cobaltstrike | 43066b7f544a52df663693f265e6881bc8f5cafd7a7bea69bbc173bac4b695df

Resubmissions

11-06-2024 12:46

240611-pzqqwsxcna 10

11-06-2024 12:38

240611-pt2afaxeqj 10

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

673d8b4bc5c4ae22db5852a3b922a1f5
SHA1

867e4c7e622b0b5e243ee61e9f08e6c1a6d7d9f9
SHA256

43066b7f544a52df663693f265e6881bc8f5cafd7a7bea69bbc173bac4b695df
SHA512

08e3c65c427284c8b93f079b4370f3aa6983b6932d55c66b6e17767c8e6e7cc1bfd24a5453523fa10197a6070866d20abd8c322d0d0849fdaf61db8f76d41d25
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUj:Q+856utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\oDlorub.exe	cobalt_reflective_dll
\Windows\system\aFtXEtw.exe	cobalt_reflective_dll
\Windows\system\WwftAmu.exe	cobalt_reflective_dll
\Windows\system\BotMlgX.exe	cobalt_reflective_dll
C:\Windows\system\sNvXWrm.exe	cobalt_reflective_dll
C:\Windows\system\VAQQdjT.exe	cobalt_reflective_dll
\Windows\system\MWtWSwY.exe	cobalt_reflective_dll
C:\Windows\system\UydxTKp.exe	cobalt_reflective_dll
C:\Windows\system\HyflIue.exe	cobalt_reflective_dll
C:\Windows\system\fxIfjLt.exe	cobalt_reflective_dll
C:\Windows\system\gTfKczO.exe	cobalt_reflective_dll
\Windows\system\MwBUuvD.exe	cobalt_reflective_dll
\Windows\system\PmNRAFO.exe	cobalt_reflective_dll
C:\Windows\system\uMuHajF.exe	cobalt_reflective_dll
\Windows\system\dssePQo.exe	cobalt_reflective_dll
\Windows\system\XVXLsEo.exe	cobalt_reflective_dll
C:\Windows\system\OedoADs.exe	cobalt_reflective_dll
C:\Windows\system\umBBzsy.exe	cobalt_reflective_dll
\Windows\system\rMqJHAv.exe	cobalt_reflective_dll
C:\Windows\system\cJqfDPF.exe	cobalt_reflective_dll
C:\Windows\system\QhbqCHy.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\oDlorub.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\aFtXEtw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\WwftAmu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\BotMlgX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sNvXWrm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VAQQdjT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\MWtWSwY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UydxTKp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HyflIue.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fxIfjLt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gTfKczO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\MwBUuvD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\PmNRAFO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uMuHajF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\dssePQo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\XVXLsEo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OedoADs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\umBBzsy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\rMqJHAv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cJqfDPF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QhbqCHy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1732-0-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
\Windows\system\oDlorub.exe	UPX
behavioral1/memory/1732-8-0x0000000002460000-0x00000000027B4000-memory.dmp	UPX
behavioral1/memory/2672-9-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
\Windows\system\aFtXEtw.exe	UPX
\Windows\system\WwftAmu.exe	UPX
\Windows\system\BotMlgX.exe	UPX
C:\Windows\system\sNvXWrm.exe	UPX
behavioral1/memory/2636-33-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/memory/2684-28-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2292-18-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
C:\Windows\system\VAQQdjT.exe	UPX
behavioral1/memory/3024-42-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
\Windows\system\MWtWSwY.exe	UPX
behavioral1/memory/2380-54-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2520-56-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
C:\Windows\system\UydxTKp.exe	UPX
behavioral1/memory/1732-48-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/1600-67-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
C:\Windows\system\HyflIue.exe	UPX
C:\Windows\system\fxIfjLt.exe	UPX
behavioral1/memory/2468-76-0x000000013FD20000-0x0000000140074000-memory.dmp	UPX
behavioral1/memory/2292-74-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2504-61-0x000000013F2C0000-0x000000013F614000-memory.dmp	UPX
C:\Windows\system\gTfKczO.exe	UPX
\Windows\system\MwBUuvD.exe	UPX
\Windows\system\PmNRAFO.exe	UPX
C:\Windows\system\uMuHajF.exe	UPX
behavioral1/memory/2668-95-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
\Windows\system\dssePQo.exe	UPX
\Windows\system\XVXLsEo.exe	UPX
C:\Windows\system\OedoADs.exe	UPX
C:\Windows\system\umBBzsy.exe	UPX
behavioral1/memory/1212-102-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/2712-106-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/2808-96-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX
\Windows\system\rMqJHAv.exe	UPX
C:\Windows\system\cJqfDPF.exe	UPX
C:\Windows\system\QhbqCHy.exe	UPX
behavioral1/memory/2636-136-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/memory/2504-138-0x000000013F2C0000-0x000000013F614000-memory.dmp	UPX
behavioral1/memory/1600-140-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2468-142-0x000000013FD20000-0x0000000140074000-memory.dmp	UPX
behavioral1/memory/2672-146-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/memory/2684-147-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2292-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2712-149-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/2636-151-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/memory/3024-150-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/2520-153-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2380-152-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2504-154-0x000000013F2C0000-0x000000013F614000-memory.dmp	UPX
behavioral1/memory/1600-155-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2468-156-0x000000013FD20000-0x0000000140074000-memory.dmp	UPX
behavioral1/memory/2668-157-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
behavioral1/memory/1212-158-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/2808-159-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1732-0-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
\Windows\system\oDlorub.exe	xmrig
behavioral1/memory/1732-8-0x0000000002460000-0x00000000027B4000-memory.dmp	xmrig
behavioral1/memory/2672-9-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
\Windows\system\aFtXEtw.exe	xmrig
\Windows\system\WwftAmu.exe	xmrig
\Windows\system\BotMlgX.exe	xmrig
C:\Windows\system\sNvXWrm.exe	xmrig
behavioral1/memory/2636-33-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/2684-28-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2292-18-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
C:\Windows\system\VAQQdjT.exe	xmrig
behavioral1/memory/3024-42-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
\Windows\system\MWtWSwY.exe	xmrig
behavioral1/memory/2380-54-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/1732-55-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2520-56-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/1732-53-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
C:\Windows\system\UydxTKp.exe	xmrig
behavioral1/memory/1732-48-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/1732-39-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/1600-67-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
C:\Windows\system\HyflIue.exe	xmrig
C:\Windows\system\fxIfjLt.exe	xmrig
behavioral1/memory/2468-76-0x000000013FD20000-0x0000000140074000-memory.dmp	xmrig
behavioral1/memory/1732-75-0x0000000002460000-0x00000000027B4000-memory.dmp	xmrig
behavioral1/memory/2292-74-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2504-61-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
C:\Windows\system\gTfKczO.exe	xmrig
\Windows\system\MwBUuvD.exe	xmrig
\Windows\system\PmNRAFO.exe	xmrig
C:\Windows\system\uMuHajF.exe	xmrig
behavioral1/memory/2668-95-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
\Windows\system\dssePQo.exe	xmrig
\Windows\system\XVXLsEo.exe	xmrig
C:\Windows\system\OedoADs.exe	xmrig
C:\Windows\system\umBBzsy.exe	xmrig
behavioral1/memory/1732-109-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/1212-102-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2712-106-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2808-96-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/1732-94-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
\Windows\system\rMqJHAv.exe	xmrig
C:\Windows\system\cJqfDPF.exe	xmrig
C:\Windows\system\QhbqCHy.exe	xmrig
behavioral1/memory/2636-136-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/1732-137-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2504-138-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/1600-140-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2468-142-0x000000013FD20000-0x0000000140074000-memory.dmp	xmrig
behavioral1/memory/1732-144-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/1732-145-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2672-146-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2684-147-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2292-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2712-149-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2636-151-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/3024-150-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2520-153-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2380-152-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2504-154-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/1600-155-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2468-156-0x000000013FD20000-0x0000000140074000-memory.dmp	xmrig
behavioral1/memory/2668-157-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

oDlorub.exeaFtXEtw.exeWwftAmu.exeBotMlgX.exesNvXWrm.exeVAQQdjT.exeMWtWSwY.exeUydxTKp.exegTfKczO.exeHyflIue.exefxIfjLt.exeMwBUuvD.exePmNRAFO.exeuMuHajF.exeumBBzsy.exedssePQo.exeOedoADs.exeXVXLsEo.exeQhbqCHy.execJqfDPF.exerMqJHAv.exe

pid	process
2672	oDlorub.exe
2292	aFtXEtw.exe
2684	WwftAmu.exe
2712	BotMlgX.exe
2636	sNvXWrm.exe
3024	VAQQdjT.exe
2520	MWtWSwY.exe
2380	UydxTKp.exe
2504	gTfKczO.exe
1600	HyflIue.exe
2468	fxIfjLt.exe
2668	MwBUuvD.exe
2808	PmNRAFO.exe
1212	uMuHajF.exe
352	umBBzsy.exe
1580	dssePQo.exe
1224	OedoADs.exe
2288	XVXLsEo.exe
2444	QhbqCHy.exe
1892	cJqfDPF.exe
1172	rMqJHAv.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

pid	process
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1732-0-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
\Windows\system\oDlorub.exe	upx
behavioral1/memory/1732-8-0x0000000002460000-0x00000000027B4000-memory.dmp	upx
behavioral1/memory/2672-9-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
\Windows\system\aFtXEtw.exe	upx
\Windows\system\WwftAmu.exe	upx
\Windows\system\BotMlgX.exe	upx
C:\Windows\system\sNvXWrm.exe	upx
behavioral1/memory/2636-33-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2684-28-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2292-18-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
C:\Windows\system\VAQQdjT.exe	upx
behavioral1/memory/3024-42-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
\Windows\system\MWtWSwY.exe	upx
behavioral1/memory/2380-54-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2520-56-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
C:\Windows\system\UydxTKp.exe	upx
behavioral1/memory/1732-48-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/1600-67-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
C:\Windows\system\HyflIue.exe	upx
C:\Windows\system\fxIfjLt.exe	upx
behavioral1/memory/2468-76-0x000000013FD20000-0x0000000140074000-memory.dmp	upx
behavioral1/memory/2292-74-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2504-61-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
C:\Windows\system\gTfKczO.exe	upx
\Windows\system\MwBUuvD.exe	upx
\Windows\system\PmNRAFO.exe	upx
C:\Windows\system\uMuHajF.exe	upx
behavioral1/memory/2668-95-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
\Windows\system\dssePQo.exe	upx
\Windows\system\XVXLsEo.exe	upx
C:\Windows\system\OedoADs.exe	upx
C:\Windows\system\umBBzsy.exe	upx
behavioral1/memory/1212-102-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2712-106-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2808-96-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
\Windows\system\rMqJHAv.exe	upx
C:\Windows\system\cJqfDPF.exe	upx
C:\Windows\system\QhbqCHy.exe	upx
behavioral1/memory/2636-136-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2504-138-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/1600-140-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2468-142-0x000000013FD20000-0x0000000140074000-memory.dmp	upx
behavioral1/memory/2672-146-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/memory/2684-147-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2292-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2712-149-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2636-151-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/3024-150-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2520-153-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2380-152-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2504-154-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/1600-155-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2468-156-0x000000013FD20000-0x0000000140074000-memory.dmp	upx
behavioral1/memory/2668-157-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/1212-158-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2808-159-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\HyflIue.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fxIfjLt.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dssePQo.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WwftAmu.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MWtWSwY.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UydxTKp.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uMuHajF.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\umBBzsy.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XVXLsEo.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oDlorub.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cJqfDPF.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PmNRAFO.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OedoADs.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aFtXEtw.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BotMlgX.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sNvXWrm.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VAQQdjT.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gTfKczO.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MwBUuvD.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QhbqCHy.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rMqJHAv.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1732 wrote to memory of 2672	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	oDlorub.exe
PID 1732 wrote to memory of 2672	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	oDlorub.exe
PID 1732 wrote to memory of 2672	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	oDlorub.exe
PID 1732 wrote to memory of 2292	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	aFtXEtw.exe
PID 1732 wrote to memory of 2292	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	aFtXEtw.exe
PID 1732 wrote to memory of 2292	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	aFtXEtw.exe
PID 1732 wrote to memory of 2684	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	WwftAmu.exe
PID 1732 wrote to memory of 2684	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	WwftAmu.exe
PID 1732 wrote to memory of 2684	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	WwftAmu.exe
PID 1732 wrote to memory of 2712	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	BotMlgX.exe
PID 1732 wrote to memory of 2712	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	BotMlgX.exe
PID 1732 wrote to memory of 2712	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	BotMlgX.exe
PID 1732 wrote to memory of 2636	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	sNvXWrm.exe
PID 1732 wrote to memory of 2636	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	sNvXWrm.exe
PID 1732 wrote to memory of 2636	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	sNvXWrm.exe
PID 1732 wrote to memory of 3024	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	VAQQdjT.exe
PID 1732 wrote to memory of 3024	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	VAQQdjT.exe
PID 1732 wrote to memory of 3024	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	VAQQdjT.exe
PID 1732 wrote to memory of 2520	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	MWtWSwY.exe
PID 1732 wrote to memory of 2520	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	MWtWSwY.exe
PID 1732 wrote to memory of 2520	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	MWtWSwY.exe
PID 1732 wrote to memory of 2380	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	UydxTKp.exe
PID 1732 wrote to memory of 2380	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	UydxTKp.exe
PID 1732 wrote to memory of 2380	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	UydxTKp.exe
PID 1732 wrote to memory of 2504	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	gTfKczO.exe
PID 1732 wrote to memory of 2504	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	gTfKczO.exe
PID 1732 wrote to memory of 2504	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	gTfKczO.exe
PID 1732 wrote to memory of 1600	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	HyflIue.exe
PID 1732 wrote to memory of 1600	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	HyflIue.exe
PID 1732 wrote to memory of 1600	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	HyflIue.exe
PID 1732 wrote to memory of 2468	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	fxIfjLt.exe
PID 1732 wrote to memory of 2468	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	fxIfjLt.exe
PID 1732 wrote to memory of 2468	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	fxIfjLt.exe
PID 1732 wrote to memory of 2668	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	MwBUuvD.exe
PID 1732 wrote to memory of 2668	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	MwBUuvD.exe
PID 1732 wrote to memory of 2668	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	MwBUuvD.exe
PID 1732 wrote to memory of 2808	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	PmNRAFO.exe
PID 1732 wrote to memory of 2808	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	PmNRAFO.exe
PID 1732 wrote to memory of 2808	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	PmNRAFO.exe
PID 1732 wrote to memory of 1212	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	uMuHajF.exe
PID 1732 wrote to memory of 1212	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	uMuHajF.exe
PID 1732 wrote to memory of 1212	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	uMuHajF.exe
PID 1732 wrote to memory of 352	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	umBBzsy.exe
PID 1732 wrote to memory of 352	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	umBBzsy.exe
PID 1732 wrote to memory of 352	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	umBBzsy.exe
PID 1732 wrote to memory of 1580	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	dssePQo.exe
PID 1732 wrote to memory of 1580	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	dssePQo.exe
PID 1732 wrote to memory of 1580	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	dssePQo.exe
PID 1732 wrote to memory of 1224	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	OedoADs.exe
PID 1732 wrote to memory of 1224	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	OedoADs.exe
PID 1732 wrote to memory of 1224	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	OedoADs.exe
PID 1732 wrote to memory of 2288	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XVXLsEo.exe
PID 1732 wrote to memory of 2288	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XVXLsEo.exe
PID 1732 wrote to memory of 2288	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XVXLsEo.exe
PID 1732 wrote to memory of 2444	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	QhbqCHy.exe
PID 1732 wrote to memory of 2444	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	QhbqCHy.exe
PID 1732 wrote to memory of 2444	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	QhbqCHy.exe
PID 1732 wrote to memory of 1892	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	cJqfDPF.exe
PID 1732 wrote to memory of 1892	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	cJqfDPF.exe
PID 1732 wrote to memory of 1892	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	cJqfDPF.exe
PID 1732 wrote to memory of 1172	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	rMqJHAv.exe
PID 1732 wrote to memory of 1172	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	rMqJHAv.exe
PID 1732 wrote to memory of 1172	1732	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	rMqJHAv.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System\oDlorub.exe
C:\Windows\System\oDlorub.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\aFtXEtw.exe
C:\Windows\System\aFtXEtw.exe
2⤵
- Executes dropped EXE
PID:2292

C:\Windows\System\WwftAmu.exe
C:\Windows\System\WwftAmu.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\BotMlgX.exe
C:\Windows\System\BotMlgX.exe
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\System\sNvXWrm.exe
C:\Windows\System\sNvXWrm.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\VAQQdjT.exe
C:\Windows\System\VAQQdjT.exe
2⤵
- Executes dropped EXE
PID:3024

C:\Windows\System\MWtWSwY.exe
C:\Windows\System\MWtWSwY.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\UydxTKp.exe
C:\Windows\System\UydxTKp.exe
2⤵
- Executes dropped EXE
PID:2380

C:\Windows\System\gTfKczO.exe
C:\Windows\System\gTfKczO.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\HyflIue.exe
C:\Windows\System\HyflIue.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\System\fxIfjLt.exe
C:\Windows\System\fxIfjLt.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\MwBUuvD.exe
C:\Windows\System\MwBUuvD.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\PmNRAFO.exe
C:\Windows\System\PmNRAFO.exe
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\System\uMuHajF.exe
C:\Windows\System\uMuHajF.exe
2⤵
- Executes dropped EXE
PID:1212

C:\Windows\System\umBBzsy.exe
C:\Windows\System\umBBzsy.exe
2⤵
- Executes dropped EXE
PID:352

C:\Windows\System\dssePQo.exe
C:\Windows\System\dssePQo.exe
2⤵
- Executes dropped EXE
PID:1580

C:\Windows\System\OedoADs.exe
C:\Windows\System\OedoADs.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\System\XVXLsEo.exe
C:\Windows\System\XVXLsEo.exe
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\System\QhbqCHy.exe
C:\Windows\System\QhbqCHy.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\cJqfDPF.exe
C:\Windows\System\cJqfDPF.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System\rMqJHAv.exe
C:\Windows\System\rMqJHAv.exe
2⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HyflIue.exe
Filesize
5.9MB

MD5
e72cea6c55becc0dcdc737b553f03eef

SHA1
862e557575714f3c42a6e39ed8f0f11358d37957

SHA256
bf40d7eb97a713c1547105c31cc611e08860eee0911ec1df0fd576842d2dd7b8

SHA512
6c914326d37b89c914fb56ef6e82f13b4bf5fa8bb006f9989b2f7d38e1f5f7c37f016c977845ea73f8bf9d201d6ae159d8e6f295bc5eddc693e1bfdd8fc11218

Download Submit
C:\Windows\system\OedoADs.exe
Filesize
5.9MB

MD5
e7ef0567d3c842b7b313b3e798b2f644

SHA1
9e88eb1cf19e7352e6a9df18b58fc440cc76ac9a

SHA256
4ee74b2eb7cc78ac69f7eefe09d0f00c009356087acbe7f2f1c0642d99046db7

SHA512
5516a1041ca0bece4e42c9aa384b478ea50c02f1eea39ca0aa13efbfe8976802074023558268b0382ca9a1e2934a14679f541b3bb68ee52f3e5810312bd79fb6

Download Submit
C:\Windows\system\QhbqCHy.exe
Filesize
5.9MB

MD5
f4e6be55ecf27f457f51ff2ee1ab3d5c

SHA1
e4ad83b7f81351ccf237e9a4c88842f0ae56b9b4

SHA256
6f22943fade5e324742f3e7568d40bd98b396e12de70591c4dc13c5cc2392a58

SHA512
54446174b69452b61d6379598222d39fbec5c05b8fb2938f76d5a19007394d5525d286339e2423fb0fc841233655e988385da84d9cf23a9d69152ae59ed16a29

Download Submit
C:\Windows\system\UydxTKp.exe
Filesize
5.9MB

MD5
5d13e154acfa5f6faf6ef9a25b547d82

SHA1
4cf03101f3529ddd6aa09aff3d735fe4b96d1232

SHA256
fce172ea9c8ed3e1a1fd894a873560bc5e19fd3bea7e021b2726cee4cdf54612

SHA512
035e307bbd5d6154ccc6c504aed6377b4dc025cd570b4f13c115b5d9ad662f2283853e080683f0c814851ec0fb1c0934f1975679a086517e15a0b52cb39261a6

Download Submit
C:\Windows\system\VAQQdjT.exe
Filesize
5.9MB

MD5
c1c7e7a359e699b968c138675c395174

SHA1
14bfb88b8cfd44de9c151a7b8775b8e2b0f071fd

SHA256
849a7810e6c38359c4f3b664209fe848c345f518ccfc2a9dd2642eb1b3910a49

SHA512
cf6eaef32372739107a94824756aeaf276b82b2d815443dfdbe7e41d60c5162737096ae9ccd81d27e3fe9f6b3db90ea0411f15fca81bedc2bb8c528e45c39e21

Download Submit
C:\Windows\system\cJqfDPF.exe
Filesize
5.9MB

MD5
5fc2e94d767632beb7e122786c2e1904

SHA1
c0e5da7f88ef58eb6ea38eb8b43a2d0aabe6af43

SHA256
fd998b0af83cd5764866a9092c50787a72c0a14548389b4f8b0caa4d535b0a03

SHA512
d4c8997bdf69dbbd3dd46ed00796a2ff159b05e359dceda2d31ea79eca702091b58acf4f4c2aac47cd0622590fe034ac216ba0a40835cedc9f40a3fb51c6804f

Download Submit
C:\Windows\system\fxIfjLt.exe
Filesize
5.9MB

MD5
6501205e24333b4a11fcd28c545f9d36

SHA1
6897c0011d96c1a7fbb40bcc1cca24d0db1fbcc3

SHA256
a7066a4d8b567dd9e6fe25c043d991a74e2e4cc12eee2d17e46a71d0337b2733

SHA512
ef211ab2bfd302ac4aea5e3be70f1cdcc6975a527896f6c635acf70fae2fd819471d48fd28047eb015dd58c490a87ec18a009e8e859986da8f1dec59202d96af

Download Submit
C:\Windows\system\gTfKczO.exe
Filesize
5.9MB

MD5
749191961ace039a1f6b81a1656b779d

SHA1
70e00f3e33abcbe72f40d796f1f1eef8e2bf8685

SHA256
d398be694397536e3f94a4ea49f02bee64499bcd9df80cfe1e798f79ff3c3183

SHA512
0ead39fe0451ea1aa92ace1568db9f496b85050389655ffa87edabdebd07e62a4c91b653f818baa5fac51aa075e828d456fa1169da9a8a29f8e2d2c79b2d6b6b

Download Submit
C:\Windows\system\sNvXWrm.exe
Filesize
5.9MB

MD5
000b657afde68166232f66e2af82d636

SHA1
afaed10b957f87072412a1b50afe727e2cf95fb6

SHA256
d5202e39df7f5cda384c4c331f328fcde925262c0e53362c0a800446e3d314d7

SHA512
98dad7226ea1593c88c9e898ddb7d8892929fcadd297c71296ede4a105cab114eeca4c5216467be45575435010620a34136927eaa94892c27fdcedbf968b7748

Download Submit
C:\Windows\system\uMuHajF.exe
Filesize
5.9MB

MD5
83c586adc19b174fb8715e73ba54c84a

SHA1
90eddb793f32987fe347bd782672906cee88070b

SHA256
92df75b06149ca40aa95dd18fe3843b7283209721f1e8b8307d7a9d777498bbb

SHA512
b860d72a19411b84368274b031a59541a17d98156ce466ea5e0f173c5f2dc292917c3eccaaf9b0fa55fe9b1141097971a95277a9afa647eaa4d458425b61ddc6

Download Submit
C:\Windows\system\umBBzsy.exe
Filesize
5.9MB

MD5
0ea158b6ce56c9a60ad98e91006832bd

SHA1
e740c78d63e03cadc6b66bf91b9f618486c83d34

SHA256
ab481c20f26c597c4761c8668f1ba137c740a1d24f9917635daab0f57174a26b

SHA512
c81e22e40f6e135ecd6c3fa97bb917c0241ec694452c84fe7c9df7653e6b3ed9f4cb8af27116d59c8f7d9fd3ac5fb1374d9401583b2c6a9143617263a51dc692

Download Submit
\Windows\system\BotMlgX.exe
Filesize
5.9MB

MD5
53745802350f392db5e3eb06daecbd33

SHA1
2c3a241d3ed023f0a6450588df586436e7540495

SHA256
ce25cbef51e402db530f0da3f473365c69c7148669c15e8ebbfb428d1d7fd8b9

SHA512
88ccfe815931ffb618cc7b21d6a14c6edd40a0ad6a1650dbf8d058b9e332e5d8875fb31caf63c094ef4759bf227333256ad230cdea7af2e65b67ae0364f89b74

Download Submit
\Windows\system\MWtWSwY.exe
Filesize
5.9MB

MD5
714f9d5d2a93aeecab457011d3dab89d

SHA1
150befa31034a72431feae4b793b4c0dc6044155

SHA256
c649a50a5a7b276f8cd2dcb24ddb6a9701acd3c951762b8f01fafead8dd297df

SHA512
804118f4126582e09f80c278c926e192cf9fc23486b8e3b7d1c78fa59d53ae92ff679406e4dee61b8ef93fbf1eddc1e1bbe89a148045d51a56aa609b637693e8

Download Submit
\Windows\system\MwBUuvD.exe
Filesize
5.9MB

MD5
3fe8c40adcdc247f3aee20b6a213ab57

SHA1
82c839d2dc4a0f71c5c3b3beee24e9b1e2c01a8c

SHA256
885479a7e25e70a300f3e8b877b1cf59029e147e558dbcb87c94ce13f4a4979c

SHA512
d713758c5ac93bcef028d3dc6a6867eaa8c566227d98fb53b3d2624436394fb94d32fdf004782622410009bd263154accc4a1ee2ae5efd13b71b4de10e96cfc3

Download Submit
\Windows\system\PmNRAFO.exe
Filesize
5.9MB

MD5
d68be436e4282b34d47d5337f8c1b742

SHA1
a5f340bdebbb001f5e69b45a96a5d6502950d2c1

SHA256
8483461360bc75582b69fe886822b8461e51f3abd83a502f3c6cdeb25e9c99de

SHA512
635339920526975b61b73f56e6aa8dc19df4fbf7c8f0ddf73c4712c762a51a47163753e317aed18169b1092c85ce39f8344d9db9fa69f57e5f18f7b5ea2baee7

Download Submit
\Windows\system\WwftAmu.exe
Filesize
5.9MB

MD5
a7139046724fbb25fe18d17c25e90c26

SHA1
b9d2eaf1f83794f104d60b54cfa41d175ec4e29f

SHA256
d0f13f6fab4333d5c1391cbda3edf747448a8a47d2b65a7a80875072ff43638f

SHA512
bc5cd072383cb07f0a7e57dba5a65667e34de8273e403fedfbca620c0426c43138c34cae10b7567dcb01a7c646dabb6af36d091e6b097993b6c91ab653d0a199

Download Submit
\Windows\system\XVXLsEo.exe
Filesize
5.9MB

MD5
a0ec7a31d0ec71b71ba60e44c164dc15

SHA1
1d4e9d184fa4a090c9153b0e44ca487442deee1e

SHA256
c4512afc62dd5f9a2a92131ec79dabd1fb07eaf5b3509e05c9283fbdab535655

SHA512
90240dc0f3e9419a89e1a8ccec97d5c1e42806ebd68999744ebb9d4edf31be517e6b0debd331605a19c183c67058bc0ee9da58cb219ec5863c0a884e06e664cc

Download Submit
\Windows\system\aFtXEtw.exe
Filesize
5.9MB

MD5
8cbba29d6b70e49b9ab4f1d0f4aa1433

SHA1
ab1ef63e698431bb5c406e6d80897f797348540f

SHA256
c31d7762b86b80b6d48fa3477dff3fa89fcaf34bf3d073df58f0fa1dfd46c2b9

SHA512
2cd865c81f615b5fd21a7c20ab1811aacb2788930f49acf80cf8b4a86f9f4641a2c561cb0973cdfd65bf560dda20978ab5c619c02687f94f6b59629e75ed3914

Download Submit
\Windows\system\dssePQo.exe
Filesize
5.9MB

MD5
db7543a755a068d21c8d08d8a55dba94

SHA1
6a09081ed1693b81777e7a2fb8da55eb2dbccc8f

SHA256
d3285dd5cfdaf14eeb11dab572477850cafd4b0ddfe5ab1b85811e8ef8727807

SHA512
6893b070d267120df05d750b68960866f50ef50cb5ffb3f43a484645d61720af221c643b57716edf998a998eb9fc6e0843f50e08037aa6cdf34002e53d23e372

Download Submit
\Windows\system\oDlorub.exe
Filesize
5.9MB

MD5
657c7b16bd0dbf1a35e2f19bcfb9284f

SHA1
ab06093e25606ef487c85f8159f26d222fb24e38

SHA256
97c549e10de938530319a834350647b5cb09a16d1abc02cc10270d8cafedb90b

SHA512
412faca307470ce7731a32256981a3e8aacd996cb0372c56c092283e842d0834e6abc60885ea7f64a8669eb7e1854624abd604497a9aba9e44e08cb381cd4041

Download Submit
\Windows\system\rMqJHAv.exe
Filesize
5.9MB

MD5
c28ed95aaae7c0fd609401024a4647da

SHA1
345f5fe221329ba24f902d10511cb19fcdd403f5

SHA256
4c8883337f2c4a53ffbeff495c02408b2d442256794d710b83e26ac26954cdcc

SHA512
0f9caf153467cd950627f4fcf264ba357331f84ad96430fd0a1c503dca55819d75f3e2423f2db8c2d6c15b2e5c13b71f5196749c6b7ddc89a6585ded137c0885

Download Submit
memory/1212-102-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/1212-158-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/1600-140-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1600-155-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1600-67-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1732-53-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-66-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1732-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1732-75-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-137-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-8-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-39-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/1732-48-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/1732-0-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/1732-139-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1732-90-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/1732-145-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/1732-55-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1732-21-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-144-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-13-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-109-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/1732-94-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-100-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-143-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-97-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-141-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2292-18-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2292-148-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2292-74-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-54-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2380-152-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2468-76-0x000000013FD20000-0x0000000140074000-memory.dmp

Filesize
3.3MB

Download
memory/2468-156-0x000000013FD20000-0x0000000140074000-memory.dmp

Filesize
3.3MB

Download
memory/2468-142-0x000000013FD20000-0x0000000140074000-memory.dmp

Filesize
3.3MB

Download
memory/2504-138-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2504-61-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2504-154-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2520-56-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-153-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-136-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2636-33-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2636-151-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2668-95-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-157-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-146-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2672-9-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2684-28-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2684-147-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2712-149-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2712-106-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2808-96-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2808-159-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-150-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/3024-42-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download