cobaltstrike | b57bb5ca23ad49f559d991a33a26f345b1c0e96898797f1e170471d64bd11f8e

Analysis

max time kernel
132s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

35b73ecca35a7da5e3a498b246f3f7b6
SHA1

30d1ac09ae46daf08617b1c7994e00d92a4f56f5
SHA256

b57bb5ca23ad49f559d991a33a26f345b1c0e96898797f1e170471d64bd11f8e
SHA512

f956d4c025607f4f3dc2c72b4cf9cca6c581d99184258300b3d403e3b845c4bb1047f1152a4e6de949cc1b6a5206771d3543553fb7e102b7d922b15b2f8e6f21
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUa:T+856utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c00000001441e-3.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014a94-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014e3d-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014ec4-24.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014fe1-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015264-39.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c7c-47.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014aec-52.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cd4-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d01-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ccf-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d11-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-135.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d84-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4a-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-120.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d41-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d24-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf0-85.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001441e-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014a94-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014e3d-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014ec4-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014fe1-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015264-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c7c-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014aec-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cd4-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d01-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ccf-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d11-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d89-135.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d84-130.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4a-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4f-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d41-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d24-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf0-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 63 IoCs

resource	yara_rule
behavioral1/memory/1152-0-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/files/0x000c00000001441e-3.dat	UPX
behavioral1/memory/1152-6-0x00000000022E0000-0x0000000002634000-memory.dmp	UPX
behavioral1/memory/2228-9-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/files/0x0009000000014a94-10.dat	UPX
behavioral1/files/0x0008000000014e3d-12.dat	UPX
behavioral1/files/0x0007000000014ec4-24.dat	UPX
behavioral1/memory/1680-35-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/files/0x0007000000014fe1-34.dat	UPX
behavioral1/memory/2776-32-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2884-27-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2244-19-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/1152-38-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/files/0x0007000000015264-39.dat	UPX
behavioral1/files/0x0007000000015c7c-47.dat	UPX
behavioral1/memory/2728-51-0x000000013F160000-0x000000013F4B4000-memory.dmp	UPX
behavioral1/files/0x0009000000014aec-52.dat	UPX
behavioral1/memory/2228-55-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/files/0x0006000000016cd4-62.dat	UPX
behavioral1/memory/2524-65-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/files/0x0006000000016d01-70.dat	UPX
behavioral1/memory/2512-72-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/1152-73-0x00000000022E0000-0x0000000002634000-memory.dmp	UPX
behavioral1/memory/2596-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2724-77-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/files/0x0006000000016ccf-56.dat	UPX
behavioral1/files/0x0006000000016d11-90.dat	UPX
behavioral1/memory/2600-92-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/2856-100-0x000000013FB00000-0x000000013FE54000-memory.dmp	UPX
behavioral1/files/0x0006000000016d36-106.dat	UPX
behavioral1/files/0x0006000000016d89-135.dat	UPX
behavioral1/files/0x0006000000016d55-125.dat	UPX
behavioral1/files/0x0006000000016d84-130.dat	UPX
behavioral1/files/0x0006000000016d4a-115.dat	UPX
behavioral1/files/0x0006000000016d4f-120.dat	UPX
behavioral1/files/0x0006000000016d41-110.dat	UPX
behavioral1/memory/1680-91-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/files/0x0006000000016d24-97.dat	UPX
behavioral1/memory/2612-87-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2776-86-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/files/0x0006000000016cf0-85.dat	UPX
behavioral1/memory/2772-83-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/1152-82-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/2884-81-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2724-138-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2772-139-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/2612-140-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2600-141-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/2856-142-0x000000013FB00000-0x000000013FE54000-memory.dmp	UPX
behavioral1/memory/2228-143-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/memory/2244-144-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2884-145-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/1680-146-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/memory/2776-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2728-148-0x000000013F160000-0x000000013F4B4000-memory.dmp	UPX
behavioral1/memory/2596-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2524-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2512-151-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/2724-152-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2772-153-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/2612-154-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2600-155-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/2856-156-0x000000013FB00000-0x000000013FE54000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/1152-0-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/files/0x000c00000001441e-3.dat	xmrig
behavioral1/memory/1152-6-0x00000000022E0000-0x0000000002634000-memory.dmp	xmrig
behavioral1/memory/2228-9-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/files/0x0009000000014a94-10.dat	xmrig
behavioral1/files/0x0008000000014e3d-12.dat	xmrig
behavioral1/files/0x0007000000014ec4-24.dat	xmrig
behavioral1/memory/1680-35-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/files/0x0007000000014fe1-34.dat	xmrig
behavioral1/memory/1152-33-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2776-32-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2884-27-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/1152-20-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2244-19-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/1152-38-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015264-39.dat	xmrig
behavioral1/files/0x0007000000015c7c-47.dat	xmrig
behavioral1/memory/2728-51-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/files/0x0009000000014aec-52.dat	xmrig
behavioral1/memory/2228-55-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cd4-62.dat	xmrig
behavioral1/memory/2524-65-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d01-70.dat	xmrig
behavioral1/memory/2512-72-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/1152-73-0x00000000022E0000-0x0000000002634000-memory.dmp	xmrig
behavioral1/memory/2596-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2724-77-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ccf-56.dat	xmrig
behavioral1/files/0x0006000000016d11-90.dat	xmrig
behavioral1/memory/2600-92-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/2856-100-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d36-106.dat	xmrig
behavioral1/files/0x0006000000016d89-135.dat	xmrig
behavioral1/files/0x0006000000016d55-125.dat	xmrig
behavioral1/files/0x0006000000016d84-130.dat	xmrig
behavioral1/files/0x0006000000016d4a-115.dat	xmrig
behavioral1/files/0x0006000000016d4f-120.dat	xmrig
behavioral1/files/0x0006000000016d41-110.dat	xmrig
behavioral1/memory/1152-104-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/memory/1680-91-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d24-97.dat	xmrig
behavioral1/memory/2612-87-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2776-86-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cf0-85.dat	xmrig
behavioral1/memory/2772-83-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/1152-82-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/2884-81-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/1152-69-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2724-138-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2772-139-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2612-140-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2600-141-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/2856-142-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/2228-143-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2244-144-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2884-145-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/1680-146-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2776-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2728-148-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/memory/2596-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2524-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2512-151-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/2724-152-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2772-153-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2228	rgFlxTI.exe
2244	TjUnwAA.exe
2884	QdJFOsD.exe
2776	XcvBJBO.exe
1680	YiHAsEr.exe
2728	yVCNmyn.exe
2596	fROssNf.exe
2524	cIwmuOE.exe
2512	tsrTwdi.exe
2724	hKtvyhY.exe
2772	RszohnB.exe
2612	AgBVRzE.exe
2600	OvuEcKA.exe
2856	nTQNQzP.exe
1904	PAqGlUI.exe
1668	njNwxDr.exe
2012	GtTYNDS.exe
1568	fsosfAN.exe
1664	EMRYzwL.exe
1916	tBCADFZ.exe
1736	lIUGpuT.exe

Loads dropped DLL 21 IoCs

pid	Process
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1152-0-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/files/0x000c00000001441e-3.dat	upx
behavioral1/memory/1152-6-0x00000000022E0000-0x0000000002634000-memory.dmp	upx
behavioral1/memory/2228-9-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/files/0x0009000000014a94-10.dat	upx
behavioral1/files/0x0008000000014e3d-12.dat	upx
behavioral1/files/0x0007000000014ec4-24.dat	upx
behavioral1/memory/1680-35-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/files/0x0007000000014fe1-34.dat	upx
behavioral1/memory/2776-32-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2884-27-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2244-19-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/1152-38-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/files/0x0007000000015264-39.dat	upx
behavioral1/files/0x0007000000015c7c-47.dat	upx
behavioral1/memory/2728-51-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
behavioral1/files/0x0009000000014aec-52.dat	upx
behavioral1/memory/2228-55-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/files/0x0006000000016cd4-62.dat	upx
behavioral1/memory/2524-65-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-70.dat	upx
behavioral1/memory/2512-72-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/1152-73-0x00000000022E0000-0x0000000002634000-memory.dmp	upx
behavioral1/memory/2596-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2724-77-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/files/0x0006000000016ccf-56.dat	upx
behavioral1/files/0x0006000000016d11-90.dat	upx
behavioral1/memory/2600-92-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/2856-100-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/files/0x0006000000016d36-106.dat	upx
behavioral1/files/0x0006000000016d89-135.dat	upx
behavioral1/files/0x0006000000016d55-125.dat	upx
behavioral1/files/0x0006000000016d84-130.dat	upx
behavioral1/files/0x0006000000016d4a-115.dat	upx
behavioral1/files/0x0006000000016d4f-120.dat	upx
behavioral1/files/0x0006000000016d41-110.dat	upx
behavioral1/memory/1680-91-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/files/0x0006000000016d24-97.dat	upx
behavioral1/memory/2612-87-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2776-86-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/files/0x0006000000016cf0-85.dat	upx
behavioral1/memory/2772-83-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/1152-82-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/2884-81-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2724-138-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2772-139-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/2612-140-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2600-141-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/2856-142-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/2228-143-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2244-144-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2884-145-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/1680-146-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/2776-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2728-148-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
behavioral1/memory/2596-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2524-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2512-151-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/2724-152-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2772-153-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/2612-154-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2600-155-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/2856-156-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hKtvyhY.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OvuEcKA.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tBCADFZ.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lIUGpuT.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TjUnwAA.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YiHAsEr.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yVCNmyn.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RszohnB.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XcvBJBO.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QdJFOsD.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fsosfAN.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EMRYzwL.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nTQNQzP.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cIwmuOE.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fROssNf.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tsrTwdi.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AgBVRzE.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rgFlxTI.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PAqGlUI.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\njNwxDr.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GtTYNDS.exe	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2228	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	29
PID 1152 wrote to memory of 2228	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	29
PID 1152 wrote to memory of 2228	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	29
PID 1152 wrote to memory of 2244	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	30
PID 1152 wrote to memory of 2244	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	30
PID 1152 wrote to memory of 2244	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	30
PID 1152 wrote to memory of 2776	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	31
PID 1152 wrote to memory of 2776	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	31
PID 1152 wrote to memory of 2776	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	31
PID 1152 wrote to memory of 2884	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	32
PID 1152 wrote to memory of 2884	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	32
PID 1152 wrote to memory of 2884	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	32
PID 1152 wrote to memory of 1680	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	33
PID 1152 wrote to memory of 1680	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	33
PID 1152 wrote to memory of 1680	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	33
PID 1152 wrote to memory of 2728	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	34
PID 1152 wrote to memory of 2728	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	34
PID 1152 wrote to memory of 2728	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	34
PID 1152 wrote to memory of 2524	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	35
PID 1152 wrote to memory of 2524	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	35
PID 1152 wrote to memory of 2524	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	35
PID 1152 wrote to memory of 2596	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	36
PID 1152 wrote to memory of 2596	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	36
PID 1152 wrote to memory of 2596	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	36
PID 1152 wrote to memory of 2772	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	37
PID 1152 wrote to memory of 2772	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	37
PID 1152 wrote to memory of 2772	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	37
PID 1152 wrote to memory of 2512	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	38
PID 1152 wrote to memory of 2512	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	38
PID 1152 wrote to memory of 2512	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	38
PID 1152 wrote to memory of 2612	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	39
PID 1152 wrote to memory of 2612	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	39
PID 1152 wrote to memory of 2612	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	39
PID 1152 wrote to memory of 2724	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	40
PID 1152 wrote to memory of 2724	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	40
PID 1152 wrote to memory of 2724	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	40
PID 1152 wrote to memory of 2600	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	41
PID 1152 wrote to memory of 2600	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	41
PID 1152 wrote to memory of 2600	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	41
PID 1152 wrote to memory of 2856	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	42
PID 1152 wrote to memory of 2856	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	42
PID 1152 wrote to memory of 2856	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	42
PID 1152 wrote to memory of 1904	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	43
PID 1152 wrote to memory of 1904	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	43
PID 1152 wrote to memory of 1904	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	43
PID 1152 wrote to memory of 1668	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	44
PID 1152 wrote to memory of 1668	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	44
PID 1152 wrote to memory of 1668	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	44
PID 1152 wrote to memory of 2012	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	45
PID 1152 wrote to memory of 2012	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	45
PID 1152 wrote to memory of 2012	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	45
PID 1152 wrote to memory of 1568	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	46
PID 1152 wrote to memory of 1568	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	46
PID 1152 wrote to memory of 1568	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	46
PID 1152 wrote to memory of 1664	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	47
PID 1152 wrote to memory of 1664	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	47
PID 1152 wrote to memory of 1664	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	47
PID 1152 wrote to memory of 1916	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	48
PID 1152 wrote to memory of 1916	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	48
PID 1152 wrote to memory of 1916	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	48
PID 1152 wrote to memory of 1736	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	49
PID 1152 wrote to memory of 1736	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	49
PID 1152 wrote to memory of 1736	1152	2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_35b73ecca35a7da5e3a498b246f3f7b6_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\System\rgFlxTI.exe
  C:\Windows\System\rgFlxTI.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\TjUnwAA.exe
  C:\Windows\System\TjUnwAA.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\XcvBJBO.exe
  C:\Windows\System\XcvBJBO.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\QdJFOsD.exe
  C:\Windows\System\QdJFOsD.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\YiHAsEr.exe
  C:\Windows\System\YiHAsEr.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\yVCNmyn.exe
  C:\Windows\System\yVCNmyn.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\cIwmuOE.exe
  C:\Windows\System\cIwmuOE.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\fROssNf.exe
  C:\Windows\System\fROssNf.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\RszohnB.exe
  C:\Windows\System\RszohnB.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\tsrTwdi.exe
  C:\Windows\System\tsrTwdi.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\AgBVRzE.exe
  C:\Windows\System\AgBVRzE.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\hKtvyhY.exe
  C:\Windows\System\hKtvyhY.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\OvuEcKA.exe
  C:\Windows\System\OvuEcKA.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\nTQNQzP.exe
  C:\Windows\System\nTQNQzP.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\PAqGlUI.exe
  C:\Windows\System\PAqGlUI.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\njNwxDr.exe
  C:\Windows\System\njNwxDr.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\GtTYNDS.exe
  C:\Windows\System\GtTYNDS.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\fsosfAN.exe
  C:\Windows\System\fsosfAN.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\EMRYzwL.exe
  C:\Windows\System\EMRYzwL.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\tBCADFZ.exe
  C:\Windows\System\tBCADFZ.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\lIUGpuT.exe
  C:\Windows\System\lIUGpuT.exe
  2⤵
  - Executes dropped EXE
  PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AgBVRzE.exe

Filesize
5.9MB

MD5
d93abea563fcca97486e75f6846a0d50

SHA1
79cc6b780101b0f3ad7008dc8bfd780d94139508

SHA256
a709f7057c199d667e3eecdaaaef7e2ae39584995f0b0bd246edcad80be35455

SHA512
7caead3887bd4326d2ff994a7ac903dd82bb431951ec1c8f8bdf6d5d2b85c0486fa0011b689c0e21358faa64e92faff817c221fb040c3ab205ef26074a73e188

Download Submit
C:\Windows\system\EMRYzwL.exe

Filesize
5.9MB

MD5
4288cd293bd82a09f3967bdf5cfc55fc

SHA1
177733b42ac25230a0b698c769a310466d38f39f

SHA256
6e247860f9d53996d577937cd83c95e604422d188fe033652c57a0a9dc5c60c6

SHA512
2fb08a26f9170a8ab8df25dbc8a6175e23705679d7c228c68ab847ee6e2b3bbbe5c6b7832be0718cd408b4a7736491ec68587c9996a4682ca2c86e2a45ec715d

Download Submit
C:\Windows\system\GtTYNDS.exe

Filesize
5.9MB

MD5
7bbcdc07691afa4194d075371e13e7a9

SHA1
1e51cabc03fc4b23f344ea5fe801aba0cee59092

SHA256
100a95e990c76a5bd30f21b7ff941f2b973278dd4e20af2d6dc1565789d24de2

SHA512
152e3c88e4d83a05dc4e0a374bd5bd6df889c4aed24ef7260d5711ed5b9ccaaf67a8f42e650632252e10dc67422ffd120d25b4574b1e838b656398bd1b6685c8

Download Submit
C:\Windows\system\OvuEcKA.exe

Filesize
5.9MB

MD5
6f0b09df801d2a35b41a5f6a5236cabf

SHA1
a4a0f73b5ba4bf96952d78ae565c7ccb70862ef7

SHA256
4485f58caa53b463fca547ba59b838839e1a24c951c484c391d9525640e770ef

SHA512
ae8eaff57af53a304f42dc47827d509910559b80dccff697f3d95ea301599607096dbce94c8ab39c83f611c49626dcd76558a912e363e2578b2f64c33ea70332

Download Submit
C:\Windows\system\PAqGlUI.exe

Filesize
5.9MB

MD5
a02251a077eaa0058f218489208687f5

SHA1
c9576dc396b7aaf555dfc7daa8ddf519f6ffebd6

SHA256
3f7a1cbb7a26062023af8958f3c50978bd5713a4bf704a33598c07c873c5090e

SHA512
b6f737e61d4c3e319bd9ba617bc9f3aa9e521b19838bfbd961f653d9ed38bbbc3fc35024cf15ace1b93cb0254b90d03dba65bba38e367b2c8e4abfef9f8222b5

Download Submit
C:\Windows\system\QdJFOsD.exe

Filesize
5.9MB

MD5
3b06c1229c9f9a8bb538859c58067f9c

SHA1
e4d2c5a81b92231015d580db304ceb1acb8bdb21

SHA256
40f7758382062371ff1381331da24be4138c3a03a1f7530fe369484be994d743

SHA512
0755cd2e3338a68c6f70c8bc502285780f3472687ce594c0956b3b1652d285c25b8a938a6a0d130c2e69148318b7e9dc92dcc3461f53a29d8838e0c0f8ea81e4

Download Submit
C:\Windows\system\XcvBJBO.exe

Filesize
5.9MB

MD5
51aed2620d65875d7deeee4ad81c30ab

SHA1
789e47f41e82b471d66305e31553813f23673c10

SHA256
ac2de0f1f9549a4ee766224ed18f3604964a127831fc3933020e68c8dc484ceb

SHA512
5eec0490ddc082d786045604518a1dab13d1a598dfeed5b7d83f94308fa70c32ec83ea0140f80c7e41ee05012a56e4e9763ce4bbdc67e6c0a1abd54eda0ec4b9

Download Submit
C:\Windows\system\YiHAsEr.exe

Filesize
5.9MB

MD5
0f78f4631f0a333328bd0a86f0077ea3

SHA1
db2da10dfbbe6a25ba9ef9263d10cd1434f2cbe5

SHA256
e28d8db2deb4ce3f9ed7a79e05f7ae42e4e4cfe960349a0f793ffb5f3d68035d

SHA512
0b75f572f2a2e4a5fc67a33e988243e75a0497a9d0b8e12268822151fd669e43043bd41ab2b704ac134c775e3c1c921d06f149852e46f5229fa843ebf72b30ee

Download Submit
C:\Windows\system\cIwmuOE.exe

Filesize
5.9MB

MD5
e1b4e5f964abdf8a847b903f743e249d

SHA1
fad0258d3f2de3337768cb2d8adec5f01bc10815

SHA256
94c96aba3c933eb42efc68f3cee8c073648e51d65b2ca21385f82ed4b67759b5

SHA512
868897e44dcbb3049c01782a47016b35aaa8ac45bdd0a48f1c0ca6caf8098bfc0a4c2573280ca696b9a2bae26c164bfa95e53d280fcd083f1656e9ada796de9d

Download Submit
C:\Windows\system\fsosfAN.exe

Filesize
5.9MB

MD5
bcc3a40e50acc580adf3cc485b32c97a

SHA1
ac4692664e0cd4073a1e9719a9d0542a3284a6cd

SHA256
e7722869b0c146aa3eaf123010f9da26b48ad56587e7330925d52fe6ff1e5d83

SHA512
ec4869221408dfdaf2d6f812a65978ca920beba7a721e6d20d1517782e9ab304fe90cd76c44df31c4cbbf79cf5ceacd48da403b762b55b561d899a996ac6e313

Download Submit
C:\Windows\system\lIUGpuT.exe

Filesize
5.9MB

MD5
38d403780a1c001f01947672901ee863

SHA1
1c8388b638ed85e29eeafebe97c0ccc2790e2241

SHA256
6fc2250cabcdbd36ade89e55cd8069d9cb26c1b660896c9a94246c85ad16a8a7

SHA512
9d135b7c8fd78fc5c0b12a1f4a48697a8815cf0367e734789077724df638bbe0b56202778b06a954b451704e04735f4fbb34e3711e1804120607004860b3bdb6

Download Submit
C:\Windows\system\nTQNQzP.exe

Filesize
5.9MB

MD5
85569dbc8fdb930c69aa3017860eb0f1

SHA1
0eb9bd096626fc229391531d79981171a61d6702

SHA256
e20095c72b37f0e6e1edaabf84b91a72772053cd8f93b00c5f86520bcc29e4a1

SHA512
5ddf8b6ce2e586eb0762e2a63763864fc47231902ed6ee7a3abdfdc24e5a45631cd57d1e5032062c64ba48897085b8b16e89ea13696fc3a54f6cd77c6f9b9fdd

Download Submit
C:\Windows\system\njNwxDr.exe

Filesize
5.9MB

MD5
b67f2c33f47bed43f0a64a43b742235a

SHA1
03bab1326f27feef060f0d6b346e709903ce982a

SHA256
e5a46404b06840abdd05cea6196bbdb72368c5773579a0e766f47f448d969fff

SHA512
53d58293aefcd6aba19509e891f2adc55c96457777bdccef08f11148a86058d87462110288f1bac07e10993a6eefb776da565baf674823e8354cb3d77792b2c5

Download Submit
C:\Windows\system\tBCADFZ.exe

Filesize
5.9MB

MD5
c23e52d0eb5e9499026d30732c1e9d94

SHA1
76edbd47e357f91a080bffff946c5c7e85cc3d26

SHA256
49f719c2f28550a652bb2dc6f0136159278a3964529cb058ee25c00b4af42880

SHA512
7de29fe5043ba10f943183294b0fe882da00e728de1937656ce9b9240b26847a046aa7814ebbf5671d02514c1b47e8bb9674e75d1b88bbf7ad2f63ee96066dce

Download Submit
C:\Windows\system\tsrTwdi.exe

Filesize
5.9MB

MD5
5927c68be4d3a452a4d8e27add659e1d

SHA1
6b6b8f1a8c760843561fe8b97d84dc2c6c923194

SHA256
0be4e06f57f33213f8524cccd5cc08acff9799abdb1527a6425aa4ba1a95b5da

SHA512
ecea6a63f65afefbcedbe434217e8bc4df927d8cc81a01d63c6fa43d3d2a5202e849d896d7c3bcd5628c3ffc4484d41a4cc9ccc15f87c6072ba3e3104924249e

Download Submit
\Windows\system\RszohnB.exe

Filesize
5.9MB

MD5
c984c2dffb9215ab31268409ae6ac812

SHA1
d4afcb4590a2563c4a8f75b6f3eb86ca6f10d197

SHA256
c5e3cedbe9d3b6943926ad8986fe8f13636eeab0969ec08d35c7ab45e1d0b3b3

SHA512
dbfeead86c6d56b76b0d03661d4c35308f315d9292839548cb43a742fad89f02fe2e1c1c4d05d1187100f61b17100b9382f50ae486e16138f97bb556daf1a5db

Download Submit
\Windows\system\TjUnwAA.exe

Filesize
5.9MB

MD5
829173ebd6cd5c03d4903e4b601630cc

SHA1
d3bc1dd0e2ddc9708003acac4093dd9c874dd200

SHA256
5c4c14989982ea11006896fc0bcf2321c79f6b0cb8acf4d0d70c5ae91e66f23f

SHA512
fd94c8432677e20823f709847b507c71179ff5f584b6cda7c4fd57106ba17481fc3c7ae9bd4a90561b3e4b1e6af1cd8d30a3d0d78d3c48b445862890027a61b5

Download Submit
\Windows\system\fROssNf.exe

Filesize
5.9MB

MD5
cf232c8379562b460e2a2966d1083843

SHA1
68e9fbe46ab64b7f4a55e3484fc77c3f6f1c5f99

SHA256
1e1d6573cbac1db1db2d09fdc68b186a750f0e4e43c2dc715589b151a9068bdd

SHA512
52b64065d51fad3b3875e0da8a6918eed1f66cd17eff290495e38ec54f347e21d6661a2866da72512f5a29f413145f48e6b17ea3276406d1c8ce8c20260808ad

Download Submit
\Windows\system\hKtvyhY.exe

Filesize
5.9MB

MD5
115d6c13c756b763c2f94505d4fda426

SHA1
bab0abf4a389952a315c15f78947a64f9cd28c00

SHA256
3f46aec0ff45982afbf9e906eaf782fd75b332774c719f117f44ef4090b5fea8

SHA512
f9c7be2df762e501230041ec25f860fb8cdcc16d11c6311aafda1c89b02a3458d6c86003aef607dbd473b396c30ed9a490c27da073fff8cbf81a0e60fba3af29

Download Submit
\Windows\system\rgFlxTI.exe

Filesize
5.9MB

MD5
33b6a3d8b0f7fb5a214926e2a042397a

SHA1
37ec1614652e81bce7d77427aa23dca933adf482

SHA256
fd40e6fb5d0ab40e3442bbf7b291df3708623e87e2fec7cf14de6d79adb667a3

SHA512
1684e995b2ac9786eb51f9ff7a525ef9c7d80c841b0b4d316fd5bf986eca711f9cf9c07a14e001dcb8a72a1ea1089ac2673970137e74d37728bbaf89a27658db

Download Submit
\Windows\system\yVCNmyn.exe

Filesize
5.9MB

MD5
51803d0a9144d534ad6dea8d43a8de61

SHA1
b246c40751d39f2b8b31e63a24c826c00a3e60d7

SHA256
96910ba66326bb6e47b543b20acb15f1acbeb57256c7a509a0685052309bc5ca

SHA512
00a0f76539b14e1597f62cbeb39e72f892ffd79e12da9eca4b2fca6826eedfc640ab9be801f264c443bc9575a8a6b410c21c25c5174a885d3aea461347577649

Download Submit
memory/1152-20-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-99-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/1152-82-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/1152-137-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1152-69-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-73-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/1152-71-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/1152-6-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/1152-104-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-16-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/1152-25-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1152-33-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/1152-38-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-0-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1680-35-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/1680-146-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/1680-91-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2228-55-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2228-9-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2228-143-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2244-144-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2244-19-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2512-151-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-72-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-149-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2524-65-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2596-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2596-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2600-92-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2600-155-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2600-141-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2612-87-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-154-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-140-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-138-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2724-152-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2724-77-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2728-51-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-148-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-83-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-153-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-139-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-147-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-32-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-86-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-100-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/2856-142-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/2856-156-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/2884-81-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2884-27-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2884-145-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download