cobaltstrike | 5a8e6aa5b19df2c32cb52d99296ba56392cf999865ac86aee7131882713f07cc

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

1f4307c0d945b94fedcef9b2e82c5f5e
SHA1

1344bc8a1034956c1b63e22e1e525667c4d24d9f
SHA256

5a8e6aa5b19df2c32cb52d99296ba56392cf999865ac86aee7131882713f07cc
SHA512

f403f0a51ef811e1981b72b048db528b5c2a0f56a4578b7c787126ca5b996dcba012eb204e6e5a950777ccfa8d8bba03e38b535f54f272cca7fa2e66d31f40b0
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUA:Q+856utgpPF8u/7A

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012289-3.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000015cdf-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d12-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d3b-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d53-39.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d73-44.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016835-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c6f-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cc1-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ceb-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d2a-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d43-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4b-133.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3b-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d32-120.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d17-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c78-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c52-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016a8a-67.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d83-53.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000015ce8-34.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012289-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0033000000015cdf-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d12-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d3b-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d53-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d73-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016835-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c6f-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cc1-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ceb-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d2a-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d43-130.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4b-133.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3b-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d32-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d17-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c78-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c52-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016a8a-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015d83-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0033000000015ce8-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2556-0-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/files/0x000a000000012289-3.dat	UPX
behavioral1/memory/2356-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/files/0x0033000000015cdf-9.dat	UPX
behavioral1/memory/2556-12-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/memory/2604-14-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/files/0x0008000000015d12-11.dat	UPX
behavioral1/memory/2696-21-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d3b-26.dat	UPX
behavioral1/files/0x0007000000015d53-39.dat	UPX
behavioral1/memory/2588-42-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	UPX
behavioral1/memory/2492-55-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d73-44.dat	UPX
behavioral1/files/0x0007000000016835-59.dat	UPX
behavioral1/files/0x0006000000016c6f-81.dat	UPX
behavioral1/files/0x0006000000016cc1-97.dat	UPX
behavioral1/files/0x0006000000016ceb-104.dat	UPX
behavioral1/files/0x0006000000016d2a-115.dat	UPX
behavioral1/files/0x0006000000016d43-130.dat	UPX
behavioral1/files/0x0006000000016d4b-133.dat	UPX
behavioral1/files/0x0006000000016d3b-125.dat	UPX
behavioral1/files/0x0006000000016d32-120.dat	UPX
behavioral1/files/0x0006000000016d17-110.dat	UPX
behavioral1/memory/2588-137-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	UPX
behavioral1/memory/1232-100-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/memory/1908-93-0x000000013F920000-0x000000013FC74000-memory.dmp	UPX
behavioral1/files/0x0006000000016c78-90.dat	UPX
behavioral1/memory/2776-86-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/2600-84-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2696-83-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/memory/1544-77-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2604-75-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/files/0x0006000000016c52-73.dat	UPX
behavioral1/memory/1880-69-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/files/0x0006000000016a8a-67.dat	UPX
behavioral1/memory/2648-63-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/memory/2356-62-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2556-47-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2376-56-0x000000013F770000-0x000000013FAC4000-memory.dmp	UPX
behavioral1/files/0x0009000000015d83-53.dat	UPX
behavioral1/memory/2636-36-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/files/0x0033000000015ce8-34.dat	UPX
behavioral1/memory/2600-32-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2376-138-0x000000013F770000-0x000000013FAC4000-memory.dmp	UPX
behavioral1/memory/2648-139-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/memory/1880-140-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/memory/1544-142-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2776-144-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/1908-145-0x000000013F920000-0x000000013FC74000-memory.dmp	UPX
behavioral1/memory/1232-147-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/memory/2356-149-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2604-150-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/memory/2696-151-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/memory/2600-152-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2636-153-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2588-154-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	UPX
behavioral1/memory/2492-155-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/2376-156-0x000000013F770000-0x000000013FAC4000-memory.dmp	UPX
behavioral1/memory/2648-157-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/memory/1880-158-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/memory/1544-159-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2776-160-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/1908-161-0x000000013F920000-0x000000013FC74000-memory.dmp	UPX
behavioral1/memory/1232-162-0x000000013F310000-0x000000013F664000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2556-0-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/files/0x000a000000012289-3.dat	xmrig
behavioral1/memory/2356-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/files/0x0033000000015cdf-9.dat	xmrig
behavioral1/memory/2556-12-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/2604-14-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d12-11.dat	xmrig
behavioral1/memory/2696-21-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d3b-26.dat	xmrig
behavioral1/files/0x0007000000015d53-39.dat	xmrig
behavioral1/memory/2588-42-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	xmrig
behavioral1/memory/2492-55-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d73-44.dat	xmrig
behavioral1/files/0x0007000000016835-59.dat	xmrig
behavioral1/files/0x0006000000016c6f-81.dat	xmrig
behavioral1/files/0x0006000000016cc1-97.dat	xmrig
behavioral1/files/0x0006000000016ceb-104.dat	xmrig
behavioral1/files/0x0006000000016d2a-115.dat	xmrig
behavioral1/files/0x0006000000016d43-130.dat	xmrig
behavioral1/files/0x0006000000016d4b-133.dat	xmrig
behavioral1/files/0x0006000000016d3b-125.dat	xmrig
behavioral1/files/0x0006000000016d32-120.dat	xmrig
behavioral1/files/0x0006000000016d17-110.dat	xmrig
behavioral1/memory/2588-137-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	xmrig
behavioral1/memory/1232-100-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/1908-93-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c78-90.dat	xmrig
behavioral1/memory/2776-86-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2600-84-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2696-83-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/1544-77-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2556-76-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2604-75-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c52-73.dat	xmrig
behavioral1/memory/1880-69-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/files/0x0006000000016a8a-67.dat	xmrig
behavioral1/memory/2648-63-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2356-62-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2556-47-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2376-56-0x000000013F770000-0x000000013FAC4000-memory.dmp	xmrig
behavioral1/files/0x0009000000015d83-53.dat	xmrig
behavioral1/memory/2636-36-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/files/0x0033000000015ce8-34.dat	xmrig
behavioral1/memory/2556-33-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2600-32-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2376-138-0x000000013F770000-0x000000013FAC4000-memory.dmp	xmrig
behavioral1/memory/2648-139-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/1880-140-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/2556-141-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/1544-142-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2776-144-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/1908-145-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/1232-147-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2556-148-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2356-149-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2604-150-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/2696-151-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/2600-152-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2636-153-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2588-154-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	xmrig
behavioral1/memory/2492-155-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/2376-156-0x000000013F770000-0x000000013FAC4000-memory.dmp	xmrig
behavioral1/memory/2648-157-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/1880-158-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2356	xHuRZVG.exe
2604	MtIoWrp.exe
2696	hZPLrMQ.exe
2600	lwNdiZx.exe
2636	WyLoawo.exe
2588	wAsuwsN.exe
2492	RlUnUxX.exe
2376	SqJphCS.exe
2648	lokocvv.exe
1880	WWjewwM.exe
1544	HgzcmVK.exe
2776	iphUnIh.exe
1908	EVzhCMB.exe
1232	gXVeenH.exe
316	KcGbBhl.exe
1944	xsuqwWC.exe
1628	xYuuBGk.exe
1616	SJtcRYY.exe
2364	zXmUnzj.exe
1452	fkjErld.exe
1348	kdkkxFW.exe

Loads dropped DLL 21 IoCs

pid	Process
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2556-0-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/files/0x000a000000012289-3.dat	upx
behavioral1/memory/2356-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/files/0x0033000000015cdf-9.dat	upx
behavioral1/memory/2556-12-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2604-14-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/files/0x0008000000015d12-11.dat	upx
behavioral1/memory/2696-21-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/files/0x0007000000015d3b-26.dat	upx
behavioral1/files/0x0007000000015d53-39.dat	upx
behavioral1/memory/2588-42-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/memory/2492-55-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/files/0x0007000000015d73-44.dat	upx
behavioral1/files/0x0007000000016835-59.dat	upx
behavioral1/files/0x0006000000016c6f-81.dat	upx
behavioral1/files/0x0006000000016cc1-97.dat	upx
behavioral1/files/0x0006000000016ceb-104.dat	upx
behavioral1/files/0x0006000000016d2a-115.dat	upx
behavioral1/files/0x0006000000016d43-130.dat	upx
behavioral1/files/0x0006000000016d4b-133.dat	upx
behavioral1/files/0x0006000000016d3b-125.dat	upx
behavioral1/files/0x0006000000016d32-120.dat	upx
behavioral1/files/0x0006000000016d17-110.dat	upx
behavioral1/memory/2588-137-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/memory/1232-100-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/1908-93-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/files/0x0006000000016c78-90.dat	upx
behavioral1/memory/2776-86-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2600-84-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2696-83-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/1544-77-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2604-75-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/files/0x0006000000016c52-73.dat	upx
behavioral1/memory/1880-69-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/files/0x0006000000016a8a-67.dat	upx
behavioral1/memory/2648-63-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2356-62-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2556-47-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2376-56-0x000000013F770000-0x000000013FAC4000-memory.dmp	upx
behavioral1/files/0x0009000000015d83-53.dat	upx
behavioral1/memory/2636-36-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/files/0x0033000000015ce8-34.dat	upx
behavioral1/memory/2600-32-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2376-138-0x000000013F770000-0x000000013FAC4000-memory.dmp	upx
behavioral1/memory/2648-139-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/1880-140-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/1544-142-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2776-144-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/1908-145-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/1232-147-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/2356-149-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2604-150-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2696-151-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/2600-152-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2636-153-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2588-154-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/memory/2492-155-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/2376-156-0x000000013F770000-0x000000013FAC4000-memory.dmp	upx
behavioral1/memory/2648-157-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/1880-158-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/1544-159-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2776-160-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/1908-161-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/1232-162-0x000000013F310000-0x000000013F664000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lwNdiZx.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SqJphCS.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xsuqwWC.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xYuuBGk.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hZPLrMQ.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HgzcmVK.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gXVeenH.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KcGbBhl.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kdkkxFW.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wAsuwsN.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iphUnIh.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EVzhCMB.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SJtcRYY.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fkjErld.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xHuRZVG.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WyLoawo.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RlUnUxX.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lokocvv.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WWjewwM.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zXmUnzj.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MtIoWrp.exe	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2356	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	29
PID 2556 wrote to memory of 2356	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	29
PID 2556 wrote to memory of 2356	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	29
PID 2556 wrote to memory of 2604	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	30
PID 2556 wrote to memory of 2604	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	30
PID 2556 wrote to memory of 2604	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	30
PID 2556 wrote to memory of 2696	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	31
PID 2556 wrote to memory of 2696	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	31
PID 2556 wrote to memory of 2696	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	31
PID 2556 wrote to memory of 2600	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	32
PID 2556 wrote to memory of 2600	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	32
PID 2556 wrote to memory of 2600	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	32
PID 2556 wrote to memory of 2636	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	33
PID 2556 wrote to memory of 2636	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	33
PID 2556 wrote to memory of 2636	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	33
PID 2556 wrote to memory of 2588	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	34
PID 2556 wrote to memory of 2588	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	34
PID 2556 wrote to memory of 2588	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	34
PID 2556 wrote to memory of 2492	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	35
PID 2556 wrote to memory of 2492	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	35
PID 2556 wrote to memory of 2492	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	35
PID 2556 wrote to memory of 2376	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	36
PID 2556 wrote to memory of 2376	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	36
PID 2556 wrote to memory of 2376	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	36
PID 2556 wrote to memory of 2648	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	37
PID 2556 wrote to memory of 2648	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	37
PID 2556 wrote to memory of 2648	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	37
PID 2556 wrote to memory of 1880	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	38
PID 2556 wrote to memory of 1880	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	38
PID 2556 wrote to memory of 1880	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	38
PID 2556 wrote to memory of 1544	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	39
PID 2556 wrote to memory of 1544	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	39
PID 2556 wrote to memory of 1544	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	39
PID 2556 wrote to memory of 2776	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	40
PID 2556 wrote to memory of 2776	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	40
PID 2556 wrote to memory of 2776	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	40
PID 2556 wrote to memory of 1908	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	41
PID 2556 wrote to memory of 1908	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	41
PID 2556 wrote to memory of 1908	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	41
PID 2556 wrote to memory of 1232	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	42
PID 2556 wrote to memory of 1232	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	42
PID 2556 wrote to memory of 1232	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	42
PID 2556 wrote to memory of 316	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	43
PID 2556 wrote to memory of 316	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	43
PID 2556 wrote to memory of 316	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	43
PID 2556 wrote to memory of 1944	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	44
PID 2556 wrote to memory of 1944	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	44
PID 2556 wrote to memory of 1944	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	44
PID 2556 wrote to memory of 1628	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	45
PID 2556 wrote to memory of 1628	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	45
PID 2556 wrote to memory of 1628	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	45
PID 2556 wrote to memory of 1616	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	46
PID 2556 wrote to memory of 1616	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	46
PID 2556 wrote to memory of 1616	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	46
PID 2556 wrote to memory of 2364	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	47
PID 2556 wrote to memory of 2364	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	47
PID 2556 wrote to memory of 2364	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	47
PID 2556 wrote to memory of 1452	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	48
PID 2556 wrote to memory of 1452	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	48
PID 2556 wrote to memory of 1452	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	48
PID 2556 wrote to memory of 1348	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	49
PID 2556 wrote to memory of 1348	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	49
PID 2556 wrote to memory of 1348	2556	2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_1f4307c0d945b94fedcef9b2e82c5f5e_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\System\xHuRZVG.exe
  C:\Windows\System\xHuRZVG.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\MtIoWrp.exe
  C:\Windows\System\MtIoWrp.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\hZPLrMQ.exe
  C:\Windows\System\hZPLrMQ.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\lwNdiZx.exe
  C:\Windows\System\lwNdiZx.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\WyLoawo.exe
  C:\Windows\System\WyLoawo.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\wAsuwsN.exe
  C:\Windows\System\wAsuwsN.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\RlUnUxX.exe
  C:\Windows\System\RlUnUxX.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\SqJphCS.exe
  C:\Windows\System\SqJphCS.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\lokocvv.exe
  C:\Windows\System\lokocvv.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\WWjewwM.exe
  C:\Windows\System\WWjewwM.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\HgzcmVK.exe
  C:\Windows\System\HgzcmVK.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\iphUnIh.exe
  C:\Windows\System\iphUnIh.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\EVzhCMB.exe
  C:\Windows\System\EVzhCMB.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\gXVeenH.exe
  C:\Windows\System\gXVeenH.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\KcGbBhl.exe
  C:\Windows\System\KcGbBhl.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\xsuqwWC.exe
  C:\Windows\System\xsuqwWC.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\xYuuBGk.exe
  C:\Windows\System\xYuuBGk.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\SJtcRYY.exe
  C:\Windows\System\SJtcRYY.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\zXmUnzj.exe
  C:\Windows\System\zXmUnzj.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\fkjErld.exe
  C:\Windows\System\fkjErld.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\kdkkxFW.exe
  C:\Windows\System\kdkkxFW.exe
  2⤵
  - Executes dropped EXE
  PID:1348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EVzhCMB.exe

Filesize
5.9MB

MD5
06ef8f3c5a028c405a68c9e66156ba3d

SHA1
e2d3828654b8eed82ef8b3065ea2dae575549280

SHA256
e403d49abba19d52b65b68de24e96e1cef825f3b9bac20dd5599b1c6a9a8c942

SHA512
73dbcd945d6a6ebde9fb720050f4604ef8014868645ca2ed76cd12004d2cc47891ffe58a639804c09cd0b26c044549469df9e3dc6b3a14232beaf116836aefd1

Download Submit
C:\Windows\system\HgzcmVK.exe

Filesize
5.9MB

MD5
58148a2e07a536a6f4c426afa1dbc8cf

SHA1
c00c81f46dd10c2de81548473f7e99e4601279d5

SHA256
46d238168cb865518d2f5c77f82d4ff5e83075c7ebfc9daa2ad45648d86e2504

SHA512
e95e2ade8d6387c66cd8f96d23dac73028403ff6c4026a8ae1ee1d7b70c0a67969d356ebff189afb3dc336277c99c44bd67fc1041e9a7c04edf2037e8b23145f

Download Submit
C:\Windows\system\KcGbBhl.exe

Filesize
5.9MB

MD5
03076388e49f2eec9e6dc9a65d86a5be

SHA1
0e072b00da07ddbbb2deacf5441467518a41eb41

SHA256
1142c693d7fffb418bb52165aed0a0a4e935d65aa81442950dd17be16bffd4dc

SHA512
36de32b45121c6c567daf41659a8557bddd2b866a9fe9478ace355261ee97362db8efe8a6192b1e44e3ef59f851c63f33dd53c1079400107ada2697fe9e68811

Download Submit
C:\Windows\system\SJtcRYY.exe

Filesize
5.9MB

MD5
2ba6939302207832149277b3869d7a57

SHA1
2af9b484bd6c917b0c3c0d24f570b8799d39758e

SHA256
064ae8e3b448c3d8f940c08ce14cba01bbe34d14e2bcfc6abefed424ac1c15a3

SHA512
767533e6d4283341e12acd923944b72ebba6f79d52bdda590b3f4449e7e1182cb39284b0a5db301f7f5817a5df5b4c2e61867281cb3dd4285ba71a02fd52012c

Download Submit
C:\Windows\system\SqJphCS.exe

Filesize
5.9MB

MD5
4af04343565419e92abe8c65ddd2aa53

SHA1
1eb9cb8f5462ad17947e385ec31d0ba6b3564727

SHA256
d157c63d7872f4aa33cecfaa44fac7e30af6d2dd510556bdd168d7e59073be8b

SHA512
679c18680e67ec75ade6c30584efefeb172b65de11fb8cf15670b98fa9bdfd3257223e3a520e6552a599b42643b362b6630147b09996505c9755560555355a22

Download Submit
C:\Windows\system\WWjewwM.exe

Filesize
5.9MB

MD5
5b2593c943e825f075fbad1d5f0556df

SHA1
3689e5dafb7ef6087ceabf470de0398ee3416d1a

SHA256
a76cc74157dc336d037e15c168b9e810c6d6d8225d74fb1cf48b25d62c5f0f68

SHA512
ff736bd58ce084ade8641b3b7e5c12aa52e6d1d1babaa4cba100ed5744238bf2a80b04b1337b414e23f0fd8eba679fa3ddc566e64565abe98a6b8058a076ceb4

Download Submit
C:\Windows\system\WyLoawo.exe

Filesize
5.9MB

MD5
01d1cb8f646e38d40726a52f47115c5d

SHA1
a0bb6d76e1f6c130b3e3dac1609b5e3bc9602b8d

SHA256
89fd91a4457f0e5d97c9d21e4d62f2eb0d32f00ff0896d803529e9d558e2e35d

SHA512
5fcd7d25f419d17981032fe1b6d7c849148d0657bb09824fda77cffe7188f266905d6f98d20a6e13c325bac237443fb1ff61d5f6905f03b5a1fe0ab998140779

Download Submit
C:\Windows\system\fkjErld.exe

Filesize
5.9MB

MD5
28ee7a26b27d3458af8a96a58a890946

SHA1
9642f2e8508f36491049e92d6b9bf9d5efed23c2

SHA256
d790191b7e60ea17fcf45a06532d4c8bef5f92e1015a09e11f30a9eb05657e3c

SHA512
d26ed424c732126ef9103cbbf622b905f8de8b138360e84f0cb5c2c976bd4d5fe9485d1640d9cd61473c6ce3bc05eee3e3c4075f1245df21a808b2e7e10faf28

Download Submit
C:\Windows\system\gXVeenH.exe

Filesize
5.9MB

MD5
cb214b328034f2f55a6cb97c67a9d451

SHA1
30774f5e658fa54eeae4841de17dc0ddca509794

SHA256
f9f53f75981f38e04d65832195b6070d61e9d0ed7fd7416840b4ba9f69b5fc28

SHA512
5a8a3b037fec3bccd295bc1ab774ed3d1ac8ebe7497b356d9579ea5892a9e320299bd825f0dafa3c641c96a2a0f9cf857189eeff706ac92e1d2656a0b0e538b9

Download Submit
C:\Windows\system\hZPLrMQ.exe

Filesize
5.9MB

MD5
588c5c22bb80400802c8d43c64f83c4c

SHA1
8801147c123dd54b9575482cca62ec1d9457fc78

SHA256
fe1e0bcffd1a91b80d4d270f608f6c54accc854083a140c9b77b75f4dee9df99

SHA512
f977897bea406143ec3641b485e3d88e34d70d73930a750cce3476ac8b5fdeb39ab65c58d3b0217ed42f489bab0874035299fc27650ad5d9d3813d0a618dda94

Download Submit
C:\Windows\system\iphUnIh.exe

Filesize
5.9MB

MD5
d856b2fcec35ebd6da060af691d8ab41

SHA1
d98c771665aa028e5deb609c048b66db28b5c785

SHA256
1804dce37496db106545680d39d63aed19c56c282852eb2ba432dcf1a751217f

SHA512
7bef74051d0727e680841760840c78d7b2ed66e71c54ce2ffe32b789f05c59e480194e8a727e55d811aee622b3407db50b0d92a514ef022bcbac397e1a4ff0fa

Download Submit
C:\Windows\system\lokocvv.exe

Filesize
5.9MB

MD5
e8985d99e649825fc6b2d8a466724bef

SHA1
c4419e2591afc1cac854b08b22e0b4906dd5ba21

SHA256
a63aa1f041b3c4957d453a58fefe2420344d32bd93eeaa9b7d95e47c3c0737e0

SHA512
40ad797c59dee6c7fb91549dc9ee6d98ecb7249a1c7a1790e2d9986124f9d47ecb5c30c3f4ce4451c6ebb49ee3750ee95db7289ed489a47ecbded4a7b5447c49

Download Submit
C:\Windows\system\lwNdiZx.exe

Filesize
5.9MB

MD5
b7e8e1620c983786df9e957c4e353e8e

SHA1
1c434240882740be72bc23de9a1a7e13469d3428

SHA256
89e9c64a5df64484c679d4b66973c73d2601d5fc291fdc50c06d91224f5e402f

SHA512
6875ea0c0959101096bda76a410b2756503eb24ecffd2af9db7f82edda11ec0410905da6085ac21f2af0e80879b1b837224d7464c0b6d9ccef0a6804ce2fc7ec

Download Submit
C:\Windows\system\wAsuwsN.exe

Filesize
5.9MB

MD5
c75071930137ecdac8b45d30abd526dd

SHA1
951900742b829b409ff54d607a5a74a6effd59f6

SHA256
0d4a92d2d5263846e557182c1c73f0f4612e51d49bd1bae8b10edc5a95c7bbb3

SHA512
1db79fb1a82b4458796fc816410eaf8392b47f167c85b5528409966db440af027c63c16265013b56558db29fa8161f88b933883cea21e4a3e055b388c1e85cb3

Download Submit
C:\Windows\system\xYuuBGk.exe

Filesize
5.9MB

MD5
c8efd9462aafdabc3c851bb0ec76ca06

SHA1
bc5981300c65931554fc79258debfae119f9e4bc

SHA256
e1da433a8d0d16880481f5f4cb92b0ea71d85c95a8e2d3165e24b03e22c92fbf

SHA512
758baa07bf5b88953c8e03abca3301f4c35e14bb7757e689fbef5881c094113c3575af1dc00a209ebb9a36365dd05ae3c6db5f46188dcca7764521ef4277b52d

Download Submit
C:\Windows\system\xsuqwWC.exe

Filesize
5.9MB

MD5
7bc0fe1cdf00f45cba9022fd34fc19b7

SHA1
a19ebe04b18fdf18633d35ed07b2ceb3e74218f0

SHA256
5cce35ebe2fd2a95f91a2e352ce8fc7050ad5b614bc86880ef500dcb4243540a

SHA512
760f823b188359d0e4a81aef7abc970b328eba126775df878728b828cd89f71bf6410209fb88af8ade185bada8772bc9dd20aeea42ab6e8edd3f3e14eda58695

Download Submit
C:\Windows\system\zXmUnzj.exe

Filesize
5.9MB

MD5
86c393635594049e390b7ad53dbf2aff

SHA1
3f8a36eae7e7c31ec3786da9d5ee62e179103159

SHA256
52647c495873001b3a4becafcd80c5893fc250e34e8f00f7596c9c6808fa9edf

SHA512
f9e19c12ce47dc53d5493457d3f1a67525618caf2d457d463076188f95c0013cd6940d787e810bbbd6e5dbea4eab9b5fa47232e9e05b5ec1384b2c0bb0de7634

Download Submit
\Windows\system\MtIoWrp.exe

Filesize
5.9MB

MD5
5b97d0268e086929d39f3bb9b5a3cfa5

SHA1
b80ef34b982817223e548a0eea4f84ada93bdb3d

SHA256
787914db64d504caec0464215ad261f28094ee46ea73308309e197fc84938c1c

SHA512
8baa7b3f5e3ff1bc4e9892026dc489f71791c83a96cede8de07806fc141796537d380b2ce8f4894f90f19b724a72731eb01ae000c6690ac6f4fa7bb5af0965d4

Download Submit
\Windows\system\RlUnUxX.exe

Filesize
5.9MB

MD5
e2a415459557a3a56065d38682b716fd

SHA1
281137370043b54a2996678b803307cd53ec8364

SHA256
3aa472236a2ea16e58e6311fcd8e1b8c5e948b094f1d17f3b7b4b78325682529

SHA512
f38711a54f188cdf659c8cf2a9dd1b7f64e954cf146fac4cbd0fce6ef17f753a0ee070e1ccc2c2defce5f2c9ce2a3b42d6792f964ad5d6be2f4e12ae4dda21f9

Download Submit
\Windows\system\kdkkxFW.exe

Filesize
5.9MB

MD5
9bc25054e45ed5bfde8fc3befd9fb380

SHA1
753389e5170ea1b2309b9d7586885622cb94f5b5

SHA256
a0791b8049ceec0710e94028f8c92573fc07c4049096e41c71b1a6b51504f159

SHA512
d55a7b6ea676416b0e72abcf7ff0afcd60a8f7f93388d303e7584bf25a88aec72d55221d0a60dae51e498a43e8fbf87443088d061c3e30ccbe306c84b2894a77

Download Submit
\Windows\system\xHuRZVG.exe

Filesize
5.9MB

MD5
74a858a70b678ed015e219ec3b6eaf8d

SHA1
09f1248bf9cf26c1212e08b4fc4b838cf6cc8af2

SHA256
f148aca265af23eae87303e464d3713ef41da0ab25a078a2413af6a8eae0e95e

SHA512
3e92f382cce98b89d0fa588ef1df804c9ff428d1e52daaef1c426e483159da6b9433ff0b3ae5d23ae2d8d25ba438b3c1f4e6469f24934b90c694c4768badbe41

Download Submit
memory/1232-100-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/1232-147-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/1232-162-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/1544-77-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1544-159-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1544-142-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1880-140-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/1880-69-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/1880-158-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/1908-161-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/1908-145-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/1908-93-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2356-149-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-62-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-56-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-156-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-138-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-55-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-155-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-41-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-99-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2556-76-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2556-27-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2556-85-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-54-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-47-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2556-92-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-20-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-143-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-148-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-33-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2556-12-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2556-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2556-146-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2556-0-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2556-141-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2556-106-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-42-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-137-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-154-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2600-152-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2600-84-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2600-32-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2604-75-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2604-150-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2604-14-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2636-36-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2636-153-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2648-139-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-63-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-157-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-83-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-21-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-151-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-144-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-160-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-86-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download