cobaltstrike | b75cd532c50dcb60baec52f6cedaca20ac30384a867a56ca5b7c874fd2a11ecc

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

7b58ae31b28cdcf1f61fe13af1dab6e1
SHA1

007bd9060f30cf84c40a88eaf19686021c6dbf2f
SHA256

b75cd532c50dcb60baec52f6cedaca20ac30384a867a56ca5b7c874fd2a11ecc
SHA512

bee8024c707e4c55b1fd440d23c254a33050049632c2f69427e2cf66a171d6880233ab3da080c671815603e3207edb9bf7e22928fe2ff0c9c21202aa30b224e1
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibf56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c00000001226d-3.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000015c82-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cd6-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cea-26.dat	cobalt_reflective_dll
behavioral1/files/0x0034000000015c8c-37.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d13-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c5d-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d33-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3b-134.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d2b-126.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d1a-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d22-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d05-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cde-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016caf-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c67-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c4a-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016a7d-67.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016824-61.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cfd-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cf3-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001226d-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000015c82-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015cd6-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cea-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0034000000015c8c-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015d13-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c5d-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d33-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3b-134.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d2b-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d1a-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d22-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d05-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cde-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016caf-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c67-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c4a-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016a7d-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000016824-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cfd-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cf3-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/1868-0-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/files/0x000c00000001226d-3.dat	UPX
behavioral1/memory/1592-7-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/files/0x0035000000015c82-8.dat	UPX
behavioral1/memory/2580-14-0x000000013F930000-0x000000013FC81000-memory.dmp	UPX
behavioral1/files/0x0008000000015cd6-12.dat	UPX
behavioral1/memory/2616-22-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
behavioral1/files/0x0007000000015cea-26.dat	UPX
behavioral1/memory/2824-29-0x000000013F4E0000-0x000000013F831000-memory.dmp	UPX
behavioral1/files/0x0034000000015c8c-37.dat	UPX
behavioral1/memory/2620-35-0x000000013F3D0000-0x000000013F721000-memory.dmp	UPX
behavioral1/memory/2604-43-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/files/0x0009000000015d13-54.dat	UPX
behavioral1/memory/1868-56-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/2652-57-0x000000013F1E0000-0x000000013F531000-memory.dmp	UPX
behavioral1/memory/2580-68-0x000000013F930000-0x000000013FC81000-memory.dmp	UPX
behavioral1/files/0x0006000000016c5d-83.dat	UPX
behavioral1/memory/1692-86-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
behavioral1/memory/2460-101-0x000000013F690000-0x000000013F9E1000-memory.dmp	UPX
behavioral1/files/0x0006000000016d33-129.dat	UPX
behavioral1/files/0x0006000000016d3b-134.dat	UPX
behavioral1/files/0x0006000000016d2b-126.dat	UPX
behavioral1/files/0x0006000000016d1a-116.dat	UPX
behavioral1/files/0x0006000000016d22-121.dat	UPX
behavioral1/files/0x0006000000016d05-111.dat	UPX
behavioral1/files/0x0006000000016cde-105.dat	UPX
behavioral1/memory/2784-138-0x000000013FF80000-0x00000001402D1000-memory.dmp	UPX
behavioral1/files/0x0006000000016caf-98.dat	UPX
behavioral1/memory/1460-93-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
behavioral1/memory/2620-91-0x000000013F3D0000-0x000000013F721000-memory.dmp	UPX
behavioral1/files/0x0006000000016c67-90.dat	UPX
behavioral1/memory/1876-78-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
behavioral1/memory/2616-76-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
behavioral1/files/0x0006000000016c4a-75.dat	UPX
behavioral1/memory/2904-70-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/files/0x0006000000016a7d-67.dat	UPX
behavioral1/memory/2528-63-0x000000013F420000-0x000000013F771000-memory.dmp	UPX
behavioral1/memory/1592-62-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/files/0x0008000000016824-61.dat	UPX
behavioral1/memory/2784-49-0x000000013FF80000-0x00000001402D1000-memory.dmp	UPX
behavioral1/files/0x0007000000015cfd-47.dat	UPX
behavioral1/files/0x0007000000015cf3-33.dat	UPX
behavioral1/memory/1868-139-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/2904-149-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/memory/2528-152-0x000000013F420000-0x000000013F771000-memory.dmp	UPX
behavioral1/memory/1692-151-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
behavioral1/memory/1876-150-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
behavioral1/memory/1460-153-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
behavioral1/memory/2380-156-0x000000013F040000-0x000000013F391000-memory.dmp	UPX
behavioral1/memory/1432-161-0x000000013FD90000-0x00000001400E1000-memory.dmp	UPX
behavioral1/memory/1028-160-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
behavioral1/memory/1448-158-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	UPX
behavioral1/memory/1580-157-0x000000013F750000-0x000000013FAA1000-memory.dmp	UPX
behavioral1/memory/324-155-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
behavioral1/memory/2460-154-0x000000013F690000-0x000000013F9E1000-memory.dmp	UPX
behavioral1/memory/1856-159-0x000000013FC00000-0x000000013FF51000-memory.dmp	UPX
behavioral1/memory/1868-164-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/1592-215-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/memory/2616-218-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
behavioral1/memory/2580-219-0x000000013F930000-0x000000013FC81000-memory.dmp	UPX
behavioral1/memory/2824-221-0x000000013F4E0000-0x000000013F831000-memory.dmp	UPX
behavioral1/memory/2620-223-0x000000013F3D0000-0x000000013F721000-memory.dmp	UPX
behavioral1/memory/2604-225-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/2784-227-0x000000013FF80000-0x00000001402D1000-memory.dmp	UPX

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/2824-29-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/2604-43-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/1868-56-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2652-57-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2580-68-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2784-138-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2620-91-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2616-76-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/1592-62-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/1868-139-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2904-149-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2528-152-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/1692-151-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/1876-150-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/1460-153-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2380-156-0x000000013F040000-0x000000013F391000-memory.dmp	xmrig
behavioral1/memory/1432-161-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/1028-160-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/1448-158-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	xmrig
behavioral1/memory/1580-157-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/324-155-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2460-154-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/1856-159-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/1868-164-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/1592-215-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2616-218-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2580-219-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2824-221-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/2620-223-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2604-225-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2784-227-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2652-229-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2528-231-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/2904-233-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/1876-235-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/1692-247-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/1460-249-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2460-251-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1592	OxIeEre.exe
2580	ykvmnWq.exe
2616	mbvhqVD.exe
2824	AwIunkD.exe
2620	UgowYkn.exe
2604	TPjnksV.exe
2784	eyJhdYO.exe
2652	qXjfiFV.exe
2528	rVkEMLS.exe
2904	JecGwJq.exe
1876	XKIvUZo.exe
1692	ZbiixIk.exe
1460	kbRyijo.exe
2460	GJjfyDd.exe
324	xzGtGSt.exe
2380	WrbIHQG.exe
1580	fheEzaU.exe
1448	gkyPiiU.exe
1856	CmoWDPs.exe
1028	XfXCDje.exe
1432	yKDrFGo.exe

Loads dropped DLL 21 IoCs

pid	Process
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1868-0-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/files/0x000c00000001226d-3.dat	upx
behavioral1/memory/1592-7-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/files/0x0035000000015c82-8.dat	upx
behavioral1/memory/2580-14-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/files/0x0008000000015cd6-12.dat	upx
behavioral1/memory/2616-22-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/files/0x0007000000015cea-26.dat	upx
behavioral1/memory/2824-29-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/files/0x0034000000015c8c-37.dat	upx
behavioral1/memory/2620-35-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/2604-43-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/files/0x0009000000015d13-54.dat	upx
behavioral1/memory/1868-56-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2652-57-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2580-68-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/files/0x0006000000016c5d-83.dat	upx
behavioral1/memory/1692-86-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/2460-101-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/files/0x0006000000016d33-129.dat	upx
behavioral1/files/0x0006000000016d3b-134.dat	upx
behavioral1/files/0x0006000000016d2b-126.dat	upx
behavioral1/files/0x0006000000016d1a-116.dat	upx
behavioral1/files/0x0006000000016d22-121.dat	upx
behavioral1/files/0x0006000000016d05-111.dat	upx
behavioral1/files/0x0006000000016cde-105.dat	upx
behavioral1/memory/2784-138-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/files/0x0006000000016caf-98.dat	upx
behavioral1/memory/1460-93-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2620-91-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/files/0x0006000000016c67-90.dat	upx
behavioral1/memory/1876-78-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2616-76-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/files/0x0006000000016c4a-75.dat	upx
behavioral1/memory/2904-70-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/files/0x0006000000016a7d-67.dat	upx
behavioral1/memory/2528-63-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/1592-62-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/files/0x0008000000016824-61.dat	upx
behavioral1/memory/2784-49-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/files/0x0007000000015cfd-47.dat	upx
behavioral1/files/0x0007000000015cf3-33.dat	upx
behavioral1/memory/1868-139-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2904-149-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2528-152-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/1692-151-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/1876-150-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/1460-153-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2380-156-0x000000013F040000-0x000000013F391000-memory.dmp	upx
behavioral1/memory/1432-161-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/1028-160-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/1448-158-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	upx
behavioral1/memory/1580-157-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/memory/324-155-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/2460-154-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/1856-159-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/1868-164-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/1592-215-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2616-218-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2580-219-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2824-221-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/2620-223-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/2604-225-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2784-227-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mbvhqVD.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eyJhdYO.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ykvmnWq.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kbRyijo.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AwIunkD.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UgowYkn.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rVkEMLS.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GJjfyDd.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fheEzaU.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gkyPiiU.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CmoWDPs.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XfXCDje.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OxIeEre.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qXjfiFV.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JecGwJq.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XKIvUZo.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZbiixIk.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xzGtGSt.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WrbIHQG.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yKDrFGo.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TPjnksV.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1592	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	29
PID 1868 wrote to memory of 1592	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	29
PID 1868 wrote to memory of 1592	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	29
PID 1868 wrote to memory of 2580	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	30
PID 1868 wrote to memory of 2580	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	30
PID 1868 wrote to memory of 2580	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	30
PID 1868 wrote to memory of 2616	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	31
PID 1868 wrote to memory of 2616	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	31
PID 1868 wrote to memory of 2616	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	31
PID 1868 wrote to memory of 2824	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	32
PID 1868 wrote to memory of 2824	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	32
PID 1868 wrote to memory of 2824	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	32
PID 1868 wrote to memory of 2620	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	33
PID 1868 wrote to memory of 2620	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	33
PID 1868 wrote to memory of 2620	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	33
PID 1868 wrote to memory of 2604	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	34
PID 1868 wrote to memory of 2604	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	34
PID 1868 wrote to memory of 2604	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	34
PID 1868 wrote to memory of 2784	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	35
PID 1868 wrote to memory of 2784	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	35
PID 1868 wrote to memory of 2784	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	35
PID 1868 wrote to memory of 2652	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	36
PID 1868 wrote to memory of 2652	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	36
PID 1868 wrote to memory of 2652	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	36
PID 1868 wrote to memory of 2528	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	37
PID 1868 wrote to memory of 2528	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	37
PID 1868 wrote to memory of 2528	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	37
PID 1868 wrote to memory of 2904	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	38
PID 1868 wrote to memory of 2904	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	38
PID 1868 wrote to memory of 2904	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	38
PID 1868 wrote to memory of 1876	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	39
PID 1868 wrote to memory of 1876	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	39
PID 1868 wrote to memory of 1876	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	39
PID 1868 wrote to memory of 1692	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	40
PID 1868 wrote to memory of 1692	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	40
PID 1868 wrote to memory of 1692	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	40
PID 1868 wrote to memory of 1460	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	41
PID 1868 wrote to memory of 1460	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	41
PID 1868 wrote to memory of 1460	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	41
PID 1868 wrote to memory of 2460	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	42
PID 1868 wrote to memory of 2460	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	42
PID 1868 wrote to memory of 2460	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	42
PID 1868 wrote to memory of 324	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	43
PID 1868 wrote to memory of 324	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	43
PID 1868 wrote to memory of 324	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	43
PID 1868 wrote to memory of 2380	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	44
PID 1868 wrote to memory of 2380	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	44
PID 1868 wrote to memory of 2380	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	44
PID 1868 wrote to memory of 1580	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	45
PID 1868 wrote to memory of 1580	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	45
PID 1868 wrote to memory of 1580	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	45
PID 1868 wrote to memory of 1448	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	46
PID 1868 wrote to memory of 1448	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	46
PID 1868 wrote to memory of 1448	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	46
PID 1868 wrote to memory of 1856	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	47
PID 1868 wrote to memory of 1856	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	47
PID 1868 wrote to memory of 1856	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	47
PID 1868 wrote to memory of 1028	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	48
PID 1868 wrote to memory of 1028	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	48
PID 1868 wrote to memory of 1028	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	48
PID 1868 wrote to memory of 1432	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	49
PID 1868 wrote to memory of 1432	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	49
PID 1868 wrote to memory of 1432	1868	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\System\OxIeEre.exe
  C:\Windows\System\OxIeEre.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\ykvmnWq.exe
  C:\Windows\System\ykvmnWq.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\mbvhqVD.exe
  C:\Windows\System\mbvhqVD.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\AwIunkD.exe
  C:\Windows\System\AwIunkD.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\UgowYkn.exe
  C:\Windows\System\UgowYkn.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\TPjnksV.exe
  C:\Windows\System\TPjnksV.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\eyJhdYO.exe
  C:\Windows\System\eyJhdYO.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\qXjfiFV.exe
  C:\Windows\System\qXjfiFV.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\rVkEMLS.exe
  C:\Windows\System\rVkEMLS.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\JecGwJq.exe
  C:\Windows\System\JecGwJq.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\XKIvUZo.exe
  C:\Windows\System\XKIvUZo.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\ZbiixIk.exe
  C:\Windows\System\ZbiixIk.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\kbRyijo.exe
  C:\Windows\System\kbRyijo.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\GJjfyDd.exe
  C:\Windows\System\GJjfyDd.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\xzGtGSt.exe
  C:\Windows\System\xzGtGSt.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\WrbIHQG.exe
  C:\Windows\System\WrbIHQG.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\fheEzaU.exe
  C:\Windows\System\fheEzaU.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\gkyPiiU.exe
  C:\Windows\System\gkyPiiU.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\CmoWDPs.exe
  C:\Windows\System\CmoWDPs.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\XfXCDje.exe
  C:\Windows\System\XfXCDje.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\yKDrFGo.exe
  C:\Windows\System\yKDrFGo.exe
  2⤵
  - Executes dropped EXE
  PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AwIunkD.exe

Filesize
5.2MB

MD5
204662c5aa2dfc9f8d4032d1e82dbfec

SHA1
9ba45e3243107f08692b2c33a3c38a53c50a2ef1

SHA256
1d105dcbb411701d7f8968722851add9ab65671da9d60c265900ca8c5242cdf4

SHA512
a49f11e378cae2540141eb2f4c61d7b8326c4b389ce6fe92d957d74672079f544a57a06507fe44f34bdab6beaf0caf4ea78ea3c546f4d212857a74d66b28f636

Download Submit
C:\Windows\system\CmoWDPs.exe

Filesize
5.2MB

MD5
910c78d2d56923170b20a2811cf51a37

SHA1
a41be74091273c616d2b1b1550ebf6bb1b30ee71

SHA256
bfd299bcfe65d17e2bfc99743627555f7691737f43991aaf54f300d5c92b4acc

SHA512
62790370601479d7e4f20f1615dd532447c3f52926bd482da9a2af7766d845bde0ce04dde26e716f2b39f40b0930aca4106246cb7337d3d012db431c498b8bb5

Download Submit
C:\Windows\system\GJjfyDd.exe

Filesize
5.2MB

MD5
cad72596e5650e1d00fe77503e1c65f4

SHA1
39469a5846140c16065fff015d6ec884cb35624d

SHA256
e501af565b31ab6a668b30dcc4765bbfe55de902a9d229c02743788cb12e5359

SHA512
9f6d867e1fa1d8bd8376111cc23684f749c9d94c8babd070400af4b5b0d105fa51b316d424eab72c4a89febf0e222af8ed4ca683fba8a657ca67369f13ff4ec2

Download Submit
C:\Windows\system\JecGwJq.exe

Filesize
5.2MB

MD5
3c49cd7bcdd16768a24dfae4f7a5833d

SHA1
86d2879342f67dbd7eb0100255024d8bd43786d7

SHA256
a82d4893db29286b7053c5c671cbfa9be19b1510db6851a9d3cac060877c4ab6

SHA512
f059468a6fdb1fc868b3333462be205348ab3f6cfe5ef1545c6f16f83814a664eb7ec6984f42077e36f05c12f79af4b081053a67dc11bf134c2e4003e98b2ff0

Download Submit
C:\Windows\system\UgowYkn.exe

Filesize
5.2MB

MD5
2e286be490a445e6db43cd86f10855dc

SHA1
c62cd19f67d6e7f86160e38a19bb4bb7f4598627

SHA256
805da2b2683bac9d987f2346079617ec3a40dd2845f15bea135df31525c3b04a

SHA512
ce1234ba4b2d75a288a2f572fbbb4bcdbc72b5cb86498a7930bf1cc412f18bfad9638c2b6f1e59261a58cbba9967f7a1c7e4e3084656fb89a67697c50753489c

Download Submit
C:\Windows\system\WrbIHQG.exe

Filesize
5.2MB

MD5
0c84d219721afda25605e12c6d81af34

SHA1
c11356823a169a52fe3a1e89b1b7431168800c6c

SHA256
5ff8e7067323fcfd4418b3fc6843acb8745b3dd3e9315461d1bc2a11e6337430

SHA512
42c614d0faef3ea652169481bd2156d13804bd30a66288a828b60cdd7d59659a0453538a7c819e9b61750e360404c672eeccf59c611faa617e994becc1828683

Download Submit
C:\Windows\system\XKIvUZo.exe

Filesize
5.2MB

MD5
77bfc1e4481b6cf220fdb38bbd67ae0e

SHA1
4b0c3671b56df5602addff255a007b35622cc6f2

SHA256
fdf843677932d203454bbf4f08a156eabcd541ca0445ba9a41467de28c75c03d

SHA512
dd5d2e123e162da7849288f2e19275e7ece0b7585c0fb750eb6ba07df2b8cd4b7d27b48c0e2a007d45539f0facc62d3eec800995787fece32545a3bdce2266c3

Download Submit
C:\Windows\system\ZbiixIk.exe

Filesize
5.2MB

MD5
83d01689a9f4f79be0b4263d036ba13a

SHA1
52d30ce1d8e8f02b6cf8631fdda92fd8d6b20e2d

SHA256
a8fb4ea1599a942aa8b6cfff77eeadc5e13acb5d6492d516f49ef9bc20accb5a

SHA512
4d44535ab7c61255c510326518368e7070f1d0d637f3f73e154caff49594913fa01c5ac2169e8bcf7c1498ebf52e3b33944574a6b1b9913c00ea3843c670e793

Download Submit
C:\Windows\system\eyJhdYO.exe

Filesize
5.2MB

MD5
c4dcc74edad33183e2b703a733eb73bb

SHA1
fb2b09ed9f657db57b38ab637a8f463c6bb82e49

SHA256
c925f9f45fefad55dcc4f902dce309532690f4c5066dbc075ce7a793d144a73b

SHA512
24e46615b623438d1a5ab557650bb0d5198b7f57e1e765f487ae6530c35b233fc13ff4be06ce9be7b938b8cc133964a91312b0c1ae503fc2ce42dd5e73799b6b

Download Submit
C:\Windows\system\fheEzaU.exe

Filesize
5.2MB

MD5
878f7a31887a0fb1cc41865046d47862

SHA1
e74e57e08c5bb82558be803b9f666cc20eaefc74

SHA256
8e76084df1514ab03b5b1c02914073d9e3d65c33016871d980ab46fbc9b0a3ef

SHA512
4b3b9d47f7b6dd2ab205cec895dbf9ea001a527305e2f8af5c85c71aef2694009a520739819cb63212ffd581a10dd9be209aa03bb94353f6c5e51f8f2b60e7ac

Download Submit
C:\Windows\system\gkyPiiU.exe

Filesize
5.2MB

MD5
53e534c8cbcecdec68b998f271c7c4a0

SHA1
767c4fa5973da9648bfa2fbc972103cdac64f7fa

SHA256
df6a6ea7173197d1b7137c1b228c08bbb41bed61d09330949909263b636c39a1

SHA512
1f1fa1078b553317a7c5ec1980ee057239eed24686894711533f33ef6f97b62874e3b54504f6658e36030702a8fdc93692583564bc0dadf3bb9607be8f44567d

Download Submit
C:\Windows\system\kbRyijo.exe

Filesize
5.2MB

MD5
abe9db469ce1d492831f9c26a8bc4498

SHA1
e4ccb533f3695929fb2013da8e54368daed41602

SHA256
b4ba906ccd1beec40b82472bc5bfb153741a6978c1fc516748d29883098231c9

SHA512
a074bc48359539c0856a858b1fa7a5b217274c8260ad6d814953649698c96b41ff65b046932ecf2192d6f03beff8cfd76b1184f092f8b30cd1dc26d826e0fb0f

Download Submit
C:\Windows\system\mbvhqVD.exe

Filesize
5.2MB

MD5
99f3e57e1fb3967997179473ae17d725

SHA1
096eec5a9cc59d98979a9c8329a8abf420131db6

SHA256
bc84112f9fd113f40e2932c28189e1709444b67bfd92976f0d188292206f6664

SHA512
98a4ba30ea352a025ac7110d14e246705b596f5a4563f032090e438616026e16205e46cb897a4ccbe7e398c1753584b1096cc8dca6156ffed8f25f32e8ff4e96

Download Submit
C:\Windows\system\qXjfiFV.exe

Filesize
5.2MB

MD5
a3b081fed06c96b2baccebe46430dc4b

SHA1
f28c9c6836e291ba9aa143c4076f0274fa37fec0

SHA256
6d7d1fe90388eb024b3cf631017967a0b64646b9d1c6afca16e48b54419dd5ab

SHA512
11d31779ebdb7649b3162d73edfe2bd09a85724ec477c7b2e24cdf03922ce77224ab3ba61d69d643dcbd2ac96de94c639ef7991f4b9ab19cee887dd8fa0a7e56

Download Submit
C:\Windows\system\rVkEMLS.exe

Filesize
5.2MB

MD5
82fc484f087584527ba152369ed6abb9

SHA1
90a3484cae7770c951104e8623846b72b8a5a215

SHA256
5719ee83992e71180453b77c6949c0b12a593dccfc5bfdbe780e8b1f700ce5fc

SHA512
24182f2c91f07ed4db52e88df601d6d60af7d3c4c880cb01dcc848320e9df16f591880e285e26e859d86f231bc072c507be8356888f10e409aa51db04b7afe80

Download Submit
C:\Windows\system\xzGtGSt.exe

Filesize
5.2MB

MD5
cbf08152c87077ad4628726cb6f2e8f5

SHA1
20d3f87220a473e7c05e77ef51b48d888a579c93

SHA256
df06969016c23f0726b960f24e164e5f5be2f7c1e16ba8016e34e8be3edce94c

SHA512
e659d42f092e0c4086b42f725a859c9a9b87cc39430f80ac209041ab3d6b21d0ad2ed675256304c39804563786f837abfcb86985aa14e124b283be051525b9c0

Download Submit
\Windows\system\OxIeEre.exe

Filesize
5.2MB

MD5
9fd53c1d3d2afd2c1556bd654be540f9

SHA1
24d57f87634cd604bd7f45fd0cce044a50a68b4d

SHA256
db3e02fca869ba89ef7e9c3df8da717fd1e71a610516f75d00cce6b7fb3f9d10

SHA512
b189df42fcda726b58a409e48f7f86196d5de66abbeb35cc54ec1ca77b3d528f5de07a9759eee769bb8d7258aa5deb1f4ec697c2e2ddd8d4b0386a659f035ce8

Download Submit
\Windows\system\TPjnksV.exe

Filesize
5.2MB

MD5
e18a5e143e7a25ed12053b315b93b2c8

SHA1
368743c6f5eaf7735c36e0afe9392c9ebc637e6a

SHA256
a04e3875ac1fe474dcb89c8f98732e3f77840f7fde5ad3c0694d30b312bfad60

SHA512
c6bff5b604b7b7dfcb9817ade0556b24375c4f312ada8e154e023af9b68a58ee5b34916c6aa73ae34552dbf9c7100982c0cdb6e29ca8984a7860fb69976c7fc8

Download Submit
\Windows\system\XfXCDje.exe

Filesize
5.2MB

MD5
0f2ddf9c836960db5951da656cefa354

SHA1
b9ef3b00494d75849498f386a6a5795e239f9005

SHA256
5f4b36d40bb8de23984d66ec2529ce98a56f304688f39346e4a5368374df390f

SHA512
25a4d26f8c52df4d48ccbb53579b5cfbcb84f57d0a4fe8282effea9f333fa94a759ae918a94f5778e5f535382c6571441501ac5f8d11f3c0070a79fa134bee55

Download Submit
\Windows\system\yKDrFGo.exe

Filesize
5.2MB

MD5
9cf878dcd77d5ebcb2db27ee99b3954f

SHA1
31d8d572b056ffad19ec02e7439adc9035bd796b

SHA256
54125f4b87d85903653ea3d5441a8a225a9ebb7c5e12ee9db28e7827a409118c

SHA512
8e34232dee9f85ff865c19e66eb390bb764b74c1566282ab4f33933f92227b1b1e16656caf195968614e5f6d3447ea2c20e54741af602b83e8c2db98a3bcbac9

Download Submit
\Windows\system\ykvmnWq.exe

Filesize
5.2MB

MD5
615109a05c8d9b924be02661d1d74d70

SHA1
60fbf361a4ceb8252cda364a023d57546b87a4dd

SHA256
2e3d13dc8721eddf4500429366528a1b347c18fea3a1c5508e3215196bd762d1

SHA512
864a5417fcda8a40096c3215ef56fe098017654a81060700a591a31942f0c07926b377d7f5976e159cbb08a70a0895b1f598f4d9c9d43aa1306597ebfb94b24b

Download Submit
memory/324-155-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1028-160-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/1432-161-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-158-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-153-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-249-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-93-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-157-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-62-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1592-215-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1592-7-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1692-86-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1692-247-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1692-151-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1856-159-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/1868-0-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-13-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1868-85-0x00000000024F0000-0x0000000002841000-memory.dmp

Filesize
3.3MB

Download
memory/1868-187-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-77-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-174-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-164-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-163-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-69-0x00000000024F0000-0x0000000002841000-memory.dmp

Filesize
3.3MB

Download
memory/1868-92-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1868-107-0x00000000024F0000-0x0000000002841000-memory.dmp

Filesize
3.3MB

Download
memory/1868-19-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/1868-162-0x00000000024F0000-0x0000000002841000-memory.dmp

Filesize
3.3MB

Download
memory/1868-48-0x00000000024F0000-0x0000000002841000-memory.dmp

Filesize
3.3MB

Download
memory/1868-56-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-38-0x00000000024F0000-0x0000000002841000-memory.dmp

Filesize
3.3MB

Download
memory/1868-34-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/1868-28-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/1868-139-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-100-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-150-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-235-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-78-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-156-0x000000013F040000-0x000000013F391000-memory.dmp

Filesize
3.3MB

Download
memory/2460-251-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-101-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-154-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-152-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2528-231-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2528-63-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2580-68-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2580-14-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2580-219-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2604-225-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2604-43-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2616-76-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2616-22-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2616-218-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2620-91-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2620-223-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2620-35-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2652-229-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2652-57-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2784-49-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-227-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-138-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-29-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2824-221-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2904-70-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2904-233-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2904-149-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download