cobaltstrike | 868636caf19f355b3fab98425b82af5869e74b14100297874a91e71b22367858

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

f1b3c7ff6bde5452b8f3e12a9b9a240e
SHA1

b15d2898559a2de610e19819f4f6f071beba7135
SHA256

868636caf19f355b3fab98425b82af5869e74b14100297874a91e71b22367858
SHA512

d044f34de1d350e8a14fc1330989913ac7359e25bab1db467406b038e15964cea2c6aa98bb74c225d9658c3015a46b67e00e9a14259ca7f4edecf9b0733f29bb
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUT:Q+856utgpPF8u/7T

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\crWmVdX.exe	cobalt_reflective_dll
\Windows\system\BHMvSIf.exe	cobalt_reflective_dll
C:\Windows\system\cCoIROi.exe	cobalt_reflective_dll
\Windows\system\oOZeKmR.exe	cobalt_reflective_dll
\Windows\system\zKNcjiu.exe	cobalt_reflective_dll
\Windows\system\ekmfMbD.exe	cobalt_reflective_dll
C:\Windows\system\kFzsgrX.exe	cobalt_reflective_dll
\Windows\system\EoijjXt.exe	cobalt_reflective_dll
C:\Windows\system\rkcpiUP.exe	cobalt_reflective_dll
\Windows\system\DIKakwl.exe	cobalt_reflective_dll
C:\Windows\system\znOyXtw.exe	cobalt_reflective_dll
C:\Windows\system\sDZSQTe.exe	cobalt_reflective_dll
C:\Windows\system\MHuvfpC.exe	cobalt_reflective_dll
C:\Windows\system\aohCFdi.exe	cobalt_reflective_dll
C:\Windows\system\DQXlKLA.exe	cobalt_reflective_dll
C:\Windows\system\qbnmOMD.exe	cobalt_reflective_dll
C:\Windows\system\qGJJsbM.exe	cobalt_reflective_dll
C:\Windows\system\FrxYnYU.exe	cobalt_reflective_dll
C:\Windows\system\lAXmjra.exe	cobalt_reflective_dll
C:\Windows\system\ogoCYtc.exe	cobalt_reflective_dll
C:\Windows\system\alhNVvu.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\crWmVdX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\BHMvSIf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cCoIROi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oOZeKmR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zKNcjiu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ekmfMbD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kFzsgrX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\EoijjXt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rkcpiUP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DIKakwl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\znOyXtw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sDZSQTe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MHuvfpC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aohCFdi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DQXlKLA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qbnmOMD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qGJJsbM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FrxYnYU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lAXmjra.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ogoCYtc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\alhNVvu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 61 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1972-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
\Windows\system\crWmVdX.exe	UPX
behavioral1/memory/1972-6-0x0000000002420000-0x0000000002774000-memory.dmp	UPX
\Windows\system\BHMvSIf.exe	UPX
C:\Windows\system\cCoIROi.exe	UPX
\Windows\system\oOZeKmR.exe	UPX
behavioral1/memory/2560-40-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
\Windows\system\zKNcjiu.exe	UPX
behavioral1/memory/2208-31-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
behavioral1/memory/2724-58-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2388-64-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
\Windows\system\ekmfMbD.exe	UPX
behavioral1/memory/2308-63-0x000000013FA00000-0x000000013FD54000-memory.dmp	UPX
C:\Windows\system\kFzsgrX.exe	UPX
behavioral1/memory/1048-71-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/3032-86-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
behavioral1/memory/764-93-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
\Windows\system\EoijjXt.exe	UPX
C:\Windows\system\rkcpiUP.exe	UPX
\Windows\system\DIKakwl.exe	UPX
C:\Windows\system\znOyXtw.exe	UPX
C:\Windows\system\sDZSQTe.exe	UPX
C:\Windows\system\MHuvfpC.exe	UPX
C:\Windows\system\aohCFdi.exe	UPX
behavioral1/memory/2388-137-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2680-101-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/2524-91-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
C:\Windows\system\DQXlKLA.exe	UPX
behavioral1/memory/2584-100-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
C:\Windows\system\qbnmOMD.exe	UPX
behavioral1/memory/2560-85-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/memory/1820-79-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX
C:\Windows\system\qGJJsbM.exe	UPX
C:\Windows\system\FrxYnYU.exe	UPX
C:\Windows\system\lAXmjra.exe	UPX
behavioral1/memory/2584-49-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/1972-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
C:\Windows\system\ogoCYtc.exe	UPX
behavioral1/memory/2524-43-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/1764-34-0x000000013FAF0000-0x000000013FE44000-memory.dmp	UPX
behavioral1/memory/1892-27-0x000000013F600000-0x000000013F954000-memory.dmp	UPX
C:\Windows\system\alhNVvu.exe	UPX
behavioral1/memory/2308-11-0x000000013FA00000-0x000000013FD54000-memory.dmp	UPX
behavioral1/memory/1048-139-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/3032-141-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
behavioral1/memory/764-142-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2680-143-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/2308-144-0x000000013FA00000-0x000000013FD54000-memory.dmp	UPX
behavioral1/memory/1892-145-0x000000013F600000-0x000000013F954000-memory.dmp	UPX
behavioral1/memory/1764-146-0x000000013FAF0000-0x000000013FE44000-memory.dmp	UPX
behavioral1/memory/2208-147-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
behavioral1/memory/2560-148-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/memory/2584-150-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/2524-149-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/2724-151-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2388-152-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/1048-153-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/1820-154-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX
behavioral1/memory/3032-155-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
behavioral1/memory/764-156-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2680-157-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX

XMRig Miner payload 63 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1972-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
\Windows\system\crWmVdX.exe	xmrig
behavioral1/memory/1972-6-0x0000000002420000-0x0000000002774000-memory.dmp	xmrig
\Windows\system\BHMvSIf.exe	xmrig
C:\Windows\system\cCoIROi.exe	xmrig
\Windows\system\oOZeKmR.exe	xmrig
behavioral1/memory/2560-40-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
\Windows\system\zKNcjiu.exe	xmrig
behavioral1/memory/2208-31-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
behavioral1/memory/2724-58-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2388-64-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
\Windows\system\ekmfMbD.exe	xmrig
behavioral1/memory/2308-63-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
C:\Windows\system\kFzsgrX.exe	xmrig
behavioral1/memory/1048-71-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/3032-86-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
behavioral1/memory/764-93-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
\Windows\system\EoijjXt.exe	xmrig
C:\Windows\system\rkcpiUP.exe	xmrig
\Windows\system\DIKakwl.exe	xmrig
C:\Windows\system\znOyXtw.exe	xmrig
C:\Windows\system\sDZSQTe.exe	xmrig
C:\Windows\system\MHuvfpC.exe	xmrig
C:\Windows\system\aohCFdi.exe	xmrig
behavioral1/memory/2388-137-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2680-101-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/1972-92-0x0000000002420000-0x0000000002774000-memory.dmp	xmrig
behavioral1/memory/2524-91-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
C:\Windows\system\DQXlKLA.exe	xmrig
behavioral1/memory/2584-100-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
C:\Windows\system\qbnmOMD.exe	xmrig
behavioral1/memory/2560-85-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/memory/1820-79-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
C:\Windows\system\qGJJsbM.exe	xmrig
behavioral1/memory/1972-76-0x0000000002420000-0x0000000002774000-memory.dmp	xmrig
C:\Windows\system\FrxYnYU.exe	xmrig
C:\Windows\system\lAXmjra.exe	xmrig
behavioral1/memory/2584-49-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/1972-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
C:\Windows\system\ogoCYtc.exe	xmrig
behavioral1/memory/2524-43-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/1764-34-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/1892-27-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
C:\Windows\system\alhNVvu.exe	xmrig
behavioral1/memory/2308-11-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/1048-139-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/3032-141-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
behavioral1/memory/764-142-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2680-143-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/2308-144-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/1892-145-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
behavioral1/memory/1764-146-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/2208-147-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
behavioral1/memory/2560-148-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/memory/2584-150-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2524-149-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2724-151-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2388-152-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/1048-153-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/1820-154-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/3032-155-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
behavioral1/memory/764-156-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2680-157-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

crWmVdX.execCoIROi.exeBHMvSIf.exealhNVvu.exeoOZeKmR.exezKNcjiu.exeogoCYtc.exelAXmjra.exekFzsgrX.exeekmfMbD.exeqGJJsbM.exeFrxYnYU.exeDQXlKLA.exeqbnmOMD.exeEoijjXt.exeaohCFdi.exeMHuvfpC.exesDZSQTe.exerkcpiUP.exeznOyXtw.exeDIKakwl.exe

pid	process
2308	crWmVdX.exe
1892	cCoIROi.exe
1764	BHMvSIf.exe
2208	alhNVvu.exe
2560	oOZeKmR.exe
2524	zKNcjiu.exe
2584	ogoCYtc.exe
2724	lAXmjra.exe
2388	kFzsgrX.exe
1048	ekmfMbD.exe
1820	qGJJsbM.exe
3032	FrxYnYU.exe
764	DQXlKLA.exe
2680	qbnmOMD.exe
1976	EoijjXt.exe
2688	aohCFdi.exe
2304	MHuvfpC.exe
2408	sDZSQTe.exe
2692	rkcpiUP.exe
2732	znOyXtw.exe
1468	DIKakwl.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe

pid	process
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1972-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
\Windows\system\crWmVdX.exe	upx
behavioral1/memory/1972-6-0x0000000002420000-0x0000000002774000-memory.dmp	upx
\Windows\system\BHMvSIf.exe	upx
C:\Windows\system\cCoIROi.exe	upx
\Windows\system\oOZeKmR.exe	upx
behavioral1/memory/2560-40-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
\Windows\system\zKNcjiu.exe	upx
behavioral1/memory/2208-31-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
behavioral1/memory/1972-57-0x0000000002420000-0x0000000002774000-memory.dmp	upx
behavioral1/memory/2724-58-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2388-64-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
\Windows\system\ekmfMbD.exe	upx
behavioral1/memory/2308-63-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
C:\Windows\system\kFzsgrX.exe	upx
behavioral1/memory/1048-71-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/3032-86-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
behavioral1/memory/764-93-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
\Windows\system\EoijjXt.exe	upx
C:\Windows\system\rkcpiUP.exe	upx
\Windows\system\DIKakwl.exe	upx
C:\Windows\system\znOyXtw.exe	upx
C:\Windows\system\sDZSQTe.exe	upx
C:\Windows\system\MHuvfpC.exe	upx
C:\Windows\system\aohCFdi.exe	upx
behavioral1/memory/2388-137-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2680-101-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/2524-91-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
C:\Windows\system\DQXlKLA.exe	upx
behavioral1/memory/2584-100-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
C:\Windows\system\qbnmOMD.exe	upx
behavioral1/memory/2560-85-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/memory/1820-79-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
C:\Windows\system\qGJJsbM.exe	upx
C:\Windows\system\FrxYnYU.exe	upx
C:\Windows\system\lAXmjra.exe	upx
behavioral1/memory/2584-49-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/1972-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
C:\Windows\system\ogoCYtc.exe	upx
behavioral1/memory/2524-43-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/1764-34-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/memory/1892-27-0x000000013F600000-0x000000013F954000-memory.dmp	upx
C:\Windows\system\alhNVvu.exe	upx
behavioral1/memory/2308-11-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/1048-139-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/3032-141-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
behavioral1/memory/764-142-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2680-143-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/2308-144-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/1892-145-0x000000013F600000-0x000000013F954000-memory.dmp	upx
behavioral1/memory/1764-146-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/memory/2208-147-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
behavioral1/memory/2560-148-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/memory/2584-150-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2524-149-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2724-151-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2388-152-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/1048-153-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/1820-154-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/3032-155-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
behavioral1/memory/764-156-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2680-157-0x000000013FE00000-0x0000000140154000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\cCoIROi.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zKNcjiu.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MHuvfpC.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rkcpiUP.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\crWmVdX.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ekmfMbD.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aohCFdi.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sDZSQTe.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BHMvSIf.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ogoCYtc.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qGJJsbM.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qbnmOMD.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FrxYnYU.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DQXlKLA.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EoijjXt.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\znOyXtw.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\alhNVvu.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oOZeKmR.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lAXmjra.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kFzsgrX.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DIKakwl.exe	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1972 wrote to memory of 2308	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	crWmVdX.exe
PID 1972 wrote to memory of 2308	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	crWmVdX.exe
PID 1972 wrote to memory of 2308	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	crWmVdX.exe
PID 1972 wrote to memory of 1892	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	cCoIROi.exe
PID 1972 wrote to memory of 1892	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	cCoIROi.exe
PID 1972 wrote to memory of 1892	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	cCoIROi.exe
PID 1972 wrote to memory of 1764	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	BHMvSIf.exe
PID 1972 wrote to memory of 1764	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	BHMvSIf.exe
PID 1972 wrote to memory of 1764	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	BHMvSIf.exe
PID 1972 wrote to memory of 2208	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	alhNVvu.exe
PID 1972 wrote to memory of 2208	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	alhNVvu.exe
PID 1972 wrote to memory of 2208	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	alhNVvu.exe
PID 1972 wrote to memory of 2524	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	zKNcjiu.exe
PID 1972 wrote to memory of 2524	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	zKNcjiu.exe
PID 1972 wrote to memory of 2524	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	zKNcjiu.exe
PID 1972 wrote to memory of 2560	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	oOZeKmR.exe
PID 1972 wrote to memory of 2560	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	oOZeKmR.exe
PID 1972 wrote to memory of 2560	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	oOZeKmR.exe
PID 1972 wrote to memory of 2584	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	ogoCYtc.exe
PID 1972 wrote to memory of 2584	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	ogoCYtc.exe
PID 1972 wrote to memory of 2584	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	ogoCYtc.exe
PID 1972 wrote to memory of 2724	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	lAXmjra.exe
PID 1972 wrote to memory of 2724	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	lAXmjra.exe
PID 1972 wrote to memory of 2724	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	lAXmjra.exe
PID 1972 wrote to memory of 2388	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	kFzsgrX.exe
PID 1972 wrote to memory of 2388	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	kFzsgrX.exe
PID 1972 wrote to memory of 2388	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	kFzsgrX.exe
PID 1972 wrote to memory of 1048	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	ekmfMbD.exe
PID 1972 wrote to memory of 1048	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	ekmfMbD.exe
PID 1972 wrote to memory of 1048	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	ekmfMbD.exe
PID 1972 wrote to memory of 1820	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	qGJJsbM.exe
PID 1972 wrote to memory of 1820	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	qGJJsbM.exe
PID 1972 wrote to memory of 1820	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	qGJJsbM.exe
PID 1972 wrote to memory of 3032	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	FrxYnYU.exe
PID 1972 wrote to memory of 3032	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	FrxYnYU.exe
PID 1972 wrote to memory of 3032	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	FrxYnYU.exe
PID 1972 wrote to memory of 764	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	DQXlKLA.exe
PID 1972 wrote to memory of 764	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	DQXlKLA.exe
PID 1972 wrote to memory of 764	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	DQXlKLA.exe
PID 1972 wrote to memory of 2680	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	qbnmOMD.exe
PID 1972 wrote to memory of 2680	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	qbnmOMD.exe
PID 1972 wrote to memory of 2680	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	qbnmOMD.exe
PID 1972 wrote to memory of 1976	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	EoijjXt.exe
PID 1972 wrote to memory of 1976	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	EoijjXt.exe
PID 1972 wrote to memory of 1976	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	EoijjXt.exe
PID 1972 wrote to memory of 2688	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	aohCFdi.exe
PID 1972 wrote to memory of 2688	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	aohCFdi.exe
PID 1972 wrote to memory of 2688	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	aohCFdi.exe
PID 1972 wrote to memory of 2304	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	MHuvfpC.exe
PID 1972 wrote to memory of 2304	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	MHuvfpC.exe
PID 1972 wrote to memory of 2304	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	MHuvfpC.exe
PID 1972 wrote to memory of 2408	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	sDZSQTe.exe
PID 1972 wrote to memory of 2408	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	sDZSQTe.exe
PID 1972 wrote to memory of 2408	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	sDZSQTe.exe
PID 1972 wrote to memory of 2692	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	rkcpiUP.exe
PID 1972 wrote to memory of 2692	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	rkcpiUP.exe
PID 1972 wrote to memory of 2692	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	rkcpiUP.exe
PID 1972 wrote to memory of 2732	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	znOyXtw.exe
PID 1972 wrote to memory of 2732	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	znOyXtw.exe
PID 1972 wrote to memory of 2732	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	znOyXtw.exe
PID 1972 wrote to memory of 1468	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	DIKakwl.exe
PID 1972 wrote to memory of 1468	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	DIKakwl.exe
PID 1972 wrote to memory of 1468	1972	2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe	DIKakwl.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System\crWmVdX.exe
C:\Windows\System\crWmVdX.exe
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\System\cCoIROi.exe
C:\Windows\System\cCoIROi.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System\BHMvSIf.exe
C:\Windows\System\BHMvSIf.exe
2⤵
- Executes dropped EXE
PID:1764

C:\Windows\System\alhNVvu.exe
C:\Windows\System\alhNVvu.exe
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\System\zKNcjiu.exe
C:\Windows\System\zKNcjiu.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\oOZeKmR.exe
C:\Windows\System\oOZeKmR.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\System\ogoCYtc.exe
C:\Windows\System\ogoCYtc.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\lAXmjra.exe
C:\Windows\System\lAXmjra.exe
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\System\kFzsgrX.exe
C:\Windows\System\kFzsgrX.exe
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\System\ekmfMbD.exe
C:\Windows\System\ekmfMbD.exe
2⤵
- Executes dropped EXE
PID:1048

C:\Windows\System\qGJJsbM.exe
C:\Windows\System\qGJJsbM.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\System\FrxYnYU.exe
C:\Windows\System\FrxYnYU.exe
2⤵
- Executes dropped EXE
PID:3032

C:\Windows\System\DQXlKLA.exe
C:\Windows\System\DQXlKLA.exe
2⤵
- Executes dropped EXE
PID:764

C:\Windows\System\qbnmOMD.exe
C:\Windows\System\qbnmOMD.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\System\EoijjXt.exe
C:\Windows\System\EoijjXt.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\System\aohCFdi.exe
C:\Windows\System\aohCFdi.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\MHuvfpC.exe
C:\Windows\System\MHuvfpC.exe
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\System\sDZSQTe.exe
C:\Windows\System\sDZSQTe.exe
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\System\rkcpiUP.exe
C:\Windows\System\rkcpiUP.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\znOyXtw.exe
C:\Windows\System\znOyXtw.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\DIKakwl.exe
C:\Windows\System\DIKakwl.exe
2⤵
- Executes dropped EXE
PID:1468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DQXlKLA.exe
Filesize
5.9MB

MD5
99a53451fc6d7c4f7c08f55f3793668e

SHA1
bdc2eec2b6c62d5bbea562e87593b7b0b275dea3

SHA256
2fcb5c0cfd85b35126d2ad8b2b87bd78b7d18c53c25e09c66d368b0f6f6b4852

SHA512
f4b59e1768689192738fbb945b715a3ac319b38497217d6274582f8e25127a366ce3da9126a142f6b1c42d8f1ef820e00db61334a00b77c8e47e86550d7038f6

Download Submit
C:\Windows\system\FrxYnYU.exe
Filesize
5.9MB

MD5
6444c0630a2f97f4921a51ea9b4ba144

SHA1
6b26e7a6b99793a4ab100279b3e4ca1d8199331e

SHA256
8731a3e59e723ca3d6e33d0648a5e3d3a5993ac5f6e1bf741c02ea33802e3d03

SHA512
2eb4492d89b0f03896dbc87794c209c29c82c51f01a14e6397126916fe165d87b30b152d65e911bf5dde20c666502bfe94994ba7d75f8db87867cf1fb62cdde3

Download Submit
C:\Windows\system\MHuvfpC.exe
Filesize
5.9MB

MD5
7d542986e5ca9eefd2d51ab574ab1b02

SHA1
c82361293537a32bdc975514f1bfdb77609b049b

SHA256
ea2ef4ef3a572cd20aff8cfe8bc86823d4df873fbb3decb28d8cbd3ab7e426b8

SHA512
7726716a99eb8453177d74ccf5625a0036f80bafe38a51e8329bcbb92a710347ebcd731f03d4a0334389c17b9c85fb0a3d9fc4381f2f2f141c540234b0d931d6

Download Submit
C:\Windows\system\alhNVvu.exe
Filesize
5.9MB

MD5
4dd1b8b267b45d98aa1d7026b9d84b97

SHA1
3192f8ebe634ebe8abda4abc3443699961337816

SHA256
7efe6fc4e3ddbb4c67df63572c56a92c548c5e6630ef350768d1fa174c9fdcf0

SHA512
a5fe4b5e3877cec639b521717b8d1df7ac7fcfe04f3c3f22edbf71fb336d70f74a83baba7b8075b4756d5fc7969b28290ffea712f2f2327d3bdc7780ba075899

Download Submit
C:\Windows\system\aohCFdi.exe
Filesize
5.9MB

MD5
4bc791a74c96a0840773761b8ad58b61

SHA1
f2973d6f8cbb78fae5830c693ed8c11419609e72

SHA256
9ecb98f806a8d3653ec6ae3c95d860c9aa93b4a7f4c98f41963e04be568e4b89

SHA512
2323f52a068b3a6442c572b547b4e09acc259885dd5300caf96cebd6e3b8dcfea2eb3e1b1c0a664f431c70df81a4f6c9cbafae7d6f122f4efe76648b28f37f41

Download Submit
C:\Windows\system\cCoIROi.exe
Filesize
5.9MB

MD5
c356b603e10bf8cbe04875064aec21e3

SHA1
a669917cb74bcf536e4eefa29323a943b92f49a8

SHA256
88bc7aad6732768305eb9db8850e509ee458ce11b2dcb73aff6d4efb444d0d9c

SHA512
fcb806cd5c9c29b1b24d6cf33dedcdf011f3a3039c68ef895ec6f6c3cb804e95af670de949530947b7bc34db04578e15e24a5e13e8614d517bfcd45ebe25dd97

Download Submit
C:\Windows\system\kFzsgrX.exe
Filesize
5.9MB

MD5
6d8d73ea98689a60a0d51a8a7a29d868

SHA1
25ac23e81355bbea77b36c606e23ba0287ee0185

SHA256
7200e73f95c85b6d3abd019c740d4b0481b0727ad0f2d3063878b693de277c3b

SHA512
9481500c2a27d916d9cd7c7c712151cf6940b025972c2f4a731ab15469fb3d4e39eca98f4fd339e2fa1a71538584344557d3d0dfed1b4a155b783f492fe42f86

Download Submit
C:\Windows\system\lAXmjra.exe
Filesize
5.9MB

MD5
35ca4853124be72a33e87b1e96c7f824

SHA1
8cad4d72cbf888800436b376e34f28cdf6aad52e

SHA256
d2bd85a20fc07e39860b7861b7e0d0ce3bd971d3d0f8f0dbde9678c5c6250efd

SHA512
33f8f9e232697fbf9ed3a7b8e037217dce01f96342d133992cf1c90b8c08f7bf62e2c2b39dedd7d0f748a1ea38d34d872e2deb09c62806a966716e457d31a77b

Download Submit
C:\Windows\system\ogoCYtc.exe
Filesize
5.9MB

MD5
1c21d5a8d8c99075bba2fb923f228e39

SHA1
d9fecbae10e9c56ebec397930476f2c040a543a9

SHA256
6bf5f9bd9643f0cb04d8abb118e3fe1de230d9bdad18fa0c657e2222a805500d

SHA512
5046f916e31611bf71d0d085983baa0302f4cb655a133b205e4e214b7e4f930a97791a2ecdf3fead816065f6366177073241850a091cc9f3fcf82716415e2e05

Download Submit
C:\Windows\system\qGJJsbM.exe
Filesize
5.9MB

MD5
c9cc683dc25c5ceffabcdb447d504af7

SHA1
b896939d0c68138d0b590b011cb800499a8eacfc

SHA256
71a2aa28b5cd25a5d1f86c4cbc16dc4adff3e304410d3da05202cc09dbd26829

SHA512
6abadbb23c9459f9647efe480fc36f45f174b8063fbf60239b9439eb55a9074937bc96da6dadf9784e3ace57e6ea78df1d6ae0a24043f2ed16e5a2b87907cafc

Download Submit
C:\Windows\system\qbnmOMD.exe
Filesize
5.9MB

MD5
ac17aa36cd35413f8f6ea818b946737f

SHA1
d8d0a7e4da3a715bbf97b08060033a8d8ecc84ab

SHA256
a2d4b1712d666d26b4cd9ca6659342c9579627ac8c6bda654a56158fceeac800

SHA512
ef271b1e6300e39039872a5a3092f1aad4e2ebdb032bb51458965d2317495a539e166d68a65f752a1b068e88765ed600da0a2f746363e2046c598daae4fe3f4b

Download Submit
C:\Windows\system\rkcpiUP.exe
Filesize
5.9MB

MD5
7b14e2b2936f84d22daf36cbf8e2a4bf

SHA1
c86884b44c7547c7f2cded177c444dd7f9b2b562

SHA256
76a727bcf9d5d6337b8d7e051105d5aa7374df4a264a57272adc15400d98abc4

SHA512
551cc0e39f5261f2564d60c2da3298d1437f8084f75cd9b0e7fecd6f83a49a8634112cf3dbafd715b4eb47fb83c4de44ebe38befa4fdb3cd85991e99e307983b

Download Submit
C:\Windows\system\sDZSQTe.exe
Filesize
5.9MB

MD5
2d049440c9b6e32aa520ef85aeefeeb8

SHA1
fc41776c3f6fb9727f24e546313ccbc5062260f4

SHA256
519a3313ffa0a182c8c118c6cb94de3068da79fc005c6770c193437a78dc22cc

SHA512
07709aa09281de7a757bf4cbf27b4bf47ac1a9374043ef5615dbbc8352a3d1fad954d794725600a06e92977bdbd900d3d44ef0670b815fe8d3b6b0ff957ac3c8

Download Submit
C:\Windows\system\znOyXtw.exe
Filesize
5.9MB

MD5
82bcf6b9777bc3976e7e42b9afd64676

SHA1
9fbc2aba67ca457cfbdb14e508862fd97bfbb0b7

SHA256
93c53446ed9a5b23dff9632686f378639c1b37f0e4a946885c5b94192e264cdb

SHA512
eb9fa2234fce253546bd18d7850cef0d75bb03622b0324ba319a64d8ffa494611fdcfabb1d06300ad5240b42468f259471f483009d45e666ee05ea308f86faa4

Download Submit
\Windows\system\BHMvSIf.exe
Filesize
5.9MB

MD5
9b1ee778194f5072600fde71e4134be3

SHA1
a7b9e9bed5a2a5679385f633adb4f8ccf5dee5e1

SHA256
9fca7ac9185ace2ce2c01d489740db67319460123923c93604f95141dddb5d3e

SHA512
508dc064be28561f4ea8be7c6db554a80801d6ea0ebb1d6570bce716b8f89a281f09168abfadf3e27319bbad890c49e9e86024a239b877a9a68480e93dc6b485

Download Submit
\Windows\system\DIKakwl.exe
Filesize
5.9MB

MD5
6f5bdf26500c3ed0715b2e3f3305ab8e

SHA1
7fabe88ddccf6c9d2494b356e2b1aa1d373bc311

SHA256
94ef5c6c8ef1a3728394188c73770b1a82a018b0637eb5d0055fb0d8eaea490b

SHA512
91d5c2abae2ea94b7a295c48d7195f1928dcc7f758a10041fed2b39214b332433990684a2347cf108dccd84e49d46b2313441c5e72cc84cf55395438b1bbe011

Download Submit
\Windows\system\EoijjXt.exe
Filesize
5.9MB

MD5
3eaaf6169520f8d67aa467d28144383a

SHA1
3afb4476ea9c0b4f205f1a8c245015f803a888bd

SHA256
f34876c7e0568cacfeec25e2bf93bcda5b49c499d74489e2566b092e94fdb9d4

SHA512
02d6f2b91a966ccd78679bbfb7843b140804af7b54694fe9b9bcce0c83bf2ec194e181ca081ee206ca397b7219b69048a1f98c66e478474ef07825f3a7c5918a

Download Submit
\Windows\system\crWmVdX.exe
Filesize
5.9MB

MD5
c71639c1c635f01b27a4ecaceda5a8dc

SHA1
320b780544c768a07fcc1d75e256b53bcac3b76b

SHA256
d56632f014d922faff71e4bddba003acc16963f0f2f3d7f36a2b0dc6c06a67c0

SHA512
3d1bed6bc6d2291853714ff57abddef7369d595795c633edf600c7cc8de6b0715e83125015728f0a8bbc7a84e3bcc83245e743f895c0800c71943618c6fa06cb

Download Submit
\Windows\system\ekmfMbD.exe
Filesize
5.9MB

MD5
190d58acb493cfefbedc3c023541503a

SHA1
6c1f4ed6239d166ae7996a1e8e7a97193619d70b

SHA256
3ecd9824e6ae4f353b9578ff2be399eb9dc7871aa6f3a9fd0bda19d922091778

SHA512
0f22c0b211263f488cfa775d36132197b687c60f603b0abdca5fee5b86c6dcbef55afaf136fc530bd0c412fd2e8844be7d23bf89a58081e3566f65743644fe78

Download Submit
\Windows\system\oOZeKmR.exe
Filesize
5.9MB

MD5
599929f807018592ccfc20fdc1bfbb18

SHA1
734e39e392b0da36e70a97fcae2714265223d3e9

SHA256
53ac79174401e92a604693bdd4afd675921baa46c1ae6953604db15c29681f92

SHA512
33d41ba0526b4d8284b0d2c858b8a0d0633b71b41920062101cb4607faaf222fb0cbd5ccb2d7f52daf78ae847de3b8bee383f91720de860212661e173dd0327d

Download Submit
\Windows\system\zKNcjiu.exe
Filesize
5.9MB

MD5
e8642ee9a1c1c19c1d0810a941a8116a

SHA1
3e881f5147071559749ffcda6f34a04d97008cf5

SHA256
4d3e27746de87044ccc6a0757f50957bcc18691aa77d7cfb414271780bf084c3

SHA512
f78bdf6ce089cb140035fc849759c0d502075add10daff487812a19e5a5d097297a89efcd1db85bd073e9e8261fd71a11168e2e95bc8b5ce94415f923bc8b77e

Download Submit
memory/764-93-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/764-142-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/764-156-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/1048-71-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1048-139-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1048-153-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/1764-34-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1764-146-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1820-79-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/1820-154-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-145-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/1892-27-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/1972-76-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-81-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-37-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-6-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-28-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/1972-67-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-92-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-140-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-19-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/1972-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-138-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-57-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-25-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-39-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1972-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2208-147-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2208-31-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2308-11-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2308-144-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2308-63-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2388-152-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2388-64-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2388-137-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2524-149-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2524-91-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2524-43-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2560-40-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/2560-85-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/2560-148-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/2584-49-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-100-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-150-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-143-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2680-101-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2680-157-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2724-151-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2724-58-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/3032-86-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/3032-155-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/3032-141-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download