cobaltstrike | 3148240785e61a6511717a76db1320fd4181865a0a5e4047aea73f430d33bd33

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

bd2501406eadb7d2df65bd23bb783b2f
SHA1

f60652171dbf597722ab980557aa8a9c6883bc5e
SHA256

3148240785e61a6511717a76db1320fd4181865a0a5e4047aea73f430d33bd33
SHA512

62835e6b7273028d91411695d8b0894d5fb0fd741ad9b07433f283e5d74d684c96f45c3fdb5cb557f083eea90772fd778da8b411d8ed585c92e9f9c431c2166f
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUa:Q+856utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c00000001227b-3.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000015d02-7.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d89-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016020-38.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3e-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d46-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016fa9-132.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001708c-135.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d7d-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d79-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d73-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d5f-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d57-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-97.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000015d13-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-69.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d2d-60.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016126-47.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001640f-54.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015fbb-33.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d99-26.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001227b-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0036000000015d02-7.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d89-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016020-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3e-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d46-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016fa9-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001708c-135.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d7d-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d79-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d73-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d5f-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d57-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4f-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0036000000015d13-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000016d2d-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016126-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000900000001640f-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015fbb-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d99-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 63 IoCs

resource	yara_rule
behavioral1/memory/2124-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	UPX
behavioral1/files/0x000c00000001227b-3.dat	UPX
behavioral1/files/0x0036000000015d02-7.dat	UPX
behavioral1/files/0x0008000000015d89-15.dat	UPX
behavioral1/memory/2820-14-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/3032-12-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2596-22-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/files/0x0007000000016020-38.dat	UPX
behavioral1/memory/2680-56-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2820-70-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d3e-82.dat	UPX
behavioral1/files/0x0006000000016d46-88.dat	UPX
behavioral1/memory/2868-92-0x000000013F720000-0x000000013FA74000-memory.dmp	UPX
behavioral1/files/0x0006000000016fa9-132.dat	UPX
behavioral1/files/0x000600000001708c-135.dat	UPX
behavioral1/files/0x0006000000016d7d-127.dat	UPX
behavioral1/files/0x0006000000016d79-122.dat	UPX
behavioral1/files/0x0006000000016d73-117.dat	UPX
behavioral1/files/0x0006000000016d5f-112.dat	UPX
behavioral1/memory/2904-107-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d57-105.dat	UPX
behavioral1/memory/2544-101-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2692-99-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4f-97.dat	UPX
behavioral1/memory/2680-139-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2836-86-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2596-84-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/1796-78-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/files/0x0036000000015d13-75.dat	UPX
behavioral1/memory/2516-71-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/files/0x0006000000016d36-69.dat	UPX
behavioral1/memory/3032-66-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2672-140-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
behavioral1/memory/2672-62-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
behavioral1/memory/2124-61-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	UPX
behavioral1/files/0x0008000000016d2d-60.dat	UPX
behavioral1/memory/2812-50-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/files/0x0007000000016126-47.dat	UPX
behavioral1/files/0x000900000001640f-54.dat	UPX
behavioral1/memory/2904-41-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/memory/2692-35-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/files/0x0007000000015fbb-33.dat	UPX
behavioral1/memory/2696-29-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/files/0x0008000000015d99-26.dat	UPX
behavioral1/memory/2516-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/1796-142-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2836-144-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2868-146-0x000000013F720000-0x000000013FA74000-memory.dmp	UPX
behavioral1/memory/2544-148-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/3032-149-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2820-150-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2596-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2696-152-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/memory/2692-153-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/memory/2904-154-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/memory/2812-155-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/2680-156-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2672-157-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
behavioral1/memory/2516-158-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/1796-159-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2836-160-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2868-161-0x000000013F720000-0x000000013FA74000-memory.dmp	UPX
behavioral1/memory/2544-162-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2124-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/files/0x000c00000001227b-3.dat	xmrig
behavioral1/files/0x0036000000015d02-7.dat	xmrig
behavioral1/files/0x0008000000015d89-15.dat	xmrig
behavioral1/memory/2820-14-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/3032-12-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2596-22-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/files/0x0007000000016020-38.dat	xmrig
behavioral1/memory/2680-56-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2820-70-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d3e-82.dat	xmrig
behavioral1/files/0x0006000000016d46-88.dat	xmrig
behavioral1/memory/2868-92-0x000000013F720000-0x000000013FA74000-memory.dmp	xmrig
behavioral1/files/0x0006000000016fa9-132.dat	xmrig
behavioral1/files/0x000600000001708c-135.dat	xmrig
behavioral1/files/0x0006000000016d7d-127.dat	xmrig
behavioral1/files/0x0006000000016d79-122.dat	xmrig
behavioral1/files/0x0006000000016d73-117.dat	xmrig
behavioral1/files/0x0006000000016d5f-112.dat	xmrig
behavioral1/memory/2904-107-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d57-105.dat	xmrig
behavioral1/memory/2544-101-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2692-99-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4f-97.dat	xmrig
behavioral1/memory/2680-139-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2836-86-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2124-85-0x00000000022E0000-0x0000000002634000-memory.dmp	xmrig
behavioral1/memory/2596-84-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/1796-78-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/files/0x0036000000015d13-75.dat	xmrig
behavioral1/memory/2516-71-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d36-69.dat	xmrig
behavioral1/memory/3032-66-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2672-140-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2672-62-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2124-61-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d2d-60.dat	xmrig
behavioral1/memory/2812-50-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016126-47.dat	xmrig
behavioral1/files/0x000900000001640f-54.dat	xmrig
behavioral1/memory/2904-41-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/2692-35-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/files/0x0007000000015fbb-33.dat	xmrig
behavioral1/memory/2696-29-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d99-26.dat	xmrig
behavioral1/memory/2516-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/1796-142-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2836-144-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2868-146-0x000000013F720000-0x000000013FA74000-memory.dmp	xmrig
behavioral1/memory/2124-147-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2544-148-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/3032-149-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2820-150-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2596-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2696-152-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/2692-153-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/memory/2904-154-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/2812-155-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2680-156-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2672-157-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2516-158-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/1796-159-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2836-160-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2868-161-0x000000013F720000-0x000000013FA74000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3032	iAMCHJR.exe
2820	cvuIwYU.exe
2596	mnfmnFn.exe
2696	yhfubUm.exe
2692	SIwYrhs.exe
2904	ClsiwuQ.exe
2812	MvfUxoZ.exe
2680	wSLNZkC.exe
2672	WoECASI.exe
2516	hLwzFDt.exe
1796	mNDRuky.exe
2836	kcoXUVf.exe
2868	IQLEwRo.exe
2544	XvKitwP.exe
1312	RsAItqw.exe
1236	uMccuqF.exe
1680	iJSzsMV.exe
1652	tPRcJiW.exe
1740	YvTxsFM.exe
2760	PQSKlCZ.exe
2564	BRexmJe.exe

Loads dropped DLL 21 IoCs

pid	Process
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/files/0x000c00000001227b-3.dat	upx
behavioral1/files/0x0036000000015d02-7.dat	upx
behavioral1/files/0x0008000000015d89-15.dat	upx
behavioral1/memory/2820-14-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/3032-12-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2596-22-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/files/0x0007000000016020-38.dat	upx
behavioral1/memory/2680-56-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2820-70-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-82.dat	upx
behavioral1/files/0x0006000000016d46-88.dat	upx
behavioral1/memory/2868-92-0x000000013F720000-0x000000013FA74000-memory.dmp	upx
behavioral1/files/0x0006000000016fa9-132.dat	upx
behavioral1/files/0x000600000001708c-135.dat	upx
behavioral1/files/0x0006000000016d7d-127.dat	upx
behavioral1/files/0x0006000000016d79-122.dat	upx
behavioral1/files/0x0006000000016d73-117.dat	upx
behavioral1/files/0x0006000000016d5f-112.dat	upx
behavioral1/memory/2904-107-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/files/0x0006000000016d57-105.dat	upx
behavioral1/memory/2544-101-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2692-99-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/files/0x0006000000016d4f-97.dat	upx
behavioral1/memory/2680-139-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2836-86-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2596-84-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/1796-78-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/files/0x0036000000015d13-75.dat	upx
behavioral1/memory/2516-71-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/files/0x0006000000016d36-69.dat	upx
behavioral1/memory/3032-66-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2672-140-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2672-62-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2124-61-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/files/0x0008000000016d2d-60.dat	upx
behavioral1/memory/2812-50-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/files/0x0007000000016126-47.dat	upx
behavioral1/files/0x000900000001640f-54.dat	upx
behavioral1/memory/2904-41-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/memory/2692-35-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/files/0x0007000000015fbb-33.dat	upx
behavioral1/memory/2696-29-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x0008000000015d99-26.dat	upx
behavioral1/memory/2516-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/1796-142-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2836-144-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2868-146-0x000000013F720000-0x000000013FA74000-memory.dmp	upx
behavioral1/memory/2544-148-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/3032-149-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2820-150-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2596-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2696-152-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/2692-153-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/memory/2904-154-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/memory/2812-155-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2680-156-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2672-157-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2516-158-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/1796-159-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2836-160-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2868-161-0x000000013F720000-0x000000013FA74000-memory.dmp	upx
behavioral1/memory/2544-162-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WoECASI.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hLwzFDt.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mNDRuky.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kcoXUVf.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PQSKlCZ.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ClsiwuQ.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wSLNZkC.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tPRcJiW.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mnfmnFn.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IQLEwRo.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iJSzsMV.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YvTxsFM.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iAMCHJR.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XvKitwP.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SIwYrhs.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MvfUxoZ.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RsAItqw.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uMccuqF.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BRexmJe.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cvuIwYU.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yhfubUm.exe	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3032	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	29
PID 2124 wrote to memory of 3032	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	29
PID 2124 wrote to memory of 3032	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	29
PID 2124 wrote to memory of 2820	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	30
PID 2124 wrote to memory of 2820	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	30
PID 2124 wrote to memory of 2820	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	30
PID 2124 wrote to memory of 2596	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	31
PID 2124 wrote to memory of 2596	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	31
PID 2124 wrote to memory of 2596	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	31
PID 2124 wrote to memory of 2696	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	32
PID 2124 wrote to memory of 2696	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	32
PID 2124 wrote to memory of 2696	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	32
PID 2124 wrote to memory of 2692	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	33
PID 2124 wrote to memory of 2692	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	33
PID 2124 wrote to memory of 2692	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	33
PID 2124 wrote to memory of 2904	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	34
PID 2124 wrote to memory of 2904	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	34
PID 2124 wrote to memory of 2904	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	34
PID 2124 wrote to memory of 2812	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	35
PID 2124 wrote to memory of 2812	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	35
PID 2124 wrote to memory of 2812	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	35
PID 2124 wrote to memory of 2680	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	36
PID 2124 wrote to memory of 2680	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	36
PID 2124 wrote to memory of 2680	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	36
PID 2124 wrote to memory of 2672	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	37
PID 2124 wrote to memory of 2672	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	37
PID 2124 wrote to memory of 2672	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	37
PID 2124 wrote to memory of 2516	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	38
PID 2124 wrote to memory of 2516	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	38
PID 2124 wrote to memory of 2516	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	38
PID 2124 wrote to memory of 1796	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	39
PID 2124 wrote to memory of 1796	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	39
PID 2124 wrote to memory of 1796	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	39
PID 2124 wrote to memory of 2836	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	40
PID 2124 wrote to memory of 2836	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	40
PID 2124 wrote to memory of 2836	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	40
PID 2124 wrote to memory of 2868	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	41
PID 2124 wrote to memory of 2868	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	41
PID 2124 wrote to memory of 2868	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	41
PID 2124 wrote to memory of 2544	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	42
PID 2124 wrote to memory of 2544	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	42
PID 2124 wrote to memory of 2544	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	42
PID 2124 wrote to memory of 1312	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	43
PID 2124 wrote to memory of 1312	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	43
PID 2124 wrote to memory of 1312	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	43
PID 2124 wrote to memory of 1236	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	44
PID 2124 wrote to memory of 1236	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	44
PID 2124 wrote to memory of 1236	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	44
PID 2124 wrote to memory of 1680	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	45
PID 2124 wrote to memory of 1680	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	45
PID 2124 wrote to memory of 1680	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	45
PID 2124 wrote to memory of 1652	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	46
PID 2124 wrote to memory of 1652	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	46
PID 2124 wrote to memory of 1652	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	46
PID 2124 wrote to memory of 1740	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	47
PID 2124 wrote to memory of 1740	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	47
PID 2124 wrote to memory of 1740	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	47
PID 2124 wrote to memory of 2760	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	48
PID 2124 wrote to memory of 2760	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	48
PID 2124 wrote to memory of 2760	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	48
PID 2124 wrote to memory of 2564	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	49
PID 2124 wrote to memory of 2564	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	49
PID 2124 wrote to memory of 2564	2124	2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_bd2501406eadb7d2df65bd23bb783b2f_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System\iAMCHJR.exe
  C:\Windows\System\iAMCHJR.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\cvuIwYU.exe
  C:\Windows\System\cvuIwYU.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\mnfmnFn.exe
  C:\Windows\System\mnfmnFn.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\yhfubUm.exe
  C:\Windows\System\yhfubUm.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\SIwYrhs.exe
  C:\Windows\System\SIwYrhs.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\ClsiwuQ.exe
  C:\Windows\System\ClsiwuQ.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\MvfUxoZ.exe
  C:\Windows\System\MvfUxoZ.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\wSLNZkC.exe
  C:\Windows\System\wSLNZkC.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\WoECASI.exe
  C:\Windows\System\WoECASI.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\hLwzFDt.exe
  C:\Windows\System\hLwzFDt.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\mNDRuky.exe
  C:\Windows\System\mNDRuky.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\kcoXUVf.exe
  C:\Windows\System\kcoXUVf.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\IQLEwRo.exe
  C:\Windows\System\IQLEwRo.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\XvKitwP.exe
  C:\Windows\System\XvKitwP.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\RsAItqw.exe
  C:\Windows\System\RsAItqw.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\uMccuqF.exe
  C:\Windows\System\uMccuqF.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\iJSzsMV.exe
  C:\Windows\System\iJSzsMV.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\tPRcJiW.exe
  C:\Windows\System\tPRcJiW.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\YvTxsFM.exe
  C:\Windows\System\YvTxsFM.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\PQSKlCZ.exe
  C:\Windows\System\PQSKlCZ.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\BRexmJe.exe
  C:\Windows\System\BRexmJe.exe
  2⤵
  - Executes dropped EXE
  PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ClsiwuQ.exe

Filesize
5.9MB

MD5
c8376409caa2f3ba7a9ee23e023bef7d

SHA1
1f64c8d65343a4d932455921080dd70f5dea1b91

SHA256
8251be57d3435b18c346e8524f6a0529ae1f367b1e5be95fddc1d6690d0b2733

SHA512
44c57ab9ce6a6ef5cfef0dde57b9343cbd3ff1f3fc60bc9c9e1b474b3406f4fd613d4a8b13ca190bcc972cacf0aaa990016ca2b44c032bd91ea64e81de933881

Download Submit
C:\Windows\system\MvfUxoZ.exe

Filesize
5.9MB

MD5
c84a384fa7a6528bc94985721aa8eebf

SHA1
9509c8a3d945eedd8b7f50ca756df14281fcffbd

SHA256
d15db59575712cb2810b0b0897ce751d205d860ea4b616238289ea257f53101f

SHA512
787ca90b4741f2c814e1fec484a10007066523286fa92a868f539818db3e62a6e325990bff18372ce049a9f6d010ef0841beb9d8d7a76238f07ae4e7e024c2e2

Download Submit
C:\Windows\system\PQSKlCZ.exe

Filesize
5.9MB

MD5
1ec1eae26a6edc0339615a5a4fcb41dd

SHA1
58d0d232a03afe6a5245456b8dad12cdb1bca0f8

SHA256
1ac1af35fed002ab44da5fe5f834abbb7c77a580127f7416ef971cb51a7b9987

SHA512
f90f77e9b17bd040b8f34926414d125c7859b422405f39a50c655a065465df7eb91c6003442d8cc1a7be4dc41e6024bda3041e04f9b66973b59181af7f19c3e0

Download Submit
C:\Windows\system\RsAItqw.exe

Filesize
5.9MB

MD5
e3636d771a93e6135c41c94965fa3813

SHA1
2d68e2a4f703ea0687a644bb2328d0a3a04c6017

SHA256
27e7701fc057d682a8b20da432e2d4dad00312dcd939eef340aad43ea097e014

SHA512
8f23961e1980c94b8bcdc69093372a0df24648a44b71a909858e526db29c2014822aa29bc64c044b19882377ee9e808894a9cc87a33360c94f3e4c3e841b6101

Download Submit
C:\Windows\system\SIwYrhs.exe

Filesize
5.9MB

MD5
c43749484f5f46cfdf1dcf10cb257ffb

SHA1
47510a9a2a9056cf7115076bbe0c0cba6d16dfe8

SHA256
2742750985308f035e395e4513e40bcc0281a6e3337a0a9faf8050caf76063ac

SHA512
22108512f1782166ca2c4807a75d13174a3b5f92987dc726959c6fba9ec55dbce91c640d0b263df41dbe8188e7f0e0260c007a1a03406ed59633279800681e9f

Download Submit
C:\Windows\system\WoECASI.exe

Filesize
5.9MB

MD5
02685000e9d785182d4eadf5d3d7962e

SHA1
b255cef713fe58eb9a95a86ea68c82f0c9665005

SHA256
a97f2ffd8bae669d20b58516a173a1ca66703a98f5d73bc7c5cf7521675da84f

SHA512
1705d6b69b5f6a6abe132208fba14a84453142da13f8ee3946b70f24e6a333dee61115b582f276bd04622ad40c85d7c39c14e14e19ba1f2619c5e246eac81946

Download Submit
C:\Windows\system\XvKitwP.exe

Filesize
5.9MB

MD5
dd11c604ce9be93e7cb62874f87da3f4

SHA1
1f8cf2d1f92543921a279e677bc1586c82656631

SHA256
1dd085ef42995209363a602c808de0cb93ced926b689cb2661c9daba37e2dbf5

SHA512
3ffb4d2688db037dbde17b9c8178f4e4cebcaca73a2a99be6d44d16288a3a81400c819f3a142e038b33a0a41ceaf6cafa8d35376eca94190bb811b177faef3a5

Download Submit
C:\Windows\system\YvTxsFM.exe

Filesize
5.9MB

MD5
8762f130a01ac34309f26249f052f335

SHA1
65ee8f70f6e52b7775659e18f4cf7cbee58cbec4

SHA256
af51c85e688af0cf9a05ba5265f3f0e38b9f9070e09b50e0dd831f4e6d41be82

SHA512
b448d87a0e9eae89e24e7d9f53016d65f9e25a4765d2c13270d02e78e454448ba239912e716d761b727b3b0c79b3e4aa7b3477cbae32e253b008c252f50a9ee6

Download Submit
C:\Windows\system\hLwzFDt.exe

Filesize
5.9MB

MD5
1246c6abcd9d649ba8d1b3f1832321a1

SHA1
9d7ba0df6831d7a158943f462b26946bab0bea22

SHA256
63fe1efb7811a77fedbbd132aee1ce42d90c7154c08a0e89c15633afe703bc5d

SHA512
25a4af8e9f222d705c77fced471f2b98ba9dd344768942b4aac6c671ce6d48ccb81d061b6d49227d376b99f819da587ba22c19e9345f4f43dfdde9af4736fbf3

Download Submit
C:\Windows\system\iJSzsMV.exe

Filesize
5.9MB

MD5
5edbdc24ba174c281e31d3aee38f3274

SHA1
d1ce416391bdd3b07e186009a18ded34b68c769d

SHA256
cf3977288ab232f2013823998654b9413eeb54ad59fd0ba5bdf48ef1df19b80e

SHA512
9f6b673cef7640d9aad40e1bf225ad96f7b134ad607c7a9bd850e94feabb54ae2f79bf7b718e06f8df43227066d9d228db7706cf3fe993e001b758d7035b3307

Download Submit
C:\Windows\system\kcoXUVf.exe

Filesize
5.9MB

MD5
b62488860b120cb896b78f7d8fcc3092

SHA1
d093d090a3d7b428a19ccbc087caf3759017adbb

SHA256
b61ba83921aa8fbba14d421746b422eccda5e8e531348bc6526b636e5f839581

SHA512
558b622cb6ce9a54d3d0f0d4bd433f62fca37a249d6884289e82945750cc7d7d100a9e88565806d86ccbaaae187b88b95154d32ba2aec79741d5b1f7aa126803

Download Submit
C:\Windows\system\mNDRuky.exe

Filesize
5.9MB

MD5
bd598772844bafb118f194e919017770

SHA1
8754d511432ca968f7446d9b5b2bcefd7571b0f0

SHA256
915acc591a5433f71451a792079e1f39c6e509dbd5559a3ccb25dedd91ce02e2

SHA512
37cd5f83dc019fda3fb27c0a42fa56c3038c0275acd3ca482470377603f7f77354737d49c59ef76d77686e2aff6ad2cbffc1cb91a9a8ab5a269caa7a0472c48f

Download Submit
C:\Windows\system\tPRcJiW.exe

Filesize
5.9MB

MD5
7aee416578af9fb3de68703ade5346da

SHA1
ef37445ddb50359998164a6b94390ac3f7276908

SHA256
f58197e3706a3d1948d98be881f5f2c4dc0677ea666933c947ae30cb3646ebd1

SHA512
adbba8e9107d68083bd49911bfaef3ce777fb881edfd5828545e1876052985542ce8b3d6acc3674ae2ff27daa3e8d613422e0a66508286d2a4ec7b38be707c24

Download Submit
C:\Windows\system\uMccuqF.exe

Filesize
5.9MB

MD5
953ad39eb7f5d470a5575f117787e5c0

SHA1
cf7a138dc5f405c4a4ba0505fcae6ee905c771c3

SHA256
dd36cf84e7eddcbc15f7ed04558276e26ad6083481d746e95e1500e94c68fb7c

SHA512
9bbf045270778deed7ad7d0ebc6723f95f0d8e8ba70cc485c6546109b6358bf4503bcc33c411f5cbd899d6bd1b36fcba85a4831bcdc66360122783b13df2af0b

Download Submit
C:\Windows\system\wSLNZkC.exe

Filesize
5.9MB

MD5
272a5e32e8ba7fa360db48251939be52

SHA1
26b4b4080947b4bada38dd1edc26c8d3c7dcb326

SHA256
646a3c07b05db4771fb20f7c60d1fbf0cc9a26b74755fa2ca4c1f8908b04e9e2

SHA512
c8ec15f43c2c423a15939088c4ff1619d70e0d35a2d0804cc708a62c177ae50f73c18868e95c617dde3628937d63dfe32c8ba6f8ec7cde162421e8039d05eba7

Download Submit
C:\Windows\system\yhfubUm.exe

Filesize
5.9MB

MD5
9ccbd80f7fcc9bcc05674d6ac32f0b72

SHA1
1a463ae33cd56540c4e5d755b3d5edaf31c9a61d

SHA256
508152efb87fc6f0611ecdbcb89826e62188952c1679d46033f6aa06c444f42a

SHA512
a32d4232fd45106c2f53c016cea06581111564d6674ade1aca30c67ff0b124831ca16eb056d2ad3737fc091f8ef8932de1a4ce08a6bddd7fe5218e311148041b

Download Submit
\Windows\system\BRexmJe.exe

Filesize
5.9MB

MD5
6551371d46d3f6d14d626db67930ea47

SHA1
949744b2bd7083d18ef6d90bb6655c125dcce5ac

SHA256
bd9c7b00c88e0e5939c477578ea98a8e19c32bfa4e13032b52ec9fdfb07d05a3

SHA512
5cf8c96f51b99e13983ef601cba3745e983b2bde584910a615154f061c8d429aa58f8c34d320a2a958cb7932e844ca30da59c346655bca5847df6cac064d043b

Download Submit
\Windows\system\IQLEwRo.exe

Filesize
5.9MB

MD5
14a2c8c9a862b273fd2727092bec94f9

SHA1
6a6c8ebc5139300610e0e1c895307b85e0aa9ccb

SHA256
383d177bfb6c4bfb9b0fd7e9bd390a11b29c3cd8e76870646b7166bde0215776

SHA512
b6ab59f60ebf2cfb23f44da388b883ea10cd788ca161354bff3a5bb4003fa220e5dd2cae6e12f7405511103fad78ca9b5c51b095ef071e94e37db819628208fd

Download Submit
\Windows\system\cvuIwYU.exe

Filesize
5.9MB

MD5
52682b964991acd60b008fbe70a68055

SHA1
10efba6710e000587cd4f4f7a8b4b09f6eca74d9

SHA256
9e268e9d082ea6ebc29acb868ea8df240028fe12c8401b36e5c51be338acc455

SHA512
e172f895972a8e2c56b9e620e2b78b8aa56f5faa238ec3b54e6e27cf6f3b0c9d729549db43e908e164f2f48554163d4de5485db65349e451d9bef600d4c78030

Download Submit
\Windows\system\iAMCHJR.exe

Filesize
5.9MB

MD5
f51b02ef5e5c853d2207a4ff79b4512e

SHA1
4374ee0367c68afedeeb68e53d95b5511df36b51

SHA256
9effb10e88fd95707be8707e0f40c9682a0f06f52c1de0b6ddae0c133065f9c8

SHA512
87af53b612608d5782b19f20ae29734d3e841e5dcc84ea80ba9ba19e8eaf3ac52d46498dd75bd58bab48f7587b8f3a769104553128cc4a83f0cbf8934a3dcec1

Download Submit
\Windows\system\mnfmnFn.exe

Filesize
5.9MB

MD5
73a7695c0745670c6655ff28fc72cc84

SHA1
acfae8f5d06f8ffd37dc197a3c51484f8a66570c

SHA256
edb0b25a46666d6abf079835edb38de5cac64f2d06cb733d85a2db6e5243e2ac

SHA512
230e47cd0e980f592cfc3f23e984c2d5c68315cfadac67b3dafbdd5fe771709b636814d7fafd9057d26f833b4bed2a2c76386dfb0942d4dd2f67753395373a73

Download Submit
memory/1796-78-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1796-142-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1796-159-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2124-55-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2124-85-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2124-147-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2124-61-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2124-145-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/2124-100-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2124-143-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2124-40-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2124-20-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2124-91-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/2124-49-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2124-108-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2124-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2124-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2124-77-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2124-28-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2124-34-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2124-18-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2516-71-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2516-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2516-158-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2544-148-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2544-162-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2544-101-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2596-84-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2596-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2596-22-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2672-140-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2672-157-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2672-62-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2680-139-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2680-156-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2680-56-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2692-153-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2692-99-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2692-35-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2696-152-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-29-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-155-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-50-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-70-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-150-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-14-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-160-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-144-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-86-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-146-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/2868-92-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/2868-161-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/2904-154-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-107-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-41-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/3032-149-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/3032-66-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/3032-12-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download