cobaltstrike | 52d752e3cc30846183834db469e1a10fc0f6a4eadc2067beb56b2a1eb6bedfdb

Analysis

max time kernel
124s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

a0ed2bc68870deef7158d26cc205fe30
SHA1

02f128b87e20442f0c9607154c85b84519543d2c
SHA256

52d752e3cc30846183834db469e1a10fc0f6a4eadc2067beb56b2a1eb6bedfdb
SHA512

2e94ee73408be4f5f7fe1ee0a2c9f94a664c95db60090b761f37741f548c64eae762f59d3caff383f925a5bf1e698182b400db9895a30bfe9fde5b8bbdccdeb8
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUv:Q+856utgpPF8u/7v

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000014b6d-3.dat	cobalt_reflective_dll
behavioral1/files/0x002e000000015364-11.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001560a-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015a2d-22.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-82.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001868c-119.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186a0-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae2-132.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018698-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017090-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016e56-105.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001704f-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d84-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4a-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d41-59.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015c0d-46.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015e5b-50.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015a98-32.dat	cobalt_reflective_dll
behavioral1/files/0x000f0000000155d4-37.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014b6d-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002e000000015364-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000800000001560a-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015a2d-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000500000001868c-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00050000000186a0-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae2-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0005000000018698-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000017090-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016e56-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001704f-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d89-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d84-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4f-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4a-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d41-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015c0d-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015e5b-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015a98-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000f0000000155d4-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/1308-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/files/0x000b000000014b6d-3.dat	UPX
behavioral1/memory/2608-7-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/files/0x002e000000015364-11.dat	UPX
behavioral1/files/0x000800000001560a-10.dat	UPX
behavioral1/memory/2528-21-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/files/0x0007000000015a2d-22.dat	UPX
behavioral1/memory/2780-27-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2992-18-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/2740-39-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/memory/2704-33-0x000000013FAD0000-0x000000013FE24000-memory.dmp	UPX
behavioral1/memory/2608-52-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2596-54-0x000000013FA80000-0x000000013FDD4000-memory.dmp	UPX
behavioral1/memory/2544-68-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/files/0x0006000000016d55-82.dat	UPX
behavioral1/memory/2352-84-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/files/0x000500000001868c-119.dat	UPX
behavioral1/files/0x00050000000186a0-129.dat	UPX
behavioral1/files/0x0006000000018ae2-132.dat	UPX
behavioral1/files/0x0005000000018698-124.dat	UPX
behavioral1/memory/2596-136-0x000000013FA80000-0x000000013FDD4000-memory.dmp	UPX
behavioral1/files/0x0006000000017090-114.dat	UPX
behavioral1/files/0x0006000000016e56-105.dat	UPX
behavioral1/memory/2616-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/files/0x000600000001704f-109.dat	UPX
behavioral1/memory/2436-138-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/1608-93-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2648-99-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/2740-92-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/files/0x0006000000016d89-97.dat	UPX
behavioral1/files/0x0006000000016d84-90.dat	UPX
behavioral1/memory/1308-88-0x0000000002290000-0x00000000025E4000-memory.dmp	UPX
behavioral1/memory/2704-87-0x000000013FAD0000-0x000000013FE24000-memory.dmp	UPX
behavioral1/memory/3044-77-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2780-76-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4f-75.dat	UPX
behavioral1/memory/2544-140-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/memory/2528-72-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4a-66.dat	UPX
behavioral1/memory/2436-62-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d41-59.dat	UPX
behavioral1/memory/2616-47-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/files/0x0009000000015c0d-46.dat	UPX
behavioral1/memory/1308-45-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/files/0x0009000000015e5b-50.dat	UPX
behavioral1/files/0x0007000000015a98-32.dat	UPX
behavioral1/files/0x000f0000000155d4-37.dat	UPX
behavioral1/memory/3044-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2352-144-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/1608-145-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2648-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/2992-150-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/2608-149-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2780-151-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2704-152-0x000000013FAD0000-0x000000013FE24000-memory.dmp	UPX
behavioral1/memory/2740-153-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/memory/2616-154-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2596-155-0x000000013FA80000-0x000000013FDD4000-memory.dmp	UPX
behavioral1/memory/2436-156-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2544-157-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/memory/3044-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2352-159-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/1608-160-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2648-161-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/1308-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/files/0x000b000000014b6d-3.dat	xmrig
behavioral1/memory/2608-7-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x002e000000015364-11.dat	xmrig
behavioral1/files/0x000800000001560a-10.dat	xmrig
behavioral1/memory/2528-21-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015a2d-22.dat	xmrig
behavioral1/memory/2780-27-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/1308-19-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/2992-18-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2740-39-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/2704-33-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/2608-52-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2596-54-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2544-68-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d55-82.dat	xmrig
behavioral1/memory/2352-84-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x000500000001868c-119.dat	xmrig
behavioral1/files/0x00050000000186a0-129.dat	xmrig
behavioral1/files/0x0006000000018ae2-132.dat	xmrig
behavioral1/files/0x0005000000018698-124.dat	xmrig
behavioral1/memory/2596-136-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/files/0x0006000000017090-114.dat	xmrig
behavioral1/files/0x0006000000016e56-105.dat	xmrig
behavioral1/memory/2616-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/files/0x000600000001704f-109.dat	xmrig
behavioral1/memory/2436-138-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/1308-137-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/1608-93-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2648-99-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2740-92-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d89-97.dat	xmrig
behavioral1/files/0x0006000000016d84-90.dat	xmrig
behavioral1/memory/1308-88-0x0000000002290000-0x00000000025E4000-memory.dmp	xmrig
behavioral1/memory/2704-87-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/3044-77-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2780-76-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4f-75.dat	xmrig
behavioral1/memory/1308-73-0x0000000002290000-0x00000000025E4000-memory.dmp	xmrig
behavioral1/memory/2544-140-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/memory/2528-72-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4a-66.dat	xmrig
behavioral1/memory/2436-62-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d41-59.dat	xmrig
behavioral1/memory/2616-47-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/files/0x0009000000015c0d-46.dat	xmrig
behavioral1/memory/1308-45-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/files/0x0009000000015e5b-50.dat	xmrig
behavioral1/files/0x0007000000015a98-32.dat	xmrig
behavioral1/files/0x000f0000000155d4-37.dat	xmrig
behavioral1/memory/3044-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2352-144-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/1608-145-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2648-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2992-150-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2608-149-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2780-151-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2704-152-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/2740-153-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/2616-154-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2596-155-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2436-156-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2544-157-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/memory/3044-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2608	vtYbHqT.exe
2992	rAnUVsu.exe
2528	yWGcbCU.exe
2780	OQgBAdp.exe
2704	GPlHqMa.exe
2740	ZjdaIwo.exe
2616	dWXRCqp.exe
2596	wsGfVFL.exe
2436	rPgzAWJ.exe
2544	aagsbna.exe
3044	iIkdcsM.exe
2352	NTKqSDj.exe
1608	sUpKPer.exe
2648	tUhBOlf.exe
1984	bTcgXEn.exe
928	lWNhQmh.exe
2216	RwgxqEs.exe
2068	vQWivIS.exe
2116	gEtczKu.exe
1480	kvmIPxP.exe
2180	kTLAMnb.exe

Loads dropped DLL 21 IoCs

pid	Process
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1308-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/files/0x000b000000014b6d-3.dat	upx
behavioral1/memory/2608-7-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x002e000000015364-11.dat	upx
behavioral1/files/0x000800000001560a-10.dat	upx
behavioral1/memory/2528-21-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/files/0x0007000000015a2d-22.dat	upx
behavioral1/memory/2780-27-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2992-18-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2740-39-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/memory/2704-33-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/memory/2608-52-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2596-54-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2544-68-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/files/0x0006000000016d55-82.dat	upx
behavioral1/memory/2352-84-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x000500000001868c-119.dat	upx
behavioral1/files/0x00050000000186a0-129.dat	upx
behavioral1/files/0x0006000000018ae2-132.dat	upx
behavioral1/files/0x0005000000018698-124.dat	upx
behavioral1/memory/2596-136-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/files/0x0006000000017090-114.dat	upx
behavioral1/files/0x0006000000016e56-105.dat	upx
behavioral1/memory/2616-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/files/0x000600000001704f-109.dat	upx
behavioral1/memory/2436-138-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/1608-93-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2648-99-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2740-92-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/files/0x0006000000016d89-97.dat	upx
behavioral1/files/0x0006000000016d84-90.dat	upx
behavioral1/memory/1308-88-0x0000000002290000-0x00000000025E4000-memory.dmp	upx
behavioral1/memory/2704-87-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/memory/3044-77-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2780-76-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/files/0x0006000000016d4f-75.dat	upx
behavioral1/memory/2544-140-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/memory/2528-72-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/files/0x0006000000016d4a-66.dat	upx
behavioral1/memory/2436-62-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/files/0x0006000000016d41-59.dat	upx
behavioral1/memory/2616-47-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/files/0x0009000000015c0d-46.dat	upx
behavioral1/memory/1308-45-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/files/0x0009000000015e5b-50.dat	upx
behavioral1/files/0x0007000000015a98-32.dat	upx
behavioral1/files/0x000f0000000155d4-37.dat	upx
behavioral1/memory/3044-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2352-144-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/1608-145-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2648-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2992-150-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2608-149-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2780-151-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2704-152-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/memory/2740-153-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/memory/2616-154-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2596-155-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2436-156-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2544-157-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/memory/3044-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2352-159-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/1608-160-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2648-161-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lWNhQmh.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kTLAMnb.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZjdaIwo.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dWXRCqp.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wsGfVFL.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tUhBOlf.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RwgxqEs.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gEtczKu.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rAnUVsu.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rPgzAWJ.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aagsbna.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iIkdcsM.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bTcgXEn.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vQWivIS.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kvmIPxP.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vtYbHqT.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yWGcbCU.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GPlHqMa.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OQgBAdp.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NTKqSDj.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sUpKPer.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2608	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	29
PID 1308 wrote to memory of 2608	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	29
PID 1308 wrote to memory of 2608	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	29
PID 1308 wrote to memory of 2992	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	30
PID 1308 wrote to memory of 2992	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	30
PID 1308 wrote to memory of 2992	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	30
PID 1308 wrote to memory of 2528	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	31
PID 1308 wrote to memory of 2528	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	31
PID 1308 wrote to memory of 2528	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	31
PID 1308 wrote to memory of 2780	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	32
PID 1308 wrote to memory of 2780	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	32
PID 1308 wrote to memory of 2780	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	32
PID 1308 wrote to memory of 2704	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	33
PID 1308 wrote to memory of 2704	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	33
PID 1308 wrote to memory of 2704	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	33
PID 1308 wrote to memory of 2740	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	34
PID 1308 wrote to memory of 2740	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	34
PID 1308 wrote to memory of 2740	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	34
PID 1308 wrote to memory of 2616	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	35
PID 1308 wrote to memory of 2616	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	35
PID 1308 wrote to memory of 2616	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	35
PID 1308 wrote to memory of 2596	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	36
PID 1308 wrote to memory of 2596	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	36
PID 1308 wrote to memory of 2596	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	36
PID 1308 wrote to memory of 2436	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	37
PID 1308 wrote to memory of 2436	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	37
PID 1308 wrote to memory of 2436	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	37
PID 1308 wrote to memory of 2544	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	38
PID 1308 wrote to memory of 2544	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	38
PID 1308 wrote to memory of 2544	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	38
PID 1308 wrote to memory of 3044	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	39
PID 1308 wrote to memory of 3044	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	39
PID 1308 wrote to memory of 3044	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	39
PID 1308 wrote to memory of 2352	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	40
PID 1308 wrote to memory of 2352	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	40
PID 1308 wrote to memory of 2352	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	40
PID 1308 wrote to memory of 1608	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	41
PID 1308 wrote to memory of 1608	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	41
PID 1308 wrote to memory of 1608	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	41
PID 1308 wrote to memory of 2648	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	42
PID 1308 wrote to memory of 2648	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	42
PID 1308 wrote to memory of 2648	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	42
PID 1308 wrote to memory of 1984	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	43
PID 1308 wrote to memory of 1984	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	43
PID 1308 wrote to memory of 1984	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	43
PID 1308 wrote to memory of 928	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	44
PID 1308 wrote to memory of 928	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	44
PID 1308 wrote to memory of 928	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	44
PID 1308 wrote to memory of 2216	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	45
PID 1308 wrote to memory of 2216	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	45
PID 1308 wrote to memory of 2216	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	45
PID 1308 wrote to memory of 2068	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	46
PID 1308 wrote to memory of 2068	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	46
PID 1308 wrote to memory of 2068	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	46
PID 1308 wrote to memory of 2116	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	47
PID 1308 wrote to memory of 2116	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	47
PID 1308 wrote to memory of 2116	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	47
PID 1308 wrote to memory of 1480	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	48
PID 1308 wrote to memory of 1480	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	48
PID 1308 wrote to memory of 1480	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	48
PID 1308 wrote to memory of 2180	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	49
PID 1308 wrote to memory of 2180	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	49
PID 1308 wrote to memory of 2180	1308	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\System\vtYbHqT.exe
  C:\Windows\System\vtYbHqT.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\rAnUVsu.exe
  C:\Windows\System\rAnUVsu.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\yWGcbCU.exe
  C:\Windows\System\yWGcbCU.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\OQgBAdp.exe
  C:\Windows\System\OQgBAdp.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\GPlHqMa.exe
  C:\Windows\System\GPlHqMa.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\ZjdaIwo.exe
  C:\Windows\System\ZjdaIwo.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\dWXRCqp.exe
  C:\Windows\System\dWXRCqp.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\wsGfVFL.exe
  C:\Windows\System\wsGfVFL.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\rPgzAWJ.exe
  C:\Windows\System\rPgzAWJ.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\aagsbna.exe
  C:\Windows\System\aagsbna.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\iIkdcsM.exe
  C:\Windows\System\iIkdcsM.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\NTKqSDj.exe
  C:\Windows\System\NTKqSDj.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\sUpKPer.exe
  C:\Windows\System\sUpKPer.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\tUhBOlf.exe
  C:\Windows\System\tUhBOlf.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\bTcgXEn.exe
  C:\Windows\System\bTcgXEn.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\lWNhQmh.exe
  C:\Windows\System\lWNhQmh.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\RwgxqEs.exe
  C:\Windows\System\RwgxqEs.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\vQWivIS.exe
  C:\Windows\System\vQWivIS.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\gEtczKu.exe
  C:\Windows\System\gEtczKu.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\kvmIPxP.exe
  C:\Windows\System\kvmIPxP.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\kTLAMnb.exe
  C:\Windows\System\kTLAMnb.exe
  2⤵
  - Executes dropped EXE
  PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GPlHqMa.exe

Filesize
5.9MB

MD5
6b213771c91c75ad5598370fe43b554f

SHA1
751f14949fefd00db6a30126a8240ce16f827acd

SHA256
9fb7a4a3688f08fb772c0fe622baf93cd665c64fa4854970398cac5d9c36df77

SHA512
3e161f4a0b15add89fbe4bad788dc2658f7f34b5e1e543c307697f0e6ccbb1f5cd0ddd7fffa6e44aa58f56c5725692c2c2e4373310244c64088819d8a620d352

Download Submit
C:\Windows\system\NTKqSDj.exe

Filesize
5.9MB

MD5
1213b477527f8a18b2012b62ebd8ecf4

SHA1
7349e31464027e5893ccd19cb5e55ec6c49adc16

SHA256
44c3e638c4dc8a3e6a0ebbc655463a41d56b72f188e2ccee45e99f385d9e6358

SHA512
ff70ab08945bfaf93e2102c288c84ab151417f5d0180dcea200bc503192ae8e310c791b9a3e0cb7c53b6f692cba3f040f9d964539405d1ac0fc2a7c3936dcc7c

Download Submit
C:\Windows\system\RwgxqEs.exe

Filesize
5.9MB

MD5
021ea0acf669809552ab6e0513591a08

SHA1
0b2d9700e064b3e24d7810948aca89683542d230

SHA256
1a50160c750262271d855aaa70597fcc1f0dc35399b510ae87ba1054b2cc0904

SHA512
3441fe58f85c4c6702b1caa5ed080267965af19cf5ae421d6c508e722073faf3e292c2a5202f1998c18b204cfe16df6bc13d52b132539e391dbd5e3e049694ca

Download Submit
C:\Windows\system\ZjdaIwo.exe

Filesize
5.9MB

MD5
7622df357215a7ebaab664a63dc4e364

SHA1
8cc691fea821a522e25ae7068d4a5e870f7fc2cd

SHA256
96e7f18209906339a5933b460bb14eb7855f8d6fc103bdd55fecdbcfb1c44d82

SHA512
a91ba1ca8ce8cd2559065c3f75ec60b229985fe8578d8bae108438a47241d7155de1d7342cdf49c0f26c555b0dc02681d8f1fba94e449d75d2bc8f2e2c22cf65

Download Submit
C:\Windows\system\aagsbna.exe

Filesize
5.9MB

MD5
2c0170e64afa8b9bc6d203c89f0043c5

SHA1
5834469b55cba7744f338a51e9a648700be2b5fc

SHA256
7fa2293333151be32c78c11669e07dbc8e988642aa80ff2ddc6a8476eae52e9e

SHA512
1deb511b23b0d4b20ab22cb7f12b0b416079855e7665ef7433161e3426c25648167149e85960c42eabea68c2ef6b020cf5262185f6123b919aa6344a4f5d123a

Download Submit
C:\Windows\system\bTcgXEn.exe

Filesize
5.9MB

MD5
b18cb5cadf3c9ae935e1aa3f7c6bb912

SHA1
6d483554ecbb3f8c56f3ad47086cedd83b5439f0

SHA256
35fc1d324f4e90810f664e53e942e9836b84ad8753cbdddb2c245511a80ddbb5

SHA512
b523f21d6d44118633606bf6e8269381399193dafbb125e863687cd6fff4bbb1ffede530da0f79d3fd2e6655c618a0c44bf2385f45ac877af278485062261e74

Download Submit
C:\Windows\system\dWXRCqp.exe

Filesize
5.9MB

MD5
d9fefe11505fbd0dcb2f565e8d17f787

SHA1
c9799e0868c94ed015d53f4b3a25fe9bd094b2fa

SHA256
1595239049bf9eae4e00f1088be13c8a8fa493de1762671169557f3ac515c221

SHA512
549fe76c952aa44497efc2ef647da37fef5b0a4900c2304de129b4b44f96d43512cb5a7cae480bfa2cc000aba232411f2a005420af67cb4bba9c278363b2074c

Download Submit
C:\Windows\system\gEtczKu.exe

Filesize
5.9MB

MD5
ab4d325e5e8a30bd1de4052cdc4a42c4

SHA1
e374793015a6137c650bfec01dcba6ce33f4570b

SHA256
9f796a278ed0a4e096b74e5b4d20d842e46e4ff145885a39763aa372c522c9c4

SHA512
529982566befb4a7378f5c815e01734f4b5765468ee6d1e3ca66a033458987b879f129c968acd5c0e887bb66b80c05f4d4c8c5be63adc392aa0c7b6a9c283f59

Download Submit
C:\Windows\system\iIkdcsM.exe

Filesize
5.9MB

MD5
e2f806e3cde7878e789e85353e37ad53

SHA1
1be9d0d2b978b8e201ffc87a12c082c45616def7

SHA256
b2c056ac95fedbf27f8a1ca57c59d51d4085601a44c9735f29f3ccdcb5f31cfa

SHA512
48f19fbdaa10c6f93c14908ecba28c24d3f64bc85a18889b0c62fa1b239a39a58a0e5562402c411624fc56d2de0c0a769f5842484408d586c433962be3970624

Download Submit
C:\Windows\system\kvmIPxP.exe

Filesize
5.9MB

MD5
1764c096f510a5a9df34147be3cc1df6

SHA1
8556f219b6e80adfd7079bf173a74b56e2f11c47

SHA256
ad84472f76ddde6b853462b0f36a2fd54ed63d629e60b7f8727cec66a7c8ea35

SHA512
2978559dbcf04dcf0bf03f07948a4efc1e52a76de6bfd49c12f58a6c23ca2eeb9cdeb7eff7feea58c9dedbc1b6f93aeb232efac859273df0bea1b13769ba7ea1

Download Submit
C:\Windows\system\lWNhQmh.exe

Filesize
5.9MB

MD5
d50152f1e62e21c8a5054281052e4b5b

SHA1
78a2047418d32de096777106acb78763dfe5e1d0

SHA256
092e99a1e83ace6898c77840e5250b55a2fe0f16c2659a5a24358105e3e971a8

SHA512
5718766186ff2c72e384e035d448df01278c5ebd9f4d0f4f565b21772eaef7a60256b69512072a1eddc8044ba1e1bd160dc13d4df32fa54ec32adb0e13e9a215

Download Submit
C:\Windows\system\rAnUVsu.exe

Filesize
5.9MB

MD5
22cf2b946f4bb14985242146266f568c

SHA1
5b6d4e9ba7fe390dce7b5fed7e989ea5d39cfc3a

SHA256
d018d75e4999bcae2ef4b17fc4cbdd342b49e2fe33979b1a39e97a2ce2b382f7

SHA512
9ed523a3da0365d2331f7a2ec87bf0a8d0e57801aafb7f0c9f68ea3ce6078d2970e8921bf2cf078c993edb558f4286789e7a9003e37f5d87321d0153e2ac3ca3

Download Submit
C:\Windows\system\rPgzAWJ.exe

Filesize
5.9MB

MD5
8d0bb5e0aaff70458c1778fa8f48266c

SHA1
8cc7c5d463b12f65c8d97858b3ab7edff7f0b130

SHA256
8bf06df7715bf43a2710f5bb96204f7d8e9de52285ce3bdcbe67782f94c4f56a

SHA512
bd1b63158a7648efc3a284035cc2cccf1518539a8034a3cbdd58e421565d42af162873fb5cfd827326ffd7e98115b7b656559fbdba403c7e120bf234c9e39e70

Download Submit
C:\Windows\system\sUpKPer.exe

Filesize
5.9MB

MD5
2e8f71de4b87360ccc60e1a9b2c5c158

SHA1
4f374940cfbf1d4c6e1b04b0f4ad8844700fdfa0

SHA256
a73a72f00bbbaa9e09cfcc39f7265e0d422f6bc4513da3e45b6f5c12894ce3cb

SHA512
a14c58f2b823124a6cf972c18211aa7c5db03c95084264e9d06b2765691205f653449249283e3562b9c9e31f6082091fabe89380aa85e1d48955f81be45c583d

Download Submit
C:\Windows\system\tUhBOlf.exe

Filesize
5.9MB

MD5
7d2c2a0a9eaa5176bfeacabdd6db56d4

SHA1
2abff5682e81d78cf281687c309ae2d26819754f

SHA256
2783d8e1cb682735beb187bdc42b04c2b888eea71c1108ec06342edcf7f4125f

SHA512
4df5f6c34c4a30be57739951e6ab60034e1e21684ada07999afef3d4cdc7bad9c11ab2d3cd9747918254d73807b34ad3c1f5e47b52601a3746fb5ad9208a0e51

Download Submit
C:\Windows\system\vQWivIS.exe

Filesize
5.9MB

MD5
8ec86004c84518a3e202d61642627370

SHA1
65aee13d8f57773e7bd6884348669d490aa4dd24

SHA256
b476ad6af83c569bddde3365a567c63d794ce94084d85c038f6de8343507448e

SHA512
1b9cada5ade42c734ee31aa236fde2f952cddf845dede48f79b5f8b2a0772c03ddac5270cb72763b4261bb6d03591d8dd4a2c883cd0e1a6daa69a5c222ca244e

Download Submit
C:\Windows\system\wsGfVFL.exe

Filesize
5.9MB

MD5
cbe2a8e4330f12a6f54778e05470b701

SHA1
7054f4bc257c959cf8091aad6a86b603851b106f

SHA256
e60a5647c9109295771db00892e6990f2be7f5999d0fbe46cad6b347a3fb65e9

SHA512
304a23d5d068dc70c9a30529d323ee9111e49828d33a99df22dd03c33937422ef708dec1ac414da56aa0cc089639af2baaf7e9cf245a77fd5be921986ff792db

Download Submit
C:\Windows\system\yWGcbCU.exe

Filesize
5.9MB

MD5
1b67e4346b728454325ead75f52f4a4f

SHA1
d693bfb7eddef250e24bf9b5eb61f3216a9af949

SHA256
1c20bfcab578d793262e7151a81ea896cb5939065a85ad2ad97887425521dd8b

SHA512
53f67dcc32a3915276819366094d4323c9e2f1b6e582997b1507cca6867c6eec6d9aee1eaa13dda1623c5ebe49888f4cb56b845f6a59809f4e503acee641012a

Download Submit
\Windows\system\OQgBAdp.exe

Filesize
5.9MB

MD5
745632bb05bc8022aa61cb64263335e4

SHA1
c5a2d83a1afef44c5f519178da5892bfcb7671af

SHA256
60bed4eca7eb488c707234b17e45ec4b61e653060c704fb822d28a3f7d20f051

SHA512
46c2ad7bf98cd536b157e2d96f917336cd3b3e955c90836272ddeef2719c092ceca5d0b1ec9344da4d9f6de984e5bc8b087efdd9030f956c42e2b691f282a95b

Download Submit
\Windows\system\kTLAMnb.exe

Filesize
5.9MB

MD5
caa257145b34bb5574ed64aaf7a6d2b8

SHA1
465d224f2fe164d05a4d0ab71fada1d39dd81a5a

SHA256
4c3157e975a7e7f7def3d0d8e7334e19c8f79c312575df88cf31b359ee71061b

SHA512
734116eb69a4f3c1d0b2fd759294dcdf16df2175c36fa575d06711e866dd7301d72a092c7b3d0adf7c689ac1f4e66c5494eb3e56a3e0a194a80784e6e07b1585

Download Submit
\Windows\system\vtYbHqT.exe

Filesize
5.9MB

MD5
8d2365b5cb5c2acfd4af6e173ded261b

SHA1
7243b914a898dc803f02b44fb084a2b1e3028887

SHA256
a1dd2430176fd5a1ced3d5bfbcede6a710045e263919923dd0d0721bb4ae4f72

SHA512
5f3750394bbfab9be9c095f778947e9cef848ec44adf9ef749ef788f69c81d8fca3bfdb075726206f959dca8cfa95ee85af6427a82e150d7761fdfba97ef0e30

Download Submit
memory/1308-15-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-148-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-67-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/1308-142-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/1308-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1308-53-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-45-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/1308-26-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-61-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-137-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-19-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-139-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/1308-73-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-146-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-38-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/1308-88-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/1608-93-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1608-160-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1608-145-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2352-144-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2352-84-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2352-159-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2436-138-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2436-62-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2436-156-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-21-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-72-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-162-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2544-140-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2544-157-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2544-68-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2596-155-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-54-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-136-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-52-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-7-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-149-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-47-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2616-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2616-154-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2648-161-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-99-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2704-152-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2704-33-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2704-87-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2740-39-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2740-153-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2740-92-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2780-151-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2780-76-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2780-27-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2992-150-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2992-18-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-77-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/3044-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/3044-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download