cobaltstrike | 4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444

Analysis

max time kernel
102s
max time network
104s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
Size

5.9MB
MD5

b15b737b05e2de3d2918ad47cc6e1ecd
SHA1

56bc83fa073d3fd15f850fe29c29c094545e42e1
SHA256

4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444
SHA512

035ddd522087d9b15499f61d34d4594934ac97e69886f30f4273e36701af24d2b6c8d94d2a349f12944e6fcdcc40f73b2e2de7425b145c686e6d775404cd489c

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 35 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\RRlwYop.exe	cobalt_reflective_dll
C:\Windows\system\RRlwYop.exe	cobalt_reflective_dll
\Windows\system\Xwqsvml.exe	cobalt_reflective_dll
C:\Windows\system\Xwqsvml.exe	cobalt_reflective_dll
\Windows\system\ziCtTqO.exe	cobalt_reflective_dll
C:\Windows\system\ziCtTqO.exe	cobalt_reflective_dll
\Windows\system\VsGmIrV.exe	cobalt_reflective_dll
C:\Windows\system\VsGmIrV.exe	cobalt_reflective_dll
\Windows\system\CbPnnEI.exe	cobalt_reflective_dll
C:\Windows\system\CbPnnEI.exe	cobalt_reflective_dll
\Windows\system\TYEFsMU.exe	cobalt_reflective_dll
C:\Windows\system\TYEFsMU.exe	cobalt_reflective_dll
\Windows\system\XRKRrRk.exe	cobalt_reflective_dll
C:\Windows\system\XRKRrRk.exe	cobalt_reflective_dll
\Windows\system\rIEqGdA.exe	cobalt_reflective_dll
C:\Windows\system\rIEqGdA.exe	cobalt_reflective_dll
\Windows\system\bCKCfaH.exe	cobalt_reflective_dll
C:\Windows\system\bCKCfaH.exe	cobalt_reflective_dll
\Windows\system\oGqOamt.exe	cobalt_reflective_dll
C:\Windows\system\oGqOamt.exe	cobalt_reflective_dll
\Windows\system\iciZFSS.exe	cobalt_reflective_dll
C:\Windows\system\iciZFSS.exe	cobalt_reflective_dll
\Windows\system\oKASEqa.exe	cobalt_reflective_dll
C:\Windows\system\oKASEqa.exe	cobalt_reflective_dll
\Windows\system\zzBfjCM.exe	cobalt_reflective_dll
C:\Windows\system\zzBfjCM.exe	cobalt_reflective_dll
\Windows\system\HdAayFF.exe	cobalt_reflective_dll
C:\Windows\system\HdAayFF.exe	cobalt_reflective_dll
\Windows\system\MNLzhbB.exe	cobalt_reflective_dll
C:\Windows\system\MNLzhbB.exe	cobalt_reflective_dll
\Windows\system\bVgUdBX.exe	cobalt_reflective_dll
C:\Windows\system\bVgUdBX.exe	cobalt_reflective_dll
C:\Windows\system\cybYWYl.exe	cobalt_reflective_dll
\Windows\system\cybYWYl.exe	cobalt_reflective_dll
\Windows\system\ohJwpdt.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 17 IoCs

Processes:

RRlwYop.exeXwqsvml.exeziCtTqO.exeVsGmIrV.exeCbPnnEI.exeTYEFsMU.exeXRKRrRk.exerIEqGdA.exebCKCfaH.exeoGqOamt.exeiciZFSS.exeoKASEqa.exezzBfjCM.exeHdAayFF.exeMNLzhbB.exebVgUdBX.execybYWYl.exe

pid	process
1504	RRlwYop.exe
1112	Xwqsvml.exe
1212	ziCtTqO.exe
1376	VsGmIrV.exe
2032	CbPnnEI.exe
1960	TYEFsMU.exe
668	XRKRrRk.exe
1808	rIEqGdA.exe
1748	bCKCfaH.exe
1792	oGqOamt.exe
1736	iciZFSS.exe
980	oKASEqa.exe
1220	zzBfjCM.exe
1432	HdAayFF.exe
1620	MNLzhbB.exe
1728	bVgUdBX.exe
1624	cybYWYl.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\RRlwYop.exe	upx
C:\Windows\system\RRlwYop.exe	upx
\Windows\system\Xwqsvml.exe	upx
C:\Windows\system\Xwqsvml.exe	upx
\Windows\system\ziCtTqO.exe	upx
C:\Windows\system\ziCtTqO.exe	upx
\Windows\system\VsGmIrV.exe	upx
C:\Windows\system\VsGmIrV.exe	upx
\Windows\system\CbPnnEI.exe	upx
C:\Windows\system\CbPnnEI.exe	upx
\Windows\system\TYEFsMU.exe	upx
C:\Windows\system\TYEFsMU.exe	upx
\Windows\system\XRKRrRk.exe	upx
C:\Windows\system\XRKRrRk.exe	upx
\Windows\system\rIEqGdA.exe	upx
C:\Windows\system\rIEqGdA.exe	upx
\Windows\system\bCKCfaH.exe	upx
C:\Windows\system\bCKCfaH.exe	upx
\Windows\system\oGqOamt.exe	upx
C:\Windows\system\oGqOamt.exe	upx
\Windows\system\iciZFSS.exe	upx
C:\Windows\system\iciZFSS.exe	upx
\Windows\system\oKASEqa.exe	upx
C:\Windows\system\oKASEqa.exe	upx
\Windows\system\zzBfjCM.exe	upx
C:\Windows\system\zzBfjCM.exe	upx
\Windows\system\HdAayFF.exe	upx
C:\Windows\system\HdAayFF.exe	upx
\Windows\system\MNLzhbB.exe	upx
C:\Windows\system\MNLzhbB.exe	upx
\Windows\system\bVgUdBX.exe	upx
C:\Windows\system\bVgUdBX.exe	upx
C:\Windows\system\cybYWYl.exe	upx
\Windows\system\cybYWYl.exe	upx
\Windows\system\ohJwpdt.exe	upx

Loads dropped DLL 18 IoCs

Processes:

4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe

pid	process
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe

JavaScript code in executable 35 IoCs

Processes:

resource	yara_rule
\Windows\system\RRlwYop.exe	js
C:\Windows\system\RRlwYop.exe	js
\Windows\system\Xwqsvml.exe	js
C:\Windows\system\Xwqsvml.exe	js
\Windows\system\ziCtTqO.exe	js
C:\Windows\system\ziCtTqO.exe	js
\Windows\system\VsGmIrV.exe	js
C:\Windows\system\VsGmIrV.exe	js
\Windows\system\CbPnnEI.exe	js
C:\Windows\system\CbPnnEI.exe	js
\Windows\system\TYEFsMU.exe	js
C:\Windows\system\TYEFsMU.exe	js
\Windows\system\XRKRrRk.exe	js
C:\Windows\system\XRKRrRk.exe	js
\Windows\system\rIEqGdA.exe	js
C:\Windows\system\rIEqGdA.exe	js
\Windows\system\bCKCfaH.exe	js
C:\Windows\system\bCKCfaH.exe	js
\Windows\system\oGqOamt.exe	js
C:\Windows\system\oGqOamt.exe	js
\Windows\system\iciZFSS.exe	js
C:\Windows\system\iciZFSS.exe	js
\Windows\system\oKASEqa.exe	js
C:\Windows\system\oKASEqa.exe	js
\Windows\system\zzBfjCM.exe	js
C:\Windows\system\zzBfjCM.exe	js
\Windows\system\HdAayFF.exe	js
C:\Windows\system\HdAayFF.exe	js
\Windows\system\MNLzhbB.exe	js
C:\Windows\system\MNLzhbB.exe	js
\Windows\system\bVgUdBX.exe	js
C:\Windows\system\bVgUdBX.exe	js
C:\Windows\system\cybYWYl.exe	js
\Windows\system\cybYWYl.exe	js
\Windows\system\ohJwpdt.exe	js

Drops file in Windows directory 18 IoCs

Processes:

4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe

description	ioc	process
File created	C:\Windows\System\oKASEqa.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\MNLzhbB.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\RRlwYop.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\Xwqsvml.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\VsGmIrV.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\CbPnnEI.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\TYEFsMU.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\oGqOamt.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\bVgUdBX.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\ohJwpdt.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\ziCtTqO.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\XRKRrRk.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\rIEqGdA.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\bCKCfaH.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\zzBfjCM.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\iciZFSS.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\HdAayFF.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
File created	C:\Windows\System\cybYWYl.exe	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe

description	pid	process	target process
PID 1688 wrote to memory of 1504	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	RRlwYop.exe
PID 1688 wrote to memory of 1504	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	RRlwYop.exe
PID 1688 wrote to memory of 1504	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	RRlwYop.exe
PID 1688 wrote to memory of 1112	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	Xwqsvml.exe
PID 1688 wrote to memory of 1112	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	Xwqsvml.exe
PID 1688 wrote to memory of 1112	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	Xwqsvml.exe
PID 1688 wrote to memory of 1212	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	ziCtTqO.exe
PID 1688 wrote to memory of 1212	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	ziCtTqO.exe
PID 1688 wrote to memory of 1212	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	ziCtTqO.exe
PID 1688 wrote to memory of 1376	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	VsGmIrV.exe
PID 1688 wrote to memory of 1376	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	VsGmIrV.exe
PID 1688 wrote to memory of 1376	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	VsGmIrV.exe
PID 1688 wrote to memory of 2032	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	CbPnnEI.exe
PID 1688 wrote to memory of 2032	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	CbPnnEI.exe
PID 1688 wrote to memory of 2032	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	CbPnnEI.exe
PID 1688 wrote to memory of 1960	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	TYEFsMU.exe
PID 1688 wrote to memory of 1960	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	TYEFsMU.exe
PID 1688 wrote to memory of 1960	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	TYEFsMU.exe
PID 1688 wrote to memory of 668	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	XRKRrRk.exe
PID 1688 wrote to memory of 668	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	XRKRrRk.exe
PID 1688 wrote to memory of 668	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	XRKRrRk.exe
PID 1688 wrote to memory of 1808	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	rIEqGdA.exe
PID 1688 wrote to memory of 1808	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	rIEqGdA.exe
PID 1688 wrote to memory of 1808	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	rIEqGdA.exe
PID 1688 wrote to memory of 1748	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	bCKCfaH.exe
PID 1688 wrote to memory of 1748	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	bCKCfaH.exe
PID 1688 wrote to memory of 1748	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	bCKCfaH.exe
PID 1688 wrote to memory of 1792	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	oGqOamt.exe
PID 1688 wrote to memory of 1792	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	oGqOamt.exe
PID 1688 wrote to memory of 1792	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	oGqOamt.exe
PID 1688 wrote to memory of 1736	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	iciZFSS.exe
PID 1688 wrote to memory of 1736	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	iciZFSS.exe
PID 1688 wrote to memory of 1736	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	iciZFSS.exe
PID 1688 wrote to memory of 980	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	oKASEqa.exe
PID 1688 wrote to memory of 980	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	oKASEqa.exe
PID 1688 wrote to memory of 980	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	oKASEqa.exe
PID 1688 wrote to memory of 1220	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	zzBfjCM.exe
PID 1688 wrote to memory of 1220	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	zzBfjCM.exe
PID 1688 wrote to memory of 1220	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	zzBfjCM.exe
PID 1688 wrote to memory of 1432	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	HdAayFF.exe
PID 1688 wrote to memory of 1432	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	HdAayFF.exe
PID 1688 wrote to memory of 1432	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	HdAayFF.exe
PID 1688 wrote to memory of 1620	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	MNLzhbB.exe
PID 1688 wrote to memory of 1620	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	MNLzhbB.exe
PID 1688 wrote to memory of 1620	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	MNLzhbB.exe
PID 1688 wrote to memory of 1728	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	bVgUdBX.exe
PID 1688 wrote to memory of 1728	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	bVgUdBX.exe
PID 1688 wrote to memory of 1728	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	bVgUdBX.exe
PID 1688 wrote to memory of 1624	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	cybYWYl.exe
PID 1688 wrote to memory of 1624	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	cybYWYl.exe
PID 1688 wrote to memory of 1624	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	cybYWYl.exe
PID 1688 wrote to memory of 1036	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	ohJwpdt.exe
PID 1688 wrote to memory of 1036	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	ohJwpdt.exe
PID 1688 wrote to memory of 1036	1688	4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe	ohJwpdt.exe

C:\Users\Admin\AppData\Local\Temp\4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe
"C:\Users\Admin\AppData\Local\Temp\4d71680d49f755936d9e08b7893cb0122411318712eb19bd7be5db7664c9e444.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System\RRlwYop.exe
C:\Windows\System\RRlwYop.exe
2⤵
- Executes dropped EXE
PID:1504

C:\Windows\System\Xwqsvml.exe
C:\Windows\System\Xwqsvml.exe
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\System\ziCtTqO.exe
C:\Windows\System\ziCtTqO.exe
2⤵
- Executes dropped EXE
PID:1212

C:\Windows\System\VsGmIrV.exe
C:\Windows\System\VsGmIrV.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System\CbPnnEI.exe
C:\Windows\System\CbPnnEI.exe
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\System\TYEFsMU.exe
C:\Windows\System\TYEFsMU.exe
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\System\XRKRrRk.exe
C:\Windows\System\XRKRrRk.exe
2⤵
- Executes dropped EXE
PID:668

C:\Windows\System\rIEqGdA.exe
C:\Windows\System\rIEqGdA.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\bCKCfaH.exe
C:\Windows\System\bCKCfaH.exe
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\System\oGqOamt.exe
C:\Windows\System\oGqOamt.exe
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\System\iciZFSS.exe
C:\Windows\System\iciZFSS.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\System\oKASEqa.exe
C:\Windows\System\oKASEqa.exe
2⤵
- Executes dropped EXE
PID:980

C:\Windows\System\zzBfjCM.exe
C:\Windows\System\zzBfjCM.exe
2⤵
- Executes dropped EXE
PID:1220

C:\Windows\System\HdAayFF.exe
C:\Windows\System\HdAayFF.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\System\MNLzhbB.exe
C:\Windows\System\MNLzhbB.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\System\bVgUdBX.exe
C:\Windows\System\bVgUdBX.exe
2⤵
- Executes dropped EXE
PID:1728

C:\Windows\System\cybYWYl.exe
C:\Windows\System\cybYWYl.exe
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\System\ohJwpdt.exe
C:\Windows\System\ohJwpdt.exe
2⤵
PID:1036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CbPnnEI.exe

MD5
ba8776cc21afbba3897a124a4173f536

SHA1
3a74f6009892e39ba8a86ef0df55a3fb89057043

SHA256
ca15717239e7f35b81ac6f4d056a6dcb73040999427723c6a5830a9470467b81

SHA512
57c9633ac481f14f6e1fdce4560fb17d391c5541d6af04be86fa2b21356bcc4684d02bfb5993313f86f90ccbc43e5f91e6efd47e4f61fd7febcf3ed43ae706df

Download Submit
C:\Windows\system\HdAayFF.exe

MD5
c9112c02f10ef90b51f500292c432148

SHA1
adf519e8e6725ed7e449f754d1443c410220dc2a

SHA256
9beab6a957519dfdf7732070cf8af7183ccc272ef82b787b85fb307f851e1a3f

SHA512
0d35a07a256a1dd0e7e932f0eee2705275d7e795c8cc81b529f274283f7e9deeffcea70ad0760880970a433ba36f2057f691c06869c707b9faf6d101d2e47175

Download Submit
C:\Windows\system\MNLzhbB.exe

MD5
b8430937b513390e4d3d07caf83531ca

SHA1
7c87a71e82c3a01f5ee5ab4e8eadb97fdb04d05a

SHA256
ec13a3547cebfa6948dda1ac846acfa70cbb395c4d54b419b5cdb506cbbe1a94

SHA512
4f75f6db6fdecd2836e54f3551b839118cacd83bd053938054812ca34e2369d72c08f92479f1fe9dddc489ca6f8456ddc194b3641280a738f6ca368f57bb64b6

Download Submit
C:\Windows\system\RRlwYop.exe

MD5
ff8e3e77960986e25d25986905c5c385

SHA1
f6d08a95e3aa66e986ee1766bfaa0f291c0c7487

SHA256
7ecd738f1314b750f2ac20aa9ed5b011fd2338338e1792448abe77c2b897e6b7

SHA512
65d3ee235f1b2aaf2d0c54fef0f1044b81869433be9996050ec8f20f07c38b6fc4609b6a950c4cd7f82d41a6cced5ba75b27acca41bcde1b2cc0c8232f9beebf

Download Submit
C:\Windows\system\TYEFsMU.exe

MD5
eaad76e30c1cadc18e0783d7952efefd

SHA1
a4533aafef8777a762f255ae29a7b8474e5b52f5

SHA256
124b53897ed04634605f6d4521936a5c029750880d279eed033c821f80c48cfb

SHA512
e69115c97a7f6a80c05cee6ac500452b8006d62220cce7726bf7a268fa5e60824a5807e7ebce9c3a851a6cc17ac2cec5d960c61cc03f58f666da076e65106c13

Download Submit
C:\Windows\system\VsGmIrV.exe

MD5
399fc5eb2c2c6a1ca64d1a9b3923b12b

SHA1
67e5425b90c01e279b16cb466ddd861d038ffc1b

SHA256
c51c285d4769130715461f2bf8862daccde64cfb199df585bf10dfb4c5314cee

SHA512
78af1a17fc66bab91b7dc46030064ae38e067a79f5bf592a236af2e78d8497ca042b30afbc30f4d3a8094c7515d9326f3752399ba1c4a899eadee2511e04bee2

Download Submit
C:\Windows\system\XRKRrRk.exe

MD5
f90e482739c8ffc018300ff0156b5e2b

SHA1
d531fb9da6d5cf641207616323c8486fee8b1e7d

SHA256
17563315a760cada03b1628b8468e4a45081f29b8fbe2721b91fa59f2fe7eb6b

SHA512
4ed5cc738794d0e8fc4dd8489e97ec0c68b90b06ab71ed80db64384d5daaddf59f9f8306408b2eefc3eb3c3e495f0055da191644afd29cf5b810bcd1f8df4a85

Download Submit
C:\Windows\system\Xwqsvml.exe

MD5
d06fbcac54724c026f7f6c67394dd536

SHA1
5cc7b4e91356247286c335534db71e0fff02f248

SHA256
b9f772643dcbf41b4b1b7ef81698ed1a092905a363f85861f90703f0d8b4bd11

SHA512
5e353c3d3f64b38317f2272fc7ed594d5c6c3d2dedf7a313b07aef5d05e05a4c877d692bdcc8ffb7f8a18cd901d58ba3ffe64713e0a2907b370f29411ddba01c

Download Submit
C:\Windows\system\bCKCfaH.exe

MD5
adadb4279873a6112707d5ba2ad321dd

SHA1
0bbd2e181001d371aed5ee1ea6a609712cee9b11

SHA256
66f10cadb33c7bbbaeafe2e23353f6aae1660236b626e50db04995165e575d28

SHA512
9f728db6e7272d4c1c34c150f5e7ac53e4deba18de7c7722794995308075825b4b396c3a261fdc354cc7fff54f995b0294b94ba17c05d1669470a4b3c0ed8bc2

Download Submit
C:\Windows\system\bVgUdBX.exe

MD5
708dfdc673409cc6ca0e9d2deec0661f

SHA1
e9d8a1cc12577fd4d749abe6abc8b7b9216c8c37

SHA256
11a241ed37bae64368f30b6993c0a5196ffd7ebfd8daef008a9f6dada06a6f01

SHA512
3d6ef1459a45a2e873cbdf987bad17f385554f45add01beed1fcf814438ca3ab181c757fc747c8e0b4b313537eef66289ab937459df9f95844a62d8442915fa6

Download Submit
C:\Windows\system\cybYWYl.exe

MD5
62b6086b768af64bda907bb754928af9

SHA1
7357369d3b4e4c5681ab02705f32eef442826a9d

SHA256
c1f14ff2af26e17d4774af3f2e07c6c9fac3808d6cdb6b9cf35a7f01a55aaad3

SHA512
1013a2170bb9af0891f3e0a885c0c2e6ba2cad00f67a3d86a1129beb7235098d9693e7784061f3cc5a75634929355b4886246234790cdfa3d7299445a0448c5d

Download Submit
C:\Windows\system\iciZFSS.exe

MD5
dacbe7e823ea1a6248a38054098c6724

SHA1
2262cd93a9212d9b555ffb245fd51fb1827481a0

SHA256
3ff207762563233af7736922f14d3e367cccba066f93b5ba1cdef5fe911aa895

SHA512
316d26f39d8671bd7ade86c5d5a0d7daf8377ee73887ee1e4737abf87ebe38b71e2c646c5793c3407aa8e6ab3163267a98ad71b22f8ec119aaf1e87e4ccd1155

Download Submit
C:\Windows\system\oGqOamt.exe

MD5
55cce2c05657e587511f94f2210e4569

SHA1
49da62533cda1692a14bb3a1fde2c1945350a19f

SHA256
3a15580b94c80720f84f4f0446174330ec6fc7a1f5537bdcc5cf8ec0a050ce40

SHA512
bbaec4d0b2e4ac30d0eda9afd6fed877f114232f64f75caac83d0c60f6d9a501821380ff30f0152af73aec7b37d17fb90cf4113bb71a28d4106f1a98bbf7f76f

Download Submit
C:\Windows\system\oKASEqa.exe

MD5
a2297ab83bf1aff784896a9379b67e6e

SHA1
46908c0ed41fef45bb1c2c59e48d063758cf4b04

SHA256
607e9069d026aef224dee8ff98c8fd7760252f03e646e05d60edb47a13bca79c

SHA512
c8989ba930fab1fc359143b7e0d08a017684ddb16667ecbd1c02000faf406af6da882edf14e58e6c1ae06b4872297b597e235def5430f2882fc5c93a0d4b9422

Download Submit
C:\Windows\system\rIEqGdA.exe

MD5
16a804247257a4d3f213a5075d027491

SHA1
b423423e313753b9f0b02c651e1e6611bc307753

SHA256
d42eb30f84da37013dd843d581282e3449b2e08d800c272bc587633d1fb9085e

SHA512
fd4355152e1be604548b2dd8aa73f135e69ac7675f0df696d5384acd148b7026f4e9c75cf66bb90a9b4772cb55bc9ece63cbab16d3f155ed7368c64b8bf61f8b

Download Submit
C:\Windows\system\ziCtTqO.exe

MD5
f3022b1b09f6488a6fc4aa6e5f69d67f

SHA1
7999dec2070a58ad252b5bfc9249dda2eecc4a90

SHA256
683325807c9fc5a793c14f00fc493542842532d9e5e38e17063a49159c1dfa45

SHA512
43e18142b97fb70f31c74afbd585134fb622d7aaf9cd38d723dc0367e91fe8f93769712cbbb7297e05713c9acd92014bfe34ff6054365a89b32c8b0cd9c17ccd

Download Submit
C:\Windows\system\zzBfjCM.exe

MD5
90189e2119bbd6b04c419cd4c0fbf3aa

SHA1
9e124a1d0925a8894f0b085c726b99e68e4d4ce6

SHA256
5855879537fbcef710b64550f475d5e75660d3bf5fcd2f76a80f04500346ec1b

SHA512
be8870695910ea5ae09e8babb185d072701cf3ca75b2d6e146eaf5b2679509a4d22afc9f8987dab854063426248bf909878640435037347d492c0290f2c505ba

Download Submit
\Windows\system\CbPnnEI.exe

MD5
ba8776cc21afbba3897a124a4173f536

SHA1
3a74f6009892e39ba8a86ef0df55a3fb89057043

SHA256
ca15717239e7f35b81ac6f4d056a6dcb73040999427723c6a5830a9470467b81

SHA512
57c9633ac481f14f6e1fdce4560fb17d391c5541d6af04be86fa2b21356bcc4684d02bfb5993313f86f90ccbc43e5f91e6efd47e4f61fd7febcf3ed43ae706df

Download Submit
\Windows\system\HdAayFF.exe

MD5
c9112c02f10ef90b51f500292c432148

SHA1
adf519e8e6725ed7e449f754d1443c410220dc2a

SHA256
9beab6a957519dfdf7732070cf8af7183ccc272ef82b787b85fb307f851e1a3f

SHA512
0d35a07a256a1dd0e7e932f0eee2705275d7e795c8cc81b529f274283f7e9deeffcea70ad0760880970a433ba36f2057f691c06869c707b9faf6d101d2e47175

Download Submit
\Windows\system\MNLzhbB.exe

MD5
b8430937b513390e4d3d07caf83531ca

SHA1
7c87a71e82c3a01f5ee5ab4e8eadb97fdb04d05a

SHA256
ec13a3547cebfa6948dda1ac846acfa70cbb395c4d54b419b5cdb506cbbe1a94

SHA512
4f75f6db6fdecd2836e54f3551b839118cacd83bd053938054812ca34e2369d72c08f92479f1fe9dddc489ca6f8456ddc194b3641280a738f6ca368f57bb64b6

Download Submit
\Windows\system\RRlwYop.exe

MD5
ff8e3e77960986e25d25986905c5c385

SHA1
f6d08a95e3aa66e986ee1766bfaa0f291c0c7487

SHA256
7ecd738f1314b750f2ac20aa9ed5b011fd2338338e1792448abe77c2b897e6b7

SHA512
65d3ee235f1b2aaf2d0c54fef0f1044b81869433be9996050ec8f20f07c38b6fc4609b6a950c4cd7f82d41a6cced5ba75b27acca41bcde1b2cc0c8232f9beebf

Download Submit
\Windows\system\TYEFsMU.exe

MD5
eaad76e30c1cadc18e0783d7952efefd

SHA1
a4533aafef8777a762f255ae29a7b8474e5b52f5

SHA256
124b53897ed04634605f6d4521936a5c029750880d279eed033c821f80c48cfb

SHA512
e69115c97a7f6a80c05cee6ac500452b8006d62220cce7726bf7a268fa5e60824a5807e7ebce9c3a851a6cc17ac2cec5d960c61cc03f58f666da076e65106c13

Download Submit
\Windows\system\VsGmIrV.exe

MD5
399fc5eb2c2c6a1ca64d1a9b3923b12b

SHA1
67e5425b90c01e279b16cb466ddd861d038ffc1b

SHA256
c51c285d4769130715461f2bf8862daccde64cfb199df585bf10dfb4c5314cee

SHA512
78af1a17fc66bab91b7dc46030064ae38e067a79f5bf592a236af2e78d8497ca042b30afbc30f4d3a8094c7515d9326f3752399ba1c4a899eadee2511e04bee2

Download Submit
\Windows\system\XRKRrRk.exe

MD5
f90e482739c8ffc018300ff0156b5e2b

SHA1
d531fb9da6d5cf641207616323c8486fee8b1e7d

SHA256
17563315a760cada03b1628b8468e4a45081f29b8fbe2721b91fa59f2fe7eb6b

SHA512
4ed5cc738794d0e8fc4dd8489e97ec0c68b90b06ab71ed80db64384d5daaddf59f9f8306408b2eefc3eb3c3e495f0055da191644afd29cf5b810bcd1f8df4a85

Download Submit
\Windows\system\Xwqsvml.exe

MD5
d06fbcac54724c026f7f6c67394dd536

SHA1
5cc7b4e91356247286c335534db71e0fff02f248

SHA256
b9f772643dcbf41b4b1b7ef81698ed1a092905a363f85861f90703f0d8b4bd11

SHA512
5e353c3d3f64b38317f2272fc7ed594d5c6c3d2dedf7a313b07aef5d05e05a4c877d692bdcc8ffb7f8a18cd901d58ba3ffe64713e0a2907b370f29411ddba01c

Download Submit
\Windows\system\bCKCfaH.exe

MD5
adadb4279873a6112707d5ba2ad321dd

SHA1
0bbd2e181001d371aed5ee1ea6a609712cee9b11

SHA256
66f10cadb33c7bbbaeafe2e23353f6aae1660236b626e50db04995165e575d28

SHA512
9f728db6e7272d4c1c34c150f5e7ac53e4deba18de7c7722794995308075825b4b396c3a261fdc354cc7fff54f995b0294b94ba17c05d1669470a4b3c0ed8bc2

Download Submit
\Windows\system\bVgUdBX.exe

MD5
708dfdc673409cc6ca0e9d2deec0661f

SHA1
e9d8a1cc12577fd4d749abe6abc8b7b9216c8c37

SHA256
11a241ed37bae64368f30b6993c0a5196ffd7ebfd8daef008a9f6dada06a6f01

SHA512
3d6ef1459a45a2e873cbdf987bad17f385554f45add01beed1fcf814438ca3ab181c757fc747c8e0b4b313537eef66289ab937459df9f95844a62d8442915fa6

Download Submit
\Windows\system\cybYWYl.exe

MD5
62b6086b768af64bda907bb754928af9

SHA1
7357369d3b4e4c5681ab02705f32eef442826a9d

SHA256
c1f14ff2af26e17d4774af3f2e07c6c9fac3808d6cdb6b9cf35a7f01a55aaad3

SHA512
1013a2170bb9af0891f3e0a885c0c2e6ba2cad00f67a3d86a1129beb7235098d9693e7784061f3cc5a75634929355b4886246234790cdfa3d7299445a0448c5d

Download Submit
\Windows\system\iciZFSS.exe

MD5
dacbe7e823ea1a6248a38054098c6724

SHA1
2262cd93a9212d9b555ffb245fd51fb1827481a0

SHA256
3ff207762563233af7736922f14d3e367cccba066f93b5ba1cdef5fe911aa895

SHA512
316d26f39d8671bd7ade86c5d5a0d7daf8377ee73887ee1e4737abf87ebe38b71e2c646c5793c3407aa8e6ab3163267a98ad71b22f8ec119aaf1e87e4ccd1155

Download Submit
\Windows\system\oGqOamt.exe

MD5
55cce2c05657e587511f94f2210e4569

SHA1
49da62533cda1692a14bb3a1fde2c1945350a19f

SHA256
3a15580b94c80720f84f4f0446174330ec6fc7a1f5537bdcc5cf8ec0a050ce40

SHA512
bbaec4d0b2e4ac30d0eda9afd6fed877f114232f64f75caac83d0c60f6d9a501821380ff30f0152af73aec7b37d17fb90cf4113bb71a28d4106f1a98bbf7f76f

Download Submit
\Windows\system\oKASEqa.exe

MD5
a2297ab83bf1aff784896a9379b67e6e

SHA1
46908c0ed41fef45bb1c2c59e48d063758cf4b04

SHA256
607e9069d026aef224dee8ff98c8fd7760252f03e646e05d60edb47a13bca79c

SHA512
c8989ba930fab1fc359143b7e0d08a017684ddb16667ecbd1c02000faf406af6da882edf14e58e6c1ae06b4872297b597e235def5430f2882fc5c93a0d4b9422

Download Submit
\Windows\system\ohJwpdt.exe

MD5
09c134f0776eb89af43252203a80ea53

SHA1
844887cdcf4e720552b7a5be1514c727f4e06469

SHA256
3f4920031084137dfc2ff1001b74ea7ad826f8403a53488980d2fa2860bb8f43

SHA512
d062c560d45b2bdfe89f63b60d4a4f93afd9326f26e2e381c9f8c4f4c40d829cb193eaa31b5e1f6d035812fbb8e59e2f7b4a41bcae986b00bbc5b87e4a2c09bb

Download Submit
\Windows\system\rIEqGdA.exe

MD5
16a804247257a4d3f213a5075d027491

SHA1
b423423e313753b9f0b02c651e1e6611bc307753

SHA256
d42eb30f84da37013dd843d581282e3449b2e08d800c272bc587633d1fb9085e

SHA512
fd4355152e1be604548b2dd8aa73f135e69ac7675f0df696d5384acd148b7026f4e9c75cf66bb90a9b4772cb55bc9ece63cbab16d3f155ed7368c64b8bf61f8b

Download Submit
\Windows\system\ziCtTqO.exe

MD5
f3022b1b09f6488a6fc4aa6e5f69d67f

SHA1
7999dec2070a58ad252b5bfc9249dda2eecc4a90

SHA256
683325807c9fc5a793c14f00fc493542842532d9e5e38e17063a49159c1dfa45

SHA512
43e18142b97fb70f31c74afbd585134fb622d7aaf9cd38d723dc0367e91fe8f93769712cbbb7297e05713c9acd92014bfe34ff6054365a89b32c8b0cd9c17ccd

Download Submit
\Windows\system\zzBfjCM.exe

MD5
90189e2119bbd6b04c419cd4c0fbf3aa

SHA1
9e124a1d0925a8894f0b085c726b99e68e4d4ce6

SHA256
5855879537fbcef710b64550f475d5e75660d3bf5fcd2f76a80f04500346ec1b

SHA512
be8870695910ea5ae09e8babb185d072701cf3ca75b2d6e146eaf5b2679509a4d22afc9f8987dab854063426248bf909878640435037347d492c0290f2c505ba

Download Submit
memory/668-19-0x0000000000000000-mapping.dmp

Download
memory/980-34-0x0000000000000000-mapping.dmp

Download
memory/1036-52-0x0000000000000000-mapping.dmp

Download
memory/1112-4-0x0000000000000000-mapping.dmp

Download
memory/1212-7-0x0000000000000000-mapping.dmp

Download
memory/1220-37-0x0000000000000000-mapping.dmp

Download
memory/1376-10-0x0000000000000000-mapping.dmp

Download
memory/1432-40-0x0000000000000000-mapping.dmp

Download
memory/1504-1-0x0000000000000000-mapping.dmp

Download
memory/1620-43-0x0000000000000000-mapping.dmp

Download
memory/1624-49-0x0000000000000000-mapping.dmp

Download
memory/1728-46-0x0000000000000000-mapping.dmp

Download
memory/1736-31-0x0000000000000000-mapping.dmp

Download
memory/1748-25-0x0000000000000000-mapping.dmp

Download
memory/1792-28-0x0000000000000000-mapping.dmp

Download
memory/1808-22-0x0000000000000000-mapping.dmp

Download
memory/1960-16-0x0000000000000000-mapping.dmp

Download
memory/2032-13-0x0000000000000000-mapping.dmp

Download