cobaltstrike | 12257de66964e2675ff29adb54eb651be4aaacbc09c88d9a100a6aefbf309cc9

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 19:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

4cfc29f6c35a40f53f43a1ef2b43e2c3
SHA1

12e4c3db94261393540de7386d541656f76c6681
SHA256

12257de66964e2675ff29adb54eb651be4aaacbc09c88d9a100a6aefbf309cc9
SHA512

baebda461946c26128ca25cf95444c4b373618716c61dd5f812b4d955467c6f543aa9e0086bd57e0c1c4200202ef157878d2718f3408550b7faabc3f0374a463
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUF:E+b56utgpPF8u/7F

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d00000001226b-3.dat	cobalt_reflective_dll
behavioral1/files/0x0038000000014415-8.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014721-19.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014574-10.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001472c-31.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001473f-38.dat	cobalt_reflective_dll
behavioral1/files/0x0038000000014471-43.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014b19-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c7f-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ca2-74.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c6f-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb8-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cc7-91.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d02-118.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d19-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d28-133.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d0c-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cf0-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ce3-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ccf-103.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c93-83.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001226b-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0038000000014415-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014721-19.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014574-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001472c-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001473f-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0038000000014471-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014b19-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c7f-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ca2-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c6f-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb8-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cc7-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d02-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d19-130.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d28-133.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d0c-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cf0-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ce3-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ccf-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c93-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2848-1-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/files/0x000d00000001226b-3.dat	UPX
behavioral1/memory/2848-6-0x00000000022B0000-0x0000000002604000-memory.dmp	UPX
behavioral1/files/0x0038000000014415-8.dat	UPX
behavioral1/files/0x0007000000014721-19.dat	UPX
behavioral1/memory/2136-20-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/3036-14-0x000000013FEF0000-0x0000000140244000-memory.dmp	UPX
behavioral1/files/0x0008000000014574-10.dat	UPX
behavioral1/memory/2732-34-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/3048-32-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/files/0x000700000001472c-31.dat	UPX
behavioral1/memory/2664-28-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x000700000001473f-38.dat	UPX
behavioral1/memory/2792-40-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2656-51-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/files/0x0038000000014471-43.dat	UPX
behavioral1/memory/2572-53-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/files/0x0009000000014b19-50.dat	UPX
behavioral1/files/0x0006000000015c7f-66.dat	UPX
behavioral1/memory/3036-69-0x000000013FEF0000-0x0000000140244000-memory.dmp	UPX
behavioral1/files/0x0006000000015ca2-74.dat	UPX
behavioral1/files/0x0007000000015c6f-56.dat	UPX
behavioral1/files/0x0006000000015cb8-84.dat	UPX
behavioral1/files/0x0006000000015cc7-91.dat	UPX
behavioral1/memory/3032-98-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
behavioral1/files/0x0006000000015d02-118.dat	UPX
behavioral1/files/0x0006000000015d19-130.dat	UPX
behavioral1/files/0x0006000000015d28-133.dat	UPX
behavioral1/files/0x0006000000015d0c-125.dat	UPX
behavioral1/files/0x0006000000015cf0-115.dat	UPX
behavioral1/files/0x0006000000015ce3-110.dat	UPX
behavioral1/memory/2792-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/files/0x0006000000015ccf-103.dat	UPX
behavioral1/memory/2732-96-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/3048-95-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2512-88-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/1644-87-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2664-86-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x0006000000015c93-83.dat	UPX
behavioral1/memory/2848-81-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/2500-79-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2940-71-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2848-61-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/2568-63-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2572-138-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2656-137-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/2500-141-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/1644-142-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2512-143-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/3032-145-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
behavioral1/memory/2136-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/3036-148-0x000000013FEF0000-0x0000000140244000-memory.dmp	UPX
behavioral1/memory/2664-149-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/memory/2732-150-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/3048-151-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2792-152-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2572-153-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2656-154-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/2568-155-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2940-156-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2500-157-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2512-158-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/1644-159-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/3032-160-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2848-1-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/files/0x000d00000001226b-3.dat	xmrig
behavioral1/memory/2848-6-0x00000000022B0000-0x0000000002604000-memory.dmp	xmrig
behavioral1/files/0x0038000000014415-8.dat	xmrig
behavioral1/files/0x0007000000014721-19.dat	xmrig
behavioral1/memory/2136-20-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/3036-14-0x000000013FEF0000-0x0000000140244000-memory.dmp	xmrig
behavioral1/files/0x0008000000014574-10.dat	xmrig
behavioral1/memory/2732-34-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/3048-32-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/files/0x000700000001472c-31.dat	xmrig
behavioral1/memory/2664-28-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x000700000001473f-38.dat	xmrig
behavioral1/memory/2792-40-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2656-51-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2848-52-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/files/0x0038000000014471-43.dat	xmrig
behavioral1/memory/2572-53-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/files/0x0009000000014b19-50.dat	xmrig
behavioral1/files/0x0006000000015c7f-66.dat	xmrig
behavioral1/memory/3036-69-0x000000013FEF0000-0x0000000140244000-memory.dmp	xmrig
behavioral1/files/0x0006000000015ca2-74.dat	xmrig
behavioral1/files/0x0007000000015c6f-56.dat	xmrig
behavioral1/files/0x0006000000015cb8-84.dat	xmrig
behavioral1/files/0x0006000000015cc7-91.dat	xmrig
behavioral1/memory/3032-98-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d02-118.dat	xmrig
behavioral1/files/0x0006000000015d19-130.dat	xmrig
behavioral1/files/0x0006000000015d28-133.dat	xmrig
behavioral1/files/0x0006000000015d0c-125.dat	xmrig
behavioral1/files/0x0006000000015cf0-115.dat	xmrig
behavioral1/files/0x0006000000015ce3-110.dat	xmrig
behavioral1/memory/2792-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015ccf-103.dat	xmrig
behavioral1/memory/2732-96-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/3048-95-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2512-88-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/memory/1644-87-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2664-86-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x0006000000015c93-83.dat	xmrig
behavioral1/memory/2848-81-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/memory/2848-80-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2500-79-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2940-71-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2848-61-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2848-67-0x00000000022B0000-0x0000000002604000-memory.dmp	xmrig
behavioral1/memory/2568-63-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2572-138-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2656-137-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2848-139-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2500-141-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/1644-142-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2512-143-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/memory/2848-144-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/3032-145-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/2136-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/3036-148-0x000000013FEF0000-0x0000000140244000-memory.dmp	xmrig
behavioral1/memory/2664-149-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2732-150-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/3048-151-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2792-152-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2572-153-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2656-154-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2568-155-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3036	rDOptzm.exe
2136	UrGzXYJ.exe
2664	gBzxhlJ.exe
3048	jjqJTZt.exe
2732	PebxNfs.exe
2792	PiVFsRg.exe
2656	LMKnYUz.exe
2572	hhEGjdy.exe
2568	NtwUCkw.exe
2940	HYGsSap.exe
2500	vbfGWoA.exe
1644	CmtdfJa.exe
2512	skmpPLz.exe
3032	NIEsfgM.exe
2428	qhkvjXQ.exe
2012	TFaaLOh.exe
1636	hRTdNUb.exe
2160	wwlKWFK.exe
852	krjnZZN.exe
1420	JMWUmev.exe
1728	xFSXunD.exe

Loads dropped DLL 21 IoCs

pid	Process
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-1-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/files/0x000d00000001226b-3.dat	upx
behavioral1/memory/2848-6-0x00000000022B0000-0x0000000002604000-memory.dmp	upx
behavioral1/files/0x0038000000014415-8.dat	upx
behavioral1/files/0x0007000000014721-19.dat	upx
behavioral1/memory/2136-20-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/3036-14-0x000000013FEF0000-0x0000000140244000-memory.dmp	upx
behavioral1/files/0x0008000000014574-10.dat	upx
behavioral1/memory/2732-34-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/3048-32-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/files/0x000700000001472c-31.dat	upx
behavioral1/memory/2664-28-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x000700000001473f-38.dat	upx
behavioral1/memory/2792-40-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2656-51-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/files/0x0038000000014471-43.dat	upx
behavioral1/memory/2572-53-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/files/0x0009000000014b19-50.dat	upx
behavioral1/files/0x0006000000015c7f-66.dat	upx
behavioral1/memory/3036-69-0x000000013FEF0000-0x0000000140244000-memory.dmp	upx
behavioral1/files/0x0006000000015ca2-74.dat	upx
behavioral1/files/0x0007000000015c6f-56.dat	upx
behavioral1/files/0x0006000000015cb8-84.dat	upx
behavioral1/files/0x0006000000015cc7-91.dat	upx
behavioral1/memory/3032-98-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/files/0x0006000000015d02-118.dat	upx
behavioral1/files/0x0006000000015d19-130.dat	upx
behavioral1/files/0x0006000000015d28-133.dat	upx
behavioral1/files/0x0006000000015d0c-125.dat	upx
behavioral1/files/0x0006000000015cf0-115.dat	upx
behavioral1/files/0x0006000000015ce3-110.dat	upx
behavioral1/memory/2792-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/files/0x0006000000015ccf-103.dat	upx
behavioral1/memory/2732-96-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/3048-95-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2512-88-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/1644-87-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2664-86-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x0006000000015c93-83.dat	upx
behavioral1/memory/2848-81-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/2500-79-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2940-71-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2848-61-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2848-67-0x00000000022B0000-0x0000000002604000-memory.dmp	upx
behavioral1/memory/2568-63-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2572-138-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2656-137-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/2500-141-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/1644-142-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2512-143-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/3032-145-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/memory/2136-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/3036-148-0x000000013FEF0000-0x0000000140244000-memory.dmp	upx
behavioral1/memory/2664-149-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/2732-150-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/3048-151-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2792-152-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2572-153-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2656-154-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/2568-155-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2940-156-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2500-157-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2512-158-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/1644-159-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hRTdNUb.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JMWUmev.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HYGsSap.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\skmpPLz.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gBzxhlJ.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PiVFsRg.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hhEGjdy.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NIEsfgM.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qhkvjXQ.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xFSXunD.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UrGzXYJ.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jjqJTZt.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CmtdfJa.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TFaaLOh.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wwlKWFK.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PebxNfs.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LMKnYUz.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vbfGWoA.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\krjnZZN.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rDOptzm.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NtwUCkw.exe	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3036	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	29
PID 2848 wrote to memory of 3036	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	29
PID 2848 wrote to memory of 3036	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	29
PID 2848 wrote to memory of 2136	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	30
PID 2848 wrote to memory of 2136	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	30
PID 2848 wrote to memory of 2136	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	30
PID 2848 wrote to memory of 3048	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	31
PID 2848 wrote to memory of 3048	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	31
PID 2848 wrote to memory of 3048	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	31
PID 2848 wrote to memory of 2664	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	32
PID 2848 wrote to memory of 2664	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	32
PID 2848 wrote to memory of 2664	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	32
PID 2848 wrote to memory of 2732	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	33
PID 2848 wrote to memory of 2732	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	33
PID 2848 wrote to memory of 2732	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	33
PID 2848 wrote to memory of 2792	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	34
PID 2848 wrote to memory of 2792	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	34
PID 2848 wrote to memory of 2792	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	34
PID 2848 wrote to memory of 2656	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	35
PID 2848 wrote to memory of 2656	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	35
PID 2848 wrote to memory of 2656	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	35
PID 2848 wrote to memory of 2572	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	36
PID 2848 wrote to memory of 2572	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	36
PID 2848 wrote to memory of 2572	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	36
PID 2848 wrote to memory of 2568	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	37
PID 2848 wrote to memory of 2568	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	37
PID 2848 wrote to memory of 2568	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	37
PID 2848 wrote to memory of 2940	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	38
PID 2848 wrote to memory of 2940	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	38
PID 2848 wrote to memory of 2940	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	38
PID 2848 wrote to memory of 1644	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	39
PID 2848 wrote to memory of 1644	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	39
PID 2848 wrote to memory of 1644	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	39
PID 2848 wrote to memory of 2500	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	40
PID 2848 wrote to memory of 2500	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	40
PID 2848 wrote to memory of 2500	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	40
PID 2848 wrote to memory of 2512	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	41
PID 2848 wrote to memory of 2512	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	41
PID 2848 wrote to memory of 2512	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	41
PID 2848 wrote to memory of 3032	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	42
PID 2848 wrote to memory of 3032	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	42
PID 2848 wrote to memory of 3032	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	42
PID 2848 wrote to memory of 2428	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	43
PID 2848 wrote to memory of 2428	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	43
PID 2848 wrote to memory of 2428	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	43
PID 2848 wrote to memory of 2012	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	44
PID 2848 wrote to memory of 2012	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	44
PID 2848 wrote to memory of 2012	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	44
PID 2848 wrote to memory of 1636	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	45
PID 2848 wrote to memory of 1636	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	45
PID 2848 wrote to memory of 1636	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	45
PID 2848 wrote to memory of 2160	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	46
PID 2848 wrote to memory of 2160	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	46
PID 2848 wrote to memory of 2160	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	46
PID 2848 wrote to memory of 852	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	47
PID 2848 wrote to memory of 852	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	47
PID 2848 wrote to memory of 852	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	47
PID 2848 wrote to memory of 1420	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	48
PID 2848 wrote to memory of 1420	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	48
PID 2848 wrote to memory of 1420	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	48
PID 2848 wrote to memory of 1728	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	49
PID 2848 wrote to memory of 1728	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	49
PID 2848 wrote to memory of 1728	2848	2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_4cfc29f6c35a40f53f43a1ef2b43e2c3_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System\rDOptzm.exe
  C:\Windows\System\rDOptzm.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\UrGzXYJ.exe
  C:\Windows\System\UrGzXYJ.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\jjqJTZt.exe
  C:\Windows\System\jjqJTZt.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\gBzxhlJ.exe
  C:\Windows\System\gBzxhlJ.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\PebxNfs.exe
  C:\Windows\System\PebxNfs.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\PiVFsRg.exe
  C:\Windows\System\PiVFsRg.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\LMKnYUz.exe
  C:\Windows\System\LMKnYUz.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\hhEGjdy.exe
  C:\Windows\System\hhEGjdy.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\NtwUCkw.exe
  C:\Windows\System\NtwUCkw.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\HYGsSap.exe
  C:\Windows\System\HYGsSap.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\CmtdfJa.exe
  C:\Windows\System\CmtdfJa.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\vbfGWoA.exe
  C:\Windows\System\vbfGWoA.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\skmpPLz.exe
  C:\Windows\System\skmpPLz.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\NIEsfgM.exe
  C:\Windows\System\NIEsfgM.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\qhkvjXQ.exe
  C:\Windows\System\qhkvjXQ.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\TFaaLOh.exe
  C:\Windows\System\TFaaLOh.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\hRTdNUb.exe
  C:\Windows\System\hRTdNUb.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\wwlKWFK.exe
  C:\Windows\System\wwlKWFK.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\krjnZZN.exe
  C:\Windows\System\krjnZZN.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\JMWUmev.exe
  C:\Windows\System\JMWUmev.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\xFSXunD.exe
  C:\Windows\System\xFSXunD.exe
  2⤵
  - Executes dropped EXE
  PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CmtdfJa.exe

Filesize
5.9MB

MD5
04803263de6a98ec8bdf94551c738ed6

SHA1
a012aeee601d22e3e90cb6af75bc2a8e3bde51bd

SHA256
741e0197fae9d26fcfca09f09ab25788bc170e6f5c2477c8dd1a056d470ae985

SHA512
48f6701ff59e0d01fe89dfa3a79ae07ae97f93b685dac1a98214b566d334ae3a8aae787d547f7f750a0923c187861a4bcbe1daf92fbbe30a613fbf90a091ebb7

Download Submit
C:\Windows\system\HYGsSap.exe

Filesize
5.9MB

MD5
8316d07967304388ba63e05c1a36cda3

SHA1
409dcfe6b696040084bea7c988ac2fc858f6d3a9

SHA256
05db63b2994e06bba477940aef82865dae03a3162295c34a3ec1f54540061092

SHA512
df0c2f28f7f0118ba26962d198e51143d2f8c5b16fb8ab82d8196681771640a5eac1891561a0f4525d4f56fe88a40a98d4c4f81a155b9ae15d07275fd882b1dd

Download Submit
C:\Windows\system\JMWUmev.exe

Filesize
5.9MB

MD5
a4b0a880151d24ab8004cd072b6551ce

SHA1
7f5c77750e62921f6877d51fbf88f7df64b77ac0

SHA256
7126300f2a8572ead04245c15d1ae249ff30be416849c96919a2f2cfb12ef55f

SHA512
daa6361529f4eb127847b49ac8c441de9d8d5ee84241b7b951df5096480551446d84249d92a94b996f8589bdf69fe49097766091b42fd95fd68537e2ade9853b

Download Submit
C:\Windows\system\PebxNfs.exe

Filesize
5.9MB

MD5
4c1ca2f3218882be36aecae98274ef07

SHA1
999620ef11221658ec04732efb897d6429d6d4a5

SHA256
b8a8be9f648d0ed0d29a21d1ef4ec8b4f36874813f087a83c5351de8aead2c88

SHA512
0122f136ba4efe7559d6893ffd2d1dffe590c5a8e0f6286791db3ec5f7e4f584136031f9ccadf01e53bb9faee78639b02fd6b4ed3f4496877db44c6824060252

Download Submit
C:\Windows\system\PiVFsRg.exe

Filesize
5.9MB

MD5
17749cbe0be35298386793058fd8b7c6

SHA1
8e78a3c4c9951c5e242fa3e6a6d1b27cbcad0df4

SHA256
7d416ae913167ab64a8effee84336b4bfd1bb69f056f59d9c63f08ee70305f64

SHA512
4060dbdef16a4b1c1daf927061fae3e35c69d1169c50c0c233c5e9b6378d9f126b95068986b270b816d131795196eade8a7b4580f86c838c9a8698039e1a9629

Download Submit
C:\Windows\system\TFaaLOh.exe

Filesize
5.9MB

MD5
56b55e5f0c1f98c939d3bbe210cc4683

SHA1
8fcc92e30be4271482b814d6bc2113e232d07ce6

SHA256
65ffd7002d671d517e58f0c17c078ec18971d807cd3df6d8644e3ee503293cf5

SHA512
a614785a511cff19873439829b90ab929f084860a224f09a55cc120d35bf714af129170eed405138f9d5a477f0220e590c00bab982e66f0c29c1b28098776fb9

Download Submit
C:\Windows\system\hRTdNUb.exe

Filesize
5.9MB

MD5
2c0de3a6766dd05dd94eba3682507b33

SHA1
ab953e1f03acf897637b23b1b9cdd4fbffc16047

SHA256
35ff3b846c11913bf41c80cd88448feb46596204c6fd32e91ee11a8647c054b6

SHA512
ab2b407047df32b57c8b8afac7aa910fa3777737417c0e13535bafb5d8f6ed53c17e193ff550dad9e0d02453e2be21ba86b6af1b74bef94b952a5c6feaa3ce4a

Download Submit
C:\Windows\system\hhEGjdy.exe

Filesize
5.9MB

MD5
212b38c6bbb6eacb39df0c1bf13b55d0

SHA1
ac6d4861eb4ea1040638e34db54b431d44281e4d

SHA256
f891b1b268ad41e0fb3607e909bee04e6be6c81258cef635b0ee5e5bfbd4cc8c

SHA512
68467d8d2a7af9460f6f3d4d2462ee238fcf516a9e45253571b69f19ea5f34c2e06a3e95814390ec9e9d2f87afad3322b9d693e7f3a39ed19eb0dbfe6299a655

Download Submit
C:\Windows\system\jjqJTZt.exe

Filesize
5.9MB

MD5
386e21ed08ad6ea65e0c4fd0d71bcc89

SHA1
ff40c78b6a9a4b10583ae73584d0b1df5b07eec3

SHA256
244027ae4859d906ac9b6a7ba1816d4b543c0b319d76df8bf16e6d0c826fc246

SHA512
6375c58301c18b3ae23a22b6793f2d0745feee06107769f0fcbdaa1c7c436cddd8df96ac637af810a87f76d7150d7c77510abb71c34fca0f419cf23f41f9ab4a

Download Submit
C:\Windows\system\krjnZZN.exe

Filesize
5.9MB

MD5
48c08412a84c439194515dd3e800b2ca

SHA1
aaec3de3bc519b1265f05d4bbd972098d4c5a0cb

SHA256
233adfae46f0b3ed2b2d160f164056781be18f8a780e5f62f4f7b3520837780e

SHA512
4bad19dad39d849efb2ea38a0cdd9afa09b10298db6dc19dcc7a5014652ef99d44205c145cf6abb601e415b5774ae112c7afadc76106b9d431d4a36688a7521e

Download Submit
C:\Windows\system\qhkvjXQ.exe

Filesize
5.9MB

MD5
eb6920c560d0ade2a115d34015efd85a

SHA1
c7bebe4f7a236d2918862d4203909ef26a5192ed

SHA256
9b0a3ceff7fbfcf526ff741f87897a0456d347969da27b6169b1a4bb644cdf44

SHA512
8889c72a6bac557523d5194add122595ecf8ed928f91ef51d91c82f73186de1e588ceee7814a3cf87f13f268a06418111988c40d166f572c346cd2f3e3d43aa6

Download Submit
C:\Windows\system\skmpPLz.exe

Filesize
5.9MB

MD5
cca4361e561f3313ad8df4125c1cc024

SHA1
e81748e430f0ec6d95ae3d5041a74439b19ec17a

SHA256
d6054165207a82e1e118364843594b500497315f542fe8ac774a4caad04cf8fd

SHA512
99bd04ffa3a4818c73f74e5a80156ff6b0cacb1fbc9565ac001a428cb1ac8a03a27d227748fb7ca6e61c46438e9fa863a1a382f3319e27634e30b58f6ff94f7f

Download Submit
\Windows\system\LMKnYUz.exe

Filesize
5.9MB

MD5
62d06c8678afb4ea9aaab3dadc931aab

SHA1
72bb386cf5d8b08818ad86990270993fba410314

SHA256
668ee1ce76eda9d3dc5a1439266b747101766b11f901bf9a7bbba118ff312018

SHA512
0d851eee759aac7ec4a2ced78ce56e02c1ca72df5562478ef6fc7b96d6aa3d97835400a131076d4e4ca93394cef60fa2870ddd3aa523fbed438f2175865d8ab1

Download Submit
\Windows\system\NIEsfgM.exe

Filesize
5.9MB

MD5
49054d0cb25c2173cde387aa2d876d11

SHA1
98e1ddba9d996b3de8c7388c0c3e4d029b777b72

SHA256
de39a2d3f0667d8830aecc1fe1caa364947ed49d254c99970cf3b3d58cc1d684

SHA512
3da48309b48e7b8daf6d22c5c978dd3f3201981b8b0e9d14f65a66f271e677fb3ad0377ad078521105c7f86feb2fb905cce3599a2492ecd488d1fb30d77f0116

Download Submit
\Windows\system\NtwUCkw.exe

Filesize
5.9MB

MD5
52ae4b6dd4f8e570ea9d5345e4267a6e

SHA1
b075bfa919cdffbeb4d45f8ebd3473745c90a548

SHA256
7ca9bd19daa28e9bd57bf4bb54d250951c47f98dcc6307f715e8d09c3151412b

SHA512
1748f24256ac7a32d55ebfa069231d400e4c2c6fcfc4f571cdc0f95d88f8c43ee55b2e8191568bc9f120a78addaeb2bc2a4ad8c6d7e829641902dececb6257b5

Download Submit
\Windows\system\UrGzXYJ.exe

Filesize
5.9MB

MD5
8f512e81b951b00f5d246f9eb81fba84

SHA1
300e494ab3115d80bc2fdfe4707af1ba8758c664

SHA256
7c7843c264b6f24eb55c4ff51a526f76bcb35f99867363737fc7c15fb921613e

SHA512
99d584ed25c20962c55f43918d8762c884d85b0c5790883d965fb91c362254b3a50876a93594c73124a0ade70bf86aba969317b22736f0c7445e333fb1c7ed44

Download Submit
\Windows\system\gBzxhlJ.exe

Filesize
5.9MB

MD5
11f4e2b53f1dfe769e7f36003192a29e

SHA1
5e0f986ec279b1d73574a17ac55ef3ff18008561

SHA256
33d920e7191edd3144c4c9577a3e4a900acc84dc10d2082c71deabfae3f225d4

SHA512
b7c695f497a42de00c0ac5ddc69cfaa09a9ea24da0805fbb96d76151ac508a0b32b01ab2871844ea0d162673e8a768ef948513f86f7f320fb0eeeb24555855af

Download Submit
\Windows\system\rDOptzm.exe

Filesize
5.9MB

MD5
0d5458fca48281934eb0de0bd2169055

SHA1
325f8cfa7aafaa73df5556396678be3b85d71239

SHA256
98949dd6858e7ccb9b4000ec5fa87eaca36f93ec523966763feb1de815930e70

SHA512
3d3424bf58d8748d7222a10bdee2d9aef0f12b19718130b3027b461730791035480135ffaffe776b98b30cfe3c19d6227397864e136ca149098caa163364d139

Download Submit
\Windows\system\vbfGWoA.exe

Filesize
5.9MB

MD5
199e82d3ecee840e5b1e24aa1d4a65de

SHA1
10e001f84a72fe011dda92edda7cda3705c26cd3

SHA256
8c5ed86738e2ad230990ea632129646c574e066d629116f86dfa5d48c638a8c1

SHA512
9726cd954e8c8eab48ff6f0cf63af159b0e11180b15795b561abc93996c111896bb404bd1f9a534f84e62aace8d769024103054f67fa8de6d98ebc5abfa73b5d

Download Submit
\Windows\system\wwlKWFK.exe

Filesize
5.9MB

MD5
ccf2072afdd666349c7a5470951a86e0

SHA1
09d5c9be7ee46c59da268a78f2c6bb797310a98e

SHA256
12a9a2b4d87bd776011cc6d58da190b5656cd09b0ca448a7cd7dba3881de5ec6

SHA512
8eee66b2560aa52bc0dc3b793ef9bbdb6f63874ad6ab2c4990ca6afcbb03b6b651d2a18de7cd3a57a48bb7faa6482958b1e833c3eed22f9a6b4e6df30b7300a4

Download Submit
\Windows\system\xFSXunD.exe

Filesize
5.9MB

MD5
9f135d16b62bc068c7c1cb82f8e80740

SHA1
7b18ced1bb904cceb18e65e3557b7d8d18b24774

SHA256
d48ad0d1a570d6707c0a44260fbae8b6fb06aed7d810e57c1f214fe46f4b919f

SHA512
18489db84b19111f0d8db5c28e614b9aa2e92bdb37c998bd7ac429a3c076f139af16858ed6fe1ad981f6ccdab2e19c1806c0af83435d18ebbfc32c140bbd353d

Download Submit
memory/1644-159-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1644-87-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1644-142-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2136-20-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2136-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-157-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2500-79-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2500-141-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2512-143-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2512-158-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2512-88-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2568-155-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2568-63-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2572-53-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2572-138-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2572-153-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2656-51-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-154-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-137-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-149-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2664-86-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2664-28-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2732-96-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-150-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-34-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-40-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-152-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-80-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2848-146-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2848-67-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2848-0-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2848-1-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-52-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2848-139-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2848-140-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-39-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-81-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2848-6-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2848-144-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-23-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2848-61-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-97-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-18-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2848-105-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2940-156-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2940-71-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/3032-98-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/3032-145-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/3032-160-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-148-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/3036-69-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/3036-14-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/3048-151-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/3048-95-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/3048-32-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download