cobaltstrike | 6b7f06541946df826c8019760f8c0aa6b7b4293f9d76d7e3e1884b2ee9f45fc9

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

78325fef59f4218f566f53dc512cb2ed
SHA1

0a0b278439d2bce24287c439f70b5544205c4677
SHA256

6b7f06541946df826c8019760f8c0aa6b7b4293f9d76d7e3e1884b2ee9f45fc9
SHA512

4994848b5288045a5fe4e2b7ff4772af12e77771e870d63247198e6e7d247e03ac1da3a279764979e97bdc584c0b4a76e7257c5fa3d6e0fe32116d14297f79fa
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU1:Q+856utgpPF8u/71

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000014aec-3.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014fe1-10.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000155d9-12.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155e2-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e41-33.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d41-68.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-58.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4a-72.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d84-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016e56-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017090-119.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186a0-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018698-130.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001868c-125.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001704f-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-81.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001560a-25.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015264-43.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015a2d-39.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014aec-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014fe1-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000155d9-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000155e2-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015e41-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d41-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4a-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d84-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016e56-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000017090-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00050000000186a0-133.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0005000000018698-130.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000500000001868c-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001704f-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d89-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4f-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001560a-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015264-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015a2d-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 63 IoCs

resource	yara_rule
behavioral1/memory/1300-0-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/files/0x000b000000014aec-3.dat	UPX
behavioral1/memory/1300-6-0x0000000002460000-0x00000000027B4000-memory.dmp	UPX
behavioral1/memory/2060-9-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/files/0x0009000000014fe1-10.dat	UPX
behavioral1/files/0x00080000000155d9-12.dat	UPX
behavioral1/files/0x00070000000155e2-21.dat	UPX
behavioral1/memory/2468-45-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
behavioral1/memory/2608-48-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/2584-50-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/memory/2564-53-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/files/0x0007000000015e41-33.dat	UPX
behavioral1/memory/1300-65-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d41-68.dat	UPX
behavioral1/memory/1808-69-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/files/0x0006000000016d36-58.dat	UPX
behavioral1/memory/2488-57-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
behavioral1/memory/2880-62-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2648-83-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4a-72.dat	UPX
behavioral1/files/0x0006000000016d84-95.dat	UPX
behavioral1/memory/1020-91-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/memory/580-99-0x000000013F4D0000-0x000000013F824000-memory.dmp	UPX
behavioral1/files/0x0006000000016e56-110.dat	UPX
behavioral1/files/0x0006000000017090-119.dat	UPX
behavioral1/files/0x00050000000186a0-133.dat	UPX
behavioral1/files/0x0005000000018698-130.dat	UPX
behavioral1/files/0x000500000001868c-125.dat	UPX
behavioral1/files/0x000600000001704f-115.dat	UPX
behavioral1/memory/2564-137-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/files/0x0006000000016d89-105.dat	UPX
behavioral1/files/0x0006000000016e56-108.dat	UPX
behavioral1/memory/2584-103-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/files/0x0006000000016d55-88.dat	UPX
behavioral1/memory/2660-97-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2428-77-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2060-76-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4f-81.dat	UPX
behavioral1/files/0x000700000001560a-25.dat	UPX
behavioral1/memory/2880-138-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/files/0x0009000000015264-43.dat	UPX
behavioral1/memory/2660-42-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/files/0x0007000000015a2d-39.dat	UPX
behavioral1/memory/2228-16-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/memory/1808-139-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/2428-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2648-142-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/1020-144-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/memory/580-146-0x000000013F4D0000-0x000000013F824000-memory.dmp	UPX
behavioral1/memory/2060-148-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/2228-149-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/memory/2468-150-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
behavioral1/memory/2660-152-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2608-151-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/2584-153-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/memory/2564-154-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2488-155-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
behavioral1/memory/2880-156-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/1808-157-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/2428-158-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2648-159-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/1020-160-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/memory/580-161-0x000000013F4D0000-0x000000013F824000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/1300-0-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/files/0x000b000000014aec-3.dat	xmrig
behavioral1/memory/1300-6-0x0000000002460000-0x00000000027B4000-memory.dmp	xmrig
behavioral1/memory/2060-9-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/files/0x0009000000014fe1-10.dat	xmrig
behavioral1/files/0x00080000000155d9-12.dat	xmrig
behavioral1/files/0x00070000000155e2-21.dat	xmrig
behavioral1/memory/2468-45-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/1300-46-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2608-48-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2584-50-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2564-53-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/files/0x0007000000015e41-33.dat	xmrig
behavioral1/memory/1300-65-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d41-68.dat	xmrig
behavioral1/memory/1808-69-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d36-58.dat	xmrig
behavioral1/memory/2488-57-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2880-62-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2648-83-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4a-72.dat	xmrig
behavioral1/files/0x0006000000016d84-95.dat	xmrig
behavioral1/memory/1020-91-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/580-99-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/files/0x0006000000016e56-110.dat	xmrig
behavioral1/files/0x0006000000017090-119.dat	xmrig
behavioral1/files/0x00050000000186a0-133.dat	xmrig
behavioral1/files/0x0005000000018698-130.dat	xmrig
behavioral1/files/0x000500000001868c-125.dat	xmrig
behavioral1/files/0x000600000001704f-115.dat	xmrig
behavioral1/memory/2564-137-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d89-105.dat	xmrig
behavioral1/files/0x0006000000016e56-108.dat	xmrig
behavioral1/memory/2584-103-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/1300-98-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d55-88.dat	xmrig
behavioral1/memory/2660-97-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2428-77-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2060-76-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4f-81.dat	xmrig
behavioral1/memory/1300-66-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/files/0x000700000001560a-25.dat	xmrig
behavioral1/memory/2880-138-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/1300-49-0x0000000002460000-0x00000000027B4000-memory.dmp	xmrig
behavioral1/files/0x0009000000015264-43.dat	xmrig
behavioral1/memory/2660-42-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/files/0x0007000000015a2d-39.dat	xmrig
behavioral1/memory/2228-16-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/1808-139-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2428-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2648-142-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/1020-144-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/580-146-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/2060-148-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2228-149-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/2468-150-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2660-152-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2608-151-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2584-153-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2564-154-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2488-155-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2880-156-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/1808-157-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2428-158-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2060	lOnuciX.exe
2228	YxdKAen.exe
2660	xVOuSOk.exe
2468	MhehzTw.exe
2608	zOlZawL.exe
2584	mrlvaYL.exe
2564	SyEqYRP.exe
2488	ZwYoIPD.exe
2880	kuSbUEo.exe
1808	jLkyLxu.exe
2428	HNIHZsc.exe
2648	KNOhyvI.exe
1020	AuDBTBk.exe
580	ekJMmbN.exe
1668	IuTcIyx.exe
1636	bKwlYlI.exe
2704	JWzMRDD.exe
2728	FAWzFlQ.exe
1972	PydQnIY.exe
2020	IufaNdo.exe
2256	slKMFPx.exe

Loads dropped DLL 21 IoCs

pid	Process
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1300-0-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/files/0x000b000000014aec-3.dat	upx
behavioral1/memory/1300-6-0x0000000002460000-0x00000000027B4000-memory.dmp	upx
behavioral1/memory/2060-9-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/files/0x0009000000014fe1-10.dat	upx
behavioral1/files/0x00080000000155d9-12.dat	upx
behavioral1/files/0x00070000000155e2-21.dat	upx
behavioral1/memory/2468-45-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2608-48-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/2584-50-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2564-53-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/files/0x0007000000015e41-33.dat	upx
behavioral1/memory/1300-65-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/files/0x0006000000016d41-68.dat	upx
behavioral1/memory/1808-69-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/files/0x0006000000016d36-58.dat	upx
behavioral1/memory/2488-57-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/2880-62-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2648-83-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/files/0x0006000000016d4a-72.dat	upx
behavioral1/files/0x0006000000016d84-95.dat	upx
behavioral1/memory/1020-91-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/580-99-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/files/0x0006000000016e56-110.dat	upx
behavioral1/files/0x0006000000017090-119.dat	upx
behavioral1/files/0x00050000000186a0-133.dat	upx
behavioral1/files/0x0005000000018698-130.dat	upx
behavioral1/files/0x000500000001868c-125.dat	upx
behavioral1/files/0x000600000001704f-115.dat	upx
behavioral1/memory/2564-137-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/files/0x0006000000016d89-105.dat	upx
behavioral1/files/0x0006000000016e56-108.dat	upx
behavioral1/memory/2584-103-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/files/0x0006000000016d55-88.dat	upx
behavioral1/memory/2660-97-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2428-77-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2060-76-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/files/0x0006000000016d4f-81.dat	upx
behavioral1/files/0x000700000001560a-25.dat	upx
behavioral1/memory/2880-138-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/files/0x0009000000015264-43.dat	upx
behavioral1/memory/2660-42-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/files/0x0007000000015a2d-39.dat	upx
behavioral1/memory/2228-16-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/1808-139-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2428-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2648-142-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/1020-144-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/580-146-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/2060-148-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2228-149-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/2468-150-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2660-152-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2608-151-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/2584-153-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2564-154-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2488-155-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/2880-156-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/1808-157-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2428-158-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2648-159-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/1020-160-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/580-161-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PydQnIY.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lOnuciX.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SyEqYRP.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kuSbUEo.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KNOhyvI.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ekJMmbN.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FAWzFlQ.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MhehzTw.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HNIHZsc.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IuTcIyx.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bKwlYlI.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xVOuSOk.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zOlZawL.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AuDBTBk.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JWzMRDD.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IufaNdo.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\slKMFPx.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YxdKAen.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZwYoIPD.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mrlvaYL.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jLkyLxu.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2060	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	29
PID 1300 wrote to memory of 2060	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	29
PID 1300 wrote to memory of 2060	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	29
PID 1300 wrote to memory of 2228	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	30
PID 1300 wrote to memory of 2228	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	30
PID 1300 wrote to memory of 2228	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	30
PID 1300 wrote to memory of 2660	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	31
PID 1300 wrote to memory of 2660	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	31
PID 1300 wrote to memory of 2660	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	31
PID 1300 wrote to memory of 2468	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	32
PID 1300 wrote to memory of 2468	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	32
PID 1300 wrote to memory of 2468	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	32
PID 1300 wrote to memory of 2564	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	33
PID 1300 wrote to memory of 2564	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	33
PID 1300 wrote to memory of 2564	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	33
PID 1300 wrote to memory of 2608	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	34
PID 1300 wrote to memory of 2608	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	34
PID 1300 wrote to memory of 2608	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	34
PID 1300 wrote to memory of 2488	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	35
PID 1300 wrote to memory of 2488	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	35
PID 1300 wrote to memory of 2488	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	35
PID 1300 wrote to memory of 2584	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	36
PID 1300 wrote to memory of 2584	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	36
PID 1300 wrote to memory of 2584	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	36
PID 1300 wrote to memory of 2880	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	37
PID 1300 wrote to memory of 2880	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	37
PID 1300 wrote to memory of 2880	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	37
PID 1300 wrote to memory of 1808	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	38
PID 1300 wrote to memory of 1808	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	38
PID 1300 wrote to memory of 1808	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	38
PID 1300 wrote to memory of 2428	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	39
PID 1300 wrote to memory of 2428	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	39
PID 1300 wrote to memory of 2428	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	39
PID 1300 wrote to memory of 2648	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	40
PID 1300 wrote to memory of 2648	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	40
PID 1300 wrote to memory of 2648	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	40
PID 1300 wrote to memory of 1020	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	41
PID 1300 wrote to memory of 1020	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	41
PID 1300 wrote to memory of 1020	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	41
PID 1300 wrote to memory of 580	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	42
PID 1300 wrote to memory of 580	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	42
PID 1300 wrote to memory of 580	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	42
PID 1300 wrote to memory of 1668	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	43
PID 1300 wrote to memory of 1668	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	43
PID 1300 wrote to memory of 1668	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	43
PID 1300 wrote to memory of 1636	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	44
PID 1300 wrote to memory of 1636	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	44
PID 1300 wrote to memory of 1636	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	44
PID 1300 wrote to memory of 2704	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	45
PID 1300 wrote to memory of 2704	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	45
PID 1300 wrote to memory of 2704	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	45
PID 1300 wrote to memory of 2728	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	46
PID 1300 wrote to memory of 2728	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	46
PID 1300 wrote to memory of 2728	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	46
PID 1300 wrote to memory of 1972	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	47
PID 1300 wrote to memory of 1972	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	47
PID 1300 wrote to memory of 1972	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	47
PID 1300 wrote to memory of 2020	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	48
PID 1300 wrote to memory of 2020	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	48
PID 1300 wrote to memory of 2020	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	48
PID 1300 wrote to memory of 2256	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	49
PID 1300 wrote to memory of 2256	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	49
PID 1300 wrote to memory of 2256	1300	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\System\lOnuciX.exe
  C:\Windows\System\lOnuciX.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\YxdKAen.exe
  C:\Windows\System\YxdKAen.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\xVOuSOk.exe
  C:\Windows\System\xVOuSOk.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\MhehzTw.exe
  C:\Windows\System\MhehzTw.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\SyEqYRP.exe
  C:\Windows\System\SyEqYRP.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\zOlZawL.exe
  C:\Windows\System\zOlZawL.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\ZwYoIPD.exe
  C:\Windows\System\ZwYoIPD.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\mrlvaYL.exe
  C:\Windows\System\mrlvaYL.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\kuSbUEo.exe
  C:\Windows\System\kuSbUEo.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\jLkyLxu.exe
  C:\Windows\System\jLkyLxu.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\HNIHZsc.exe
  C:\Windows\System\HNIHZsc.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\KNOhyvI.exe
  C:\Windows\System\KNOhyvI.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\AuDBTBk.exe
  C:\Windows\System\AuDBTBk.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\ekJMmbN.exe
  C:\Windows\System\ekJMmbN.exe
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\System\IuTcIyx.exe
  C:\Windows\System\IuTcIyx.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\bKwlYlI.exe
  C:\Windows\System\bKwlYlI.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\JWzMRDD.exe
  C:\Windows\System\JWzMRDD.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\FAWzFlQ.exe
  C:\Windows\System\FAWzFlQ.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\PydQnIY.exe
  C:\Windows\System\PydQnIY.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\IufaNdo.exe
  C:\Windows\System\IufaNdo.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\slKMFPx.exe
  C:\Windows\System\slKMFPx.exe
  2⤵
  - Executes dropped EXE
  PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AuDBTBk.exe

Filesize
5.9MB

MD5
6e52542bbc2ca59d120c0817a021a72b

SHA1
93e3c8b93e91bd2284e9cfc431ebde438af916d5

SHA256
bffb89142db317f3849b6617eb9ead94157719c839ef56422785c59744992362

SHA512
496c90ed393798a794ad3f432503214c82a7f32b83eb00232218217b38951b267de6ba3be95b0bbac3f670a39639a077325aa2c5c7c5c28cc1cac73fef4df9c8

Download Submit
C:\Windows\system\FAWzFlQ.exe

Filesize
5.9MB

MD5
bef1cae52eb98b2cb45b0c4ee534b7d4

SHA1
f85bddfa981a3cd088836c5d917895a286b6d031

SHA256
06fbb5b599e1ba56b9c8fbf40be7be409f225cf3f608115d23d03efc1ec03104

SHA512
08409363f8023d4fc3ca8b634c9dbfe8df93f62ea787e02ad3ebd862cc6e686bca59515461ca04efc1b62ab306c7ab3db414e1ba52725f3150420a87a4f35141

Download Submit
C:\Windows\system\IuTcIyx.exe

Filesize
5.9MB

MD5
569d836c83d05348f5c2b920c804ffe7

SHA1
6bde0951fd7c870b403d0e47e2b52ca38e0aebde

SHA256
9db69dff65c664ec9dcee5a555bf6b68f896b704bc303d9f060d4396826e6459

SHA512
467efa818d0f2a907b2503281a3434f8c713adfbfdec9390e745d99f176f436add73150874446b019ccc383c7ad81c5382cd85407553f3f24806326532fb73bf

Download Submit
C:\Windows\system\IufaNdo.exe

Filesize
5.9MB

MD5
7ef0dd8f24760335249023765652d715

SHA1
3413b599e075108a958a47f8ce156d2287c6742b

SHA256
45fe0701553acad485d9dc02549539987213aba984dda22a2536fa32d59ba96b

SHA512
9257c3bbaccc7b3979c75b26f2949f8eab878835893221d6db27b31f2c8011143753375879d8980dee348011d94c2e918e58836b428ee946c69801e1da3c34ae

Download Submit
C:\Windows\system\JWzMRDD.exe

Filesize
5.9MB

MD5
aefcf82f64cf3d173fe0cba0be3f9042

SHA1
3d31c45b2badeb5d6ee2f5f77063a4e856c85345

SHA256
de69a9acbbbb5e76546e3b4dbf9b3258d9499ce081b8013cf174efe94697ee16

SHA512
97d42966ddfad5644eca1e7fff7012330430f4d730ab6ce49f9c268fbe0b123ca5fb8605ceb97dbdef0599b31e020a1dd1a11140b40986197c6058f888a07851

Download Submit
C:\Windows\system\KNOhyvI.exe

Filesize
5.9MB

MD5
2e7207ee00bdc1a36f83d15e3a07df8e

SHA1
281a725db807557fa70d551a0eddcbe1ae844149

SHA256
a70db7656d4fdf7ce50282413d8bc3d6095459a6a03c8a7b206a6e46ebe4bea7

SHA512
9639d52e5a8e4588af32cc0386387b8aacae8c353369710ad5364986b044409d70bf1212621133fac0b62e1d60e43899d66f8c858f7a941d8976698e074253b6

Download Submit
C:\Windows\system\PydQnIY.exe

Filesize
5.9MB

MD5
e4c52a3807f40d4d13f29b1b3e2daebf

SHA1
a4475181e8777d864c4626d6e16887c0d6e962ad

SHA256
db1c939d1a06425a79197eb1b2753d53c65068a97118d299324a678ffc36e0c0

SHA512
1a2e75f6e06bd9764695d89f02b7460a156ad10d11cd8f2dd1aaa4aa2f7c05c43c2a5249f3f3f1779f384aec0e136a028135f2c4142dca9bb2ec1a547f0efe7e

Download Submit
C:\Windows\system\bKwlYlI.exe

Filesize
5.9MB

MD5
b883beed8c0b13ce29e2cae65988dfc7

SHA1
5eb31dac6448d83c67e3034bdb60c1e8c05ad298

SHA256
d46526b07c0345c35b9a13362c61e0be26cdbe2c046e3dd3084db759de60dd07

SHA512
7bbfd5a6253312969234eb5fc688ca9a7bbf880a7e97592fda8ae1c2753af4201cf3b2d5619b087e645cc2671a3b144a7c66e832a8c06710fbb07084b1c916bc

Download Submit
C:\Windows\system\ekJMmbN.exe

Filesize
5.9MB

MD5
704b6760809dedb0094753069eae3457

SHA1
022dc577e4a7a7dd2c40048571cdfd678c37c576

SHA256
584f990f225e6baa3660c539c471a70bc068238c771367ce7f428292e1ccaea8

SHA512
c71163ef7fe8d01e3a79756b31d6537ec8a6e5f8d46c81be4d484b8854104b76696b77ce2b03e39ce8f2e0e8e8b2dc4f2ab954eac6fc49e142522438bdd201f4

Download Submit
C:\Windows\system\jLkyLxu.exe

Filesize
5.9MB

MD5
e9c7cd48123ec2b9582540431656ee94

SHA1
33edb689261491b129f704623c487e38ee2e0d1f

SHA256
e989efdf26b86ed6d5406e7d52fc9b6aa9d24ac034ca031c9797bda26027e688

SHA512
e95a9ce5ed770bf52f2f4a9538609a1546e8d4d126f19582ceb95784e164ea335db9bcf183f744fe457867f510d983bdf635bb226e2cbf4543c3b4dcef632a79

Download Submit
C:\Windows\system\mrlvaYL.exe

Filesize
5.9MB

MD5
d050514c2861e766c839ee0384795ad5

SHA1
23a17ad29740b9f001048377b1407f18e93fb8d2

SHA256
1d19ae73ba6700b676e365c0d6923fd84f7471982551e95f8c5f63ada511b49c

SHA512
f1799bbfcecb235f881c2dc442a514ca1859977169116492bb740abccb6d5a06e25e20e93564db6969f600b82d712f8409be087b7147761a765d039164539763

Download Submit
C:\Windows\system\xVOuSOk.exe

Filesize
5.9MB

MD5
ef35f85dc26796ccdff194e0ee9391bd

SHA1
9abce7d974888250f5ba9e2785e50b1e1fc80e7d

SHA256
4ac7134fdde6fb929671da0137d96467b0c27e0746af8c933790b37e465df977

SHA512
60e73f45ddfcb8cb3966a3f3fe5ffc090d7ad396f0f3941f0bc07a0bc0ef29d9c134a8df1fdc359c0915130ab8bf52e88f00756333ddfdfc4cea78b9ac584c66

Download Submit
C:\Windows\system\zOlZawL.exe

Filesize
5.9MB

MD5
0527ea1d2e6ef72169680f72796acc88

SHA1
9941a7efeeb3bf55f7034cb0136d3db7f7a46fca

SHA256
0792a5aa487a4357c157a08b31745f9678bd0bf92ce4d25eba3ecec0260abddd

SHA512
93393232fc25d78cb630037ca81e376f6120b60e57197055b4f082557928e4c688fc9ad4acb1f5ae4cece1cc64c04a27135c3a1554fc0f4bb9d72895e84c5c24

Download Submit
\Windows\system\HNIHZsc.exe

Filesize
5.9MB

MD5
5a0bf1077dd8326a0b08f437ac4fa523

SHA1
6a09907b97282b8697d0556b0c1dc0907537fa25

SHA256
1394d284a79fe8c22e36c3b28137563330515a2059dd8b221f81747bd372040e

SHA512
1f99c402cd5bc9b3a12335064a26b981c1e5a2fdde9a584103cbf432f8b1b853164854464d25ea7d34365325344897ee3f5962df0d680b2a465076305f730441

Download Submit
\Windows\system\MhehzTw.exe

Filesize
5.9MB

MD5
935d72d788b0b559f30741f539a41a2b

SHA1
d657cffcf4bbca8b52d1541be5cec9ab8dfa8422

SHA256
8149dda5796a879d61d1ae98e0539ac74b2eca16576c168509e859da7b82e9bc

SHA512
79be5c9f033647069d5e49b445134dc794f925ffd309fc128249980e79b6a651d8b74cafc87665a09613039edf084d43f2066fe5f651b742334c3f55f1c3c4f6

Download Submit
\Windows\system\SyEqYRP.exe

Filesize
5.9MB

MD5
8bda2bd386039552663102de254e6943

SHA1
884b028de26ab1b938cefe6f4816ea233b7d3411

SHA256
1fc32bc3adf0d6c5ea0f3b6616d423ee1e66f0564bf0ba1b6cbb912fa1485e3a

SHA512
57d8f71c56b5a91d74ae84dea1b2d88f3b9700befc677dded7d3e171d87bbaa65441196d8d2054ac2581cc0700898dda9b1a7b00f9a6d4c0f395741c32a1c3c6

Download Submit
\Windows\system\YxdKAen.exe

Filesize
5.9MB

MD5
d95db8c82c51df83ee93d674031602c7

SHA1
5d892c87e24f6e6e23f47894f4c47c975c427df7

SHA256
aa43c05b254832f8adcff9c063643b5cc3333f6052745adbb7ccc9c1535b7adb

SHA512
54ecbfb2d1e5ff0f1f41b6f9d12017c88a4a238168587d283ab755ce75db1256bec467f68b372ee542040d401a2855cfb9d3512eeb8c880cd0fb43d9fb6af0e5

Download Submit
\Windows\system\ZwYoIPD.exe

Filesize
5.9MB

MD5
c71bd990619af2a03cb35da3a358b30c

SHA1
d464178b73d5663e919056a62d8bd09c04eb1b7c

SHA256
ed1466038a1e7121977c3aa24871f23dbe8cf8d9a791f50435705deb099cfc4e

SHA512
2cacbdfdc0e9214b5e31323ed5b36dbe9a98b1401a223a2a2b3aac82f25786dd9d650e856335d37b0425b38c5382c09232c5cecbcb488c9407a4bef30b73f44d

Download Submit
\Windows\system\bKwlYlI.exe

Filesize
5.5MB

MD5
992e15ebc2245cf970acce9948576d6c

SHA1
3322f50d4aebf915abc8a5277cd07a23adf5f127

SHA256
34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5

SHA512
2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

Download Submit
\Windows\system\kuSbUEo.exe

Filesize
5.9MB

MD5
63ffafb5006689b4f925315a64782d35

SHA1
fadd7b307d588082527c8296d71047208a848ba2

SHA256
bf799659ace4bf717ff34ce14ccb2a09c48747aabe0fe0f94281f92797a366c8

SHA512
8fe407359ea0b166deeb2726892bf80f196fa5764a73e32d89319484e25dc907e3e3c866c06fd5f1db9bee89fa0b979cb0068c3fa42fa8131347a60b60f50064

Download Submit
\Windows\system\lOnuciX.exe

Filesize
5.9MB

MD5
fd377addd732f0c19d74a3daabde1e4c

SHA1
a4f6fd84d2f396893280bef5259f8742a4f0427f

SHA256
f3b4fc34aa9faf53f7cb0859857c1acc78f7558f537b3df38553cbc2f2039dcf

SHA512
aa64fd9361d7cde5d39fb578cabd94a53d666cde9d89bdde4a68751b25115df18d6ff75eb8437632c7c7ea90b15007edf77a3088b7bc2d307fc5641fb59ec6e1

Download Submit
\Windows\system\slKMFPx.exe

Filesize
5.9MB

MD5
fdc4a8d5c6cada9a3c766b8d55397354

SHA1
ebbcc40ef91b050b20785ea506ef7656e1dc2742

SHA256
dda2579ee41e49d04de4a354e601358fe4ca477cc43ea2c0f883e58dadc831ca

SHA512
47d84be863996376432178e7c51949bf9be0bea0d7d55b4311d72a31c529eb2c41031fb04f0666acb0d1d96e07269d2c314f779e1f65b0669b56709c7468cf37

Download Submit
memory/580-99-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/580-146-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/580-161-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/1020-160-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/1020-91-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/1020-144-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-46-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-141-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-143-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-0-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-65-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-145-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/1300-147-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-44-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1300-104-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-15-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-98-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/1300-90-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-6-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-47-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-49-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-20-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-82-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1300-66-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1808-69-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1808-157-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1808-139-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2060-9-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2060-76-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2060-148-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2228-149-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2228-16-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2428-77-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2428-158-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2428-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-45-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2468-150-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2488-155-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2488-57-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-53-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2564-154-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2564-137-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2584-103-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2584-153-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2584-50-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2608-151-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2608-48-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2648-83-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-142-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-159-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-152-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2660-42-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2660-97-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2880-62-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2880-156-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2880-138-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download