577947cf04a78657e08926c07088e8841e863c84c3a75

SHA512
b6fc67a83ebc2063655c34833560878bc32e809eacdc002c3b536808a890b37de99c13b607ceb5bab04659072927beeb63b5c42766d886419675a9e7647339ae

Download Submit
\Windows\system\eQlKteY.exe

Filesize
8.3MB

MD5
c8cabfd6d6d568713dfff31b8438186b

SHA1
9c0bb131ac9aa505349a0896113214dbec0155fe

SHA256
cf69916738d07050b2fe07096911148887fef3c37fb54e74a988281574bbe7ba

SHA512
91020b0ade47d786f7ba75262a1b1865de252a2fe20009a5aa4bf0d1723fb02796e3052f370b1b81d5a805612c0e6aabe756eb237047678be1c997bf42f670fc

Download Submit
\Windows\system\gakzbxL.exe

Filesize
8.3MB

MD5
c8643bd95f325006bd957364491cab6b

SHA1
8f5093ff8e95bc3bc1b0b7d70871287c32081f32

SHA256
37b544d70d802a03b28cd3985af566aa21512b3593e506dd22ace9a9b8c5f275

SHA512
8831d58a20d8cee710027bef8c33c54cc8b34939a00ffa8a39b5c0bd0fa98927ffe59c4e5e6e620af3251ab03f7abae627e95a21e122a47ddb1a576968fea72d

Download Submit
\Windows\system\ueaIhom.exe

Filesize
8.3MB

MD5
6cd9eefce76e62797aa78c3aa91459bc

SHA1
cea6eed4f1faf40c746f9eb268b39df8542c26d2

SHA256
9bba472e005e3e87f453faa28b76fbf51d2a39f566585c9bf0157d647e952e10

SHA512
eae37c7e51d311712feea0a39db940462100ea09494b99e764c55026e3280a46a606d8692b3ddcc3d701dffdccb2d8a9fb9de8ca15d874c89a65e79d14a49096

Download Submit
\Windows\system\ysOnsOS.exe

Filesize
8.3MB

MD5
c1bd7aa674550ad20f493a79f9e4bc33

SHA1
be46f869f9f2cde4a28b7bdfe69380146f20355e

SHA256
5518ca745caa8bbed91e612a5d9adb9d0eccff106a44ae9b563ca5097922a013

SHA512
18d795dd054e16221206655d00dfec2911dc61591bb7386022c01f0a0c2b63b313fa806fba33f0027157b20fe642f625be336dce9ce92cd28070b4d148e4ac8a

Download Submit
memory/952-137-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/952-93-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/952-149-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1540-92-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-24-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1540-14-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-134-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-76-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-55-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-103-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-88-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-47-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1540-0-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1540-54-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-41-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-82-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-80-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1540-27-0x0000000002520000-0x0000000002872000-memory.dmp

Filesize
3.3MB

Download
memory/1876-29-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1876-141-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2080-151-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2080-136-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2096-57-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2096-145-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2176-138-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2176-11-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2176-48-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2212-150-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2212-135-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2212-90-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2444-147-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2444-69-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2488-146-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2488-72-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2540-139-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2540-15-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2640-35-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2640-142-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2676-143-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2676-42-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2700-144-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2700-133-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2912-91-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2912-148-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3032-26-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3032-140-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download