cobaltstrike | 810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5

Analysis

max time kernel
149s
max time network
12s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
Size

5.2MB
MD5

a4326d2e99c9bb3d714cb707c4e8933e
SHA1

abdb75775916f1491ed7f2183ce71afc4155292c
SHA256

810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5
SHA512

ec900cb3006f8f6f9dcbb790491ef728b83f7428d76774cca4abe5ef0c34d5db8d1c0321f0013e0aa451d5353b7ca266a60c56f35bc3e6d4180e7f0be870684a

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 7 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\SBsGRxf.exe	cobalt_reflective_dll
C:\Windows\system\SBsGRxf.exe	cobalt_reflective_dll
\Windows\system\veGWLDz.exe	cobalt_reflective_dll
C:\Windows\system\veGWLDz.exe	cobalt_reflective_dll
\Windows\system\lPpiOob.exe	cobalt_reflective_dll
C:\Windows\system\lPpiOob.exe	cobalt_reflective_dll
\Windows\system\AeLrmUG.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 18 IoCs

Processes:

SBsGRxf.exeveGWLDz.exelPpiOob.exeqIusWes.exewRJQwBy.exeAeLrmUG.exelRCTyRx.exeDcyQQyg.exeJbckZUC.exeIdgzMfs.exeIxQdhpb.exejFhxXYn.exeOdNOSQj.exeSOZAUio.exevvHiNRa.exeksXRdnM.exeHVTZkiP.exeFDFtOUS.exe

pid	process
1440	SBsGRxf.exe
1520	veGWLDz.exe
1972	lPpiOob.exe
360	qIusWes.exe
1120	wRJQwBy.exe
284	AeLrmUG.exe
676	lRCTyRx.exe
540	DcyQQyg.exe
1368	JbckZUC.exe
916	IdgzMfs.exe
960	IxQdhpb.exe
1196	jFhxXYn.exe
1932	OdNOSQj.exe
1916	SOZAUio.exe
1068	vvHiNRa.exe
1072	ksXRdnM.exe
1984	HVTZkiP.exe
1712	FDFtOUS.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\SBsGRxf.exe	upx
C:\Windows\system\SBsGRxf.exe	upx
\Windows\system\veGWLDz.exe	upx
C:\Windows\system\veGWLDz.exe	upx
\Windows\system\lPpiOob.exe	upx
C:\Windows\system\lPpiOob.exe	upx
\Windows\system\qIusWes.exe	upx
C:\Windows\system\qIusWes.exe	upx
\Windows\system\AeLrmUG.exe	upx
\Windows\system\wRJQwBy.exe	upx
C:\Windows\system\wRJQwBy.exe	upx
C:\Windows\system\AeLrmUG.exe	upx
C:\Windows\system\lRCTyRx.exe	upx
\Windows\system\lRCTyRx.exe	upx
\Windows\system\DcyQQyg.exe	upx
C:\Windows\system\DcyQQyg.exe	upx
\Windows\system\JbckZUC.exe	upx
C:\Windows\system\JbckZUC.exe	upx
\Windows\system\IdgzMfs.exe	upx
C:\Windows\system\IdgzMfs.exe	upx
\Windows\system\IxQdhpb.exe	upx
C:\Windows\system\IxQdhpb.exe	upx
\Windows\system\jFhxXYn.exe	upx
C:\Windows\system\jFhxXYn.exe	upx
\Windows\system\OdNOSQj.exe	upx
C:\Windows\system\OdNOSQj.exe	upx
\Windows\system\SOZAUio.exe	upx
C:\Windows\system\SOZAUio.exe	upx
\Windows\system\vvHiNRa.exe	upx
C:\Windows\system\vvHiNRa.exe	upx
\Windows\system\ksXRdnM.exe	upx
C:\Windows\system\ksXRdnM.exe	upx
\Windows\system\HVTZkiP.exe	upx
C:\Windows\system\HVTZkiP.exe	upx
C:\Windows\system\FDFtOUS.exe	upx
\Windows\system\FDFtOUS.exe	upx
\Windows\system\CHPnzfL.exe	upx

Loads dropped DLL 19 IoCs

Processes:

810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe

pid	process
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe

JavaScript code in executable 29 IoCs

Processes:

resource	yara_rule
\Windows\system\SBsGRxf.exe	js
C:\Windows\system\SBsGRxf.exe	js
\Windows\system\veGWLDz.exe	js
C:\Windows\system\veGWLDz.exe	js
\Windows\system\lPpiOob.exe	js
C:\Windows\system\lPpiOob.exe	js
\Windows\system\qIusWes.exe	js
C:\Windows\system\qIusWes.exe	js
\Windows\system\AeLrmUG.exe	js
\Windows\system\wRJQwBy.exe	js
C:\Windows\system\wRJQwBy.exe	js
C:\Windows\system\AeLrmUG.exe	js
C:\Windows\system\lRCTyRx.exe	js
\Windows\system\lRCTyRx.exe	js
\Windows\system\DcyQQyg.exe	js
C:\Windows\system\DcyQQyg.exe	js
\Windows\system\JbckZUC.exe	js
C:\Windows\system\JbckZUC.exe	js
\Windows\system\IdgzMfs.exe	js
C:\Windows\system\IdgzMfs.exe	js
\Windows\system\IxQdhpb.exe	js
C:\Windows\system\IxQdhpb.exe	js
\Windows\system\jFhxXYn.exe	js
C:\Windows\system\jFhxXYn.exe	js
\Windows\system\OdNOSQj.exe	js
C:\Windows\system\OdNOSQj.exe	js
\Windows\system\SOZAUio.exe	js
C:\Windows\system\SOZAUio.exe	js
\Windows\system\vvHiNRa.exe	js

Drops file in Windows directory 19 IoCs

Processes:

810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe

description	ioc	process
File created	C:\Windows\System\AeLrmUG.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\JbckZUC.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\IdgzMfs.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\IxQdhpb.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\veGWLDz.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\wRJQwBy.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\jFhxXYn.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\SOZAUio.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\ksXRdnM.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\lPpiOob.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\lRCTyRx.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\DcyQQyg.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\OdNOSQj.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\SBsGRxf.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\qIusWes.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\vvHiNRa.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\HVTZkiP.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\FDFtOUS.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
File created	C:\Windows\System\CHPnzfL.exe	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe

description	pid	process	target process
PID 1408 wrote to memory of 1440	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	SBsGRxf.exe
PID 1408 wrote to memory of 1440	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	SBsGRxf.exe
PID 1408 wrote to memory of 1440	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	SBsGRxf.exe
PID 1408 wrote to memory of 1520	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	veGWLDz.exe
PID 1408 wrote to memory of 1520	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	veGWLDz.exe
PID 1408 wrote to memory of 1520	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	veGWLDz.exe
PID 1408 wrote to memory of 1972	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	lPpiOob.exe
PID 1408 wrote to memory of 1972	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	lPpiOob.exe
PID 1408 wrote to memory of 1972	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	lPpiOob.exe
PID 1408 wrote to memory of 360	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	qIusWes.exe
PID 1408 wrote to memory of 360	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	qIusWes.exe
PID 1408 wrote to memory of 360	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	qIusWes.exe
PID 1408 wrote to memory of 284	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	AeLrmUG.exe
PID 1408 wrote to memory of 284	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	AeLrmUG.exe
PID 1408 wrote to memory of 284	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	AeLrmUG.exe
PID 1408 wrote to memory of 1120	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	wRJQwBy.exe
PID 1408 wrote to memory of 1120	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	wRJQwBy.exe
PID 1408 wrote to memory of 1120	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	wRJQwBy.exe
PID 1408 wrote to memory of 676	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	lRCTyRx.exe
PID 1408 wrote to memory of 676	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	lRCTyRx.exe
PID 1408 wrote to memory of 676	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	lRCTyRx.exe
PID 1408 wrote to memory of 540	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	DcyQQyg.exe
PID 1408 wrote to memory of 540	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	DcyQQyg.exe
PID 1408 wrote to memory of 540	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	DcyQQyg.exe
PID 1408 wrote to memory of 1368	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	JbckZUC.exe
PID 1408 wrote to memory of 1368	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	JbckZUC.exe
PID 1408 wrote to memory of 1368	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	JbckZUC.exe
PID 1408 wrote to memory of 916	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	IdgzMfs.exe
PID 1408 wrote to memory of 916	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	IdgzMfs.exe
PID 1408 wrote to memory of 916	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	IdgzMfs.exe
PID 1408 wrote to memory of 960	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	IxQdhpb.exe
PID 1408 wrote to memory of 960	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	IxQdhpb.exe
PID 1408 wrote to memory of 960	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	IxQdhpb.exe
PID 1408 wrote to memory of 1196	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	jFhxXYn.exe
PID 1408 wrote to memory of 1196	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	jFhxXYn.exe
PID 1408 wrote to memory of 1196	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	jFhxXYn.exe
PID 1408 wrote to memory of 1932	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	OdNOSQj.exe
PID 1408 wrote to memory of 1932	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	OdNOSQj.exe
PID 1408 wrote to memory of 1932	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	OdNOSQj.exe
PID 1408 wrote to memory of 1916	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	SOZAUio.exe
PID 1408 wrote to memory of 1916	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	SOZAUio.exe
PID 1408 wrote to memory of 1916	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	SOZAUio.exe
PID 1408 wrote to memory of 1068	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	vvHiNRa.exe
PID 1408 wrote to memory of 1068	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	vvHiNRa.exe
PID 1408 wrote to memory of 1068	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	vvHiNRa.exe
PID 1408 wrote to memory of 1072	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	ksXRdnM.exe
PID 1408 wrote to memory of 1072	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	ksXRdnM.exe
PID 1408 wrote to memory of 1072	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	ksXRdnM.exe
PID 1408 wrote to memory of 1984	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	HVTZkiP.exe
PID 1408 wrote to memory of 1984	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	HVTZkiP.exe
PID 1408 wrote to memory of 1984	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	HVTZkiP.exe
PID 1408 wrote to memory of 1712	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	FDFtOUS.exe
PID 1408 wrote to memory of 1712	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	FDFtOUS.exe
PID 1408 wrote to memory of 1712	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	FDFtOUS.exe
PID 1408 wrote to memory of 1832	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	CHPnzfL.exe
PID 1408 wrote to memory of 1832	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	CHPnzfL.exe
PID 1408 wrote to memory of 1832	1408	810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe	CHPnzfL.exe

C:\Users\Admin\AppData\Local\Temp\810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe
"C:\Users\Admin\AppData\Local\Temp\810e88b5a8fdc28c9d3a617b3ff06a6f40f7a09e968010c03fa44d145f2a4da5.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\System\SBsGRxf.exe
C:\Windows\System\SBsGRxf.exe
2⤵
- Executes dropped EXE
PID:1440

C:\Windows\System\veGWLDz.exe
C:\Windows\System\veGWLDz.exe
2⤵
- Executes dropped EXE
PID:1520

C:\Windows\System\lPpiOob.exe
C:\Windows\System\lPpiOob.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\System\qIusWes.exe
C:\Windows\System\qIusWes.exe
2⤵
- Executes dropped EXE
PID:360

C:\Windows\System\AeLrmUG.exe
C:\Windows\System\AeLrmUG.exe
2⤵
- Executes dropped EXE
PID:284

C:\Windows\System\wRJQwBy.exe
C:\Windows\System\wRJQwBy.exe
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\System\lRCTyRx.exe
C:\Windows\System\lRCTyRx.exe
2⤵
- Executes dropped EXE
PID:676

C:\Windows\System\DcyQQyg.exe
C:\Windows\System\DcyQQyg.exe
2⤵
- Executes dropped EXE
PID:540

C:\Windows\System\JbckZUC.exe
C:\Windows\System\JbckZUC.exe
2⤵
- Executes dropped EXE
PID:1368

C:\Windows\System\IdgzMfs.exe
C:\Windows\System\IdgzMfs.exe
2⤵
- Executes dropped EXE
PID:916

C:\Windows\System\IxQdhpb.exe
C:\Windows\System\IxQdhpb.exe
2⤵
- Executes dropped EXE
PID:960

C:\Windows\System\jFhxXYn.exe
C:\Windows\System\jFhxXYn.exe
2⤵
- Executes dropped EXE
PID:1196

C:\Windows\System\OdNOSQj.exe
C:\Windows\System\OdNOSQj.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\SOZAUio.exe
C:\Windows\System\SOZAUio.exe
2⤵
- Executes dropped EXE
PID:1916

C:\Windows\System\vvHiNRa.exe
C:\Windows\System\vvHiNRa.exe
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\System\ksXRdnM.exe
C:\Windows\System\ksXRdnM.exe
2⤵
- Executes dropped EXE
PID:1072

C:\Windows\System\HVTZkiP.exe
C:\Windows\System\HVTZkiP.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\FDFtOUS.exe
C:\Windows\System\FDFtOUS.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\System\CHPnzfL.exe
C:\Windows\System\CHPnzfL.exe
2⤵
PID:1832

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AeLrmUG.exe
MD5
a99290a2063862fc07abc37a725a7384

SHA1
9661aa60185c2b4e2c2b3ea0dd75117d8f22d4ad

SHA256
a417f9720e37a5270c7f59fe2ef067dcec6418c3c820e11aa140ff1f05da8d69

SHA512
4bb2e7d4eb10476a262c537af5c6400cff07adc60874c57b922629780011483b1eb5009cec938cd4f91938b4eb34bf842b696bb53ca00bbfa3f8ec58cd3ba782

Download Submit
C:\Windows\system\DcyQQyg.exe
MD5
acbe917b28482ec4dac113f77f6ebd80

SHA1
65f85718b913d5e66aeec0be8cda5e030c5acc46

SHA256
6093b933f12872a60ab079b43f3ab77c6b3e21c2a7f49cfcd7014deb95e5af98

SHA512
fe275620d733cc7466e0d2d402c8cd0e9bb51c665cb0935f81814d3ee98bd643a7d6449d7d5edb6651d8c44627c213e2fb6f086a9da428fa62340583321c32db

Download Submit
C:\Windows\system\FDFtOUS.exe
MD5
6ef454d974e6e2060aa3ffd227f166ff

SHA1
c49f177b440e154cf990a465ec68a382d3fae410

SHA256
6bf574c3f8b314238504694215823d39452ac1da9fff11269abc7950122c8305

SHA512
4d8c2bcbee18976f18d5b3b91c88dc2ee6d67a82c17328f81febd7082d7ed9fef21f2b090f5a425d24ac4d4e31695ac5ac614874cbc421fabbe7c8f8a10fab97

Download Submit
C:\Windows\system\HVTZkiP.exe
MD5
b1c63445b20aa79baf661eea336bc476

SHA1
8384717ee286be8258bf9dfaffee2811af482f22

SHA256
c97a5c2ec9e3b50d0252c710126a47c652b73fd7c3aaa2f48ec127a92ccd8a1e

SHA512
539a821d9cdc0c3836ca2367ca79cea3db8c5f550ba0d93c68ff859ecee2b82c0589d1e548f4ed01ca52c66e1d6eabae8651702ffecee4ec2bf636de1347daf0

Download Submit
C:\Windows\system\IdgzMfs.exe
MD5
55ebc3f91b8a7bbdd16cb6565ed0855d

SHA1
87122c73c501a66258893f47d9476d047bde5784

SHA256
209f5a23538a734b803bb7824a8f0d08dcb517ff603651f8ad15eeb2c685dd43

SHA512
258ebae4df20184523abe590646456d520c74e2db7e8682e8fab04d3cdda6d51ed8e55eb9a95d991139ce65b416706a8bee46f8e5a7728cbf6d55ccf70e27695

Download Submit
C:\Windows\system\IxQdhpb.exe
MD5
1d7cd8fe6c8d76a4829f4f037aa7e948

SHA1
22937d8347b72d0bfc722786513c30b061229878

SHA256
b71867e3cc8fa6a40fdea38ab90d7590dee9d211a2fca9f9fff30af693923d8a

SHA512
169288dd7fbb7e3cf34768df5f19b15988d1caae8626bf861c5947401682347612710b598b851695b0afc4eaab9bf179929c63399170fe94ffe442f2d822fb61

Download Submit
C:\Windows\system\JbckZUC.exe
MD5
ba7a04452500e7d0bdfde75c446ddefa

SHA1
30796bc4b175efbfd69b00c9dec2ba25a0cdbcf2

SHA256
210c4053f6c96b2f88c5f499cc49fd18aa86c8758367ce2b405381d3a528eac9

SHA512
941623cddfe6b0f7aefeb89e66fdd63a1a2484df8cd19ccf145a067221b78a8f6b17c0760708d495065df08e332ce577b1cc9ba11cca5230b700535dea050ce3

Download Submit
C:\Windows\system\OdNOSQj.exe
MD5
fca86e87196e281a2160d5aca3355811

SHA1
f39dd02eff11ce7c88eee1ab7ce880928f5a2ea9

SHA256
978b1fcbdbfb76de11f7abd77736ee6a25d113ac5141d4eab31151e9ef8ec163

SHA512
a59787f14dbcb090c3eb2021706d1b9be7d5bf1c2d3e624069add5ac7eebac38c0abd1cf3b70adbca1224a65b8057dea56754e3e1f8ea4c9c032a31a630851cf

Download Submit
C:\Windows\system\SBsGRxf.exe
MD5
e45707f5066fcf3c6093a1bc1ef26c72

SHA1
00bce590c1823c3e3508198825a105e8b05cc108

SHA256
ce5a035a8b2d2655d3e0d2efbe1460bc913284c62b2c75c481b4152bf5640c1a

SHA512
9e6e645776684b4069ae7ecd74ba199d121db8f702efb35bffbfc3957fdc3a0b56c1b96b766f25246ad9202ff8f8826803536c0d1f0944a318d2892a5604bddb

Download Submit
C:\Windows\system\SOZAUio.exe
MD5
3ad7e18931e1f3d0c036a9be53069028

SHA1
12cb12419b34cb618cfe72a24d39c0d0b3e0e997

SHA256
7116fd7a8459cd8ca17f6087e03527beb9e9e142895ef5e7d98bf3553ca9bb54

SHA512
f5585f1837300ec65380b648db026ef91adfe95773a02b0199a8cc94664771d4ac9b6dd3176d00e6d1247107e7a730779803f06b17b1e9eafda1dbcca32cc806

Download Submit
C:\Windows\system\jFhxXYn.exe
MD5
ae6a0951efb07276e794af4f44bde29a

SHA1
53cac33c9ce747c499a8be7305d770221ce5c836

SHA256
9a3d276c8b777366eb4e55caec4d95f4aa235f690b9fcdfb45f1c2899dddce58

SHA512
c3d5dde7bab418bd9dfeafa2ca704b209c6f1dca15dd4366acf089116f13dcc96b4481e8fa518589921172dc70927924d9f07c0305b19169914d26a94937ae63

Download Submit
C:\Windows\system\ksXRdnM.exe
MD5
7a83d130e544767c495e81799217e45f

SHA1
8ce0e8400baa823addec3e276cff21222a650502

SHA256
467e3ff8eebffef16ae08238b6397a5928157552dcd066db7ed7ef1669548ce0

SHA512
f556938baa2f510e01711e80eb42598e0e2140eec8aa67b3e202846cd552af4002c64b3872acd36458c3307ccf902d895a74478aec93cb399875b227324fa8f9

Download Submit
C:\Windows\system\lPpiOob.exe
MD5
0c03ae9b419c216054194130bc8ba6e4

SHA1
627801340877ff798c4316ca88dc041a3e416b38

SHA256
addd5506d5eced1a9baaa1017d3d3928614a67b77b4009fb2ec4aa46636c77de

SHA512
c04486905c78de2764edac56a17f5b1b4b131db12b5b7c112880acfdbe28381c5bd0e94a885649ab6adb30583803a1a24713916639d226ccc679e61a1ad8eb07

Download Submit
C:\Windows\system\lRCTyRx.exe
MD5
6c1c99baf7c6bd1241dc732a6525a30e

SHA1
31c313586839b2c199de19c2488d57a76d5c8431

SHA256
85b3a2a39836e511758f2f3bca7eafb004caf6eb18ae3a97a76a375980f06403

SHA512
e91cac88c594a4ce7bfb00350511a20c8c1529ef19e09e6b76ccc29ffa989dc6fd22cd3a5b0dd2cae198c2382f18d751f309040fc0ecb29eb6372d0d8a3cb498

Download Submit
C:\Windows\system\qIusWes.exe
MD5
8821a978a6c89d45770736a55ef3a6b7

SHA1
3de69d3d30767d96da1324bb934c0b892fe027d3

SHA256
c9835836f2e0b9313adff44f0e7156ce6e832bc147beb4db2428f0d6f7ffee7e

SHA512
f8ab39746204bbb4e3ab16692fc447983c33b7a4d9a210f09c2289e50b91174ddbc0f576b01f1be38b5296f74af7cdf4ff14563363d05ae2489b76b2a16d4c56

Download Submit
C:\Windows\system\veGWLDz.exe
MD5
b6f1377f80e57136269c2459288e8d95

SHA1
30db0f593b346ffaafa15985792c9539a5c75907

SHA256
3361004ff32455b3a4ec922bd13efb3ef632ecd32b4410824cecbd5baf5a6534

SHA512
df698c9289b42d11b158195d5149dc47fb74241c56beac68db73b8f7ee564d503038d40a55cfd4ddad5aa6e04e7f926bcd2e2d9cdc0690cb073a220a7c6ecfa1

Download Submit
C:\Windows\system\vvHiNRa.exe
MD5
5dad72d9b6e75901521709c52f0cdfc4

SHA1
9aa68495b54ea7b776470c4e23a88383b8231e69

SHA256
a8a3d80447e991dc612cae44875717f51a1ee7115f1799ac89d9f84eeda440a2

SHA512
bc4823b128ee714d783b49d2161a6c74667c8a1e1cf1681031bb516459f0463914e88fe77bab13d81c2a74890665224d2bc30e23407279ac25d39e38bab95765

Download Submit
C:\Windows\system\wRJQwBy.exe
MD5
1d5d5a252964829978b830a7099abb4b

SHA1
5e00e7ffd2aa783e123eaf27e6767676b408f7da

SHA256
8ff4a83504f2a3ad5746257af7c0565c4e04d2f6c5e7b7defc1b0fd6f0a7c3bd

SHA512
cb6f0714af64c282a191839fe520e75ea857caa094c71502158c129ba35819eaa9fbcf6698bf5a707b20f4e263d2067cbadd64fb919b1a432bc73e653807f57c

Download Submit
\Windows\system\AeLrmUG.exe
MD5
9fec7c81ad4dcb422e16676f91752de5

SHA1
1f15db7686b29b7f0974efa5b0fd72662dd78d56

SHA256
a05abd5036c0c05cfe10a673fd9a02e712a19e8089671439a069c50a074b9702

SHA512
1a4910c0fe4396ea166bad2c40350127bbf38c8f058a7bea57cb54fae5fb766332c4d08ae28462b60be153b307226e704d800d8377c3ec7ed82f877dafcc2f0a

Download Submit
\Windows\system\CHPnzfL.exe
MD5
70044f214df282f146a0e395f45a18de

SHA1
ec1ee9f9952315dde527b70471a55850468a7a8b

SHA256
29e09978eebb17493c8ce9c79b603f69a2a0f75f9f6838e6f874420ca9e9d9b7

SHA512
604fce1694183ac96ee8d5428885eae9e9619ed9b60157f23d61dffae133145e3e4359e340c9c9be925013f0d22b31d927a83c4809338d746f14b701e13fd796

Download Submit
\Windows\system\DcyQQyg.exe
MD5
fa6ec6210a9c9e4ea30f69f9daba5289

SHA1
b70bde15e91a1387bafad8ba18eabecccb197c9f

SHA256
f38ac284f7436d43db76becb287564700d3a0e3bffa3d95dfbf90021a9f606f6

SHA512
a279d30b353afbbc6e9b9b9404de0a001b5584250e0af29a82ef19c285e2f70feac4bc2352d910db11ed0be6fd80af70d7566284938b7340bd88663562978557

Download Submit
\Windows\system\FDFtOUS.exe
MD5
b6b837c1b2bbc3b0d949bb93f6ce33f4

SHA1
68b628f268565ee8e685339c4b410a54c2505847

SHA256
9277b69d8402c8fba9eb6d0fb2153350df0ff46d79b309df04bfff6cf81c99ac

SHA512
c4450ad761466a16f42de01065c0043595d22ae251d2cacb412d1e9cfd227bcd829767a055e01e671f64b9d925e8133b4df3db02c13979c627959822ed7d8b38

Download Submit
\Windows\system\HVTZkiP.exe
MD5
00e9f7f678dd44d381c125f339b2768d

SHA1
ee099320a5528b3b97e32b9259b3cf2a85ddd812

SHA256
c00e6b026bbb0e9ce6a5ec1d4948329b30071f94e789e1ac42f2b7cf135110ea

SHA512
80d226d22b806542876efd64fdfbcf54d28b88e2f0ea61d8694d812de0a4bc2e035b6aacf2f6395f77e8e351ea5090829526b15537da5fee864291e415252cb6

Download Submit
\Windows\system\IdgzMfs.exe
MD5
dd1b0a805b90a45940185a8f4bf3f151

SHA1
0e3fb39e4c6665b98ae5d1fa700bbf6848294cee

SHA256
d10fa2ae4c128ece843463aa97a665134d9fa9dfceaa654c50f96d409ab7b34b

SHA512
18c3d66cc0b5beae67ddf76f052a08777d9199ff3ec8608ac251c4b50634f4fe51e717b76d093d0d6ebf3260745fae5c7bbcb864cb9e1564cba189ce64a13bf0

Download Submit
\Windows\system\IxQdhpb.exe
MD5
5444accaad3bd41a1f7a91215705cc2e

SHA1
262bb2590b4568d0822b39728882b58e8aa12832

SHA256
e76f564e65d537525998982a5c098ec6aa3c5e5c9eec1b8df657806638611aec

SHA512
6c924db316465c8e4481b5280566fe459a93c947f6972993c92bc8f077d48773a5a6a86ce9210167dc01eef92ab3a018cc6b572372ca71c0704960c65e7898fb

Download Submit
\Windows\system\JbckZUC.exe
MD5
872adc52c8ea7f12f15c64a5aa72da9d

SHA1
a9fd4a5c7c2ca12bc1918f14963a98d5c63a10c5

SHA256
9116e66b6f6ecedf11910b1182a8d9edb00c9478a45dcfc1946e56a0add7d4d1

SHA512
04efdd7dd8527c287b474f989a6b6e1826837d2aad33359f24a9254dec4e52fd5b967d39107560dfc21aaed6c56454545e9fbcb3611e0edfe16c06e300e6423d

Download Submit
\Windows\system\OdNOSQj.exe
MD5
705a908b9f61f016018c40a17c12cea4

SHA1
1a2e5969de43d9f306769584ec8ceab9e90c68ab

SHA256
c6d3dbc1d792423aed6d00fc7bf56530740930a3c90f44234f57a1bbd25cece9

SHA512
5c870f787a44ef0e113fbbec1c255dcccddfc6782be7c695f16ff327b19f93e2129b97fa26727eb0c17baedae5e4dfcc3c64194c8d67a6b7e10bc52b47d0791b

Download Submit
\Windows\system\SBsGRxf.exe
MD5
e45707f5066fcf3c6093a1bc1ef26c72

SHA1
00bce590c1823c3e3508198825a105e8b05cc108

SHA256
ce5a035a8b2d2655d3e0d2efbe1460bc913284c62b2c75c481b4152bf5640c1a

SHA512
9e6e645776684b4069ae7ecd74ba199d121db8f702efb35bffbfc3957fdc3a0b56c1b96b766f25246ad9202ff8f8826803536c0d1f0944a318d2892a5604bddb

Download Submit
\Windows\system\SOZAUio.exe
MD5
da1b0637c3f6c1a5938f2f0bd02090b3

SHA1
11c2f639cbca773393eeaa9c3c1710a4a2edd454

SHA256
b3ca7b1b15bf797befc3ba25357919eabe8faa2c6eebeaa73deed1aef2bde968

SHA512
fbdc94815205957429ae9cc57572d3a4e59ba6488d622c2d021c7e32f7c86afa1bf69638f7815f5d58993b1aa5926ca7b0ecaffb70c86331a8f7b3b174c4d3f7

Download Submit
\Windows\system\jFhxXYn.exe
MD5
4dd9894f06617e61cf0eb47b91cd06b5

SHA1
0afc88ebbba2b9f0c2679d6c02e1985110728785

SHA256
988de53d900cdc3388691ead3599c1c02c741e1fecd02633dd69c747e318bb09

SHA512
c961a674f9cb2fa368e88d828d1274b6aa944ac44186ab9e14179b0186c729f635c635475c6b471bd527a9e7ad529935d3a94204b49401b6a18021ae1d79ae79

Download Submit
\Windows\system\ksXRdnM.exe
MD5
2e44725441f8e71ce50224e46d56321f

SHA1
f6d1fddddf151c06a11e11824b7a0bcc8532a50d

SHA256
902eecde43e7580a9317732b8f301e8b9540158b23895bb8b9db0fdbe47fdb3d

SHA512
f88d6402c6ecd4e531a18572c731c585831c0b7ceb5b884abe2a4481951b7aacd76d354cae376a3672c13c96fb81f61a01b6074f3f98c1a8be1f03c88dc4f554

Download Submit
\Windows\system\lPpiOob.exe
MD5
0c03ae9b419c216054194130bc8ba6e4

SHA1
627801340877ff798c4316ca88dc041a3e416b38

SHA256
addd5506d5eced1a9baaa1017d3d3928614a67b77b4009fb2ec4aa46636c77de

SHA512
c04486905c78de2764edac56a17f5b1b4b131db12b5b7c112880acfdbe28381c5bd0e94a885649ab6adb30583803a1a24713916639d226ccc679e61a1ad8eb07

Download Submit
\Windows\system\lRCTyRx.exe
MD5
ac8a28a16fa36b9f25c5048479488fbc

SHA1
6f85f6dbafc000581cd1028cc4b67e42bfcd12a6

SHA256
747c87d4f0c66da8b32a3a22a9c72be4e51f0a41c164d0bc7d3a878536bc6862

SHA512
63868b0c90dcd3bbb6d0392db393242a16ae5a5375e80604679a2c036db0b933a1b6f16b510253d0d70ca1a4b81567b2e460d84effaad9524d520087e7ec783e

Download Submit
\Windows\system\qIusWes.exe
MD5
5819b1c3109aee2fa8899f997e075041

SHA1
f5fd02b41d0b2ac5166b5e33ed2b24138441fa92

SHA256
61f9244216971f51f2ba57739a33be773ae023df9cfada09c144b42ad7f0a507

SHA512
bcc2b3b0b7aa1f5ead760ae7032261f543a3e82f3d6f68c83f3f201a52e5a5d6b9d6a03057bec51173eeb10f096b2f5db879cc39e5eff02ae6a158d92dfc41f8

Download Submit
\Windows\system\veGWLDz.exe
MD5
b6f1377f80e57136269c2459288e8d95

SHA1
30db0f593b346ffaafa15985792c9539a5c75907

SHA256
3361004ff32455b3a4ec922bd13efb3ef632ecd32b4410824cecbd5baf5a6534

SHA512
df698c9289b42d11b158195d5149dc47fb74241c56beac68db73b8f7ee564d503038d40a55cfd4ddad5aa6e04e7f926bcd2e2d9cdc0690cb073a220a7c6ecfa1

Download Submit
\Windows\system\vvHiNRa.exe
MD5
a5dfaab6ab3e933f43d64d965447e697

SHA1
f84abfcc71681aae32ae4062e58a7069f18f8043

SHA256
6040261b3a95cfd8a8371d856cdfd2b0c66c1927995ad0cfde2aadad5744603c

SHA512
6215e52bd6a8992a4be0641c4dc6db3f8bb6ed8e92ce53a2a96ca31ded055958f4e0b47c1d1ce92b6adac292e0ab5d91107ec962b41ec67d49f2349e9fa59893

Download Submit
\Windows\system\wRJQwBy.exe
MD5
1d5d5a252964829978b830a7099abb4b

SHA1
5e00e7ffd2aa783e123eaf27e6767676b408f7da

SHA256
8ff4a83504f2a3ad5746257af7c0565c4e04d2f6c5e7b7defc1b0fd6f0a7c3bd

SHA512
cb6f0714af64c282a191839fe520e75ea857caa094c71502158c129ba35819eaa9fbcf6698bf5a707b20f4e263d2067cbadd64fb919b1a432bc73e653807f57c

Download Submit
memory/284-13-0x0000000000000000-mapping.dmp

Download
memory/360-10-0x0000000000000000-mapping.dmp

Download
memory/540-22-0x0000000000000000-mapping.dmp

Download
memory/676-19-0x0000000000000000-mapping.dmp

Download
memory/916-28-0x0000000000000000-mapping.dmp

Download
memory/960-31-0x0000000000000000-mapping.dmp

Download
memory/1068-42-0x0000000000000000-mapping.dmp

Download
memory/1072-46-0x0000000000000000-mapping.dmp

Download
memory/1120-15-0x0000000000000000-mapping.dmp

Download
memory/1196-34-0x0000000000000000-mapping.dmp

Download
memory/1368-25-0x0000000000000000-mapping.dmp

Download
memory/1440-1-0x0000000000000000-mapping.dmp

Download
memory/1520-4-0x0000000000000000-mapping.dmp

Download
memory/1712-52-0x0000000000000000-mapping.dmp

Download
memory/1832-55-0x0000000000000000-mapping.dmp

Download
memory/1916-40-0x0000000000000000-mapping.dmp

Download
memory/1932-37-0x0000000000000000-mapping.dmp

Download
memory/1972-7-0x0000000000000000-mapping.dmp

Download
memory/1984-49-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads