cobaltstrike | d36e2dd9ca091d8b9e5e3e60c380bf1531c07f6acd55d656fafe856faae0addb

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 06:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

375fe54900829ab58bd8d72e92bcd186
SHA1

27530d6c79be5133cca0cd7147dc390bd245ab66
SHA256

d36e2dd9ca091d8b9e5e3e60c380bf1531c07f6acd55d656fafe856faae0addb
SHA512

998b022f03622974d2d3001c4191fc5a27bb44aefc0a6074df548e7bdd16afe7d6df3d77b9259413a961d170a94492d9738ce111a84b4637c1bbb675131b493e
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUr:Q+856utgpPF8u/7r

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d00000001227e-3.dat	cobalt_reflective_dll
behavioral1/files/0x00380000000141ab-9.dat	cobalt_reflective_dll
behavioral1/files/0x000a00000001429a-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014345-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014353-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014415-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014471-44.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014509-56.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014f41-61.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015424-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015406-70.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001552d-91.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001562a-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015678-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ca2-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb8-135.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c93-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c7f-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c6f-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015682-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015122-69.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001227e-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00380000000141ab-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a00000001429a-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014345-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014353-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014415-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014471-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014509-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014f41-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015424-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015406-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001552d-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001562a-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015678-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ca2-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb8-135.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c93-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c7f-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c6f-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015682-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015122-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 60 IoCs

resource	yara_rule
behavioral1/memory/2380-0-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/files/0x000d00000001227e-3.dat	UPX
behavioral1/memory/3048-8-0x000000013F550000-0x000000013F8A4000-memory.dmp	UPX
behavioral1/files/0x00380000000141ab-9.dat	UPX
behavioral1/memory/2932-14-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/files/0x000a00000001429a-11.dat	UPX
behavioral1/files/0x0008000000014345-22.dat	UPX
behavioral1/memory/1208-21-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2716-26-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/files/0x0007000000014353-34.dat	UPX
behavioral1/memory/2148-36-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/files/0x0007000000014415-40.dat	UPX
behavioral1/memory/2756-41-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2380-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/files/0x0007000000014471-44.dat	UPX
behavioral1/memory/2344-52-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/1668-59-0x000000013FA20000-0x000000013FD74000-memory.dmp	UPX
behavioral1/memory/3048-45-0x000000013F550000-0x000000013F8A4000-memory.dmp	UPX
behavioral1/memory/1208-58-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/files/0x0008000000014509-56.dat	UPX
behavioral1/memory/2932-55-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/files/0x0007000000014f41-61.dat	UPX
behavioral1/files/0x0006000000015424-81.dat	UPX
behavioral1/files/0x0006000000015406-70.dat	UPX
behavioral1/memory/3028-83-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
behavioral1/memory/2600-82-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/files/0x000600000001552d-91.dat	UPX
behavioral1/memory/2704-93-0x000000013FCE0000-0x0000000140034000-memory.dmp	UPX
behavioral1/files/0x000600000001562a-99.dat	UPX
behavioral1/memory/2176-101-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/files/0x0006000000015678-105.dat	UPX
behavioral1/files/0x0006000000015ca2-132.dat	UPX
behavioral1/files/0x0006000000015cb8-135.dat	UPX
behavioral1/files/0x0006000000015c93-127.dat	UPX
behavioral1/files/0x0006000000015c7f-122.dat	UPX
behavioral1/files/0x0006000000015c6f-117.dat	UPX
behavioral1/files/0x0006000000015682-111.dat	UPX
behavioral1/memory/2756-92-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/3064-90-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2792-89-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/files/0x0006000000015122-69.dat	UPX
behavioral1/memory/2716-64-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/1668-139-0x000000013FA20000-0x000000013FD74000-memory.dmp	UPX
behavioral1/memory/3064-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2704-145-0x000000013FCE0000-0x0000000140034000-memory.dmp	UPX
behavioral1/memory/2176-146-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/3048-148-0x000000013F550000-0x000000013F8A4000-memory.dmp	UPX
behavioral1/memory/2932-149-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/memory/1208-150-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2716-151-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2148-152-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/memory/2756-153-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2344-154-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/1668-155-0x000000013FA20000-0x000000013FD74000-memory.dmp	UPX
behavioral1/memory/3028-156-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
behavioral1/memory/2792-158-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2600-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/3064-159-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2704-160-0x000000013FCE0000-0x0000000140034000-memory.dmp	UPX
behavioral1/memory/2176-161-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX

XMRig Miner payload 63 IoCs

miner

resource	yara_rule
behavioral1/memory/2380-0-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/files/0x000d00000001227e-3.dat	xmrig
behavioral1/memory/3048-8-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
behavioral1/files/0x00380000000141ab-9.dat	xmrig
behavioral1/memory/2932-14-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/files/0x000a00000001429a-11.dat	xmrig
behavioral1/files/0x0008000000014345-22.dat	xmrig
behavioral1/memory/1208-21-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2716-26-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/files/0x0007000000014353-34.dat	xmrig
behavioral1/memory/2148-36-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/files/0x0007000000014415-40.dat	xmrig
behavioral1/memory/2756-41-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2380-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/files/0x0007000000014471-44.dat	xmrig
behavioral1/memory/2344-52-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2380-57-0x0000000002380000-0x00000000026D4000-memory.dmp	xmrig
behavioral1/memory/1668-59-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/memory/3048-45-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
behavioral1/memory/1208-58-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x0008000000014509-56.dat	xmrig
behavioral1/memory/2932-55-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/files/0x0007000000014f41-61.dat	xmrig
behavioral1/files/0x0006000000015424-81.dat	xmrig
behavioral1/files/0x0006000000015406-70.dat	xmrig
behavioral1/memory/3028-83-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2600-82-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/files/0x000600000001552d-91.dat	xmrig
behavioral1/memory/2704-93-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/files/0x000600000001562a-99.dat	xmrig
behavioral1/memory/2176-101-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/files/0x0006000000015678-105.dat	xmrig
behavioral1/files/0x0006000000015ca2-132.dat	xmrig
behavioral1/files/0x0006000000015cb8-135.dat	xmrig
behavioral1/files/0x0006000000015c93-127.dat	xmrig
behavioral1/files/0x0006000000015c7f-122.dat	xmrig
behavioral1/files/0x0006000000015c6f-117.dat	xmrig
behavioral1/files/0x0006000000015682-111.dat	xmrig
behavioral1/memory/2756-92-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/3064-90-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2792-89-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015122-69.dat	xmrig
behavioral1/memory/2716-64-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/1668-139-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/memory/2380-140-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2380-142-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/3064-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2704-145-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2176-146-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/3048-148-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
behavioral1/memory/2932-149-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/1208-150-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2716-151-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2148-152-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2756-153-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2344-154-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/1668-155-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/memory/3028-156-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2792-158-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2600-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/3064-159-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2704-160-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2176-161-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3048	qaFQoUZ.exe
2932	GplJdOq.exe
1208	PXsMjRv.exe
2716	zYAOxMo.exe
2148	GBwTjPO.exe
2756	VwAnCST.exe
2344	JWPrWOT.exe
1668	PKycaQY.exe
3028	mkayeoI.exe
2600	aiENEak.exe
2792	unkwGQk.exe
3064	ZsInDNu.exe
2704	BHlHQqQ.exe
2176	lABenGK.exe
1920	GiRqgam.exe
2328	ApbndBA.exe
348	kTldAPm.exe
1936	lMpPblu.exe
2592	eDVFBCT.exe
2508	rxfVXcX.exe
1684	kTcphYE.exe

Loads dropped DLL 21 IoCs

pid	Process
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/files/0x000d00000001227e-3.dat	upx
behavioral1/memory/3048-8-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
behavioral1/files/0x00380000000141ab-9.dat	upx
behavioral1/memory/2932-14-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/files/0x000a00000001429a-11.dat	upx
behavioral1/files/0x0008000000014345-22.dat	upx
behavioral1/memory/1208-21-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2716-26-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/files/0x0007000000014353-34.dat	upx
behavioral1/memory/2148-36-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/files/0x0007000000014415-40.dat	upx
behavioral1/memory/2756-41-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2380-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/files/0x0007000000014471-44.dat	upx
behavioral1/memory/2344-52-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/1668-59-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/memory/3048-45-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
behavioral1/memory/1208-58-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x0008000000014509-56.dat	upx
behavioral1/memory/2932-55-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/files/0x0007000000014f41-61.dat	upx
behavioral1/files/0x0006000000015424-81.dat	upx
behavioral1/files/0x0006000000015406-70.dat	upx
behavioral1/memory/3028-83-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/2600-82-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/files/0x000600000001552d-91.dat	upx
behavioral1/memory/2704-93-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/files/0x000600000001562a-99.dat	upx
behavioral1/memory/2176-101-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/files/0x0006000000015678-105.dat	upx
behavioral1/files/0x0006000000015ca2-132.dat	upx
behavioral1/files/0x0006000000015cb8-135.dat	upx
behavioral1/files/0x0006000000015c93-127.dat	upx
behavioral1/files/0x0006000000015c7f-122.dat	upx
behavioral1/files/0x0006000000015c6f-117.dat	upx
behavioral1/files/0x0006000000015682-111.dat	upx
behavioral1/memory/2756-92-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/3064-90-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2792-89-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/files/0x0006000000015122-69.dat	upx
behavioral1/memory/2716-64-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/1668-139-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/memory/3064-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2704-145-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2176-146-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/3048-148-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
behavioral1/memory/2932-149-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/1208-150-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2716-151-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2148-152-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2756-153-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2344-154-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/1668-155-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/memory/3028-156-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/2792-158-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2600-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/3064-159-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2704-160-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2176-161-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kTcphYE.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PXsMjRv.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZsInDNu.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\unkwGQk.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GiRqgam.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lMpPblu.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eDVFBCT.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zYAOxMo.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GBwTjPO.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PKycaQY.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BHlHQqQ.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GplJdOq.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VwAnCST.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kTldAPm.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lABenGK.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ApbndBA.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rxfVXcX.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qaFQoUZ.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JWPrWOT.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aiENEak.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mkayeoI.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3048	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	29
PID 2380 wrote to memory of 3048	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	29
PID 2380 wrote to memory of 3048	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	29
PID 2380 wrote to memory of 2932	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	30
PID 2380 wrote to memory of 2932	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	30
PID 2380 wrote to memory of 2932	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	30
PID 2380 wrote to memory of 1208	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	31
PID 2380 wrote to memory of 1208	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	31
PID 2380 wrote to memory of 1208	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	31
PID 2380 wrote to memory of 2716	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	32
PID 2380 wrote to memory of 2716	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	32
PID 2380 wrote to memory of 2716	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	32
PID 2380 wrote to memory of 2148	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	33
PID 2380 wrote to memory of 2148	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	33
PID 2380 wrote to memory of 2148	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	33
PID 2380 wrote to memory of 2756	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	34
PID 2380 wrote to memory of 2756	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	34
PID 2380 wrote to memory of 2756	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	34
PID 2380 wrote to memory of 2344	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	35
PID 2380 wrote to memory of 2344	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	35
PID 2380 wrote to memory of 2344	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	35
PID 2380 wrote to memory of 1668	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	36
PID 2380 wrote to memory of 1668	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	36
PID 2380 wrote to memory of 1668	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	36
PID 2380 wrote to memory of 2600	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	37
PID 2380 wrote to memory of 2600	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	37
PID 2380 wrote to memory of 2600	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	37
PID 2380 wrote to memory of 3028	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	38
PID 2380 wrote to memory of 3028	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	38
PID 2380 wrote to memory of 3028	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	38
PID 2380 wrote to memory of 3064	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	39
PID 2380 wrote to memory of 3064	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	39
PID 2380 wrote to memory of 3064	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	39
PID 2380 wrote to memory of 2792	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	40
PID 2380 wrote to memory of 2792	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	40
PID 2380 wrote to memory of 2792	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	40
PID 2380 wrote to memory of 2704	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	41
PID 2380 wrote to memory of 2704	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	41
PID 2380 wrote to memory of 2704	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	41
PID 2380 wrote to memory of 2176	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	42
PID 2380 wrote to memory of 2176	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	42
PID 2380 wrote to memory of 2176	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	42
PID 2380 wrote to memory of 1920	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	43
PID 2380 wrote to memory of 1920	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	43
PID 2380 wrote to memory of 1920	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	43
PID 2380 wrote to memory of 2328	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	44
PID 2380 wrote to memory of 2328	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	44
PID 2380 wrote to memory of 2328	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	44
PID 2380 wrote to memory of 348	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	45
PID 2380 wrote to memory of 348	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	45
PID 2380 wrote to memory of 348	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	45
PID 2380 wrote to memory of 1936	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	46
PID 2380 wrote to memory of 1936	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	46
PID 2380 wrote to memory of 1936	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	46
PID 2380 wrote to memory of 2592	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	47
PID 2380 wrote to memory of 2592	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	47
PID 2380 wrote to memory of 2592	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	47
PID 2380 wrote to memory of 2508	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	48
PID 2380 wrote to memory of 2508	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	48
PID 2380 wrote to memory of 2508	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	48
PID 2380 wrote to memory of 1684	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	49
PID 2380 wrote to memory of 1684	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	49
PID 2380 wrote to memory of 1684	2380	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System\qaFQoUZ.exe
  C:\Windows\System\qaFQoUZ.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\GplJdOq.exe
  C:\Windows\System\GplJdOq.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\PXsMjRv.exe
  C:\Windows\System\PXsMjRv.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\zYAOxMo.exe
  C:\Windows\System\zYAOxMo.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\GBwTjPO.exe
  C:\Windows\System\GBwTjPO.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\VwAnCST.exe
  C:\Windows\System\VwAnCST.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\JWPrWOT.exe
  C:\Windows\System\JWPrWOT.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\PKycaQY.exe
  C:\Windows\System\PKycaQY.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\aiENEak.exe
  C:\Windows\System\aiENEak.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\mkayeoI.exe
  C:\Windows\System\mkayeoI.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\ZsInDNu.exe
  C:\Windows\System\ZsInDNu.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\unkwGQk.exe
  C:\Windows\System\unkwGQk.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\BHlHQqQ.exe
  C:\Windows\System\BHlHQqQ.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\lABenGK.exe
  C:\Windows\System\lABenGK.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\GiRqgam.exe
  C:\Windows\System\GiRqgam.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\ApbndBA.exe
  C:\Windows\System\ApbndBA.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\kTldAPm.exe
  C:\Windows\System\kTldAPm.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System\lMpPblu.exe
  C:\Windows\System\lMpPblu.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\eDVFBCT.exe
  C:\Windows\System\eDVFBCT.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\rxfVXcX.exe
  C:\Windows\System\rxfVXcX.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\kTcphYE.exe
  C:\Windows\System\kTcphYE.exe
  2⤵
  - Executes dropped EXE
  PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ApbndBA.exe

Filesize
5.9MB

MD5
09132c294df432f7f6053c7de0fba3d7

SHA1
e439d8bf52465f78cba7d84564bdb7b38b21351d

SHA256
d11ca35d0fe2b9fd80e9d1ab3e05884f057389feba34b9e8069ac6817a191676

SHA512
6a6ad9bd713b707f9b74c3d10ede12d32d207f15d19dad24650b9e13106d882642fb66727901a598fb5ae81e0b79a4736daddf8eb6ecec6bd35c8f9a99b95195

Download Submit
C:\Windows\system\BHlHQqQ.exe

Filesize
5.9MB

MD5
343fc9ad15531115f3d1ccf8bf7abd1d

SHA1
1eb4dded9da8ffdfe388b0bc2dc4f21f9c103755

SHA256
7670244036d4b50b51fc4cf3b0608c65fcd9db1907af283012baecdd3311f018

SHA512
83fa96f0d07c15b02facf505004443fddec35df964a37909bf7be042cb0279fbaa4db1f57884e6d9e91dc13b50e08d80bf614451c073305585fee370ca47e4c0

Download Submit
C:\Windows\system\GBwTjPO.exe

Filesize
5.9MB

MD5
ad5ff85a9661ee4c479953b0b9ae74b9

SHA1
c8467781634c572a534cdfe7bff33200cd5635d8

SHA256
f1a318ab19a534c62e7798d0e8c02bfa36ba9c86d7c9c76f61ca9134da0359b2

SHA512
23db6109a2fd2daa0918da5a33f7f8d168c35ebd8c85d21af6744ff15addb41b8b85e7dfa236d1a33b9323ce0f97e3b23733d3189ef21164c885fe4778fa7909

Download Submit
C:\Windows\system\GiRqgam.exe

Filesize
5.9MB

MD5
d9dfdf5d1f13dd3ed95878b43af4fb3d

SHA1
712fc66953d71151b9b4ad8c558d476eae94bccf

SHA256
c6ce4facda1dd65525183c3fb5e71997de7e95d553652357ffd94d8bc8276490

SHA512
39532e8bb6f1f2d14d091d52cb7a410fe77e5dd73ea6e43bf9e7966b6e7be46958f2678286dacf5c60168c70f830d542b29cdc1b60c1a35f84189b6f3369ff18

Download Submit
C:\Windows\system\PKycaQY.exe

Filesize
5.9MB

MD5
a7d8e152bb668cd8deae0291eba7dbec

SHA1
aeaadb5f03c216663252f865dd3c20ccbd2ffdbc

SHA256
99db29209a8e16bf39dac9e2160c0c9a900a2a3ebadbe4dad023d5080fc00523

SHA512
0b7e94460a05a302fb7b2cd9e6486928bbecaa65278b807a066a4830d3b0b0e321bced4062b89392136a966b4ec0d88994d977f9f2157153c8c310e9405a0914

Download Submit
C:\Windows\system\PXsMjRv.exe

Filesize
5.9MB

MD5
ec1fc1740164be463bb4831d4ea37ff7

SHA1
810159a3344e278925e8c88486cf3902f5e600a1

SHA256
42115993b25aff50c5e8c7b7f86afc9bf1279b200f67f1229ea627bce9e1f169

SHA512
1a2731b5ad29741813cc93a16b8dd37d43ca5c22eff2add1d427bbc45deae4960256490cbfbc6a5a81899030343252a0fe4366c6933ba09fb3989d18a2da477d

Download Submit
C:\Windows\system\VwAnCST.exe

Filesize
5.9MB

MD5
e4ceac14845b9c1250dac39b1cc521a8

SHA1
53995527d8ab0ee7dc46104564225d482212720a

SHA256
4574313e3e7cf97cc21d57f6642eaa27ff8764f2b6ce3142ff44eda168daac6c

SHA512
2c989e7326a0c3fcd60174da252e21bfd0cec063e6d8510eff1bab5b98185eb22cf1ef632da92057107fc38f67003c235518510b95c085abd4f76c1f8bae8dab

Download Submit
C:\Windows\system\eDVFBCT.exe

Filesize
5.9MB

MD5
63a2b3476b96515bdd9e97b4dd1c9713

SHA1
4aa4eaa4ee01657c5f98bff5d75fa72b7f607957

SHA256
5ad84a77ce9f2c9f655516c22d226cf02641fec18adf55677e8b49972dd76c46

SHA512
b67ec08972741771324b5667545025b395ea9617075eeb7de6d89dd7046de644e81551c2c714811e0f6985399e7aff7bfc7c564030164a7574d0d86f1e3203af

Download Submit
C:\Windows\system\kTldAPm.exe

Filesize
5.9MB

MD5
4664fa838a4464fa8803e37cbfbd073b

SHA1
26e0bb7b952111acfad8a0c416980a75affe9def

SHA256
53418513d5921a2d8393b26aefb688348a19f031fe4147949faca908905d3971

SHA512
60844f41c0578ea0670e9d424ad306b88d445bc069529764cabdfcc6a2b31ce4fc4e6fc556d2bfb7e435782ebb6f903d789f112906bbcd78b8270659958e65e1

Download Submit
C:\Windows\system\lABenGK.exe

Filesize
5.9MB

MD5
06bc7824ec07a0ee9c378e1a4872f7d2

SHA1
6b4e06225596f8c2a433c283daf34c624ae0c74e

SHA256
cba0c60561f3e4eae97e19aae5d870cf2fa2a7ac9bd4d67e42a70707249955a0

SHA512
f044b57fd06228a41cbf1910ff308fff42577ee98a039c30dbb1738f61fb5a3427523bb04c888fb505e0906c6e19dd7805450356788589916b743d772751c3c0

Download Submit
C:\Windows\system\lMpPblu.exe

Filesize
5.9MB

MD5
0506721ecb75a3bf80dba982c8509d2e

SHA1
6a256dac38a57f864607c186fcc7244e27d97369

SHA256
1231299ee41582e2eb4df2ba6a15542ce11aee90ab797746374cf3b223ba22eb

SHA512
78bf865a3fe0dc07a4e90d39a6989a5548b78971e60d5ee1f9cd3aa39d652c87f5cd4dbe74cf5b07e44e0fe146233a02b849eef340d23a3ee0e2f6a71810f1ed

Download Submit
C:\Windows\system\mkayeoI.exe

Filesize
5.9MB

MD5
bab4e3e2f8e4e8c6cc92d6189d6ea8d2

SHA1
3a602f8f96f00ce0a53603e02b0a65d10cec6b89

SHA256
85ad0a2a15978d0a33adedea37a2b8c2c18f607230170089328b9380cce29807

SHA512
3bf0a78304fb376deb59b7b8d7d8374337c7beed52c3f85c473126dd4261fd45db1821df9da6a4586dfd6ac50d5e3dbb5f68aa84493bda4cd29d7b8d8b2147a9

Download Submit
C:\Windows\system\rxfVXcX.exe

Filesize
5.9MB

MD5
58a54f897fce528bb763cdbcc04281cc

SHA1
28c6643078234d105a24728bb46944ae1484f27e

SHA256
19b8e6c207427787768e81aa8b69554ee2ab63999b7533e317eba5207f867e0d

SHA512
b192f18c33ba5515638666b738410a25764a885b8e7d35b6a2c6c6af43f5e36258fa2c5a53e97ce7ac1f8a320220d839a8fe4266f420bd03afa2e594075e22e3

Download Submit
C:\Windows\system\unkwGQk.exe

Filesize
5.9MB

MD5
a52fee08a7ab5fd3b9aa270c63e50aad

SHA1
e273b4eceff366953d5d9c58eac664e806675efb

SHA256
8f2a0df6e62e0eb64270b31e3d6e595707974badf73c6d9a76253a3f7e07e4ad

SHA512
30ec494dc45741675c502329643e396d576e37410e550149426c0c9a82a445fa9cc9a91e1548a73b9411841649b05f0779a7f25c6b29ad52d677eb91adb08a13

Download Submit
\Windows\system\GplJdOq.exe

Filesize
5.9MB

MD5
70c0704938303ae5ae2d8e90397b70dd

SHA1
f78ab13db879223776ae3bbb7e9131d7221b911c

SHA256
a20812f5ae4c28ed22201e64fdd78c433f8aca2b6b115d326a65f9074aef4852

SHA512
55f35475c38b44331804cbb3b6fae4b95c291c7e54d558e5c3dfd88e2517b3832b8549853c8056d2e06cb47ea5cf86fbf15bff3eb447029ee22604e624a770b2

Download Submit
\Windows\system\JWPrWOT.exe

Filesize
5.9MB

MD5
610ebe78bdf2045d9d88b5593bdadffc

SHA1
7f19d15f4e18ad9804b850d5c176d4ecd5758c05

SHA256
c367a533fd34c3ca63ca2075eb9c10392fa50738aed09ae175ebf644bafef3e9

SHA512
76858309698cfdecfddde0be68fc657c2accd72891e3013ae550daafc17ecf41d93e15138c13aaa7f806941913810335e6a5fccba0d0cc89ed81ec52da0e2ac5

Download Submit
\Windows\system\ZsInDNu.exe

Filesize
5.9MB

MD5
1f635c9af23ada8f1348e3f6747c4088

SHA1
bb6c6de6fcc25a4c4179ed8e544a88e5a44a5cd6

SHA256
4fe925f383aac23fe3bf66418d01f4f84144e926ed1ae61e99a242446d99ff1d

SHA512
d643e3ac0fa8e5b46f188c29a377f85eda7039c110c0f2892ec5a45f3cbe43b28770ed84297cfd3909e280227d8afdcb64ada05765f3ad71c5fd5f07168e45a3

Download Submit
\Windows\system\aiENEak.exe

Filesize
5.9MB

MD5
dd7bf1d36f46c70c942ccb99d94a53eb

SHA1
da6265f3eb542b02ee60f605bedefca02a41fec8

SHA256
bd6c2a1c12508347f09b2c485c3ff9b170e1176106fe6936d90467a0528c0cc5

SHA512
cf5ffc8d85a91702a0b4dc7b83323f4add2765eb1ae82ea114d14e778ca92c82279ed854ce88c6ac1351310ec20909628c129b49cea87a98d58337b12bb039e5

Download Submit
\Windows\system\kTcphYE.exe

Filesize
5.9MB

MD5
9cc3b8c88b5a364f1ef8cd4a04a6ec21

SHA1
73764f1f7c382b89f4d4de85bc1cf99572e4ab68

SHA256
0a3313e42fc4e0b1b824b02777440121d28a022cf667423ac79824c7357aa25a

SHA512
63a262d5af5ee20691e92b8fa11c2a648511421707319a16d513e04c269045642a59782eede2ccc816430fcb67262e374c5b3ce2650e34af319585013a012de5

Download Submit
\Windows\system\qaFQoUZ.exe

Filesize
5.9MB

MD5
9b537eb38417138508ba8d23c5290f66

SHA1
b71b4728665f9f7dd451652d8caf039a3a509448

SHA256
e9319de42494b169a89a1703d078375715414306548f9617f63bde3a7ac195b7

SHA512
b7edb2e87e51096a57969c86581d79ba2115ca6cfe3b5b87cf76c06d49d36cca5f3d91f01eed350347f760e971ea7f4a56aac71801f1e0b9285d9fe8ecfaaf8b

Download Submit
\Windows\system\zYAOxMo.exe

Filesize
5.9MB

MD5
3d749b00abe37443fdbf8354e4008ad0

SHA1
f15c3ae420e693aab35a62d5835e554249258ce2

SHA256
29a2cd97c2141fba88e4407487d38d4fac5183d930cd9f3fb611362e3d2d3e6e

SHA512
732c95872291b0f8e194b53d68594e39c0af05be4f46186ff7fbec9fe21a16a02f58a438763d6200a74c4ae3c61e4d64ed7f7cb683e4107191c2dd6629dd0334

Download Submit
memory/1208-58-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1208-21-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1208-150-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1668-59-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1668-139-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1668-155-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/2148-36-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2148-152-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2176-146-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2176-101-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2176-161-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2344-52-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2344-154-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2380-75-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2380-80-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2380-31-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2380-142-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-141-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2380-50-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2380-57-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-0-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-108-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-140-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2380-12-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2380-147-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-107-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-19-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2380-88-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-143-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-23-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-67-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2600-82-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2600-157-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2704-145-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2704-93-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2704-160-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2716-26-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2716-64-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2716-151-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2756-41-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2756-92-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2756-153-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2792-89-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-158-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-55-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2932-149-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2932-14-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/3028-156-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/3028-83-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/3048-8-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/3048-148-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/3048-45-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/3064-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/3064-159-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/3064-90-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download