cobaltstrike | b7f172168180b323c7eabe13d1b41b9cd6a2d274f7668754eefc5f93ecea6863

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 16:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

f75ec048d2aaa9b7e109e0a54629072c
SHA1

f46335b57a565a80b2de855e7f9c249af4ab26e7
SHA256

b7f172168180b323c7eabe13d1b41b9cd6a2d274f7668754eefc5f93ecea6863
SHA512

bbd601edc967e5cd2fe815baeae750ddfa091e8c2463ee19de652c0a8211fa8b042066de2c1d3ab123299626b5b7d5a258c00c6c17ca5f82a9c1e3c4a4dbd933
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibW56utgpPFotBER/mQ32lU2

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c00000001565d-3.dat	cobalt_reflective_dll
behavioral1/files/0x002c000000015cb6-9.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d20-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d42-27.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d5f-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d4e-36.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d6b-45.dat	cobalt_reflective_dll
behavioral1/files/0x002c000000015ccd-52.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001658a-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016616-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016851-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c44-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d07-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d20-126.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d34-133.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cdc-123.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c64-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cb0-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d18-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c5e-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016adc-82.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001565d-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002c000000015cb6-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d20-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d42-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015d5f-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d4e-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015d6b-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002c000000015ccd-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001658a-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016616-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016851-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c44-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d07-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d20-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d34-133.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cdc-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c64-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cb0-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d18-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c5e-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016adc-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2696-0-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/files/0x000c00000001565d-3.dat	UPX
behavioral1/memory/2028-7-0x000000013FC20000-0x000000013FF71000-memory.dmp	UPX
behavioral1/files/0x002c000000015cb6-9.dat	UPX
behavioral1/memory/2592-14-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/files/0x0007000000015d20-11.dat	UPX
behavioral1/files/0x0007000000015d42-27.dat	UPX
behavioral1/files/0x0009000000015d5f-34.dat	UPX
behavioral1/memory/2640-41-0x000000013FB20000-0x000000013FE71000-memory.dmp	UPX
behavioral1/memory/2616-40-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX
behavioral1/files/0x0007000000015d4e-36.dat	UPX
behavioral1/memory/2612-35-0x000000013F480000-0x000000013F7D1000-memory.dmp	UPX
behavioral1/memory/2964-31-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/files/0x0009000000015d6b-45.dat	UPX
behavioral1/files/0x002c000000015ccd-52.dat	UPX
behavioral1/memory/2668-47-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
behavioral1/memory/2660-55-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
behavioral1/memory/2696-54-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/files/0x000700000001658a-56.dat	UPX
behavioral1/memory/2440-62-0x000000013F470000-0x000000013F7C1000-memory.dmp	UPX
behavioral1/files/0x0006000000016616-63.dat	UPX
behavioral1/memory/2028-64-0x000000013FC20000-0x000000013FF71000-memory.dmp	UPX
behavioral1/memory/2808-71-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/files/0x0006000000016851-74.dat	UPX
behavioral1/memory/2964-108-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/files/0x0006000000016c44-107.dat	UPX
behavioral1/files/0x0006000000016d07-104.dat	UPX
behavioral1/files/0x0006000000016d20-126.dat	UPX
behavioral1/files/0x0006000000016d34-133.dat	UPX
behavioral1/files/0x0006000000016cdc-123.dat	UPX
behavioral1/files/0x0006000000016c64-122.dat	UPX
behavioral1/memory/1464-121-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
behavioral1/files/0x0006000000016cb0-112.dat	UPX
behavioral1/files/0x0006000000016d18-109.dat	UPX
behavioral1/files/0x0006000000016c5e-95.dat	UPX
behavioral1/memory/1492-94-0x000000013F300000-0x000000013F651000-memory.dmp	UPX
behavioral1/files/0x0006000000016adc-82.dat	UPX
behavioral1/memory/2204-90-0x000000013FA40000-0x000000013FD91000-memory.dmp	UPX
behavioral1/memory/2592-76-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/2668-138-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
behavioral1/memory/2696-139-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/memory/1900-154-0x000000013F1F0000-0x000000013F541000-memory.dmp	UPX
behavioral1/memory/2808-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/memory/1048-156-0x000000013FE50000-0x00000001401A1000-memory.dmp	UPX
behavioral1/memory/1040-155-0x000000013F100000-0x000000013F451000-memory.dmp	UPX
behavioral1/memory/852-160-0x000000013F080000-0x000000013F3D1000-memory.dmp	UPX
behavioral1/memory/2240-159-0x000000013F840000-0x000000013FB91000-memory.dmp	UPX
behavioral1/memory/1908-157-0x000000013FF00000-0x0000000140251000-memory.dmp	UPX
behavioral1/memory/1496-152-0x000000013FA50000-0x000000013FDA1000-memory.dmp	UPX
behavioral1/memory/1584-158-0x000000013F820000-0x000000013FB71000-memory.dmp	UPX
behavioral1/memory/2696-164-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/memory/2028-217-0x000000013FC20000-0x000000013FF71000-memory.dmp	UPX
behavioral1/memory/2592-219-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/2964-221-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2612-223-0x000000013F480000-0x000000013F7D1000-memory.dmp	UPX
behavioral1/memory/2640-227-0x000000013FB20000-0x000000013FE71000-memory.dmp	UPX
behavioral1/memory/2616-226-0x000000013F0E0000-0x000000013F431000-memory.dmp	UPX
behavioral1/memory/2668-229-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
behavioral1/memory/2660-231-0x000000013FB50000-0x000000013FEA1000-memory.dmp	UPX
behavioral1/memory/2440-233-0x000000013F470000-0x000000013F7C1000-memory.dmp	UPX
behavioral1/memory/2808-247-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/memory/2204-249-0x000000013FA40000-0x000000013FD91000-memory.dmp	UPX
behavioral1/memory/1492-251-0x000000013F300000-0x000000013F651000-memory.dmp	UPX
behavioral1/memory/1464-253-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/2696-39-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/2640-41-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2616-40-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2612-35-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2964-31-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2660-55-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2696-54-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2440-62-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2028-64-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2696-83-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2964-108-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/1464-121-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2696-117-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/1492-94-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2204-90-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2592-76-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2668-138-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2696-139-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/1900-154-0x000000013F1F0000-0x000000013F541000-memory.dmp	xmrig
behavioral1/memory/2808-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/1048-156-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/1040-155-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/852-160-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2240-159-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/1908-157-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/1496-152-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/1584-158-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/2696-164-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2028-217-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2592-219-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2964-221-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2612-223-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2640-227-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2616-226-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2668-229-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2660-231-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2440-233-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2808-247-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2204-249-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/1492-251-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1464-253-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2028	RAGLNOp.exe
2592	GZTLwbM.exe
2964	HsZGqob.exe
2612	XWpXIbv.exe
2616	DUVkUYA.exe
2640	moZwvnx.exe
2668	VcVnlic.exe
2660	GiEizVX.exe
2440	rDUoToA.exe
2808	YbOJVet.exe
2204	wwexSiV.exe
1492	kAzGoQs.exe
1464	iIjtFHF.exe
1496	ClXgLTF.exe
1040	bFjrRRh.exe
1908	UUDwYOi.exe
1900	uJSsHZM.exe
1048	SpQjsoN.exe
2240	XshXrXG.exe
1584	bjkcqbk.exe
852	XMzCLGC.exe

Loads dropped DLL 21 IoCs

pid	Process
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/files/0x000c00000001565d-3.dat	upx
behavioral1/memory/2028-7-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/files/0x002c000000015cb6-9.dat	upx
behavioral1/memory/2592-14-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/files/0x0007000000015d20-11.dat	upx
behavioral1/files/0x0007000000015d42-27.dat	upx
behavioral1/files/0x0009000000015d5f-34.dat	upx
behavioral1/memory/2640-41-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2616-40-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/files/0x0007000000015d4e-36.dat	upx
behavioral1/memory/2612-35-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2964-31-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/files/0x0009000000015d6b-45.dat	upx
behavioral1/files/0x002c000000015ccd-52.dat	upx
behavioral1/memory/2668-47-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2660-55-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/2696-54-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/files/0x000700000001658a-56.dat	upx
behavioral1/memory/2440-62-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/files/0x0006000000016616-63.dat	upx
behavioral1/memory/2028-64-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/memory/2808-71-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/files/0x0006000000016851-74.dat	upx
behavioral1/memory/2964-108-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/files/0x0006000000016c44-107.dat	upx
behavioral1/files/0x0006000000016d07-104.dat	upx
behavioral1/files/0x0006000000016d20-126.dat	upx
behavioral1/files/0x0006000000016d34-133.dat	upx
behavioral1/files/0x0006000000016cdc-123.dat	upx
behavioral1/files/0x0006000000016c64-122.dat	upx
behavioral1/memory/1464-121-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/files/0x0006000000016cb0-112.dat	upx
behavioral1/files/0x0006000000016d18-109.dat	upx
behavioral1/files/0x0006000000016c5e-95.dat	upx
behavioral1/memory/1492-94-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/files/0x0006000000016adc-82.dat	upx
behavioral1/memory/2204-90-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/2592-76-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2668-138-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2696-139-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/1900-154-0x000000013F1F0000-0x000000013F541000-memory.dmp	upx
behavioral1/memory/2808-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/1048-156-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/1040-155-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/852-160-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/memory/2240-159-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/memory/1908-157-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/1496-152-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/1584-158-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/memory/2696-164-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2028-217-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/memory/2592-219-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2964-221-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2612-223-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2640-227-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2616-226-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/memory/2668-229-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2660-231-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/2440-233-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2808-247-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/2204-249-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/1492-251-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/1464-253-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RAGLNOp.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HsZGqob.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XWpXIbv.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VcVnlic.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kAzGoQs.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XshXrXG.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XMzCLGC.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GZTLwbM.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\moZwvnx.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GiEizVX.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rDUoToA.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YbOJVet.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wwexSiV.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ClXgLTF.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bFjrRRh.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SpQjsoN.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UUDwYOi.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bjkcqbk.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DUVkUYA.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iIjtFHF.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uJSsHZM.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2028	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	29
PID 2696 wrote to memory of 2028	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	29
PID 2696 wrote to memory of 2028	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	29
PID 2696 wrote to memory of 2592	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	30
PID 2696 wrote to memory of 2592	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	30
PID 2696 wrote to memory of 2592	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	30
PID 2696 wrote to memory of 2964	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	31
PID 2696 wrote to memory of 2964	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	31
PID 2696 wrote to memory of 2964	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	31
PID 2696 wrote to memory of 2612	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	32
PID 2696 wrote to memory of 2612	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	32
PID 2696 wrote to memory of 2612	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	32
PID 2696 wrote to memory of 2640	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	33
PID 2696 wrote to memory of 2640	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	33
PID 2696 wrote to memory of 2640	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	33
PID 2696 wrote to memory of 2616	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	34
PID 2696 wrote to memory of 2616	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	34
PID 2696 wrote to memory of 2616	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	34
PID 2696 wrote to memory of 2668	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	35
PID 2696 wrote to memory of 2668	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	35
PID 2696 wrote to memory of 2668	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	35
PID 2696 wrote to memory of 2660	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	36
PID 2696 wrote to memory of 2660	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	36
PID 2696 wrote to memory of 2660	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	36
PID 2696 wrote to memory of 2440	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	37
PID 2696 wrote to memory of 2440	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	37
PID 2696 wrote to memory of 2440	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	37
PID 2696 wrote to memory of 2808	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	38
PID 2696 wrote to memory of 2808	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	38
PID 2696 wrote to memory of 2808	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	38
PID 2696 wrote to memory of 2204	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	39
PID 2696 wrote to memory of 2204	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	39
PID 2696 wrote to memory of 2204	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	39
PID 2696 wrote to memory of 1492	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	40
PID 2696 wrote to memory of 1492	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	40
PID 2696 wrote to memory of 1492	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	40
PID 2696 wrote to memory of 1496	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	41
PID 2696 wrote to memory of 1496	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	41
PID 2696 wrote to memory of 1496	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	41
PID 2696 wrote to memory of 1464	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	42
PID 2696 wrote to memory of 1464	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	42
PID 2696 wrote to memory of 1464	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	42
PID 2696 wrote to memory of 1900	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	43
PID 2696 wrote to memory of 1900	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	43
PID 2696 wrote to memory of 1900	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	43
PID 2696 wrote to memory of 1040	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	44
PID 2696 wrote to memory of 1040	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	44
PID 2696 wrote to memory of 1040	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	44
PID 2696 wrote to memory of 1048	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	45
PID 2696 wrote to memory of 1048	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	45
PID 2696 wrote to memory of 1048	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	45
PID 2696 wrote to memory of 1908	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	46
PID 2696 wrote to memory of 1908	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	46
PID 2696 wrote to memory of 1908	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	46
PID 2696 wrote to memory of 1584	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	47
PID 2696 wrote to memory of 1584	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	47
PID 2696 wrote to memory of 1584	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	47
PID 2696 wrote to memory of 2240	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	48
PID 2696 wrote to memory of 2240	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	48
PID 2696 wrote to memory of 2240	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	48
PID 2696 wrote to memory of 852	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	49
PID 2696 wrote to memory of 852	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	49
PID 2696 wrote to memory of 852	2696	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System\RAGLNOp.exe
  C:\Windows\System\RAGLNOp.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\GZTLwbM.exe
  C:\Windows\System\GZTLwbM.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\HsZGqob.exe
  C:\Windows\System\HsZGqob.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\XWpXIbv.exe
  C:\Windows\System\XWpXIbv.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\moZwvnx.exe
  C:\Windows\System\moZwvnx.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\DUVkUYA.exe
  C:\Windows\System\DUVkUYA.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\VcVnlic.exe
  C:\Windows\System\VcVnlic.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\GiEizVX.exe
  C:\Windows\System\GiEizVX.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\rDUoToA.exe
  C:\Windows\System\rDUoToA.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\YbOJVet.exe
  C:\Windows\System\YbOJVet.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\wwexSiV.exe
  C:\Windows\System\wwexSiV.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\kAzGoQs.exe
  C:\Windows\System\kAzGoQs.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\ClXgLTF.exe
  C:\Windows\System\ClXgLTF.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\iIjtFHF.exe
  C:\Windows\System\iIjtFHF.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\uJSsHZM.exe
  C:\Windows\System\uJSsHZM.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\bFjrRRh.exe
  C:\Windows\System\bFjrRRh.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\SpQjsoN.exe
  C:\Windows\System\SpQjsoN.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\UUDwYOi.exe
  C:\Windows\System\UUDwYOi.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\bjkcqbk.exe
  C:\Windows\System\bjkcqbk.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\XshXrXG.exe
  C:\Windows\System\XshXrXG.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\XMzCLGC.exe
  C:\Windows\System\XMzCLGC.exe
  2⤵
  - Executes dropped EXE
  PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ClXgLTF.exe

Filesize
5.2MB

MD5
336155fd6bdbbdc2026d7db9c96c4655

SHA1
1edf704a4d41526cf6bf68fa94ca3791c1574f23

SHA256
6b9861c303fced939b99fb756faaff1f2510716d22dc33f4600dab8cb0b72182

SHA512
70927840dc1f07845f7582d7c647cf59a75748be5e73d0b31967d470df225cda723dca2dda09672326f06176b837fdb7b3116e98baa737a58ae6e7cd48992bac

Download Submit
C:\Windows\system\DUVkUYA.exe

Filesize
5.2MB

MD5
50fab6538574ce6016d17eee586a8b08

SHA1
f1a4b46100544491e83513f1e1e02c53c816b596

SHA256
0c6c3b712e5327ccc84d1e8d01585734d69e72687fee4fd1e0b2d77a94b463ac

SHA512
c22f814a2c97c4aed94e9111a51e03f755204952d2fb30b8810eaad86f89a00ebb3698227f8b2357a0d5502970e681bbc9e66bfd8f2d1ef9e4e50f1ddaf6767a

Download Submit
C:\Windows\system\GiEizVX.exe

Filesize
5.2MB

MD5
eeb6413cd69f43d0f6bfbf79f40e1260

SHA1
c6ac6809a21b4238275a7b436a79313091dd4265

SHA256
04817d8412824c233c0ad5eec29432878c00a6b96513041b6e3d9cd38b94d673

SHA512
b72a17468cf89cbd4d0b1029482eca326799452a1e3da49c81c7171c3410f4a20fceb537495c3cfc9c36f91d4c3eb3eadcf2b0090bab0742fc636f0cf047aad0

Download Submit
C:\Windows\system\HsZGqob.exe

Filesize
5.2MB

MD5
b0a6518266850b7697a33a4975dfbef8

SHA1
66849ad1d797ec8473b303ccfcc0fb88a87be005

SHA256
a362f92e7af4f2dc835ccb2a816df44b7e4a9e426f3a9d3466a35200ea689d68

SHA512
dfc902febb6fc31942a075739d2966890d11c5a239c0823b149096ba7f325cf4abe0afdbb2b7501ffe8859c3808fd409e2d2a57471ffbd2f6f2071e86db34ef7

Download Submit
C:\Windows\system\SpQjsoN.exe

Filesize
5.2MB

MD5
c91f523d20ea3e3cec327d8a87ff4894

SHA1
905b828a698ea748ca114c57da623b1799d21708

SHA256
3844a9ca909b84d1a281536d486af1af175898f197d4c23e4a4d6d4bd909563c

SHA512
c13b284ce4210db0f7968b2ed520789db9b6c626a7e416043cf4d41fec97f470f07efc88e533ea2d6dd940ce1a1d1448f0ea5e955816ccffb985ab9ed61f2d62

Download Submit
C:\Windows\system\VcVnlic.exe

Filesize
5.2MB

MD5
fb2ca4f527ac10f2931579553adbc45b

SHA1
39c3ebc71fd35d017a621baba878bb2b278b3aa0

SHA256
3d52bdfad83df93d331520d57d808b8039e4989e3dd7257dddb8238fb4d75785

SHA512
6252b8db6a885a502b84fb5527e0b1f3bb66328df86684811d1076f9e2c003788eee72df6cff4fcbfb507bc1f8fb22b0a10cf51e76633ed1363804f568224d8e

Download Submit
C:\Windows\system\XWpXIbv.exe

Filesize
5.2MB

MD5
7e1e79b3da3ab58b1381cee46dfad189

SHA1
22f4dc8973aaffabeffc75d0ab7b8f81dd042581

SHA256
0aaf72b29021ae413b2669602f1158cd649dab9b893995c3c87dae454de4a053

SHA512
66a3fa39fb2f165150a4c3a22aead76eeab6af29be1ff0afc739f94bc8621a652f6f54253e9e3898c8db5c3ad6571eb5b2b0beed0a3f627e31271df70bbc91ed

Download Submit
C:\Windows\system\bFjrRRh.exe

Filesize
5.2MB

MD5
d346408c6b0cbee60195d73bcaa54a8e

SHA1
4ed8cccac9ad26931aafc89b336e9f027decbf2e

SHA256
56f9f0414b5b1bf100d2f061cbd89196fdd7c80022d4b69b18642b97100692ba

SHA512
b95ddb93a992a0fedac13ce59272cc75e0bdd2b6a9f3c142154231abb6403537b672ed9f7e351d06b3cc8c8944817c497d71322141c4bf57d1fa4510f06a2544

Download Submit
C:\Windows\system\iIjtFHF.exe

Filesize
5.2MB

MD5
4a89d800c13a9d8a09e405ead1bac5c7

SHA1
ba4547b6973238755bb3b848c543e8ac339ac07f

SHA256
e6c032b3ee69cb877b77694fb916901cefb71cab619837718a8a3c849b4b613e

SHA512
456df0964d3240f6a7b862a8ec08f599a408926fa6af180a490f3cd4de19081d2ab2a9d3d280493846eab97d6678fa02e0f81ebe3b50e7c25c74d10a99b5207d

Download Submit
C:\Windows\system\kAzGoQs.exe

Filesize
5.2MB

MD5
8a91bbb9946ae134f58e98facff06908

SHA1
e419a1b1a1a4cfacd0a66250e178590e6a24ec44

SHA256
abebbf2096a433a295198cec0454a646097451715ac9cd9c620ac30cf4938ae8

SHA512
7ed208ce52482ef7e47fb0282fefa72ae80bebd19abb425bf368ddea956fcc91e1827ef7e1adac91ab457a51a41e3cdd560e8a853bfdf77bb7549c5ea921decb

Download Submit
C:\Windows\system\moZwvnx.exe

Filesize
5.2MB

MD5
dfa84daba444496a7b6744ca0ccfd2f3

SHA1
61c3561ae673b080308be53a4952874c56dfe4e6

SHA256
a683dbc61cd5ed5b5578f9b77106dd7197e88406dfbb458b8c0d2aeef8e5015a

SHA512
5407d3a5edabda5bf8fbd620bcea9fe8bd8b513b50f5410b214ab026409f537c7b1cdd678791338381fddbf4412e71068c74fa9db1e1fecee09591ebb26cccb6

Download Submit
C:\Windows\system\uJSsHZM.exe

Filesize
5.2MB

MD5
72693fb2236a94f947dda3c3702d6e43

SHA1
60970c29c77eee0f6964d162c4ac1de0f06214b1

SHA256
eeebb391417ff19013cb6969e4208337b1409c9d0d10185a3006f9f1dc64aeee

SHA512
2337c6435bd25ed4e32d72c8302c029c56b2c356614a2f9b808eb6712cdb389b7dde912421ba19b31973b3352152e44b9755c224f3d51db94e6c9093e3b51a66

Download Submit
C:\Windows\system\wwexSiV.exe

Filesize
5.2MB

MD5
30ee5a12cd70be852adcb64902c5f37e

SHA1
5f494eada24e9600a24f3e55b77a0483960b7fa1

SHA256
7e02919dbbeab18fd82d05e896f4b5a56b6b238dd3c053aed53f6e4818023e3a

SHA512
d25e069f178d637692574c366092438fb2f0eab0f72a97f112548980f490531a60b78ca8bfa83f27ed84e54fb11ce3c24f68c0b4e6e3debc77426cbe4c8e49c5

Download Submit
\Windows\system\GZTLwbM.exe

Filesize
5.2MB

MD5
779d19d24f3126bda04058b79892bee5

SHA1
1f601483802c7c941b64899b3bd45f4566fe262d

SHA256
8e3c8c29b63f0b4e5299c1f346ce5cfad81430816bebfd0915a9c87a02d85ea3

SHA512
885480ba429b47f25a204b51a1d3066b0ad72281ded5ed3df280bc3b67b64dad274818a7bf70c3cc6fa795ef6ab887950a22cfe49e85680815dde6806d471af3

Download Submit
\Windows\system\RAGLNOp.exe

Filesize
5.2MB

MD5
a32eac8e7bc27ef99edaa232559574b5

SHA1
aeb0f179b7d958e4bf2bc651a228b1f37589d6fe

SHA256
f4033ff639a0d6f81a21dacdf2c8dc518b3d8998adabbd56ed6226895b5729ce

SHA512
2b6f15413e655b6788a6fe22e1a336f9b4a5bcb5c7b729032558c6019ebff868922819d7be0fbe48c0cb64830c640da24cfd1ee054832720e09a3e547d597e59

Download Submit
\Windows\system\UUDwYOi.exe

Filesize
5.2MB

MD5
5626de2dcae4de910f0b9ed8f0580006

SHA1
0410c23bf5db0fc3f2e452aba3809114e5b7a538

SHA256
60f858b9fcd5a497086456e924c199789193178cf21c0b730bd9ec5c6090ab78

SHA512
87881024aa47f412a308b22d0ba9e760e39a024bf5ca910200870b44c19007a64f08a40688a171c1576a13f3ddd75ce1f6edfef168f52968a2093c4e70be519e

Download Submit
\Windows\system\XMzCLGC.exe

Filesize
5.2MB

MD5
afd7c6f5ab105e969d11e71c5f266458

SHA1
08e11dd1dfa9872f10f1a5f0ef6cf080c9393a4a

SHA256
2c630114abace5641476a3934b1fc42c3d309fdecea44dcf7118e21ba8cb1ba6

SHA512
97f5a2ca94dea5514e82e51b9fa5d98fe8bbf90564c54a8d2922ae6aff7946618bbb7416b9c2ad039391a24f66448e5b1c04093686502f0c22ea06f860ae0eca

Download Submit
\Windows\system\XshXrXG.exe

Filesize
5.2MB

MD5
c1b31b49a64064a59e961d8c2f197024

SHA1
352f782b0ee678e478cee2e520ec76035ef3e667

SHA256
51acb42fa7c2b3fb1f16d5fea0d49d52077b90668be514c2e394385a75beedf4

SHA512
1a5a483b4f44187c110213fcfe5ed29f235adcf69968ae4814457d378e4855dc74592c8ba8b5632b1b85e01825e43118bfacaa44f64a20d932c2988ccc6c46de

Download Submit
\Windows\system\YbOJVet.exe

Filesize
5.2MB

MD5
441331e5fe0399b1740c419916ad0d8b

SHA1
8a0629aa05bf6fa8bf485b1851a55df28f0886a7

SHA256
9c349096697a7b2e62df5f4931215b46803a9c899c26dd1ced93bcfd36b11a25

SHA512
51e10c221b415a61fe6c1a38afe77742b2ca80e40839525e26e312663d1b97095fbaa1bed88efeb5d0768ad5e90658152c2f9387fd867157cf0f94ed2f229185

Download Submit
\Windows\system\bjkcqbk.exe

Filesize
5.2MB

MD5
4b3e0466471b5e965a0bd3afe57f54df

SHA1
8cb0fafec038c63aa660ca43a2037dc821d2c653

SHA256
fffd7aa4fa01e57c034e92cc6204d9b840d169a64a2896d0e8da621a672f6ce8

SHA512
03cde25a10a2b070525c95a3f16ba4a739723b53e5f229fc7a1f7f72fcb83aa94de373fd3df4b6f0c8e8e24442df33f00284c77db0d38c30f97984c64957c5c3

Download Submit
\Windows\system\rDUoToA.exe

Filesize
5.2MB

MD5
d629102ed8483ac0270b80340d746c44

SHA1
4f1f9b9b9fa9dab8fa0b01197deef76fa73e0264

SHA256
ce6732e75eb34aac37fdd3f8cd7917a2472f6c068d67f60ba845841b4a77ae1d

SHA512
0e9983e393181905763ed9c1b73ceae2023b482edefc316161840b7b2642bb825006933307583ced95324c8c0d84daa0e16e4f30806b78479776c0eb1d45c688

Download Submit
memory/852-160-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1040-155-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/1048-156-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/1464-121-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1464-253-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-94-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1492-251-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1496-152-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-158-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/1900-154-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/1908-157-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2028-7-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2028-64-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2028-217-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2204-249-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2204-90-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2240-159-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/2440-233-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2440-62-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2592-76-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2592-219-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2592-14-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2612-223-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-35-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2616-226-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2616-40-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2640-227-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2640-41-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2660-231-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-55-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2668-138-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2668-47-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2668-229-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2696-0-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2696-137-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2696-39-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2696-61-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2696-117-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-12-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2696-161-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2696-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2696-118-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-119-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2696-120-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2696-103-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2696-162-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-163-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2696-139-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2696-33-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2696-164-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2696-68-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-67-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2696-186-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-46-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2696-83-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2696-54-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2808-247-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-71-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-108-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2964-221-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2964-31-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download