cobaltstrike | a214f0d5f1ac086d59f8f00ae6932bef5d0d3c862b1c61d99a28670018c4a867

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

d019a83b5d82dfd5b43a37c2e9167272
SHA1

54c0bcdcc31e109f9448fce9f369f512b85b7904
SHA256

a214f0d5f1ac086d59f8f00ae6932bef5d0d3c862b1c61d99a28670018c4a867
SHA512

77820c23b25f914971d9a6abb49779c4451079e660e69632b4249f112ff35b934f8af75b8a471550d0d8f1ff7c01c5cada4237ef75173a4bf9235bc5e28c6b45
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUa:Q+856utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000014230-3.dat	cobalt_reflective_dll
behavioral1/files/0x00340000000144e4-17.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014857-34.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001568c-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015be6-60.dat	cobalt_reflective_dll
behavioral1/files/0x00340000000144f0-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ce1-91.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d28-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d67-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d5e-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d56-118.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d4a-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d07-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ceb-102.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cd5-87.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cba-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ca6-69.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000014aa2-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014726-24.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014708-18.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001471d-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014230-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00340000000144e4-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014857-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001568c-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015be6-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00340000000144f0-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ce1-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d28-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d67-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d5e-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d56-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d4a-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d07-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ceb-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cd5-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cba-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ca6-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000014aa2-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014726-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014708-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001471d-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 62 IoCs

resource	yara_rule
behavioral1/memory/2344-1-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/files/0x000b000000014230-3.dat	UPX
behavioral1/files/0x00340000000144e4-17.dat	UPX
behavioral1/files/0x0007000000014857-34.dat	UPX
behavioral1/memory/2696-36-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2344-38-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/files/0x000700000001568c-53.dat	UPX
behavioral1/memory/1664-55-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/files/0x0006000000015be6-60.dat	UPX
behavioral1/memory/2432-63-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/2504-70-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/files/0x00340000000144f0-74.dat	UPX
behavioral1/files/0x0006000000015ce1-91.dat	UPX
behavioral1/memory/2944-98-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX
behavioral1/files/0x0006000000015d28-110.dat	UPX
behavioral1/files/0x0006000000015d67-124.dat	UPX
behavioral1/files/0x0006000000015d5e-122.dat	UPX
behavioral1/files/0x0006000000015d56-118.dat	UPX
behavioral1/files/0x0006000000015d4a-114.dat	UPX
behavioral1/files/0x0006000000015d07-106.dat	UPX
behavioral1/files/0x0006000000015ceb-102.dat	UPX
behavioral1/memory/2820-90-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2564-89-0x000000013F4B0000-0x000000013F804000-memory.dmp	UPX
behavioral1/memory/1664-93-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/files/0x0006000000015cd5-87.dat	UPX
behavioral1/memory/1588-84-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/memory/2052-76-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/2696-82-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2376-81-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/files/0x0006000000015cba-79.dat	UPX
behavioral1/files/0x0006000000015ca6-69.dat	UPX
behavioral1/memory/1280-65-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/3068-62-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2564-49-0x000000013F4B0000-0x000000013F804000-memory.dmp	UPX
behavioral1/memory/2128-48-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/files/0x000a000000014aa2-46.dat	UPX
behavioral1/files/0x0007000000014726-24.dat	UPX
behavioral1/memory/2576-39-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/1280-19-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/files/0x0007000000014708-18.dat	UPX
behavioral1/memory/2376-35-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/files/0x000700000001471d-33.dat	UPX
behavioral1/memory/3068-23-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2128-7-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2052-143-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/1588-145-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/memory/2820-146-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2944-148-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX
behavioral1/memory/2128-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/3068-151-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2696-153-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/1280-152-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/2564-154-0x000000013F4B0000-0x000000013F804000-memory.dmp	UPX
behavioral1/memory/2376-155-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/1664-156-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2576-158-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/2504-157-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2432-160-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/2052-162-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/1588-161-0x000000013F320000-0x000000013F674000-memory.dmp	UPX
behavioral1/memory/2944-159-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX
behavioral1/memory/2820-163-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2344-1-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/files/0x000b000000014230-3.dat	xmrig
behavioral1/files/0x00340000000144e4-17.dat	xmrig
behavioral1/files/0x0007000000014857-34.dat	xmrig
behavioral1/memory/2696-36-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2344-38-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/files/0x000700000001568c-53.dat	xmrig
behavioral1/memory/1664-55-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/files/0x0006000000015be6-60.dat	xmrig
behavioral1/memory/2432-63-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2504-70-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/files/0x00340000000144f0-74.dat	xmrig
behavioral1/files/0x0006000000015ce1-91.dat	xmrig
behavioral1/memory/2944-98-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d28-110.dat	xmrig
behavioral1/files/0x0006000000015d67-124.dat	xmrig
behavioral1/files/0x0006000000015d5e-122.dat	xmrig
behavioral1/files/0x0006000000015d56-118.dat	xmrig
behavioral1/files/0x0006000000015d4a-114.dat	xmrig
behavioral1/files/0x0006000000015d07-106.dat	xmrig
behavioral1/memory/2344-127-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/files/0x0006000000015ceb-102.dat	xmrig
behavioral1/memory/2344-100-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2820-90-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2564-89-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/1664-93-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cd5-87.dat	xmrig
behavioral1/memory/1588-84-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2344-83-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2052-76-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2696-82-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2376-81-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cba-79.dat	xmrig
behavioral1/files/0x0006000000015ca6-69.dat	xmrig
behavioral1/memory/2344-66-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/1280-65-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/3068-62-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2564-49-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/2128-48-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/files/0x000a000000014aa2-46.dat	xmrig
behavioral1/files/0x0007000000014726-24.dat	xmrig
behavioral1/memory/2576-39-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/1280-19-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/files/0x0007000000014708-18.dat	xmrig
behavioral1/memory/2376-35-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/files/0x000700000001471d-33.dat	xmrig
behavioral1/memory/3068-23-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2128-7-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2052-143-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2344-144-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/1588-145-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2820-146-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2944-148-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/memory/2344-149-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2128-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/3068-151-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2696-153-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/1280-152-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/2564-154-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/2376-155-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/1664-156-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2576-158-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2504-157-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2432-160-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2128	euSDsTM.exe
1280	tGLJPuo.exe
3068	xBWHmtz.exe
2376	xnGgNlt.exe
2696	OrIFZQf.exe
2576	BNhUSiu.exe
2564	qqBFNmt.exe
1664	rhsKlMz.exe
2432	OVBQstc.exe
2504	QRufNDW.exe
2052	MRsuXyj.exe
1588	bEGNIIy.exe
2820	JzYdaof.exe
2944	HHkwbtg.exe
3008	aNgMOxF.exe
1932	xKcOsVg.exe
1296	OiFSrjK.exe
2664	ExHaRPZ.exe
2608	VkpgEJy.exe
1644	eiuKNUO.exe
1688	WnFxRnI.exe

Loads dropped DLL 21 IoCs

pid	Process
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-1-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/files/0x000b000000014230-3.dat	upx
behavioral1/files/0x00340000000144e4-17.dat	upx
behavioral1/files/0x0007000000014857-34.dat	upx
behavioral1/memory/2696-36-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2344-38-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/files/0x000700000001568c-53.dat	upx
behavioral1/memory/1664-55-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/files/0x0006000000015be6-60.dat	upx
behavioral1/memory/2432-63-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2504-70-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/files/0x00340000000144f0-74.dat	upx
behavioral1/files/0x0006000000015ce1-91.dat	upx
behavioral1/memory/2944-98-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/files/0x0006000000015d28-110.dat	upx
behavioral1/files/0x0006000000015d67-124.dat	upx
behavioral1/files/0x0006000000015d5e-122.dat	upx
behavioral1/files/0x0006000000015d56-118.dat	upx
behavioral1/files/0x0006000000015d4a-114.dat	upx
behavioral1/files/0x0006000000015d07-106.dat	upx
behavioral1/files/0x0006000000015ceb-102.dat	upx
behavioral1/memory/2820-90-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2564-89-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/1664-93-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/files/0x0006000000015cd5-87.dat	upx
behavioral1/memory/1588-84-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2052-76-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2696-82-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2376-81-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/files/0x0006000000015cba-79.dat	upx
behavioral1/files/0x0006000000015ca6-69.dat	upx
behavioral1/memory/1280-65-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/3068-62-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2564-49-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/2128-48-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/files/0x000a000000014aa2-46.dat	upx
behavioral1/files/0x0007000000014726-24.dat	upx
behavioral1/memory/2576-39-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/1280-19-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/files/0x0007000000014708-18.dat	upx
behavioral1/memory/2376-35-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/files/0x000700000001471d-33.dat	upx
behavioral1/memory/3068-23-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2128-7-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2052-143-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/1588-145-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2820-146-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2944-148-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/memory/2128-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/3068-151-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2696-153-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/1280-152-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/2564-154-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/2376-155-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/1664-156-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2576-158-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2504-157-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2432-160-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2052-162-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/1588-161-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2944-159-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/memory/2820-163-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xKcOsVg.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OiFSrjK.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\euSDsTM.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QRufNDW.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MRsuXyj.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aNgMOxF.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bEGNIIy.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JzYdaof.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tGLJPuo.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xnGgNlt.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qqBFNmt.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OVBQstc.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BNhUSiu.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OrIFZQf.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HHkwbtg.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eiuKNUO.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WnFxRnI.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xBWHmtz.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rhsKlMz.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ExHaRPZ.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VkpgEJy.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2128	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	29
PID 2344 wrote to memory of 2128	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	29
PID 2344 wrote to memory of 2128	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	29
PID 2344 wrote to memory of 1280	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	30
PID 2344 wrote to memory of 1280	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	30
PID 2344 wrote to memory of 1280	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	30
PID 2344 wrote to memory of 3068	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	31
PID 2344 wrote to memory of 3068	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	31
PID 2344 wrote to memory of 3068	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	31
PID 2344 wrote to memory of 2376	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	32
PID 2344 wrote to memory of 2376	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	32
PID 2344 wrote to memory of 2376	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	32
PID 2344 wrote to memory of 2576	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	33
PID 2344 wrote to memory of 2576	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	33
PID 2344 wrote to memory of 2576	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	33
PID 2344 wrote to memory of 2696	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	34
PID 2344 wrote to memory of 2696	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	34
PID 2344 wrote to memory of 2696	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	34
PID 2344 wrote to memory of 2564	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	35
PID 2344 wrote to memory of 2564	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	35
PID 2344 wrote to memory of 2564	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	35
PID 2344 wrote to memory of 1664	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	36
PID 2344 wrote to memory of 1664	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	36
PID 2344 wrote to memory of 1664	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	36
PID 2344 wrote to memory of 2432	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	37
PID 2344 wrote to memory of 2432	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	37
PID 2344 wrote to memory of 2432	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	37
PID 2344 wrote to memory of 2504	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	38
PID 2344 wrote to memory of 2504	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	38
PID 2344 wrote to memory of 2504	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	38
PID 2344 wrote to memory of 2052	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	39
PID 2344 wrote to memory of 2052	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	39
PID 2344 wrote to memory of 2052	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	39
PID 2344 wrote to memory of 1588	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	40
PID 2344 wrote to memory of 1588	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	40
PID 2344 wrote to memory of 1588	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	40
PID 2344 wrote to memory of 2820	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	41
PID 2344 wrote to memory of 2820	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	41
PID 2344 wrote to memory of 2820	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	41
PID 2344 wrote to memory of 2944	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	42
PID 2344 wrote to memory of 2944	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	42
PID 2344 wrote to memory of 2944	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	42
PID 2344 wrote to memory of 3008	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	43
PID 2344 wrote to memory of 3008	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	43
PID 2344 wrote to memory of 3008	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	43
PID 2344 wrote to memory of 1932	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	44
PID 2344 wrote to memory of 1932	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	44
PID 2344 wrote to memory of 1932	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	44
PID 2344 wrote to memory of 1296	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	45
PID 2344 wrote to memory of 1296	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	45
PID 2344 wrote to memory of 1296	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	45
PID 2344 wrote to memory of 2664	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	46
PID 2344 wrote to memory of 2664	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	46
PID 2344 wrote to memory of 2664	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	46
PID 2344 wrote to memory of 2608	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	47
PID 2344 wrote to memory of 2608	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	47
PID 2344 wrote to memory of 2608	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	47
PID 2344 wrote to memory of 1644	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	48
PID 2344 wrote to memory of 1644	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	48
PID 2344 wrote to memory of 1644	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	48
PID 2344 wrote to memory of 1688	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	49
PID 2344 wrote to memory of 1688	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	49
PID 2344 wrote to memory of 1688	2344	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System\euSDsTM.exe
  C:\Windows\System\euSDsTM.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\tGLJPuo.exe
  C:\Windows\System\tGLJPuo.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\xBWHmtz.exe
  C:\Windows\System\xBWHmtz.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\xnGgNlt.exe
  C:\Windows\System\xnGgNlt.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\BNhUSiu.exe
  C:\Windows\System\BNhUSiu.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\OrIFZQf.exe
  C:\Windows\System\OrIFZQf.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\qqBFNmt.exe
  C:\Windows\System\qqBFNmt.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\rhsKlMz.exe
  C:\Windows\System\rhsKlMz.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\OVBQstc.exe
  C:\Windows\System\OVBQstc.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\QRufNDW.exe
  C:\Windows\System\QRufNDW.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\MRsuXyj.exe
  C:\Windows\System\MRsuXyj.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\bEGNIIy.exe
  C:\Windows\System\bEGNIIy.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\JzYdaof.exe
  C:\Windows\System\JzYdaof.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\HHkwbtg.exe
  C:\Windows\System\HHkwbtg.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\aNgMOxF.exe
  C:\Windows\System\aNgMOxF.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\xKcOsVg.exe
  C:\Windows\System\xKcOsVg.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\OiFSrjK.exe
  C:\Windows\System\OiFSrjK.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\ExHaRPZ.exe
  C:\Windows\System\ExHaRPZ.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\VkpgEJy.exe
  C:\Windows\System\VkpgEJy.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\eiuKNUO.exe
  C:\Windows\System\eiuKNUO.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\WnFxRnI.exe
  C:\Windows\System\WnFxRnI.exe
  2⤵
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ExHaRPZ.exe

Filesize
5.9MB

MD5
fce92d8c689fe18894558292c534f89f

SHA1
a81f05d7f44690fe1d6805fef003d4459c8dcc80

SHA256
86d7c32cda53f38a1045ecffd1fb3472c65f839e4a79eaf72342a65a0d055e39

SHA512
f804784c7d57f2f68aba287c9cae3118c629d4370711e0a80229d57116c3f88c54e50ec8e187acfd1ec0bcae38e54531b9df07ff84af63a3929fe28509afeb04

Download Submit
C:\Windows\system\JzYdaof.exe

Filesize
5.9MB

MD5
44052311c1dbc5173464f42f0e509d5c

SHA1
260a07d3db6ea6df95cdd8dafa267e6d7738cb5c

SHA256
a51c33828481429728e248249999f1667cfaca52fb095ac1054f7fc6727ebbd6

SHA512
dbfc68e996c8241190654738639d26909bfc615ea592e7812c7e640eb81dd7d94fa76a069c8fbc065fa01c421b891d1966b82f47fc37bf31b65b3c66fd14886b

Download Submit
C:\Windows\system\MRsuXyj.exe

Filesize
5.9MB

MD5
2e38b85351b3cfb93fbf7e9e8aace321

SHA1
6b65454a623fd755f6c72bce15c4560912f81a63

SHA256
7c2bc36585569309268398639a6cdae696f90331a1fd40175b16189fd8f3f201

SHA512
bf299b5efdc2f29f70c78adda1289e1676b61ed638c5d45c108d064f93488e532cef796d8c3ef5313ed56da1e0cc1b396e7d323f9d170c9ced2393f2621becfb

Download Submit
C:\Windows\system\OVBQstc.exe

Filesize
5.9MB

MD5
80b70f2b85eb88879ea08b60eaf689a0

SHA1
cf3507278c789eeeaa0ee0f1c8a4b2bb3e8216bc

SHA256
d155fdd7f04424b84370a1faf0a05a65401b482cdf5924c53d88ec51bd95de1f

SHA512
3282325de9ca90273d25bf42e984e0290ffff33c81967eef609b08a29c308e9a586969620315ce6da810ccac78b687df77f3afeafd03c4405cabb016d1672ccc

Download Submit
C:\Windows\system\OiFSrjK.exe

Filesize
5.9MB

MD5
b78185a209156c29565f1bb3f62607ea

SHA1
690c5516af728bc962640bac256f9759be183589

SHA256
07f5e4a09626608f640e08abee417d5d307c2c72bf900df568b8ad18773fa4e2

SHA512
b1e8da3fa409fc81f075e35c537f82d9fbc54ce3c6271caa4b41d3acb8cfbdd5bb3d2a15ede2e6ff63562e2ae985dd9acaacc32c549ae876514f1ce9c10e6ad3

Download Submit
C:\Windows\system\OrIFZQf.exe

Filesize
5.9MB

MD5
2e1cf2e6f65befa35436c7db628cf883

SHA1
d67c5f6f597bd417042864965863c5459d0436f8

SHA256
92e27d1a5239318c76bf238105edbca3a817f27d5683edd58eedb0658455159e

SHA512
cf8569b94611e25ab8e712fada39e1af7f7497c8a3e3836994790d79ba5d1547fe4da6856946703872f9962fcccc45ff85633e4051f04ca4639b7ba236c4eb0f

Download Submit
C:\Windows\system\QRufNDW.exe

Filesize
5.9MB

MD5
796647431a625bc54c72940526be801a

SHA1
0d3c45a72dc2d06d5ad0b320f7b1a441693496dd

SHA256
678b177537fbad81a01e6404403cc93a36c47691c3fa06cf7d8518e3358ac052

SHA512
fa3a317676302771f4f8629045a1799761e33ff8b74ef35a617704db098cc881067f2b47464b005133c3e9035416b64a57020f868c7e1d345fd72a0d0611bddf

Download Submit
C:\Windows\system\VkpgEJy.exe

Filesize
5.9MB

MD5
ef3c10d928f5b6e6f164ef63d00ef12f

SHA1
29b558e19652ce0c72742e57e7bdb13415394ba8

SHA256
3a63d16bf1ddac07e72335a0d50c1781481173c5ce83696745a6a1900099ed4a

SHA512
f13dff4c1ba20b1263df1d4da1710a99be8316472dca92940c3b784fbfedfe180cab2861a8f2832f8a60fc0db0cdf6df2c0c0e370305c22f896e1b3d0954cf92

Download Submit
C:\Windows\system\aNgMOxF.exe

Filesize
5.9MB

MD5
6afd80d7e3f7b391351672036be23224

SHA1
07938afc2a8116467470bdb92c5fba5b472559e0

SHA256
5b36a5cf6c73fde252e95b0add650d929494d43344efbe4bdf5d1f85c691ce62

SHA512
1aa3ac49370f7d8fd16e1e6296467981f8ed904d5e3931005f01ce2b753ebed7480479cf742de4938cc8edc49f8c98de0b9f1b804af42e4ecf6e5dd96877976d

Download Submit
C:\Windows\system\bEGNIIy.exe

Filesize
5.9MB

MD5
79c6688c9b4282d7b3db10d6a885f825

SHA1
5005f2c211f96b94b72e5046528d532ac3029b6a

SHA256
8390a242637cb4f5c8a06634a4dd55868f577c60fbb130a006cd5014bcede1d7

SHA512
8b3157881bdf7b901064cf06b21b1c4e75aaee9cd7b75fee467302f448804b184666aeefc8e87b945cacd01d2a4069ec3263a9d371ee0152b5c29efd466bd5e4

Download Submit
C:\Windows\system\eiuKNUO.exe

Filesize
5.9MB

MD5
c1615c52a3c8d4156b660df35c240720

SHA1
a219b460a7a3fb7c0012505daffad142f1b03322

SHA256
8e83bcfebd445d7399764e777a30072b555a708378dc9e0b1239f87a7b516721

SHA512
617bf7c57cfc5c88cec9c1ead213613bdcfb2e597cbdb6c5713d70056a1b959f2260648010c282b2d105a7f965d03942f2651e794d43857f06bdb65f66a66208

Download Submit
C:\Windows\system\qqBFNmt.exe

Filesize
5.9MB

MD5
69c7566c37c1c1b72bca1bb032605b5e

SHA1
408346f4f4a079ac17d1decb154dfcd6a1f05580

SHA256
d6c6f4e25264a9ecf3b4ac73b5389910bb91917c87a1274abe8954568b00b2de

SHA512
e43b8b38d689f53a0c635cfa12d7b4cd88ca4a4bb836b68fb8e5601dd5d483f1afec55b89f5758693b8ada9f11cab6e23e71b01a4c1050200ca614f5ecd77f07

Download Submit
C:\Windows\system\rhsKlMz.exe

Filesize
5.9MB

MD5
819d8aa20c162e599530a16b49fb9293

SHA1
1eb162f235279302b8d682a8deeb7bf4a569fd88

SHA256
11be1cc358a7d389c96f8012d9a8c43844492d2a1a9b88baba258215c3693419

SHA512
93e475092afe90b1ebddeef3da75544660e8e513f651294d7f53726f80e87ea0cb965aeff3bce791aad38f6c1d32115e946fe340e5cf8b40f7b340d20cae8ff1

Download Submit
C:\Windows\system\tGLJPuo.exe

Filesize
5.9MB

MD5
6a7f60bd2e314483d0547bd46206d485

SHA1
90c3347f77dd64144905d9c3158eb89dae43ef9c

SHA256
4a7b428dd8ebf517002088569b895816eec8024464670b6bd03be846af742e9a

SHA512
b615a2f5ff41d4aeee6510b7d54a968f89003b3b704e8ce2fb47dec1a5dfdd25e6bd871065db77b3841391737bd44224c7178a71b446e3e39af5674342f960fc

Download Submit
C:\Windows\system\xBWHmtz.exe

Filesize
5.9MB

MD5
f91af26d422d01667900c923b38dcc3f

SHA1
b4f3aa430a2f2ec8a5fcd65d7852398d9eca396b

SHA256
4aa394d972bd50fb4865fa8dfd35689ffc8f31d65b57f3d839734c3fee1d6589

SHA512
a2a8690634918a7748b48c34ae4eecb7ccf85a9da2a7118ed231778df1b0bb425c5f566fb673f05bcb941167b4dc9ba21beb48dc8c8f1a16a1f02897b796d960

Download Submit
C:\Windows\system\xKcOsVg.exe

Filesize
5.9MB

MD5
7ba0349bb28108cd08db67ac34f84858

SHA1
8b3ade0142d49f1fc45acaf9f8a085dc5e2a56d9

SHA256
89c3a3e955d6c1b404499674e0b0eb9971f9d69dd06ab80a31893f77eedd06c8

SHA512
633a42781a216ff4c3e0a7a3d5f24a18b37236aa81f45f77cee3f5cf76fe22009f62fbe2329653b9f317118db7a1ca5767158b47da0eb19f1044a575be970fc3

Download Submit
C:\Windows\system\xnGgNlt.exe

Filesize
5.9MB

MD5
72a66043cc61c2109f1a112b1441b9e1

SHA1
62ecbd83ecc8d7aa9023e75cbb439920a65f1914

SHA256
9b14d2e24a05983df131419f101c0fe5d0fc15ada7a16a64e4599d831169cdac

SHA512
c85ff6415925ff476bd0c2de515687fb4489451645e09354a2e112a57b49a732e217d0cf54eb5f731b1b2fbfdd0adfc49e36a312754118d893d7650cff7d5890

Download Submit
\Windows\system\BNhUSiu.exe

Filesize
5.9MB

MD5
909d334f72d7ebe10a340730ec9d6b75

SHA1
3868cb642026818e5fcb40ae0691dc36e8e7a3ac

SHA256
d926e1cc8b8ad92a986fcb4934474a6a999a695a2d9f7103c3c9586891a8ee1b

SHA512
1ccd1aa086094283fb207ad2b3cd7fab6698f3dd0c7b0e6d1a611b4a16630f1c616a71303779030e59ac31bd0e103b43848368f01dd76f199fe58eda4793e233

Download Submit
\Windows\system\HHkwbtg.exe

Filesize
5.9MB

MD5
00139605bfd2794f5efd01b84f5d5b5a

SHA1
202cefd5abdfbb13ab8cc5ee34384676851909cc

SHA256
d9cee547ad8c5404912490536bc9d5c3ad9ad5754383baf2d75c9ea799c545dd

SHA512
c1804344abfc45c56cc793ff195c5494e368e30184338a06235c944bccfbe20744a37f3984e76eb3bc627c02f7380c0303b93f300c47d26bc378f72065cd5037

Download Submit
\Windows\system\WnFxRnI.exe

Filesize
5.9MB

MD5
8958f45f5f3b7aaaf9b08a8297e3451b

SHA1
b769449ee29be5fe80b44a07817752d9304c976b

SHA256
b1c6cbfd845c7d358409565ed286bc8f18736d1f52e9ac80ce3b2e7b8118af61

SHA512
14ab385cc696533424e0e8b324fbbeade86a2269c06282861d1d000d39de1d0d614b98543c4d4eeb1f03a17ffd32ddbc744b98e2b9b866fe0d998b0ecb2e7b4c

Download Submit
\Windows\system\euSDsTM.exe

Filesize
5.9MB

MD5
6686d4bee1a296feab229448ea1e9447

SHA1
8a7a99aaec79c4356eeae9c4238d594019810c4a

SHA256
24d0b056fba531a865bf599fe7154cbb7217624751ac9e330fd870895cc831b8

SHA512
cbea9e2d5d6f6962007a360d6b2b6079cffafdc864f1d284370b056edefe1b9e53cf4f2d3a20546375ffaab98ea97ce32b79601e3bae369bb270a71ffb79f44b

Download Submit
memory/1280-65-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/1280-19-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/1280-152-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/1588-145-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/1588-161-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/1588-84-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/1664-156-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1664-93-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1664-55-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2052-143-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2052-162-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2052-76-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2128-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2128-7-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2128-48-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2344-149-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2344-38-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2344-72-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2344-26-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2344-66-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2344-1-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2344-127-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2344-58-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2344-100-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2344-140-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2344-47-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2344-92-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2344-94-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2344-147-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2344-83-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2344-12-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2344-16-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-0-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2344-32-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-144-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2376-35-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2376-81-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2376-155-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2432-63-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2432-160-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2504-157-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2504-70-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2564-154-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2564-89-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2564-49-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2576-39-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2576-158-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2696-82-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-153-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-36-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-146-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-90-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-163-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2944-98-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2944-148-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2944-159-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/3068-23-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-151-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-62-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download