cobaltstrike | e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e

Analysis

max time kernel
140s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
Size

5.2MB
MD5

1d63a449c8a45fab97d1e4d404e9f670
SHA1

d321ab304a1cb356d2176464be0bfe96681e524c
SHA256

e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e
SHA512

0b5b589f631c896e44825f0ba82b85087bce0d47a589e64c5da7b927f27207c9160e0c0afee4f3ef232d0682f3a9ccae3e23d35e7c1d139890e8c52e8723afef

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 42 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\cOvpMAO.exe	cobalt_reflective_dll
C:\Windows\System\xQXNsSL.exe	cobalt_reflective_dll
C:\Windows\System\xQXNsSL.exe	cobalt_reflective_dll
C:\Windows\System\cOvpMAO.exe	cobalt_reflective_dll
C:\Windows\System\JVANeYg.exe	cobalt_reflective_dll
C:\Windows\System\JVANeYg.exe	cobalt_reflective_dll
C:\Windows\System\UPEwqRY.exe	cobalt_reflective_dll
C:\Windows\System\UPEwqRY.exe	cobalt_reflective_dll
C:\Windows\System\FsPEfRC.exe	cobalt_reflective_dll
C:\Windows\System\FsPEfRC.exe	cobalt_reflective_dll
C:\Windows\System\YgdIJOn.exe	cobalt_reflective_dll
C:\Windows\System\YgdIJOn.exe	cobalt_reflective_dll
C:\Windows\System\FdzxNGM.exe	cobalt_reflective_dll
C:\Windows\System\FdzxNGM.exe	cobalt_reflective_dll
C:\Windows\System\XAGlylB.exe	cobalt_reflective_dll
C:\Windows\System\XAGlylB.exe	cobalt_reflective_dll
C:\Windows\System\IVvPVCc.exe	cobalt_reflective_dll
C:\Windows\System\IVvPVCc.exe	cobalt_reflective_dll
C:\Windows\System\xNVdPum.exe	cobalt_reflective_dll
C:\Windows\System\SQQCqpJ.exe	cobalt_reflective_dll
C:\Windows\System\xNVdPum.exe	cobalt_reflective_dll
C:\Windows\System\coYXxaZ.exe	cobalt_reflective_dll
C:\Windows\System\SQQCqpJ.exe	cobalt_reflective_dll
C:\Windows\System\inukEJo.exe	cobalt_reflective_dll
C:\Windows\System\coYXxaZ.exe	cobalt_reflective_dll
C:\Windows\System\inukEJo.exe	cobalt_reflective_dll
C:\Windows\System\cSIWNmh.exe	cobalt_reflective_dll
C:\Windows\System\GBVTUZk.exe	cobalt_reflective_dll
C:\Windows\System\cSIWNmh.exe	cobalt_reflective_dll
C:\Windows\System\fhldEvP.exe	cobalt_reflective_dll
C:\Windows\System\GBVTUZk.exe	cobalt_reflective_dll
C:\Windows\System\LAeYvfZ.exe	cobalt_reflective_dll
C:\Windows\System\LAeYvfZ.exe	cobalt_reflective_dll
C:\Windows\System\ALgveCX.exe	cobalt_reflective_dll
C:\Windows\System\fhldEvP.exe	cobalt_reflective_dll
C:\Windows\System\vwxtOHG.exe	cobalt_reflective_dll
C:\Windows\System\lGSpxht.exe	cobalt_reflective_dll
C:\Windows\System\ALgveCX.exe	cobalt_reflective_dll
C:\Windows\System\vwxtOHG.exe	cobalt_reflective_dll
C:\Windows\System\yRxQWkf.exe	cobalt_reflective_dll
C:\Windows\System\yRxQWkf.exe	cobalt_reflective_dll
C:\Windows\System\lGSpxht.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 21 IoCs

Processes:

cOvpMAO.exexQXNsSL.exeJVANeYg.exeUPEwqRY.exeFsPEfRC.exeYgdIJOn.exeFdzxNGM.exeXAGlylB.exeIVvPVCc.exexNVdPum.exeSQQCqpJ.execoYXxaZ.exeinukEJo.exefhldEvP.execSIWNmh.exeGBVTUZk.exeLAeYvfZ.exeALgveCX.exevwxtOHG.exelGSpxht.exeyRxQWkf.exe

pid	process
648	cOvpMAO.exe
1004	xQXNsSL.exe
1220	JVANeYg.exe
3912	UPEwqRY.exe
184	FsPEfRC.exe
2160	YgdIJOn.exe
2500	FdzxNGM.exe
2696	XAGlylB.exe
2704	IVvPVCc.exe
3508	xNVdPum.exe
3684	SQQCqpJ.exe
4032	coYXxaZ.exe
2216	inukEJo.exe
1268	fhldEvP.exe
2148	cSIWNmh.exe
2124	GBVTUZk.exe
1508	LAeYvfZ.exe
1632	ALgveCX.exe
3808	vwxtOHG.exe
1000	lGSpxht.exe
1244	yRxQWkf.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\System\cOvpMAO.exe	upx
C:\Windows\System\xQXNsSL.exe	upx
C:\Windows\System\xQXNsSL.exe	upx
C:\Windows\System\cOvpMAO.exe	upx
C:\Windows\System\JVANeYg.exe	upx
C:\Windows\System\JVANeYg.exe	upx
C:\Windows\System\UPEwqRY.exe	upx
C:\Windows\System\UPEwqRY.exe	upx
C:\Windows\System\FsPEfRC.exe	upx
C:\Windows\System\FsPEfRC.exe	upx
C:\Windows\System\YgdIJOn.exe	upx
C:\Windows\System\YgdIJOn.exe	upx
C:\Windows\System\FdzxNGM.exe	upx
C:\Windows\System\FdzxNGM.exe	upx
C:\Windows\System\XAGlylB.exe	upx
C:\Windows\System\XAGlylB.exe	upx
C:\Windows\System\IVvPVCc.exe	upx
C:\Windows\System\IVvPVCc.exe	upx
C:\Windows\System\xNVdPum.exe	upx
C:\Windows\System\SQQCqpJ.exe	upx
C:\Windows\System\xNVdPum.exe	upx
C:\Windows\System\coYXxaZ.exe	upx
C:\Windows\System\SQQCqpJ.exe	upx
C:\Windows\System\inukEJo.exe	upx
C:\Windows\System\coYXxaZ.exe	upx
C:\Windows\System\inukEJo.exe	upx
C:\Windows\System\cSIWNmh.exe	upx
C:\Windows\System\GBVTUZk.exe	upx
C:\Windows\System\cSIWNmh.exe	upx
C:\Windows\System\fhldEvP.exe	upx
C:\Windows\System\GBVTUZk.exe	upx
C:\Windows\System\LAeYvfZ.exe	upx
C:\Windows\System\LAeYvfZ.exe	upx
C:\Windows\System\ALgveCX.exe	upx
C:\Windows\System\fhldEvP.exe	upx
C:\Windows\System\vwxtOHG.exe	upx
C:\Windows\System\lGSpxht.exe	upx
C:\Windows\System\ALgveCX.exe	upx
C:\Windows\System\vwxtOHG.exe	upx
C:\Windows\System\yRxQWkf.exe	upx
C:\Windows\System\yRxQWkf.exe	upx
C:\Windows\System\lGSpxht.exe	upx

JavaScript code in executable 42 IoCs

Processes:

resource	yara_rule
C:\Windows\System\cOvpMAO.exe	js
C:\Windows\System\xQXNsSL.exe	js
C:\Windows\System\xQXNsSL.exe	js
C:\Windows\System\cOvpMAO.exe	js
C:\Windows\System\JVANeYg.exe	js
C:\Windows\System\JVANeYg.exe	js
C:\Windows\System\UPEwqRY.exe	js
C:\Windows\System\UPEwqRY.exe	js
C:\Windows\System\FsPEfRC.exe	js
C:\Windows\System\FsPEfRC.exe	js
C:\Windows\System\YgdIJOn.exe	js
C:\Windows\System\YgdIJOn.exe	js
C:\Windows\System\FdzxNGM.exe	js
C:\Windows\System\FdzxNGM.exe	js
C:\Windows\System\XAGlylB.exe	js
C:\Windows\System\XAGlylB.exe	js
C:\Windows\System\IVvPVCc.exe	js
C:\Windows\System\IVvPVCc.exe	js
C:\Windows\System\xNVdPum.exe	js
C:\Windows\System\SQQCqpJ.exe	js
C:\Windows\System\xNVdPum.exe	js
C:\Windows\System\coYXxaZ.exe	js
C:\Windows\System\SQQCqpJ.exe	js
C:\Windows\System\inukEJo.exe	js
C:\Windows\System\coYXxaZ.exe	js
C:\Windows\System\inukEJo.exe	js
C:\Windows\System\cSIWNmh.exe	js
C:\Windows\System\GBVTUZk.exe	js
C:\Windows\System\cSIWNmh.exe	js
C:\Windows\System\fhldEvP.exe	js
C:\Windows\System\GBVTUZk.exe	js
C:\Windows\System\LAeYvfZ.exe	js
C:\Windows\System\LAeYvfZ.exe	js
C:\Windows\System\ALgveCX.exe	js
C:\Windows\System\fhldEvP.exe	js
C:\Windows\System\vwxtOHG.exe	js
C:\Windows\System\lGSpxht.exe	js
C:\Windows\System\ALgveCX.exe	js
C:\Windows\System\vwxtOHG.exe	js
C:\Windows\System\yRxQWkf.exe	js
C:\Windows\System\yRxQWkf.exe	js
C:\Windows\System\lGSpxht.exe	js

Drops file in Windows directory 21 IoCs

Processes:

e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe

description	ioc	process
File created	C:\Windows\System\xNVdPum.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\LAeYvfZ.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\yRxQWkf.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\xQXNsSL.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\XAGlylB.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\vwxtOHG.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\lGSpxht.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\UPEwqRY.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\IVvPVCc.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\YgdIJOn.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\FdzxNGM.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\SQQCqpJ.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\coYXxaZ.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\GBVTUZk.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\cOvpMAO.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\FsPEfRC.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\fhldEvP.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\cSIWNmh.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\ALgveCX.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\JVANeYg.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
File created	C:\Windows\System\inukEJo.exe	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe

description	pid	process
Token: SeLockMemoryPrivilege	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
Token: SeLockMemoryPrivilege	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe

description	pid	process	target process
PID 3856 wrote to memory of 648	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	cOvpMAO.exe
PID 3856 wrote to memory of 648	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	cOvpMAO.exe
PID 3856 wrote to memory of 1004	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	xQXNsSL.exe
PID 3856 wrote to memory of 1004	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	xQXNsSL.exe
PID 3856 wrote to memory of 1220	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	JVANeYg.exe
PID 3856 wrote to memory of 1220	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	JVANeYg.exe
PID 3856 wrote to memory of 3912	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	UPEwqRY.exe
PID 3856 wrote to memory of 3912	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	UPEwqRY.exe
PID 3856 wrote to memory of 184	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	FsPEfRC.exe
PID 3856 wrote to memory of 184	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	FsPEfRC.exe
PID 3856 wrote to memory of 2160	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	YgdIJOn.exe
PID 3856 wrote to memory of 2160	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	YgdIJOn.exe
PID 3856 wrote to memory of 2500	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	FdzxNGM.exe
PID 3856 wrote to memory of 2500	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	FdzxNGM.exe
PID 3856 wrote to memory of 2696	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	XAGlylB.exe
PID 3856 wrote to memory of 2696	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	XAGlylB.exe
PID 3856 wrote to memory of 2704	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	IVvPVCc.exe
PID 3856 wrote to memory of 2704	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	IVvPVCc.exe
PID 3856 wrote to memory of 3508	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	xNVdPum.exe
PID 3856 wrote to memory of 3508	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	xNVdPum.exe
PID 3856 wrote to memory of 3684	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	SQQCqpJ.exe
PID 3856 wrote to memory of 3684	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	SQQCqpJ.exe
PID 3856 wrote to memory of 4032	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	coYXxaZ.exe
PID 3856 wrote to memory of 4032	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	coYXxaZ.exe
PID 3856 wrote to memory of 2216	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	inukEJo.exe
PID 3856 wrote to memory of 2216	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	inukEJo.exe
PID 3856 wrote to memory of 1268	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	fhldEvP.exe
PID 3856 wrote to memory of 1268	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	fhldEvP.exe
PID 3856 wrote to memory of 2148	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	cSIWNmh.exe
PID 3856 wrote to memory of 2148	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	cSIWNmh.exe
PID 3856 wrote to memory of 2124	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	GBVTUZk.exe
PID 3856 wrote to memory of 2124	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	GBVTUZk.exe
PID 3856 wrote to memory of 1508	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	LAeYvfZ.exe
PID 3856 wrote to memory of 1508	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	LAeYvfZ.exe
PID 3856 wrote to memory of 1632	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	ALgveCX.exe
PID 3856 wrote to memory of 1632	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	ALgveCX.exe
PID 3856 wrote to memory of 3808	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	vwxtOHG.exe
PID 3856 wrote to memory of 3808	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	vwxtOHG.exe
PID 3856 wrote to memory of 1000	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	lGSpxht.exe
PID 3856 wrote to memory of 1000	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	lGSpxht.exe
PID 3856 wrote to memory of 1244	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	yRxQWkf.exe
PID 3856 wrote to memory of 1244	3856	e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe	yRxQWkf.exe

C:\Users\Admin\AppData\Local\Temp\e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe
"C:\Users\Admin\AppData\Local\Temp\e1abf4d331dd2af334504363eb1b23988c904f7c778866916f80882739cc425e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\System\cOvpMAO.exe
C:\Windows\System\cOvpMAO.exe
2⤵
- Executes dropped EXE
PID:648

C:\Windows\System\xQXNsSL.exe
C:\Windows\System\xQXNsSL.exe
2⤵
- Executes dropped EXE
PID:1004

C:\Windows\System\JVANeYg.exe
C:\Windows\System\JVANeYg.exe
2⤵
- Executes dropped EXE
PID:1220

C:\Windows\System\UPEwqRY.exe
C:\Windows\System\UPEwqRY.exe
2⤵
- Executes dropped EXE
PID:3912

C:\Windows\System\FsPEfRC.exe
C:\Windows\System\FsPEfRC.exe
2⤵
- Executes dropped EXE
PID:184

C:\Windows\System\YgdIJOn.exe
C:\Windows\System\YgdIJOn.exe
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System\FdzxNGM.exe
C:\Windows\System\FdzxNGM.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\XAGlylB.exe
C:\Windows\System\XAGlylB.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\System\IVvPVCc.exe
C:\Windows\System\IVvPVCc.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\xNVdPum.exe
C:\Windows\System\xNVdPum.exe
2⤵
- Executes dropped EXE
PID:3508

C:\Windows\System\SQQCqpJ.exe
C:\Windows\System\SQQCqpJ.exe
2⤵
- Executes dropped EXE
PID:3684

C:\Windows\System\coYXxaZ.exe
C:\Windows\System\coYXxaZ.exe
2⤵
- Executes dropped EXE
PID:4032

C:\Windows\System\inukEJo.exe
C:\Windows\System\inukEJo.exe
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\System\fhldEvP.exe
C:\Windows\System\fhldEvP.exe
2⤵
- Executes dropped EXE
PID:1268

C:\Windows\System\cSIWNmh.exe
C:\Windows\System\cSIWNmh.exe
2⤵
- Executes dropped EXE
PID:2148

C:\Windows\System\GBVTUZk.exe
C:\Windows\System\GBVTUZk.exe
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\System\LAeYvfZ.exe
C:\Windows\System\LAeYvfZ.exe
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\System\ALgveCX.exe
C:\Windows\System\ALgveCX.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\System\vwxtOHG.exe
C:\Windows\System\vwxtOHG.exe
2⤵
- Executes dropped EXE
PID:3808

C:\Windows\System\lGSpxht.exe
C:\Windows\System\lGSpxht.exe
2⤵
- Executes dropped EXE
PID:1000

C:\Windows\System\yRxQWkf.exe
C:\Windows\System\yRxQWkf.exe
2⤵
- Executes dropped EXE
PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ALgveCX.exe

MD5
b7a43300c9b6cb9ab25892b7d4b5303f

SHA1
1abe7d253f32be844687d7a36e7e348463c095b5

SHA256
970ccbcdf3d436746626b20b2b562066ed32410e45ea008b1c372efac3c3b71f

SHA512
205b58316747365395ff7f9eb6be6a9a1c0bdd91e6d62aa2c0135dcd55246b3fd3825d3bbfe25cb756c5d3ad8ab08efdc3a268502900e009562a954d97d97290

Download Submit
C:\Windows\System\ALgveCX.exe

MD5
b7a43300c9b6cb9ab25892b7d4b5303f

SHA1
1abe7d253f32be844687d7a36e7e348463c095b5

SHA256
970ccbcdf3d436746626b20b2b562066ed32410e45ea008b1c372efac3c3b71f

SHA512
205b58316747365395ff7f9eb6be6a9a1c0bdd91e6d62aa2c0135dcd55246b3fd3825d3bbfe25cb756c5d3ad8ab08efdc3a268502900e009562a954d97d97290

Download Submit
C:\Windows\System\FdzxNGM.exe

MD5
ef7f743c0361d8363c094fbef66fca87

SHA1
6878d2083f23900e3d6c9dfe4748b6439c9fef14

SHA256
092ff2d783619304be131380bbab605469b3cde10f8b0e8bf6b6ccec888d66c4

SHA512
e92c33382ebef057a9d6246666ed7c1194c1387d99f0bde1e8eb656b16325d1b614edd719385d497bacb2d553fba323135b1bd905d1d376ba7d09e7de3e8c0f8

Download Submit
C:\Windows\System\FdzxNGM.exe

MD5
ef7f743c0361d8363c094fbef66fca87

SHA1
6878d2083f23900e3d6c9dfe4748b6439c9fef14

SHA256
092ff2d783619304be131380bbab605469b3cde10f8b0e8bf6b6ccec888d66c4

SHA512
e92c33382ebef057a9d6246666ed7c1194c1387d99f0bde1e8eb656b16325d1b614edd719385d497bacb2d553fba323135b1bd905d1d376ba7d09e7de3e8c0f8

Download Submit
C:\Windows\System\FsPEfRC.exe

MD5
7b8cb432157faba848991ab2314d9f0b

SHA1
cb487f6916862d5775f0863bedb3c58c8f418baa

SHA256
9d609010ae3eed4fb4a452cfc18a2d974e4bdf039d0abe90a0776c67798dde6b

SHA512
1cbbc45311a7b9afa4ffcee48c44bf60a63e096d39a22a7c5c95e25407675101543e5d9bc0be06fee5f9d88a33abb5bfa68aa94f7467bf74b307ebad35a53f3a

Download Submit
C:\Windows\System\FsPEfRC.exe

MD5
7b8cb432157faba848991ab2314d9f0b

SHA1
cb487f6916862d5775f0863bedb3c58c8f418baa

SHA256
9d609010ae3eed4fb4a452cfc18a2d974e4bdf039d0abe90a0776c67798dde6b

SHA512
1cbbc45311a7b9afa4ffcee48c44bf60a63e096d39a22a7c5c95e25407675101543e5d9bc0be06fee5f9d88a33abb5bfa68aa94f7467bf74b307ebad35a53f3a

Download Submit
C:\Windows\System\GBVTUZk.exe

MD5
7d69d84acea97b447806a0e10de92276

SHA1
02a2b6c652c3fd0585f02a4ffd8bf32fa5a5efc5

SHA256
6795405e870ba58db705458d4142d824dda2fb3ba97346cdfa7bcd012d15dd7a

SHA512
a57ee782051e178acf693a57326ce411daa8b9cf08e6385304f1564238f66762023306baaccd7c07be9e475b576b96ae15f2972c1502cb7f959d70c66c85457c

Download Submit
C:\Windows\System\GBVTUZk.exe

MD5
7d69d84acea97b447806a0e10de92276

SHA1
02a2b6c652c3fd0585f02a4ffd8bf32fa5a5efc5

SHA256
6795405e870ba58db705458d4142d824dda2fb3ba97346cdfa7bcd012d15dd7a

SHA512
a57ee782051e178acf693a57326ce411daa8b9cf08e6385304f1564238f66762023306baaccd7c07be9e475b576b96ae15f2972c1502cb7f959d70c66c85457c

Download Submit
C:\Windows\System\IVvPVCc.exe

MD5
43c97feefdf79eaf2b02b7b082bbce7c

SHA1
11267b723a2486ba7ad3233d9c043975fee4f4ac

SHA256
666f6a37ce38aa2648e36813355bdd83be49ef76c2f836fb1f4d6cb51e45cfdd

SHA512
ef9f98f57d7a7befbdd78776546a643144ca34a4f90de809048236d192a315b812cea5e794417268812cee764cad270c8d5b32cd7f166c88ddd69322d7baa423

Download Submit
C:\Windows\System\IVvPVCc.exe

MD5
43c97feefdf79eaf2b02b7b082bbce7c

SHA1
11267b723a2486ba7ad3233d9c043975fee4f4ac

SHA256
666f6a37ce38aa2648e36813355bdd83be49ef76c2f836fb1f4d6cb51e45cfdd

SHA512
ef9f98f57d7a7befbdd78776546a643144ca34a4f90de809048236d192a315b812cea5e794417268812cee764cad270c8d5b32cd7f166c88ddd69322d7baa423

Download Submit
C:\Windows\System\JVANeYg.exe

MD5
e8f03129e76ee4d136a78990b6ea04a3

SHA1
4ecc22dc832632f27bd1a1665f0c1edb8a7f92e7

SHA256
25f034f910da919eb14ce31d6bcc21bc7e404c016642b5ebc1f9f5e03457da0c

SHA512
39ba4bc8f40b1b5791027c68396cbd772cd135dabfe060453b05c60da712ce3dd11a2b6e2f767ac84ba1f2e2829b4b5f812af25b6973858527673950ec0ac2c9

Download Submit
C:\Windows\System\JVANeYg.exe

MD5
e8f03129e76ee4d136a78990b6ea04a3

SHA1
4ecc22dc832632f27bd1a1665f0c1edb8a7f92e7

SHA256
25f034f910da919eb14ce31d6bcc21bc7e404c016642b5ebc1f9f5e03457da0c

SHA512
39ba4bc8f40b1b5791027c68396cbd772cd135dabfe060453b05c60da712ce3dd11a2b6e2f767ac84ba1f2e2829b4b5f812af25b6973858527673950ec0ac2c9

Download Submit
C:\Windows\System\LAeYvfZ.exe

MD5
82d9135ed83999f875479460f5fa45bb

SHA1
734bbe2588236916a11d24d28f1dcb17560836c3

SHA256
9e65f28570db2de305924db5816b03e19d480ee87d79f9a53d7e4ef2cc69610c

SHA512
af10394207bd4d4af1f88b261a8ed4337e65191ef6e2dbaf69b35705f88372d459975387548fe20c6b6b2d7b9712821899631b72a313d4b1cca57c3d344d39cb

Download Submit
C:\Windows\System\LAeYvfZ.exe

MD5
82d9135ed83999f875479460f5fa45bb

SHA1
734bbe2588236916a11d24d28f1dcb17560836c3

SHA256
9e65f28570db2de305924db5816b03e19d480ee87d79f9a53d7e4ef2cc69610c

SHA512
af10394207bd4d4af1f88b261a8ed4337e65191ef6e2dbaf69b35705f88372d459975387548fe20c6b6b2d7b9712821899631b72a313d4b1cca57c3d344d39cb

Download Submit
C:\Windows\System\SQQCqpJ.exe

MD5
b0d5a6d07e55bc9f6f345c37189428a1

SHA1
f07ca1d293c4635db846a54defbab98ad45cde7e

SHA256
ddf4209fde636e1ba8f9f599f63e1e7728a252b8b1c9b5f7d59a8d5564d242b9

SHA512
2520e8a10c9cb66304f11e99aaf2e20d284c97c0fe76d9dcd94f23f3ee857abd1dbb0bf4f4665d5a55c0bf34849f351fb4b4084ca4fe5266ddb97ed0e528eaac

Download Submit
C:\Windows\System\SQQCqpJ.exe

MD5
b0d5a6d07e55bc9f6f345c37189428a1

SHA1
f07ca1d293c4635db846a54defbab98ad45cde7e

SHA256
ddf4209fde636e1ba8f9f599f63e1e7728a252b8b1c9b5f7d59a8d5564d242b9

SHA512
2520e8a10c9cb66304f11e99aaf2e20d284c97c0fe76d9dcd94f23f3ee857abd1dbb0bf4f4665d5a55c0bf34849f351fb4b4084ca4fe5266ddb97ed0e528eaac

Download Submit
C:\Windows\System\UPEwqRY.exe

MD5
6d388d52b673c343160b580f2b6b7987

SHA1
27dbf7476b420793adcb4198a7ca99406bf86de5

SHA256
4d8a37529c11520ea1ab3a58abdcd3cfe89f1eda4e76646f12e27233f8f7120a

SHA512
dcba53ffdee9b695f6930e96c0be16b1653cf73a5c1bc61c496aa9f24aaed069c290e3d36c9af6d0937493ee7f4b9744195840fe5dfb3c47d61f6a3e2141b01d

Download Submit
C:\Windows\System\UPEwqRY.exe

MD5
6d388d52b673c343160b580f2b6b7987

SHA1
27dbf7476b420793adcb4198a7ca99406bf86de5

SHA256
4d8a37529c11520ea1ab3a58abdcd3cfe89f1eda4e76646f12e27233f8f7120a

SHA512
dcba53ffdee9b695f6930e96c0be16b1653cf73a5c1bc61c496aa9f24aaed069c290e3d36c9af6d0937493ee7f4b9744195840fe5dfb3c47d61f6a3e2141b01d

Download Submit
C:\Windows\System\XAGlylB.exe

MD5
02e016883cc2cb6fb95c5609316fd086

SHA1
f64e7fce992cbe56ae64a5d3f5b2cabcf5af586f

SHA256
485595478adaaa26e732e6f5171b42c48a34fea06e516d9cf1ce43389c297462

SHA512
2e8f70a2c0621b681094ad2f497bc2686218af02034ffb6f6637c54d234799c6486c8d2de5670df65c9448dc68264f6cfa575c279922425b3fbe2e88020352f2

Download Submit
C:\Windows\System\XAGlylB.exe

MD5
02e016883cc2cb6fb95c5609316fd086

SHA1
f64e7fce992cbe56ae64a5d3f5b2cabcf5af586f

SHA256
485595478adaaa26e732e6f5171b42c48a34fea06e516d9cf1ce43389c297462

SHA512
2e8f70a2c0621b681094ad2f497bc2686218af02034ffb6f6637c54d234799c6486c8d2de5670df65c9448dc68264f6cfa575c279922425b3fbe2e88020352f2

Download Submit
C:\Windows\System\YgdIJOn.exe

MD5
b1abaf6df0fbb468ff92fc1e2baf251e

SHA1
93945e41998afe90ffc3424145fa6fe28ff1859d

SHA256
d0e0e1a9efd2b754c0ab15d50afc09e5ac8ea40e2f67cda5c8f1c5eba1c30b43

SHA512
ba54ed4699956a92ce56eb317150de7fea063d5298a6fcf3f0b560c10ae6df81ba7b7a2ffd424b5b4df2bff7297a6f10a014e773029d675aa807ca9b5f7309a0

Download Submit
C:\Windows\System\YgdIJOn.exe

MD5
b1abaf6df0fbb468ff92fc1e2baf251e

SHA1
93945e41998afe90ffc3424145fa6fe28ff1859d

SHA256
d0e0e1a9efd2b754c0ab15d50afc09e5ac8ea40e2f67cda5c8f1c5eba1c30b43

SHA512
ba54ed4699956a92ce56eb317150de7fea063d5298a6fcf3f0b560c10ae6df81ba7b7a2ffd424b5b4df2bff7297a6f10a014e773029d675aa807ca9b5f7309a0

Download Submit
C:\Windows\System\cOvpMAO.exe

MD5
9664059112d189dd991ce196abd4e308

SHA1
f06eb616d4b057141b370b3f9980e11e9c409a8e

SHA256
d7614264dcb16956ecff5a077f1279cf903589978998ca5cafa64897c6fa1cb6

SHA512
3663afe6a8f9cd13246c3937cebbf73747406b2e7935a4826c88c4f7aafb18c1935f90d5e66ee7c690204f8b0321caa5a8b87a6154dd24e0be89faaa982a4f63

Download Submit
C:\Windows\System\cOvpMAO.exe

MD5
9664059112d189dd991ce196abd4e308

SHA1
f06eb616d4b057141b370b3f9980e11e9c409a8e

SHA256
d7614264dcb16956ecff5a077f1279cf903589978998ca5cafa64897c6fa1cb6

SHA512
3663afe6a8f9cd13246c3937cebbf73747406b2e7935a4826c88c4f7aafb18c1935f90d5e66ee7c690204f8b0321caa5a8b87a6154dd24e0be89faaa982a4f63

Download Submit
C:\Windows\System\cSIWNmh.exe

MD5
cc4756d3e5429300b532649d7f37425d

SHA1
7943d33a96f6ffdb48e49cdcb201e5f70790add8

SHA256
0fc37d6b5466eb51d315699f9c50dca8046abdbd9cd8f7da2ab3225205d5daaf

SHA512
a44d3b92608d260f2d02358e3c42edca5f33c74899c9f14eccd82f0011c319b2984f4d4b2957591e42287c51e05aa22712b55986b8be20e40672bd27f6b08785

Download Submit
C:\Windows\System\cSIWNmh.exe

MD5
cc4756d3e5429300b532649d7f37425d

SHA1
7943d33a96f6ffdb48e49cdcb201e5f70790add8

SHA256
0fc37d6b5466eb51d315699f9c50dca8046abdbd9cd8f7da2ab3225205d5daaf

SHA512
a44d3b92608d260f2d02358e3c42edca5f33c74899c9f14eccd82f0011c319b2984f4d4b2957591e42287c51e05aa22712b55986b8be20e40672bd27f6b08785

Download Submit
C:\Windows\System\coYXxaZ.exe

MD5
af3a9d5d0ec3d005e52be0ecba51348a

SHA1
20b2fd9f818f0daf8ff581665c80efcc4de32b15

SHA256
ea8cf979e1c84be8323eec0368bb1a6bff455924e49393a10f2cecde723a1cbd

SHA512
efaf388b19cedee860ab4fd863c8ac2f3b2f61bc8ee53b994ec352e74df4aa84374e2158d0e9ce2f06048a33abf14074af88f75765d3e1aa3ff43ac8b7043c36

Download Submit
C:\Windows\System\coYXxaZ.exe

MD5
af3a9d5d0ec3d005e52be0ecba51348a

SHA1
20b2fd9f818f0daf8ff581665c80efcc4de32b15

SHA256
ea8cf979e1c84be8323eec0368bb1a6bff455924e49393a10f2cecde723a1cbd

SHA512
efaf388b19cedee860ab4fd863c8ac2f3b2f61bc8ee53b994ec352e74df4aa84374e2158d0e9ce2f06048a33abf14074af88f75765d3e1aa3ff43ac8b7043c36

Download Submit
C:\Windows\System\fhldEvP.exe

MD5
6f1d947117c461176acc57df3ecea954

SHA1
e7d4b48ec10f6f120ba905b9161ae1d0cda47f0d

SHA256
084269a5aeaa6b2e4d7720c9f9993f62eb5f4dc9ad9e4cb5643b8b40062e8fa8

SHA512
80ae9ac0d78ef6e27299743032db43a4d77eb354a163b56d2f507eac027c7b068f0b1478d9c78853eb496aaad76f5e11dbbf60848c61938972a2611642bca21c

Download Submit
C:\Windows\System\fhldEvP.exe

MD5
6f1d947117c461176acc57df3ecea954

SHA1
e7d4b48ec10f6f120ba905b9161ae1d0cda47f0d

SHA256
084269a5aeaa6b2e4d7720c9f9993f62eb5f4dc9ad9e4cb5643b8b40062e8fa8

SHA512
80ae9ac0d78ef6e27299743032db43a4d77eb354a163b56d2f507eac027c7b068f0b1478d9c78853eb496aaad76f5e11dbbf60848c61938972a2611642bca21c

Download Submit
C:\Windows\System\inukEJo.exe

MD5
56a802e87ac4a381ff625ae1fb9b137d

SHA1
e846544b01bfb52d0e41bab57569c00a6b516810

SHA256
7bbe8cc86fc2010b0abc19ffa71ff815d040a2cf391ddc082a8011d6eae1f654

SHA512
31ec1f9437fa19481cdac3ccae60b0cad0a508eec50adc6067de05b50444b4c22a7360934595d0e765f85ea2de4f9996f9857ac30c0c4b60ff6820edd763d7d6

Download Submit
C:\Windows\System\inukEJo.exe

MD5
56a802e87ac4a381ff625ae1fb9b137d

SHA1
e846544b01bfb52d0e41bab57569c00a6b516810

SHA256
7bbe8cc86fc2010b0abc19ffa71ff815d040a2cf391ddc082a8011d6eae1f654

SHA512
31ec1f9437fa19481cdac3ccae60b0cad0a508eec50adc6067de05b50444b4c22a7360934595d0e765f85ea2de4f9996f9857ac30c0c4b60ff6820edd763d7d6

Download Submit
C:\Windows\System\lGSpxht.exe

MD5
6dd2eb9eefa53c90751523f297537bb5

SHA1
56a29203bfc67c474cbd21406bb1eba4d7243a4c

SHA256
230bfbd0efb04fd0fb23389a7f4ec4f1341a1ef0753f7228892b19b0ea01a317

SHA512
42223237bddbd48d2bf697e4745479e1139d6a68d3220d2618dddb4fb318a226ea9290ec61151699c316fcb3504e75b6e9124c2e321b029f6c590b0bfa10ffbe

Download Submit
C:\Windows\System\lGSpxht.exe

MD5
6dd2eb9eefa53c90751523f297537bb5

SHA1
56a29203bfc67c474cbd21406bb1eba4d7243a4c

SHA256
230bfbd0efb04fd0fb23389a7f4ec4f1341a1ef0753f7228892b19b0ea01a317

SHA512
42223237bddbd48d2bf697e4745479e1139d6a68d3220d2618dddb4fb318a226ea9290ec61151699c316fcb3504e75b6e9124c2e321b029f6c590b0bfa10ffbe

Download Submit
C:\Windows\System\vwxtOHG.exe

MD5
e2592d15805a69bcffe3f5e93e7ba11f

SHA1
56f19ad37daa04a0e5f318c9be19a331b7352ca0

SHA256
285723a708fcb0cb3faabd484f2ddbbb01605662f7b32bf6a8cf1a3db4455a46

SHA512
1c62c3ec1a43463093f07e547dab3f5ff422a039731ce62fbcb63e75cfeb09f89c56e9fa327148f0a59cb80b41a2c32a0d866d4bbd9553a7e1f418c65b8d1bd7

Download Submit
C:\Windows\System\vwxtOHG.exe

MD5
e2592d15805a69bcffe3f5e93e7ba11f

SHA1
56f19ad37daa04a0e5f318c9be19a331b7352ca0

SHA256
285723a708fcb0cb3faabd484f2ddbbb01605662f7b32bf6a8cf1a3db4455a46

SHA512
1c62c3ec1a43463093f07e547dab3f5ff422a039731ce62fbcb63e75cfeb09f89c56e9fa327148f0a59cb80b41a2c32a0d866d4bbd9553a7e1f418c65b8d1bd7

Download Submit
C:\Windows\System\xNVdPum.exe

MD5
a9cc0387b11bc73a8736a610f1de913b

SHA1
cabd11c79aaadaef97f463a50a58d0c3d2d40894

SHA256
f514567bddf4a6f063b016a35100773df4262c602cdd08576969e6c6e9bad836

SHA512
f846bd228c9610fb325bb6ead4ddb5c6a1efa802e060033cafb9e22b1a27846c4d4633c4020bb5f0f22e73f5b98d036c3a5fb65be11473f75bfee6bc595904fe

Download Submit
C:\Windows\System\xNVdPum.exe

MD5
a9cc0387b11bc73a8736a610f1de913b

SHA1
cabd11c79aaadaef97f463a50a58d0c3d2d40894

SHA256
f514567bddf4a6f063b016a35100773df4262c602cdd08576969e6c6e9bad836

SHA512
f846bd228c9610fb325bb6ead4ddb5c6a1efa802e060033cafb9e22b1a27846c4d4633c4020bb5f0f22e73f5b98d036c3a5fb65be11473f75bfee6bc595904fe

Download Submit
C:\Windows\System\xQXNsSL.exe

MD5
18f3551de23aa9f8dd5742c228a2e65a

SHA1
64d49bc12f7ba2623bb8d0396973f310561887b6

SHA256
34444f1873b781ed8880f4cd2ef783606c6b3ad868eef7c29cfdc5cea904f256

SHA512
6b0d99d115442b1ce778a5ffa4de7bb86041918f915553fba4bce7437fd6433016007a04b95df56966663769ac76e00f9096b5cee7837f758b0b89471f932e29

Download Submit
C:\Windows\System\xQXNsSL.exe

MD5
18f3551de23aa9f8dd5742c228a2e65a

SHA1
64d49bc12f7ba2623bb8d0396973f310561887b6

SHA256
34444f1873b781ed8880f4cd2ef783606c6b3ad868eef7c29cfdc5cea904f256

SHA512
6b0d99d115442b1ce778a5ffa4de7bb86041918f915553fba4bce7437fd6433016007a04b95df56966663769ac76e00f9096b5cee7837f758b0b89471f932e29

Download Submit
C:\Windows\System\yRxQWkf.exe

MD5
bfa7fa03571e82b7185aa99b578f8dfc

SHA1
f1523eee5f1b123e0d0a52ea67ba45c59759311c

SHA256
20f3805b87bf4c27ed7304040e5b6d12de51d30c1ffab363efeac3e4faf12c1f

SHA512
386e48bada7fd748fce945c5a4a03942e62fe2983655234ae5b0a5fdc66ff43289286de49b80cfb417781511fe1b9d32d0931ca7149a633fddfe034852a788f5

Download Submit
C:\Windows\System\yRxQWkf.exe

MD5
bfa7fa03571e82b7185aa99b578f8dfc

SHA1
f1523eee5f1b123e0d0a52ea67ba45c59759311c

SHA256
20f3805b87bf4c27ed7304040e5b6d12de51d30c1ffab363efeac3e4faf12c1f

SHA512
386e48bada7fd748fce945c5a4a03942e62fe2983655234ae5b0a5fdc66ff43289286de49b80cfb417781511fe1b9d32d0931ca7149a633fddfe034852a788f5

Download Submit
memory/184-12-0x0000000000000000-mapping.dmp

Download
memory/648-0-0x0000000000000000-mapping.dmp

Download
memory/1000-55-0x0000000000000000-mapping.dmp

Download
memory/1004-1-0x0000000000000000-mapping.dmp

Download
memory/1220-5-0x0000000000000000-mapping.dmp

Download
memory/1244-58-0x0000000000000000-mapping.dmp

Download
memory/1268-39-0x0000000000000000-mapping.dmp

Download
memory/1508-47-0x0000000000000000-mapping.dmp

Download
memory/1632-49-0x0000000000000000-mapping.dmp

Download
memory/2124-43-0x0000000000000000-mapping.dmp

Download
memory/2148-41-0x0000000000000000-mapping.dmp

Download
memory/2160-15-0x0000000000000000-mapping.dmp

Download
memory/2216-34-0x0000000000000000-mapping.dmp

Download
memory/2500-18-0x0000000000000000-mapping.dmp

Download
memory/2696-21-0x0000000000000000-mapping.dmp

Download
memory/2704-23-0x0000000000000000-mapping.dmp

Download
memory/3508-27-0x0000000000000000-mapping.dmp

Download
memory/3684-28-0x0000000000000000-mapping.dmp

Download
memory/3808-53-0x0000000000000000-mapping.dmp

Download
memory/3912-9-0x0000000000000000-mapping.dmp

Download
memory/4032-32-0x0000000000000000-mapping.dmp

Download