cobaltstrike | 27c5b09a238d49db1d1612c80027aff9bad3d5bf4d38d7e35ca81ce87db11ef8

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

052d33dae6614a608ab999f145c1edde
SHA1

b23487765df3bdcabc42557f55598c07e6c3ba2c
SHA256

27c5b09a238d49db1d1612c80027aff9bad3d5bf4d38d7e35ca81ce87db11ef8
SHA512

56c26b5ca437a2e044f0ec73cb56b5981c56a364ce969db9c22f24412419b45d7efe215ea6fcc6b5ab8dec4c5521730fbff98bfa72c5146c1b5bee3b41c5771b
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU3:Q+856utgpPF8u/73

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000012671-3.dat	cobalt_reflective_dll
behavioral1/files/0x0034000000015653-8.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001567f-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ca6-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015be6-31.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015ce1-44.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e3a-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016843-126.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c4a-134.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016a9a-131.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001661c-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016572-116.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000164b2-111.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001630b-103.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000161e7-96.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016117-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015fe9-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f6d-75.dat	cobalt_reflective_dll
behavioral1/files/0x0032000000015659-68.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015eaf-60.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cba-37.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012671-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0034000000015653-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000800000001567f-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015ca6-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015be6-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015ce1-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015e3a-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016843-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c4a-134.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016a9a-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001661c-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016572-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000164b2-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001630b-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000161e7-96.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016117-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015fe9-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f6d-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0032000000015659-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015eaf-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cba-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 63 IoCs

resource	yara_rule
behavioral1/memory/1464-0-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/files/0x000c000000012671-3.dat	UPX
behavioral1/memory/1464-6-0x00000000023F0000-0x0000000002744000-memory.dmp	UPX
behavioral1/files/0x0034000000015653-8.dat	UPX
behavioral1/memory/636-14-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x000800000001567f-15.dat	UPX
behavioral1/files/0x0007000000015ca6-25.dat	UPX
behavioral1/files/0x0007000000015be6-31.dat	UPX
behavioral1/memory/2568-43-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2648-40-0x000000013F070000-0x000000013F3C4000-memory.dmp	UPX
behavioral1/files/0x0009000000015ce1-44.dat	UPX
behavioral1/memory/2540-49-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2588-55-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/files/0x0007000000015e3a-53.dat	UPX
behavioral1/memory/2928-59-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2416-65-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2544-71-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/1936-84-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/files/0x0006000000016843-126.dat	UPX
behavioral1/files/0x0006000000016c4a-134.dat	UPX
behavioral1/files/0x0006000000016a9a-131.dat	UPX
behavioral1/files/0x000600000001661c-121.dat	UPX
behavioral1/files/0x0006000000016572-116.dat	UPX
behavioral1/memory/2540-138-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/files/0x00060000000164b2-111.dat	UPX
behavioral1/memory/2568-105-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2648-104-0x000000013F070000-0x000000013F3C4000-memory.dmp	UPX
behavioral1/files/0x000600000001630b-103.dat	UPX
behavioral1/memory/2828-99-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2696-92-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/files/0x00060000000161e7-96.dat	UPX
behavioral1/files/0x0006000000016117-90.dat	UPX
behavioral1/memory/1928-86-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/files/0x0006000000015fe9-82.dat	UPX
behavioral1/memory/1236-77-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/files/0x0006000000015f6d-75.dat	UPX
behavioral1/files/0x0032000000015659-68.dat	UPX
behavioral1/memory/2756-64-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/636-63-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x0006000000015eaf-60.dat	UPX
behavioral1/memory/1464-48-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/files/0x0007000000015cba-37.dat	UPX
behavioral1/memory/1936-33-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/2756-24-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/2544-140-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/1236-141-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/1928-144-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/2696-145-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2828-147-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2928-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/636-149-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/memory/2756-150-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/1936-151-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/2648-152-0x000000013F070000-0x000000013F3C4000-memory.dmp	UPX
behavioral1/memory/2568-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2540-154-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2416-155-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2544-156-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/1236-157-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/1928-158-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/2696-159-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2828-160-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2588-161-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/1464-0-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/files/0x000c000000012671-3.dat	xmrig
behavioral1/memory/1464-6-0x00000000023F0000-0x0000000002744000-memory.dmp	xmrig
behavioral1/files/0x0034000000015653-8.dat	xmrig
behavioral1/memory/636-14-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x000800000001567f-15.dat	xmrig
behavioral1/files/0x0007000000015ca6-25.dat	xmrig
behavioral1/files/0x0007000000015be6-31.dat	xmrig
behavioral1/memory/1464-29-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2568-43-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2648-40-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/files/0x0009000000015ce1-44.dat	xmrig
behavioral1/memory/2540-49-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2588-55-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015e3a-53.dat	xmrig
behavioral1/memory/2928-59-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2416-65-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2544-71-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/1936-84-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016843-126.dat	xmrig
behavioral1/files/0x0006000000016c4a-134.dat	xmrig
behavioral1/files/0x0006000000016a9a-131.dat	xmrig
behavioral1/files/0x000600000001661c-121.dat	xmrig
behavioral1/files/0x0006000000016572-116.dat	xmrig
behavioral1/memory/2540-138-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/files/0x00060000000164b2-111.dat	xmrig
behavioral1/memory/1464-106-0x00000000023F0000-0x0000000002744000-memory.dmp	xmrig
behavioral1/memory/2568-105-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2648-104-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/files/0x000600000001630b-103.dat	xmrig
behavioral1/memory/2828-99-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2696-92-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/files/0x00060000000161e7-96.dat	xmrig
behavioral1/files/0x0006000000016117-90.dat	xmrig
behavioral1/memory/1928-86-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/files/0x0006000000015fe9-82.dat	xmrig
behavioral1/memory/1236-77-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015f6d-75.dat	xmrig
behavioral1/files/0x0032000000015659-68.dat	xmrig
behavioral1/memory/2756-64-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/636-63-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x0006000000015eaf-60.dat	xmrig
behavioral1/memory/1464-48-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015cba-37.dat	xmrig
behavioral1/memory/1936-33-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2756-24-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2544-140-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/1236-141-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/1928-144-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2696-145-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2828-147-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2928-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/636-149-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2756-150-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/1936-151-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2648-152-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2568-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2540-154-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2416-155-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2544-156-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/1236-157-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/1928-158-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2696-159-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2828-160-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2928	awpdUWP.exe
636	iZjZPWB.exe
2756	EPxTDdy.exe
1936	CevPuLX.exe
2648	MgRbedl.exe
2568	eSSfCBu.exe
2540	ZQcDmpq.exe
2588	fQJooND.exe
2416	McWIhvx.exe
2544	cDfTOfq.exe
1236	OlwnRqH.exe
1928	doTODZq.exe
2696	DSeDILC.exe
2828	jFBeZjN.exe
2896	AXZpuIG.exe
2328	uRNpgZU.exe
1076	Givcypn.exe
1980	kcINOCX.exe
1120	qwMMLQB.exe
1776	PPUPtMF.exe
1664	mLjMxxq.exe

Loads dropped DLL 21 IoCs

pid	Process
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1464-0-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/files/0x000c000000012671-3.dat	upx
behavioral1/memory/1464-6-0x00000000023F0000-0x0000000002744000-memory.dmp	upx
behavioral1/files/0x0034000000015653-8.dat	upx
behavioral1/memory/636-14-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x000800000001567f-15.dat	upx
behavioral1/files/0x0007000000015ca6-25.dat	upx
behavioral1/files/0x0007000000015be6-31.dat	upx
behavioral1/memory/2568-43-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2648-40-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/files/0x0009000000015ce1-44.dat	upx
behavioral1/memory/2540-49-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2588-55-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/files/0x0007000000015e3a-53.dat	upx
behavioral1/memory/2928-59-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2416-65-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2544-71-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/1936-84-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/files/0x0006000000016843-126.dat	upx
behavioral1/files/0x0006000000016c4a-134.dat	upx
behavioral1/files/0x0006000000016a9a-131.dat	upx
behavioral1/files/0x000600000001661c-121.dat	upx
behavioral1/files/0x0006000000016572-116.dat	upx
behavioral1/memory/2540-138-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/files/0x00060000000164b2-111.dat	upx
behavioral1/memory/2568-105-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2648-104-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/files/0x000600000001630b-103.dat	upx
behavioral1/memory/2828-99-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2696-92-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/files/0x00060000000161e7-96.dat	upx
behavioral1/files/0x0006000000016117-90.dat	upx
behavioral1/memory/1928-86-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/files/0x0006000000015fe9-82.dat	upx
behavioral1/memory/1236-77-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/files/0x0006000000015f6d-75.dat	upx
behavioral1/files/0x0032000000015659-68.dat	upx
behavioral1/memory/2756-64-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/636-63-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x0006000000015eaf-60.dat	upx
behavioral1/memory/1464-48-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/files/0x0007000000015cba-37.dat	upx
behavioral1/memory/1936-33-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2756-24-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2544-140-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/1236-141-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/1928-144-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2696-145-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2828-147-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2928-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/636-149-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/2756-150-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/1936-151-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2648-152-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2568-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2540-154-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2416-155-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2544-156-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/1236-157-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/1928-158-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2696-159-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2828-160-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2588-161-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PPUPtMF.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DSeDILC.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cDfTOfq.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uRNpgZU.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mLjMxxq.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EPxTDdy.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eSSfCBu.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MgRbedl.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZQcDmpq.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\McWIhvx.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\doTODZq.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jFBeZjN.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Givcypn.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iZjZPWB.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qwMMLQB.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CevPuLX.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fQJooND.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OlwnRqH.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AXZpuIG.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kcINOCX.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\awpdUWP.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2928	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	29
PID 1464 wrote to memory of 2928	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	29
PID 1464 wrote to memory of 2928	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	29
PID 1464 wrote to memory of 636	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	30
PID 1464 wrote to memory of 636	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	30
PID 1464 wrote to memory of 636	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	30
PID 1464 wrote to memory of 2756	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	31
PID 1464 wrote to memory of 2756	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	31
PID 1464 wrote to memory of 2756	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	31
PID 1464 wrote to memory of 1936	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	32
PID 1464 wrote to memory of 1936	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	32
PID 1464 wrote to memory of 1936	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	32
PID 1464 wrote to memory of 2568	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	33
PID 1464 wrote to memory of 2568	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	33
PID 1464 wrote to memory of 2568	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	33
PID 1464 wrote to memory of 2648	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	34
PID 1464 wrote to memory of 2648	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	34
PID 1464 wrote to memory of 2648	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	34
PID 1464 wrote to memory of 2540	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	35
PID 1464 wrote to memory of 2540	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	35
PID 1464 wrote to memory of 2540	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	35
PID 1464 wrote to memory of 2588	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	36
PID 1464 wrote to memory of 2588	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	36
PID 1464 wrote to memory of 2588	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	36
PID 1464 wrote to memory of 2416	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	37
PID 1464 wrote to memory of 2416	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	37
PID 1464 wrote to memory of 2416	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	37
PID 1464 wrote to memory of 2544	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	38
PID 1464 wrote to memory of 2544	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	38
PID 1464 wrote to memory of 2544	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	38
PID 1464 wrote to memory of 1236	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	39
PID 1464 wrote to memory of 1236	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	39
PID 1464 wrote to memory of 1236	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	39
PID 1464 wrote to memory of 1928	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	40
PID 1464 wrote to memory of 1928	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	40
PID 1464 wrote to memory of 1928	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	40
PID 1464 wrote to memory of 2696	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	41
PID 1464 wrote to memory of 2696	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	41
PID 1464 wrote to memory of 2696	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	41
PID 1464 wrote to memory of 2828	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	42
PID 1464 wrote to memory of 2828	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	42
PID 1464 wrote to memory of 2828	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	42
PID 1464 wrote to memory of 2896	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	43
PID 1464 wrote to memory of 2896	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	43
PID 1464 wrote to memory of 2896	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	43
PID 1464 wrote to memory of 2328	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	44
PID 1464 wrote to memory of 2328	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	44
PID 1464 wrote to memory of 2328	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	44
PID 1464 wrote to memory of 1076	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	45
PID 1464 wrote to memory of 1076	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	45
PID 1464 wrote to memory of 1076	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	45
PID 1464 wrote to memory of 1980	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	46
PID 1464 wrote to memory of 1980	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	46
PID 1464 wrote to memory of 1980	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	46
PID 1464 wrote to memory of 1120	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	47
PID 1464 wrote to memory of 1120	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	47
PID 1464 wrote to memory of 1120	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	47
PID 1464 wrote to memory of 1776	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	48
PID 1464 wrote to memory of 1776	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	48
PID 1464 wrote to memory of 1776	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	48
PID 1464 wrote to memory of 1664	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	49
PID 1464 wrote to memory of 1664	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	49
PID 1464 wrote to memory of 1664	1464	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\System\awpdUWP.exe
  C:\Windows\System\awpdUWP.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\iZjZPWB.exe
  C:\Windows\System\iZjZPWB.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\EPxTDdy.exe
  C:\Windows\System\EPxTDdy.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\CevPuLX.exe
  C:\Windows\System\CevPuLX.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\eSSfCBu.exe
  C:\Windows\System\eSSfCBu.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\MgRbedl.exe
  C:\Windows\System\MgRbedl.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\ZQcDmpq.exe
  C:\Windows\System\ZQcDmpq.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\fQJooND.exe
  C:\Windows\System\fQJooND.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\McWIhvx.exe
  C:\Windows\System\McWIhvx.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\cDfTOfq.exe
  C:\Windows\System\cDfTOfq.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\OlwnRqH.exe
  C:\Windows\System\OlwnRqH.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\doTODZq.exe
  C:\Windows\System\doTODZq.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\DSeDILC.exe
  C:\Windows\System\DSeDILC.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\jFBeZjN.exe
  C:\Windows\System\jFBeZjN.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\AXZpuIG.exe
  C:\Windows\System\AXZpuIG.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\uRNpgZU.exe
  C:\Windows\System\uRNpgZU.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\Givcypn.exe
  C:\Windows\System\Givcypn.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\kcINOCX.exe
  C:\Windows\System\kcINOCX.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\qwMMLQB.exe
  C:\Windows\System\qwMMLQB.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\PPUPtMF.exe
  C:\Windows\System\PPUPtMF.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\mLjMxxq.exe
  C:\Windows\System\mLjMxxq.exe
  2⤵
  - Executes dropped EXE
  PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AXZpuIG.exe

Filesize
5.9MB

MD5
da81daed24206ca7354ef198077ed05a

SHA1
94b4ef3a8624c7759791d23c8a44d8d316963f32

SHA256
720927d16922d49f23ccdc8a225c5ca4a099751dfc919b6c18496efc821be165

SHA512
4bb304f45d615f119da7d4aeaf4fb4e907d7bf0b797dbc6f39695b69b51dec1060e11ee5fe4de5a6526692bc4e6e35ca5e341ef80bf88873dcf111d2de1eae27

Download Submit
C:\Windows\system\CevPuLX.exe

Filesize
5.9MB

MD5
107f6bfb56bf42e910eb6a9ed3cf1986

SHA1
3e800f966dd64e3cf9da8d71d85ec8894a9f54ac

SHA256
3f5fd63772dc8954264111154bad42b059ab660c5c343ed6918d4dc3f98057e3

SHA512
196e9d8257be18150ec351c26fa589338a1cb1d81b1241b842202815e818961209da9ad85e6e374149d425bffd2e85efc431629e2aeb9397975f935f3211d8c6

Download Submit
C:\Windows\system\DSeDILC.exe

Filesize
5.9MB

MD5
528066938a5b3bd6c01825518fb53517

SHA1
f5cd630d652efa88fb0a064b7e7fa6428bdc2b1f

SHA256
ead8e59c2832fb1a9ba47badb7bdca0008fae1179807b76838d7d00b33ad97d6

SHA512
9bb51a1752af495eb139cf3912aa0d9ad5a82c9d82652a9cdd27694822790234212606a91b2194bab54a0dbc1907d2bcb69f0d342c4343410734f2e23281b80b

Download Submit
C:\Windows\system\Givcypn.exe

Filesize
5.9MB

MD5
c5210d357c3f795831427510344dd633

SHA1
64e6932f62cb4da36b73b059ba7c03521ca39009

SHA256
3eb77e15884965a5854a78b33a323fce16fdefcbe900a828e44278f52cd41ec6

SHA512
e8b3b43582b011a995097f7be993884ee80815656e683b63b1ae837346aa2bd244a84e25e6789989495321b426fb248f8a3a8eb056a6de9eaa1b40401024af91

Download Submit
C:\Windows\system\McWIhvx.exe

Filesize
5.9MB

MD5
cb34830d4cfa21400df70d08ddded230

SHA1
aef22432f472dee55375a4ed930a9a96caa716d7

SHA256
ca6c5bb4038efe23b2a17efaec93b7ba2e2926d320685db5c9e8df135eb64b63

SHA512
be1480a44f1f765a9b6118ad4b798c80a6f1bf8300ff77f11b33fdbf1eed72af89e8a49e45faf6776bdc4cd0c4f82ea676d689131baaa5fcb04af28266de772e

Download Submit
C:\Windows\system\MgRbedl.exe

Filesize
5.9MB

MD5
27824af6f67c38eb5062127c8920c81c

SHA1
e791bbb8177f132ef17a15a4f3cdeaca468dbf36

SHA256
86c2367db8cf61f2f4ee525c93d63c05b55553db57bb79d8ed11bf0042f21640

SHA512
681ec05b963558c59ab543620bbd0b2634c9372b455e35fcb00f7dd6ad88dfb42a5014a874415bc784b2868d29f9df9f1a1bda02fcbb555d9651f148c8f38fe9

Download Submit
C:\Windows\system\OlwnRqH.exe

Filesize
5.9MB

MD5
394c05f825c15c9856a4c8626d017d06

SHA1
6329cc88e8a52ba202a808f8daf06376a6899707

SHA256
bc5f0019e9dbd831a6acab0d4dd4348d1fcc38803cfae873b335708db8ac131e

SHA512
283b63871690e9d0c2ef787468bc0e0743f3811f18c96db0099e76a1a782c2d9aa634d5e300d7af1d5013cde7aa3a688b5a862c206744dc3ade1f36c77f9e8a9

Download Submit
C:\Windows\system\PPUPtMF.exe

Filesize
5.9MB

MD5
509c1a22b62ea2b517379f6e6441c276

SHA1
d5d89b44166715ac7fccd2673e0d21c373b26351

SHA256
685a288baf9260c53148494dd5e849011cc1af694d2b098b69a179ec3f12c29a

SHA512
2158cd46b1a676e65d860d07f980f1d9f72101484f2161d6bf9bbeb4e0d60cbb1906230a4ebe60d7d15ded0cd6b30c015246b2c94096fa5d2927f13f1b745b6f

Download Submit
C:\Windows\system\cDfTOfq.exe

Filesize
5.9MB

MD5
516b0dcfc870b2286b3f235a13bb09ce

SHA1
6f91cbd75d4795cd90285221b6a98a564691c53c

SHA256
7108384c34c4ec4df5d0af83184c0260419d1e3047e847c4f989b971c66b1c3b

SHA512
57ee5e2d4e9da586937f2db8a857b197bb4501cb7ba5fedbf8c624014092c31a2ce85cab04bea0c431fdace44820cee957ad304fe86c19889e20221e316558d0

Download Submit
C:\Windows\system\doTODZq.exe

Filesize
5.9MB

MD5
36554a5531c2e607e54a2fcf43882d7e

SHA1
b0516fdb88e7396b38de55bb2fbba28329bd9bce

SHA256
ebfffe1dddf41b84d0829c453c045152c101871502570ed940f35057f3fa613f

SHA512
cc20eab739dd40961d83fd8ceb4c44f5ea1d0fd499e68589c584b8417718b6af41527f319a5472395303186e7ed4572916dae4df095ab85c3028202650a8b64d

Download Submit
C:\Windows\system\fQJooND.exe

Filesize
5.9MB

MD5
a57c0b3f5d4852dc983210a57bd9f447

SHA1
6d892d7d19e16edddd4c6414861ca952cebf4ddc

SHA256
a43c58dddbd3a1c09b7c1b114a8c7b8865dab385c1ad08d5518555523cf3858b

SHA512
e1b54d524fe5d4bd59e515e88a7665166023a6b1e45959e14752851d82a029c92ca30f25f804546592dbf07ba1d85f40afbea046b1ca291fbb9523ba31ff29b0

Download Submit
C:\Windows\system\jFBeZjN.exe

Filesize
5.9MB

MD5
772c11b53c3ce6570264c88d8bae8700

SHA1
4fe4fd76c370ad133c6d78b9d137c4c59cef9bc8

SHA256
357fd7231be2e1957b8cba8bbb53296308fe2a8a86cbf7a370f1f8776144f2e5

SHA512
cc5f491b56e0d6f702955a85ca79859320ced3f7e2d4bf74d3bc5d661cfd0edd5d420973f71ab25e9129f4769b94c5813e6d84bac5e04c5cfee801ec35e0fec1

Download Submit
C:\Windows\system\kcINOCX.exe

Filesize
5.9MB

MD5
51da0b9059dee55183346e6effaeb7dc

SHA1
ec6a9468ce8776876b1250ce2b593101cc9eebcd

SHA256
31ce5d558266365ea207707bda05549e5336998d4526ba4d99ed9c0da0bed13d

SHA512
63caca26553cf0346e56fdf9ba577cd7c444bbad39ccc60fb5634f08d082557d32a14a6a650995b4a84e46d158d3d5a05499c928f637e8d8b7d325f36dad7b67

Download Submit
C:\Windows\system\qwMMLQB.exe

Filesize
5.9MB

MD5
72688b0c0e95323579ce5d70e727162c

SHA1
eb3ac39599b74b2ab1e0054b87169dd2a8657857

SHA256
1e4227e4617fe89b36f53d709420fbef51aff828ddfa5383fa48c0467d11aca2

SHA512
a85d6ebff0840a32b420f39f9343e428ddab8293a09f53bbda4121c9e7aecd9b92223f2731abae85c48042d59740bd65bcbf6d40fe6e3f39dbb49f392616df91

Download Submit
C:\Windows\system\uRNpgZU.exe

Filesize
5.9MB

MD5
5a3cc804b8e2a4f796023ac59b1bd64c

SHA1
7de85f894fd3f0a319b5c6b203838f79bab7ecdb

SHA256
7e1b702b7cb9c8f605b7a3bad27f5400298fc6831beb42b51f878800ced1a177

SHA512
5848d16dbf1da20ae6a126804c0ccc137a8a3420e28f6a43f98930698cc40faaaf4e4d6a48f968515e3f726ae1b4498c9b1578600aedfc576c08a5c81bc628f8

Download Submit
\Windows\system\EPxTDdy.exe

Filesize
5.9MB

MD5
ebb6cc2952d86061967e33bc2aa029c1

SHA1
ed0e37f3e46b6fef2ee0086695ed93d759244b99

SHA256
c1710cc4e4cf1dd2ce0e92fe90424657fc4a983983e9ce8bee84746575e63590

SHA512
48c99f33f7e3a781b6065e1427cd40343dc17628874dfaa5f47c6944920b7973e760fd6a7381ba9c9a31bcb2217f92e9dc8e631c1ac595f2de7a83594f3d222e

Download Submit
\Windows\system\ZQcDmpq.exe

Filesize
5.9MB

MD5
98790673bbcb5694cd557d022f1ecb58

SHA1
d89cb51a6e3d89d31626f75e2cd281ed11f1ee39

SHA256
d39a1433e9998326e2a4a16ab81805610e775fb19c052cc6e343c2f0671af888

SHA512
108f9f88d85bb33ac0c9d260fe615fb8e5744ea3fbc3c278273b975130338d7baa54030caa054e3e9ff37fe2014b76fd4e211906f07d1ddc6d13597651a2d1ec

Download Submit
\Windows\system\awpdUWP.exe

Filesize
5.9MB

MD5
11521a2378a3c1cb993a96ae664f0945

SHA1
ee045753e597bceef35b88b631f2ac9306209a7a

SHA256
dcb6fa4a7fe16c367b1a3462d90c2e270d06d890aa433001b0851c42ced9c8f5

SHA512
738d205041fb7382b7656b51536c57dad4294aa53bc242937423157ed7c6fad33c0dced1ad931bdf1e7f341e0b49e90f603042980825e0813ac7a9482e305fcf

Download Submit
\Windows\system\eSSfCBu.exe

Filesize
5.9MB

MD5
ca1250e1474d8883bf982f93e2a813fb

SHA1
a56c246d0cb61361580fde6eafea948aa64a2abe

SHA256
e02b22b5cc2c333a5a98277f6370bc1b414527d9426befd416b08405da8654e5

SHA512
24d507e58af8542eb9ae74b3df455f70f35ef202317dcdcd09037f0b404b7d6e7e3fdb85e266f4e40ee989172fe91fcf5732da5f8553076cdb67b67d8532b90a

Download Submit
\Windows\system\iZjZPWB.exe

Filesize
5.9MB

MD5
d2de1753d58caf0569e778b6e2a95fe4

SHA1
38578a7da06b35c7788e1683cd04d55401e3c6f3

SHA256
4771550e308dc222293ae78fdd76e0b9d20f9561c36615f1ea3f51369f19f828

SHA512
f59380ea3699f65862138124ab8e13c62bdf561727aa50f56bd553a7973d92fdbf63b558b83baa6fa7bf93e68d7cc4480d3dce017f65a12ef74f051f4047fd95

Download Submit
\Windows\system\mLjMxxq.exe

Filesize
5.9MB

MD5
43cbcb0214802aaaf026520b7340a0d4

SHA1
ede0983916a6b005b72b1c27066489908e9796fb

SHA256
2344541e0a023c240fc87ccbae6b92fc6f542e7d1b52470639e5f97acacf27d3

SHA512
1197c753e079b1c6d8d9e4d733ebf9b91f4124d8a930789e94b701ccaa8341531235c866da015b0a58b47926f36d6950b3fa6eda8bcb7cc0efb05fea82d8eb46

Download Submit
memory/636-63-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/636-14-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/636-149-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/1236-77-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1236-141-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1236-157-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1464-139-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/1464-70-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/1464-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1464-6-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/1464-106-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/1464-146-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/1464-143-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1464-13-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/1464-0-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/1464-36-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/1464-20-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/1464-48-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/1464-98-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/1464-85-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1464-30-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/1464-62-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/1464-76-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/1464-29-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/1928-86-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1928-158-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1928-144-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1936-33-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/1936-151-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/1936-84-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2416-155-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2416-65-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2540-154-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2540-138-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2540-49-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2544-140-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2544-156-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2544-71-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2568-105-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2568-43-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2568-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2588-55-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-161-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-104-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-40-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-152-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-145-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-159-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-92-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-150-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-64-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-24-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-147-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2828-99-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2828-160-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2928-148-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2928-59-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download