cobaltstrike | 4328bc94b5d8f62eb0293efc1ab857275220b8b564cd7038f54a6251bd925147

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

819fbca4de80f7d4c58e7b60e7d0e4fc
SHA1

3bd6cf84de0a0c38ab98ffde17ad94f81508e0e2
SHA256

4328bc94b5d8f62eb0293efc1ab857275220b8b564cd7038f54a6251bd925147
SHA512

4802e39d247c9f34532d2575176067312e405d54fcd09769b2d4dac7552dc129172af46c6c70ac8c401d17bf218d5b8bab9523f4ffd02eb022b6289672857a0c
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:Q+856utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012120-3.dat	cobalt_reflective_dll
behavioral1/files/0x002f00000001325f-8.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001344f-10.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000134f5-22.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013a15-33.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013a65-38.dat	cobalt_reflective_dll
behavioral1/files/0x00300000000132f2-46.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013a85-54.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000013b02-61.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013f4b-68.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000145d4-74.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000146a7-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014730-92.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000148af-123.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014a29-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015077-134.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014d0f-113.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001474b-101.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001475f-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014fac-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014c0b-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012120-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002f00000001325f-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000900000001344f-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00090000000134f5-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013a15-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013a65-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00300000000132f2-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013a85-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000013b02-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013f4b-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000145d4-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000146a7-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014730-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000148af-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014a29-130.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015077-134.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014d0f-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001474b-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001475f-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014fac-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014c0b-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

resource	yara_rule
behavioral1/memory/1008-2-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/files/0x0007000000012120-3.dat	UPX
behavioral1/files/0x002f00000001325f-8.dat	UPX
behavioral1/memory/2056-11-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/memory/2424-15-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/files/0x000900000001344f-10.dat	UPX
behavioral1/files/0x00090000000134f5-22.dat	UPX
behavioral1/memory/2756-29-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2572-23-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
behavioral1/files/0x0008000000013a15-33.dat	UPX
behavioral1/files/0x0008000000013a65-38.dat	UPX
behavioral1/memory/2740-37-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/1008-40-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2488-45-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/files/0x00300000000132f2-46.dat	UPX
behavioral1/memory/2580-53-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/2056-49-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/files/0x0008000000013a85-54.dat	UPX
behavioral1/memory/2424-59-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2496-60-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/files/0x000a000000013b02-61.dat	UPX
behavioral1/memory/3016-67-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2572-66-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
behavioral1/files/0x0008000000013f4b-68.dat	UPX
behavioral1/files/0x00060000000145d4-74.dat	UPX
behavioral1/files/0x00060000000146a7-78.dat	UPX
behavioral1/memory/2756-82-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/1228-89-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2720-88-0x000000013F2C0000-0x000000013F614000-memory.dmp	UPX
behavioral1/memory/2524-86-0x000000013F3C0000-0x000000013F714000-memory.dmp	UPX
behavioral1/files/0x0006000000014730-92.dat	UPX
behavioral1/files/0x00060000000148af-123.dat	UPX
behavioral1/files/0x0006000000014a29-130.dat	UPX
behavioral1/files/0x0006000000015077-134.dat	UPX
behavioral1/memory/1412-122-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/files/0x0006000000014d0f-113.dat	UPX
behavioral1/files/0x000600000001474b-101.dat	UPX
behavioral1/files/0x000600000001475f-97.dat	UPX
behavioral1/files/0x0006000000014fac-125.dat	UPX
behavioral1/files/0x0006000000014c0b-124.dat	UPX
behavioral1/memory/2568-106-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2488-137-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2568-141-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2056-142-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/memory/2424-143-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2756-144-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2740-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/2572-146-0x000000013F300000-0x000000013F654000-memory.dmp	UPX
behavioral1/memory/2488-147-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2580-148-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/2496-149-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/memory/3016-150-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2524-152-0x000000013F3C0000-0x000000013F714000-memory.dmp	UPX
behavioral1/memory/1228-151-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2720-153-0x000000013F2C0000-0x000000013F614000-memory.dmp	UPX
behavioral1/memory/1412-154-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/memory/2568-155-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX

XMRig Miner payload 60 IoCs

miner

resource	yara_rule
behavioral1/memory/1008-2-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/files/0x0007000000012120-3.dat	xmrig
behavioral1/files/0x002f00000001325f-8.dat	xmrig
behavioral1/memory/2056-11-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2424-15-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/1008-6-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/files/0x000900000001344f-10.dat	xmrig
behavioral1/files/0x00090000000134f5-22.dat	xmrig
behavioral1/memory/2756-29-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2572-23-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/files/0x0008000000013a15-33.dat	xmrig
behavioral1/files/0x0008000000013a65-38.dat	xmrig
behavioral1/memory/2740-37-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/1008-40-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2488-45-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/files/0x00300000000132f2-46.dat	xmrig
behavioral1/memory/2580-53-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2056-49-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/files/0x0008000000013a85-54.dat	xmrig
behavioral1/memory/2424-59-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2496-60-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/files/0x000a000000013b02-61.dat	xmrig
behavioral1/memory/3016-67-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2572-66-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/files/0x0008000000013f4b-68.dat	xmrig
behavioral1/files/0x00060000000145d4-74.dat	xmrig
behavioral1/files/0x00060000000146a7-78.dat	xmrig
behavioral1/memory/2756-82-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/1228-89-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2720-88-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/1008-87-0x00000000023C0000-0x0000000002714000-memory.dmp	xmrig
behavioral1/memory/2524-86-0x000000013F3C0000-0x000000013F714000-memory.dmp	xmrig
behavioral1/files/0x0006000000014730-92.dat	xmrig
behavioral1/files/0x00060000000148af-123.dat	xmrig
behavioral1/files/0x0006000000014a29-130.dat	xmrig
behavioral1/files/0x0006000000015077-134.dat	xmrig
behavioral1/memory/1412-122-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/files/0x0006000000014d0f-113.dat	xmrig
behavioral1/files/0x000600000001474b-101.dat	xmrig
behavioral1/files/0x000600000001475f-97.dat	xmrig
behavioral1/files/0x0006000000014fac-125.dat	xmrig
behavioral1/files/0x0006000000014c0b-124.dat	xmrig
behavioral1/memory/2568-106-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2488-137-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/1008-138-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2568-141-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2056-142-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2424-143-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2756-144-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2740-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/2572-146-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/memory/2488-147-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2580-148-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2496-149-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/3016-150-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2524-152-0x000000013F3C0000-0x000000013F714000-memory.dmp	xmrig
behavioral1/memory/1228-151-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2720-153-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/1412-154-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/memory/2568-155-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2056	gdwqpgN.exe
2424	qmLEylZ.exe
2572	CulpRoX.exe
2756	QZUWHSS.exe
2740	rrqZtus.exe
2488	hilekFY.exe
2580	RblfDVc.exe
2496	xbLkiNZ.exe
3016	jvQxwEK.exe
1228	SJVcSyg.exe
2524	nRCSwSp.exe
2720	bBiVbwx.exe
2568	TekStts.exe
1412	YpwNqvd.exe
2108	LcFjjlf.exe
108	xeeFdcK.exe
624	lmXjgip.exe
984	OAUJTME.exe
836	qZKfDjA.exe
996	KJQxfBX.exe
1356	rcnvBuC.exe

Loads dropped DLL 21 IoCs

pid	Process
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1008-2-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/files/0x0007000000012120-3.dat	upx
behavioral1/files/0x002f00000001325f-8.dat	upx
behavioral1/memory/2056-11-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2424-15-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/1008-6-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/files/0x000900000001344f-10.dat	upx
behavioral1/files/0x00090000000134f5-22.dat	upx
behavioral1/memory/2756-29-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2572-23-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/files/0x0008000000013a15-33.dat	upx
behavioral1/files/0x0008000000013a65-38.dat	upx
behavioral1/memory/2740-37-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/1008-40-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2488-45-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/files/0x00300000000132f2-46.dat	upx
behavioral1/memory/2580-53-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2056-49-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/files/0x0008000000013a85-54.dat	upx
behavioral1/memory/2424-59-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2496-60-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/files/0x000a000000013b02-61.dat	upx
behavioral1/memory/3016-67-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2572-66-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/files/0x0008000000013f4b-68.dat	upx
behavioral1/files/0x00060000000145d4-74.dat	upx
behavioral1/files/0x00060000000146a7-78.dat	upx
behavioral1/memory/2756-82-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/1228-89-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2720-88-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/2524-86-0x000000013F3C0000-0x000000013F714000-memory.dmp	upx
behavioral1/files/0x0006000000014730-92.dat	upx
behavioral1/files/0x00060000000148af-123.dat	upx
behavioral1/files/0x0006000000014a29-130.dat	upx
behavioral1/files/0x0006000000015077-134.dat	upx
behavioral1/memory/1412-122-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/files/0x0006000000014d0f-113.dat	upx
behavioral1/files/0x000600000001474b-101.dat	upx
behavioral1/files/0x000600000001475f-97.dat	upx
behavioral1/files/0x0006000000014fac-125.dat	upx
behavioral1/files/0x0006000000014c0b-124.dat	upx
behavioral1/memory/2568-106-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2488-137-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2568-141-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2056-142-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2424-143-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2756-144-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2740-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/2572-146-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/memory/2488-147-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2580-148-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2496-149-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/memory/3016-150-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2524-152-0x000000013F3C0000-0x000000013F714000-memory.dmp	upx
behavioral1/memory/1228-151-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2720-153-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/1412-154-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/memory/2568-155-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\KJQxfBX.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gdwqpgN.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hilekFY.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RblfDVc.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xeeFdcK.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QZUWHSS.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xbLkiNZ.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rcnvBuC.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qmLEylZ.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SJVcSyg.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TekStts.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YpwNqvd.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bBiVbwx.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OAUJTME.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LcFjjlf.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qZKfDjA.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CulpRoX.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rrqZtus.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jvQxwEK.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nRCSwSp.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lmXjgip.exe	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2056	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	29
PID 1008 wrote to memory of 2056	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	29
PID 1008 wrote to memory of 2056	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	29
PID 1008 wrote to memory of 2424	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	30
PID 1008 wrote to memory of 2424	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	30
PID 1008 wrote to memory of 2424	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	30
PID 1008 wrote to memory of 2572	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	31
PID 1008 wrote to memory of 2572	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	31
PID 1008 wrote to memory of 2572	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	31
PID 1008 wrote to memory of 2756	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	32
PID 1008 wrote to memory of 2756	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	32
PID 1008 wrote to memory of 2756	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	32
PID 1008 wrote to memory of 2740	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	33
PID 1008 wrote to memory of 2740	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	33
PID 1008 wrote to memory of 2740	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	33
PID 1008 wrote to memory of 2488	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	34
PID 1008 wrote to memory of 2488	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	34
PID 1008 wrote to memory of 2488	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	34
PID 1008 wrote to memory of 2580	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	35
PID 1008 wrote to memory of 2580	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	35
PID 1008 wrote to memory of 2580	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	35
PID 1008 wrote to memory of 2496	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	36
PID 1008 wrote to memory of 2496	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	36
PID 1008 wrote to memory of 2496	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	36
PID 1008 wrote to memory of 3016	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	37
PID 1008 wrote to memory of 3016	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	37
PID 1008 wrote to memory of 3016	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	37
PID 1008 wrote to memory of 1228	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	38
PID 1008 wrote to memory of 1228	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	38
PID 1008 wrote to memory of 1228	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	38
PID 1008 wrote to memory of 2524	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	39
PID 1008 wrote to memory of 2524	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	39
PID 1008 wrote to memory of 2524	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	39
PID 1008 wrote to memory of 2720	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	40
PID 1008 wrote to memory of 2720	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	40
PID 1008 wrote to memory of 2720	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	40
PID 1008 wrote to memory of 2568	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	41
PID 1008 wrote to memory of 2568	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	41
PID 1008 wrote to memory of 2568	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	41
PID 1008 wrote to memory of 1412	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	42
PID 1008 wrote to memory of 1412	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	42
PID 1008 wrote to memory of 1412	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	42
PID 1008 wrote to memory of 984	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	43
PID 1008 wrote to memory of 984	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	43
PID 1008 wrote to memory of 984	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	43
PID 1008 wrote to memory of 2108	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	44
PID 1008 wrote to memory of 2108	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	44
PID 1008 wrote to memory of 2108	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	44
PID 1008 wrote to memory of 836	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	45
PID 1008 wrote to memory of 836	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	45
PID 1008 wrote to memory of 836	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	45
PID 1008 wrote to memory of 108	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	46
PID 1008 wrote to memory of 108	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	46
PID 1008 wrote to memory of 108	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	46
PID 1008 wrote to memory of 996	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	47
PID 1008 wrote to memory of 996	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	47
PID 1008 wrote to memory of 996	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	47
PID 1008 wrote to memory of 624	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	48
PID 1008 wrote to memory of 624	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	48
PID 1008 wrote to memory of 624	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	48
PID 1008 wrote to memory of 1356	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	49
PID 1008 wrote to memory of 1356	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	49
PID 1008 wrote to memory of 1356	1008	2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\System\gdwqpgN.exe
  C:\Windows\System\gdwqpgN.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\qmLEylZ.exe
  C:\Windows\System\qmLEylZ.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\CulpRoX.exe
  C:\Windows\System\CulpRoX.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\QZUWHSS.exe
  C:\Windows\System\QZUWHSS.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\rrqZtus.exe
  C:\Windows\System\rrqZtus.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\hilekFY.exe
  C:\Windows\System\hilekFY.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\RblfDVc.exe
  C:\Windows\System\RblfDVc.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\xbLkiNZ.exe
  C:\Windows\System\xbLkiNZ.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\jvQxwEK.exe
  C:\Windows\System\jvQxwEK.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\SJVcSyg.exe
  C:\Windows\System\SJVcSyg.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\nRCSwSp.exe
  C:\Windows\System\nRCSwSp.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\bBiVbwx.exe
  C:\Windows\System\bBiVbwx.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\TekStts.exe
  C:\Windows\System\TekStts.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\YpwNqvd.exe
  C:\Windows\System\YpwNqvd.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\OAUJTME.exe
  C:\Windows\System\OAUJTME.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\LcFjjlf.exe
  C:\Windows\System\LcFjjlf.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\qZKfDjA.exe
  C:\Windows\System\qZKfDjA.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\xeeFdcK.exe
  C:\Windows\System\xeeFdcK.exe
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\System\KJQxfBX.exe
  C:\Windows\System\KJQxfBX.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System\lmXjgip.exe
  C:\Windows\System\lmXjgip.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\rcnvBuC.exe
  C:\Windows\System\rcnvBuC.exe
  2⤵
  - Executes dropped EXE
  PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CulpRoX.exe

Filesize
5.9MB

MD5
1507cb440086891c82dd289e1072825a

SHA1
0f8ec2b3cd0f2c02920af175229eb79ed58b3197

SHA256
31b681ef1a57dc70825172b38aa097912b6af50efb2d0f2b375afe180a1543f3

SHA512
4c28ba0e2b23d25e977735d44348ee9f3d8022d83763641c59ef7beee49dd58227f711c905f889e82bda38ecc6a92dff5e821b743507ef8f4e393f54d12a2894

Download Submit
C:\Windows\system\LcFjjlf.exe

Filesize
5.9MB

MD5
a8a16c96fc5fe98c53b42c38751fff0f

SHA1
b253b583b25f431ccae605f5343d8bdba916e67c

SHA256
096d7f006e93fa4135d688b80e209bfb17840b7356775a996f2433718e0580b3

SHA512
6105a19853655aeae715338befe5a5e1c2fa80bd6a5af316091a537ad8adc489bf9fa17488f8a2eee416b6b5b9f623d534f05ab13121224b8b0cfe3f9151e542

Download Submit
C:\Windows\system\TekStts.exe

Filesize
5.9MB

MD5
50bacb4dcd3ce3c401f92e0a08a2facc

SHA1
9f30d499a92a41d1275f38f1eae02913917b5023

SHA256
5379ab893258d88dfbfa96fabe79a3fa31766395eca0b52475cee1f5c538e644

SHA512
516c8623b31c976fe303753249e30d9e2ab0b41e0537c5472308ea158d59a0945b4d8c38ac76d7331f959e4acc258b7cfbf95f087acfa721d30fb31ab099e567

Download Submit
C:\Windows\system\YpwNqvd.exe

Filesize
5.9MB

MD5
f88ee1966b7abdfdd355cf3b1103baf4

SHA1
7098673e540499f1295d0fb291885e657b881774

SHA256
ef4f772a5d4e39cc3d1cf6309e8f1ac702bd150c11c7b6ceeab84d1668470223

SHA512
f62c459fa7f9efbef4f719bfecf148b564de52aed90ef6e6f915ee4e3b48d3fed26c78fa3eb7262b0fa8aa8c2d40c1ce0e765b996e98bb83244b101efb1a6c92

Download Submit
C:\Windows\system\lmXjgip.exe

Filesize
5.9MB

MD5
ade61fe7f5cf9c366723389dfeed1658

SHA1
24e35097518400222df58ed967a38ecb07c42f40

SHA256
3c915ae6e450793c767dbd13db1778280f86c063da61772c072a7b9a95bffe88

SHA512
1d7ed4c46b05901b2e16cfa992b9260ed415e6ee5d0a66e51552d678d686a92d2488d3bf5a39a33ed059e8ab136a8f37970dd22964ead06e18db5a76917a8bae

Download Submit
C:\Windows\system\nRCSwSp.exe

Filesize
5.9MB

MD5
abaaadeb577e7228e3f6d9d08ba6d67b

SHA1
91e56f89e117d443ff1cec984a9be28a1495eacc

SHA256
f9deca587a0f8a2c7cf999334687ce88916be899161cf19dcd83cb9a8710b7e6

SHA512
60ed82ffa8e643a3bc632ee2d20ab069a9fe76a588432d3a6fff2f8bcd5027b54c1b114b0301071ba458eb090c43dccf032fbac68826c2ad0ec44b63f3e37b04

Download Submit
C:\Windows\system\qZKfDjA.exe

Filesize
5.9MB

MD5
2aee9922cb20dbb8bf9dacc28ebac99d

SHA1
a796341b2876cffe95b6bc9029f77dfb089f0543

SHA256
f49a9984ad3c3c5e4f5efabe984a5b077c02a013cc0a9b1413694fc68f96e734

SHA512
3efefa571160209f10b029ae029d4438891118deb190e132116c5a4c64dada5afa796a92237c9c84f9cec8277017d72c614b850f83de2037122cb32311b3da40

Download Submit
C:\Windows\system\rcnvBuC.exe

Filesize
5.9MB

MD5
6155add31e2340b06bec8b50c85a4972

SHA1
4a1762fbc632e5f8b6e65c1d84087a71a102c5fe

SHA256
cd1b65d147cd07c6ef18300323f70904418a93401ca8a7c2b5fbbd8843d5828b

SHA512
5e9b35f8595df42565ac7218237ee8ec90693d9d77a23ed8da9840920d200f9391b414e4f6fad37663172da60083780410c82e55237f604ebd61c890376e6846

Download Submit
C:\Windows\system\rrqZtus.exe

Filesize
5.9MB

MD5
e7ba8a5b47b01706bff5c0c8ee698c66

SHA1
cb8b18824e76b4f8dd376e9e677d98b4bf9901dc

SHA256
16cb9149db6e718d060b3c586c9701ae3c13af755a7bc770539be41132cbf0ae

SHA512
3d49e981f50d7c3164792e7ec31119d5e8751243998fef0788fdc2f69da89a5f6de13913f45749a032cd12bbd15050aab875c64290e6ca60dde2c364d96f1038

Download Submit
C:\Windows\system\xeeFdcK.exe

Filesize
5.9MB

MD5
3fe60a864a3070ccebd44fba0cadfffe

SHA1
d5335030664a41a653a5ead530d5f6fb618e4a8b

SHA256
018d461c30224bf74475976d7dc27bcbbece166d3e66e6a11a8728a624de9d9b

SHA512
691ef5e547df395651df9ca13976764edb12a25ec6be296616360712b1b9d18275fb8731dbdfbfccd4877477f1992bbe5a27090aad5aa469d2cc39ed040a603a

Download Submit
\Windows\system\KJQxfBX.exe

Filesize
5.9MB

MD5
846489f1092fc18c26b69e4484755562

SHA1
bc23159da14e385a186d1f07509cb95627e1efdf

SHA256
226a5998f559d7ee607c9b6941447389ed5df919858a02fee6edbaedbfbcd224

SHA512
e731039723baf7286243bd0ebcc73cadf1c68ffebd86c36eef4503ceb5f55a577e11047043a037fbc7a2c6f0622352a001b226d4b381662540aee150a5f9d593

Download Submit
\Windows\system\OAUJTME.exe

Filesize
5.9MB

MD5
95cf2eab1180b7b7e8093b7cf8937191

SHA1
c278a880c69a264291e6836d4839bdb9d3e0f70a

SHA256
9363a33641b7684e139b9419a28df141f00819a1a393edcbc4fbb8111c72765a

SHA512
cec6480a82b8b350c4d245555798caa9203be277614ff1f56c4f06a7034440d9001cdc81107f357265d14744dff27dbf8176ed420b4e20fae0390955c5124caa

Download Submit
\Windows\system\QZUWHSS.exe

Filesize
5.9MB

MD5
fa8016ae588cd9b18c33e04f8f84e0d2

SHA1
0d6c7d4f9343907dc259325d02c75ec7b4cf9110

SHA256
7d60badbed7387d9b1693758666fb0dc0cdc285b1cd3bb24cf7d3abf454ebfcd

SHA512
fd9539085018dff6ad7823e3f2f87476cc6999420a34ec94a143045641b17e7e29085fc347c784a32d0a9b16bbfd3e8cb941adc00ff7d4129c109ce634a73040

Download Submit
\Windows\system\RblfDVc.exe

Filesize
5.9MB

MD5
336f4065171d218069b95cfd10f7b62e

SHA1
5ae3662ced1ebea644017f8c4ac7ee80e36b27d7

SHA256
2acd9820745e9742e6ded9625bbe5c231c33d7082be3124ee1eb57f51eb5e4e8

SHA512
ef393d2e1244b79bb61b6f45022b6d15c610a50dd8393290c96db38f0f9872adede5664a5ae79fadff16f5ec321a666ea6e1564405c47b5a561c81f861c4b993

Download Submit
\Windows\system\SJVcSyg.exe

Filesize
5.9MB

MD5
59ab2097497cd9fb65e193010aef402b

SHA1
149d8546a0f047efdb5837eb21b76a8134ec272f

SHA256
9bc564c3c80684147d91f1361d77f996425e2569c7dc820411e864b9e7106214

SHA512
ac02aa1a2a215ad7ce979ceb08238c5a46f602062b57f86df6c598abf783e5c04b21d8e345cfa2575157841ed4d1dc31abe072c3dfa473256d1e15eb568d565c

Download Submit
\Windows\system\bBiVbwx.exe

Filesize
5.9MB

MD5
215e42b083c4e448cecd11b3ca00daa7

SHA1
2a93bf35994c80233b83684d97527530038d2384

SHA256
068288b620a738a3e65ec0677084ef87d9df231f68ab0ce1439b5bc8ca4edb4e

SHA512
38d24587f1f0b8b47f8a60f8bc5926d16973c244b38ff565787f37a4e6fbe3f8ce59710992fc757d651de55e7c54801d1546566e375e0481f86422d413c253b0

Download Submit
\Windows\system\gdwqpgN.exe

Filesize
5.9MB

MD5
ec9f12562dbdbc8bddcfa1877bb8426c

SHA1
ae815a8b204213b92bdc9b2c515617c13a8805ce

SHA256
6f4371ef2eb798d39b84efe5c6ec7180d3d8adb24a37a31b212f981e3559d078

SHA512
4f26eae23f0f4bf365544c2d0383077751587b8eb72d8d47fe8c0712597cbd9e881fbc09f81701a8bbea89e00e0b5c6561d9df1459b317cfe3b21b89e8d44f70

Download Submit
\Windows\system\hilekFY.exe

Filesize
5.9MB

MD5
7b4736cbde479bf4568888e035e32625

SHA1
db2b87d0820bef7b65a544d14a7c822fb9db393b

SHA256
f2c64cdb9f4813941a05be6c0a7b97172babea0fce553c3ecddf12d4b3fc69fe

SHA512
e7f1ff32c09a9e06a44652db563c9ec48f7613d8e2f322dae3478f0e3d5fc37142ed25a3e947054f0b575f74383d6edc8ead4e49203df4bd065ed4385b86faad

Download Submit
\Windows\system\jvQxwEK.exe

Filesize
5.9MB

MD5
f71a3cce15b821cc5f2e847a6edcc56b

SHA1
372b8ecda31b27e94fcab1e73657ef6d8c81f67e

SHA256
b6c5a4b12d11104317b0d8df62f4af9aa61c2db02cad25c2912432da22e6e2d3

SHA512
0e6a8a55c67b583cf4851b47673ccb0873dfadaf376970696ff678bdb1113e47360d271e51ed2050f87a6ea622866ea512009942d57492870ba0fcec1c47de9a

Download Submit
\Windows\system\qmLEylZ.exe

Filesize
5.9MB

MD5
e5f30c4046e37fc3cf603ca9c9edb54d

SHA1
2692638f3e2cfddc7c3805261d1626f44042bd32

SHA256
2b59227ab3e60c7c7f21bf8e48b412845cd47e4f826f81235212217644d56510

SHA512
9e338f1129f12aff92832394aa67f1b530678d515d8538474d4afa7ccd52d471642592cc4c9711e07d0f20bc1570674540dfcc2a12c2a367d1dfb8fa9a6e8344

Download Submit
\Windows\system\xbLkiNZ.exe

Filesize
5.9MB

MD5
61d67de1638d7ea411458f3498cadf13

SHA1
def0d4b887887b5d1ee6c9031eae86dd3baf488e

SHA256
8da47192788feca6f395f1ba157109b60cb0ce2d1a49459d4408946eeded1436

SHA512
51bf0041f47c3d1bbdb0c9aa5a626abb29d4db9a6135ddabfa09e2ccdefe955dfe40acb0423d21cb7d1e08ccb31f9e4aaf2e55de07c16bc7cb7362019a4fc41f

Download Submit
memory/1008-139-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/1008-13-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/1008-85-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/1008-140-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-40-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-0-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1008-138-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1008-41-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/1008-2-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-84-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-36-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/1008-100-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-39-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-6-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/1008-20-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/1008-27-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/1008-87-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/1228-89-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/1228-151-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/1412-122-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/1412-154-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2056-11-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2056-49-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2056-142-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2424-59-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-143-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-15-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2488-45-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2488-147-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2488-137-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2496-149-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2496-60-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2524-152-0x000000013F3C0000-0x000000013F714000-memory.dmp

Filesize
3.3MB

Download
memory/2524-86-0x000000013F3C0000-0x000000013F714000-memory.dmp

Filesize
3.3MB

Download
memory/2568-106-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-155-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-141-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-146-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2572-23-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2572-66-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/2580-53-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2580-148-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2720-153-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2720-88-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2740-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2740-37-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2756-144-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2756-82-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2756-29-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/3016-150-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/3016-67-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download