cobaltstrike | 32b75bafe1661a770f8c2b1cacb8e46365891961a95aaef8e58b596cdf07626e

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

8ca3bd3063896a8399abdd5ebb73bd09
SHA1

023aefe22b13f54f4331f9f3a701f5f6d8dd2b4b
SHA256

32b75bafe1661a770f8c2b1cacb8e46365891961a95aaef8e58b596cdf07626e
SHA512

59618a2fdcb0109aa4213a9df62b95a70582a99e705734ed7e37099a5ac420f1fe06232f98511cf1b3103b2fa4a0111496ec3888d2c67a2cfabe1e9b4ef018b1
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lUm

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\aKqaqiU.exe	cobalt_reflective_dll
\Windows\system\XwaeYLQ.exe	cobalt_reflective_dll
C:\Windows\system\AvAFWVu.exe	cobalt_reflective_dll
C:\Windows\system\MFGgwoh.exe	cobalt_reflective_dll
C:\Windows\system\dNJSdvm.exe	cobalt_reflective_dll
C:\Windows\system\OdXzFwS.exe	cobalt_reflective_dll
\Windows\system\mkuiJAM.exe	cobalt_reflective_dll
\Windows\system\ijIFOBw.exe	cobalt_reflective_dll
C:\Windows\system\RNLRmNW.exe	cobalt_reflective_dll
C:\Windows\system\rroGmHu.exe	cobalt_reflective_dll
C:\Windows\system\ebGuOZH.exe	cobalt_reflective_dll
\Windows\system\xDOErzD.exe	cobalt_reflective_dll
\Windows\system\ojzXLZe.exe	cobalt_reflective_dll
C:\Windows\system\iRHyeqK.exe	cobalt_reflective_dll
\Windows\system\vTLcMhi.exe	cobalt_reflective_dll
\Windows\system\GAiakoN.exe	cobalt_reflective_dll
C:\Windows\system\aGkjxAe.exe	cobalt_reflective_dll
C:\Windows\system\OIDUxzm.exe	cobalt_reflective_dll
C:\Windows\system\WDvYMzb.exe	cobalt_reflective_dll
C:\Windows\system\MpGitGg.exe	cobalt_reflective_dll
C:\Windows\system\tgCrKsw.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\aKqaqiU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\XwaeYLQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AvAFWVu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MFGgwoh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dNJSdvm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OdXzFwS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\mkuiJAM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ijIFOBw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RNLRmNW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rroGmHu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ebGuOZH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xDOErzD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ojzXLZe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iRHyeqK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\vTLcMhi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\GAiakoN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aGkjxAe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OIDUxzm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WDvYMzb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MpGitGg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tgCrKsw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 60 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2336-0-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
\Windows\system\aKqaqiU.exe	UPX
\Windows\system\XwaeYLQ.exe	UPX
behavioral1/memory/2980-11-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
C:\Windows\system\AvAFWVu.exe	UPX
C:\Windows\system\MFGgwoh.exe	UPX
C:\Windows\system\dNJSdvm.exe	UPX
C:\Windows\system\OdXzFwS.exe	UPX
\Windows\system\mkuiJAM.exe	UPX
behavioral1/memory/2336-129-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
\Windows\system\ijIFOBw.exe	UPX
C:\Windows\system\RNLRmNW.exe	UPX
C:\Windows\system\rroGmHu.exe	UPX
C:\Windows\system\ebGuOZH.exe	UPX
\Windows\system\xDOErzD.exe	UPX
\Windows\system\ojzXLZe.exe	UPX
C:\Windows\system\iRHyeqK.exe	UPX
\Windows\system\vTLcMhi.exe	UPX
behavioral1/memory/2660-117-0x000000013F8C0000-0x000000013FC11000-memory.dmp	UPX
behavioral1/memory/1148-116-0x000000013F1F0000-0x000000013F541000-memory.dmp	UPX
behavioral1/memory/2504-114-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
behavioral1/memory/2780-111-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
\Windows\system\GAiakoN.exe	UPX
behavioral1/memory/2512-109-0x000000013F8B0000-0x000000013FC01000-memory.dmp	UPX
behavioral1/memory/2240-107-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2732-103-0x000000013FDF0000-0x0000000140141000-memory.dmp	UPX
behavioral1/memory/2712-100-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/2572-99-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
behavioral1/memory/2440-98-0x000000013FE20000-0x0000000140171000-memory.dmp	UPX
behavioral1/memory/3004-97-0x000000013F950000-0x000000013FCA1000-memory.dmp	UPX
behavioral1/memory/2764-96-0x000000013F4F0000-0x000000013F841000-memory.dmp	UPX
behavioral1/memory/2496-95-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	UPX
behavioral1/memory/3036-94-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
C:\Windows\system\aGkjxAe.exe	UPX
C:\Windows\system\OIDUxzm.exe	UPX
C:\Windows\system\WDvYMzb.exe	UPX
C:\Windows\system\MpGitGg.exe	UPX
C:\Windows\system\tgCrKsw.exe	UPX
behavioral1/memory/2980-135-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/3036-136-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
behavioral1/memory/2764-137-0x000000013F4F0000-0x000000013F841000-memory.dmp	UPX
behavioral1/memory/2440-140-0x000000013FE20000-0x0000000140171000-memory.dmp	UPX
behavioral1/memory/2732-142-0x000000013FDF0000-0x0000000140141000-memory.dmp	UPX
behavioral1/memory/2240-141-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2572-139-0x000000013F550000-0x000000013F8A1000-memory.dmp	UPX
behavioral1/memory/3004-138-0x000000013F950000-0x000000013FCA1000-memory.dmp	UPX
behavioral1/memory/2780-143-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
behavioral1/memory/1148-144-0x000000013F1F0000-0x000000013F541000-memory.dmp	UPX
behavioral1/memory/2684-147-0x000000013F460000-0x000000013F7B1000-memory.dmp	UPX
behavioral1/memory/2660-146-0x000000013F8C0000-0x000000013FC11000-memory.dmp	UPX
behavioral1/memory/2504-145-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
behavioral1/memory/2712-148-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/2944-149-0x000000013F8D0000-0x000000013FC21000-memory.dmp	UPX
behavioral1/memory/2928-150-0x000000013F7D0000-0x000000013FB21000-memory.dmp	UPX
behavioral1/memory/676-153-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/2496-151-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	UPX
behavioral1/memory/2336-156-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
behavioral1/memory/2312-155-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/memory/2772-154-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/2336-162-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX

XMRig Miner payload 36 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2980-11-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2336-129-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2780-111-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2512-109-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2336-108-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2240-107-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2732-103-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/2712-100-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2572-99-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2440-98-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/3004-97-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig
behavioral1/memory/2764-96-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2496-95-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/3036-94-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2980-135-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/3036-136-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2764-137-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2440-140-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2732-142-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/2240-141-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2572-139-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/3004-138-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig
behavioral1/memory/2780-143-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/1148-144-0x000000013F1F0000-0x000000013F541000-memory.dmp	xmrig
behavioral1/memory/2684-147-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2660-146-0x000000013F8C0000-0x000000013FC11000-memory.dmp	xmrig
behavioral1/memory/2504-145-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2712-148-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2944-149-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2928-150-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/676-153-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2496-151-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2336-156-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2312-155-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/2772-154-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2336-162-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

aKqaqiU.exeOdXzFwS.exeMFGgwoh.exeAvAFWVu.exeXwaeYLQ.exetgCrKsw.exeMpGitGg.exedNJSdvm.exeWDvYMzb.exeiRHyeqK.exeOIDUxzm.exerroGmHu.exeebGuOZH.exeaGkjxAe.exeGAiakoN.exemkuiJAM.exeojzXLZe.exevTLcMhi.exexDOErzD.exeijIFOBw.exeRNLRmNW.exe

pid	process
2980	aKqaqiU.exe
3036	OdXzFwS.exe
2496	MFGgwoh.exe
2764	AvAFWVu.exe
3004	XwaeYLQ.exe
2440	tgCrKsw.exe
2572	MpGitGg.exe
2712	dNJSdvm.exe
2732	WDvYMzb.exe
2240	iRHyeqK.exe
2512	OIDUxzm.exe
2780	rroGmHu.exe
2504	ebGuOZH.exe
1148	aGkjxAe.exe
2660	GAiakoN.exe
2684	mkuiJAM.exe
676	ojzXLZe.exe
2944	vTLcMhi.exe
2928	xDOErzD.exe
2772	ijIFOBw.exe
2312	RNLRmNW.exe

Loads dropped DLL 21 IoCs

Processes:

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

pid	process
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2336-0-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
\Windows\system\aKqaqiU.exe	upx
\Windows\system\XwaeYLQ.exe	upx
behavioral1/memory/2980-11-0x000000013F430000-0x000000013F781000-memory.dmp	upx
C:\Windows\system\AvAFWVu.exe	upx
C:\Windows\system\MFGgwoh.exe	upx
C:\Windows\system\dNJSdvm.exe	upx
C:\Windows\system\OdXzFwS.exe	upx
\Windows\system\mkuiJAM.exe	upx
behavioral1/memory/2336-129-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
\Windows\system\ijIFOBw.exe	upx
C:\Windows\system\RNLRmNW.exe	upx
C:\Windows\system\rroGmHu.exe	upx
C:\Windows\system\ebGuOZH.exe	upx
\Windows\system\xDOErzD.exe	upx
\Windows\system\ojzXLZe.exe	upx
C:\Windows\system\iRHyeqK.exe	upx
\Windows\system\vTLcMhi.exe	upx
behavioral1/memory/2660-117-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/1148-116-0x000000013F1F0000-0x000000013F541000-memory.dmp	upx
behavioral1/memory/2504-114-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2780-111-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
\Windows\system\GAiakoN.exe	upx
behavioral1/memory/2512-109-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2240-107-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2732-103-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/2712-100-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2572-99-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2440-98-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/3004-97-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx
behavioral1/memory/2764-96-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/2496-95-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/3036-94-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
C:\Windows\system\aGkjxAe.exe	upx
C:\Windows\system\OIDUxzm.exe	upx
C:\Windows\system\WDvYMzb.exe	upx
C:\Windows\system\MpGitGg.exe	upx
C:\Windows\system\tgCrKsw.exe	upx
behavioral1/memory/2980-135-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/3036-136-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2764-137-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/2440-140-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2732-142-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/2240-141-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2572-139-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/3004-138-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx
behavioral1/memory/2780-143-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/1148-144-0x000000013F1F0000-0x000000013F541000-memory.dmp	upx
behavioral1/memory/2684-147-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2660-146-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/2504-145-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2712-148-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2944-149-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2928-150-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/676-153-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2496-151-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/2336-156-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/2312-155-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/2772-154-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2336-162-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\MFGgwoh.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iRHyeqK.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ebGuOZH.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ijIFOBw.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OIDUxzm.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MpGitGg.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WDvYMzb.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vTLcMhi.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ojzXLZe.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aGkjxAe.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aKqaqiU.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dNJSdvm.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XwaeYLQ.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xDOErzD.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mkuiJAM.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rroGmHu.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RNLRmNW.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OdXzFwS.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AvAFWVu.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GAiakoN.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tgCrKsw.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2336 wrote to memory of 2980	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	aKqaqiU.exe
PID 2336 wrote to memory of 2980	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	aKqaqiU.exe
PID 2336 wrote to memory of 2980	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	aKqaqiU.exe
PID 2336 wrote to memory of 2496	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	MFGgwoh.exe
PID 2336 wrote to memory of 2496	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	MFGgwoh.exe
PID 2336 wrote to memory of 2496	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	MFGgwoh.exe
PID 2336 wrote to memory of 3036	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	OdXzFwS.exe
PID 2336 wrote to memory of 3036	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	OdXzFwS.exe
PID 2336 wrote to memory of 3036	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	OdXzFwS.exe
PID 2336 wrote to memory of 2712	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	dNJSdvm.exe
PID 2336 wrote to memory of 2712	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	dNJSdvm.exe
PID 2336 wrote to memory of 2712	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	dNJSdvm.exe
PID 2336 wrote to memory of 2764	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	AvAFWVu.exe
PID 2336 wrote to memory of 2764	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	AvAFWVu.exe
PID 2336 wrote to memory of 2764	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	AvAFWVu.exe
PID 2336 wrote to memory of 2512	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	OIDUxzm.exe
PID 2336 wrote to memory of 2512	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	OIDUxzm.exe
PID 2336 wrote to memory of 2512	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	OIDUxzm.exe
PID 2336 wrote to memory of 3004	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	XwaeYLQ.exe
PID 2336 wrote to memory of 3004	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	XwaeYLQ.exe
PID 2336 wrote to memory of 3004	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	XwaeYLQ.exe
PID 2336 wrote to memory of 2660	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	GAiakoN.exe
PID 2336 wrote to memory of 2660	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	GAiakoN.exe
PID 2336 wrote to memory of 2660	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	GAiakoN.exe
PID 2336 wrote to memory of 2440	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	tgCrKsw.exe
PID 2336 wrote to memory of 2440	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	tgCrKsw.exe
PID 2336 wrote to memory of 2440	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	tgCrKsw.exe
PID 2336 wrote to memory of 2684	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	mkuiJAM.exe
PID 2336 wrote to memory of 2684	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	mkuiJAM.exe
PID 2336 wrote to memory of 2684	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	mkuiJAM.exe
PID 2336 wrote to memory of 2572	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	MpGitGg.exe
PID 2336 wrote to memory of 2572	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	MpGitGg.exe
PID 2336 wrote to memory of 2572	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	MpGitGg.exe
PID 2336 wrote to memory of 2928	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xDOErzD.exe
PID 2336 wrote to memory of 2928	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xDOErzD.exe
PID 2336 wrote to memory of 2928	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xDOErzD.exe
PID 2336 wrote to memory of 2732	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	WDvYMzb.exe
PID 2336 wrote to memory of 2732	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	WDvYMzb.exe
PID 2336 wrote to memory of 2732	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	WDvYMzb.exe
PID 2336 wrote to memory of 2944	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	vTLcMhi.exe
PID 2336 wrote to memory of 2944	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	vTLcMhi.exe
PID 2336 wrote to memory of 2944	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	vTLcMhi.exe
PID 2336 wrote to memory of 2240	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	iRHyeqK.exe
PID 2336 wrote to memory of 2240	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	iRHyeqK.exe
PID 2336 wrote to memory of 2240	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	iRHyeqK.exe
PID 2336 wrote to memory of 676	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ojzXLZe.exe
PID 2336 wrote to memory of 676	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ojzXLZe.exe
PID 2336 wrote to memory of 676	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ojzXLZe.exe
PID 2336 wrote to memory of 2780	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	rroGmHu.exe
PID 2336 wrote to memory of 2780	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	rroGmHu.exe
PID 2336 wrote to memory of 2780	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	rroGmHu.exe
PID 2336 wrote to memory of 2772	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ijIFOBw.exe
PID 2336 wrote to memory of 2772	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ijIFOBw.exe
PID 2336 wrote to memory of 2772	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ijIFOBw.exe
PID 2336 wrote to memory of 2504	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ebGuOZH.exe
PID 2336 wrote to memory of 2504	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ebGuOZH.exe
PID 2336 wrote to memory of 2504	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ebGuOZH.exe
PID 2336 wrote to memory of 2312	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	RNLRmNW.exe
PID 2336 wrote to memory of 2312	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	RNLRmNW.exe
PID 2336 wrote to memory of 2312	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	RNLRmNW.exe
PID 2336 wrote to memory of 1148	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	aGkjxAe.exe
PID 2336 wrote to memory of 1148	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	aGkjxAe.exe
PID 2336 wrote to memory of 1148	2336	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	aGkjxAe.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\System\aKqaqiU.exe
C:\Windows\System\aKqaqiU.exe
2⤵
- Executes dropped EXE
PID:2980

C:\Windows\System\MFGgwoh.exe
C:\Windows\System\MFGgwoh.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\OdXzFwS.exe
C:\Windows\System\OdXzFwS.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\dNJSdvm.exe
C:\Windows\System\dNJSdvm.exe
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\System\AvAFWVu.exe
C:\Windows\System\AvAFWVu.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\OIDUxzm.exe
C:\Windows\System\OIDUxzm.exe
2⤵
- Executes dropped EXE
PID:2512

C:\Windows\System\XwaeYLQ.exe
C:\Windows\System\XwaeYLQ.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\GAiakoN.exe
C:\Windows\System\GAiakoN.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\System\tgCrKsw.exe
C:\Windows\System\tgCrKsw.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\mkuiJAM.exe
C:\Windows\System\mkuiJAM.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\MpGitGg.exe
C:\Windows\System\MpGitGg.exe
2⤵
- Executes dropped EXE
PID:2572

C:\Windows\System\xDOErzD.exe
C:\Windows\System\xDOErzD.exe
2⤵
- Executes dropped EXE
PID:2928

C:\Windows\System\WDvYMzb.exe
C:\Windows\System\WDvYMzb.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\vTLcMhi.exe
C:\Windows\System\vTLcMhi.exe
2⤵
- Executes dropped EXE
PID:2944

C:\Windows\System\iRHyeqK.exe
C:\Windows\System\iRHyeqK.exe
2⤵
- Executes dropped EXE
PID:2240

C:\Windows\System\ojzXLZe.exe
C:\Windows\System\ojzXLZe.exe
2⤵
- Executes dropped EXE
PID:676

C:\Windows\System\rroGmHu.exe
C:\Windows\System\rroGmHu.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\System\ijIFOBw.exe
C:\Windows\System\ijIFOBw.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\System\ebGuOZH.exe
C:\Windows\System\ebGuOZH.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\RNLRmNW.exe
C:\Windows\System\RNLRmNW.exe
2⤵
- Executes dropped EXE
PID:2312

C:\Windows\System\aGkjxAe.exe
C:\Windows\System\aGkjxAe.exe
2⤵
- Executes dropped EXE
PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AvAFWVu.exe
Filesize
5.2MB

MD5
d3608ad03fb2cbdafd78e89ade293d45

SHA1
b9efeaab8c98283e7c7dfc0f3ee6852a01f5c6bf

SHA256
bdb215264d1cbf7e6902246e32e0072bfcad9d2cb3865a2e0322f407f505490d

SHA512
8f1f52091994cc97dc18d2f229bd21ddc8237f3f74e4ec770b7f6c938572cef22e13504be18f8333895792c0f7078d172e6c5892187de90da6b3c9e9e17f7976

Download Submit
C:\Windows\system\MFGgwoh.exe
Filesize
5.2MB

MD5
999aab400c08507a4454b32658577056

SHA1
4ed863612f5749a39e73e4e4e1202edf0d448f5a

SHA256
78c335e4276e9049550a783fb45bd8ff25b9676cd9ecd9823fc7f41b8c73ae98

SHA512
40c4bd26c514e803ab36806cf901524f29b6ce4d1dd2e6ed8c08e982123e43c1ee70ed2f22ebf8cc8a8367f228a75ec029a39a48766ada4542c3f42f256bdc0c

Download Submit
C:\Windows\system\MpGitGg.exe
Filesize
5.2MB

MD5
dc6989f101328199a035f539b2ef9a07

SHA1
959a4ad331a4d6ffb56c9e4546a8a9c8cec3e526

SHA256
deca9b416543fded3a9e8d5524c692ee94332788d8b945c47b339a436b4807bf

SHA512
5efba58c054891013cdb1e2e98f2339f82b17a982cdf9e604ad0e0848f23cabe8dbb3bfde1313ad205e6068797b2fcd4a8670995fac887adeb1a494631f268c4

Download Submit
C:\Windows\system\OIDUxzm.exe
Filesize
5.2MB

MD5
f9287103c288bae5380cb3167eed3661

SHA1
e1bca8173c1f3ddc8b2211b74aadad9c08f5ca4c

SHA256
0494816bf93376f7df83119d8a3101c2b8290f9baf0acc535254c83409438b60

SHA512
f747d9ba6ad9242a48b5a46b79e7ad38cd02ed208ba2f9d6a271e0c55ddf3b97f6bda62cda874a4e176db3d1ec843d01540f9965a9b86b3a0500d1253e380ebe

Download Submit
C:\Windows\system\OdXzFwS.exe
Filesize
5.2MB

MD5
2a1e039e6527ceee5bb4dd963ddaf9c2

SHA1
262dd97a8898de362529f44463374e07212120ec

SHA256
b7af2f9df72f6bf856c16abd08c6f61083cab1d0ed7e2532843c586ca4a4faec

SHA512
f750c2a73a13047f8414bc7a459fbff89fab7989caac58d068c14eab6c04cf547d9c25dc21e8536ee916fa22c4202b986b5b5c45ee68d71bf6ce930d2c97e95b

Download Submit
C:\Windows\system\RNLRmNW.exe
Filesize
5.2MB

MD5
96c99200b7f0063c1a250ab8175a848b

SHA1
bbd33ee005d7a1fa59f146664a60f3683b90293a

SHA256
22a3a6f317f148d83c14d546bb49cb44bd577ce3a268d4025dce6c309dae6588

SHA512
e791e44c6021fd7cf4302a11c6ac1c981d88097ed9e527046582810865282f21bf777a19c94e10e3618dfaeefbf57aa04a65cd3b6e26baa8415b5a43a7aa5bb0

Download Submit
C:\Windows\system\WDvYMzb.exe
Filesize
5.2MB

MD5
cf6d96ec25def6d88cd7cfe1d5cc1aee

SHA1
a50f6f3554f3135bfc2e9cce68bfd40e44137993

SHA256
84940ec49305827190394bd800350baef3e724f3401a263481408d7d009b30de

SHA512
b584ceea93d38ff309b4e5b15a53f3bf077d4ca9cef2d2e6c0c18ad5db40740afd1d3b8f0dad1cc88d114b38bccd49e832183998efb9921401ae4875135b685b

Download Submit
C:\Windows\system\aGkjxAe.exe
Filesize
5.2MB

MD5
c76e87355e35dff72fdb8024c8b5bb1d

SHA1
de8d2b3d88d4c4002820daa7271272b0071ba926

SHA256
733211da0b1a81082e96e8dc70a58c4ade85c8486a01014382854aa7371fa90f

SHA512
de51127e35f34835be0a350d636ac30a020233d7ff09d28e72d3691fb37eaf50438688b246c312690c013240ff34c6b4cd131a364ff716c9ceb6eed074d7b81a

Download Submit
C:\Windows\system\dNJSdvm.exe
Filesize
5.2MB

MD5
67e2e1ab4f5cf2ca099702b22696780c

SHA1
cb3dc6e1a7cc3036bc0682ee67f35088361cb11c

SHA256
15327bcd288e04050f18175cb52e26ea6f1e84e290aeafd57c5c883cb93788a8

SHA512
0b263cf15045fa3572da325e2a46673ed62f1a08721f9d94f25f7a96a4bdbf465a41d7aed9b23fe0002941dc794b2b232aeb423b41bcaaa7943d9d63287f708e

Download Submit
C:\Windows\system\ebGuOZH.exe
Filesize
5.2MB

MD5
6a5cef83e7a4df7f82482f52fa165f66

SHA1
da5a393971f2d62b63dff4790771c24d62fd9212

SHA256
8b2459803b47d2b338b84a3f37e16adc96f6825cb80c45645dbbf349d0cc7103

SHA512
30092d7446d616b096cfa70d11f3b40d70c97a9394a23cc1609b4ef2803e546cce718e31bc21776f714a5de67ec62f8812bb633d98d0dde643885ab3a3b11dad

Download Submit
C:\Windows\system\iRHyeqK.exe
Filesize
5.2MB

MD5
06326fb709dc4fc99d47f0cc64d55b01

SHA1
e0488570052253169c54b6019a1033c2d05626d5

SHA256
43ea8dae146a5b721dc5d61014edfdfeb3e0d378f7542131d410f7e87b668467

SHA512
1b18c07fcfdc93fa4430f1e5c5d6461aa0d006f7652f593247b09139aa78793bdcdcb1631c69b3e4e15e2ad6a521f0d91d44fd2f6d5b1d171ba20922116cd55a

Download Submit
C:\Windows\system\rroGmHu.exe
Filesize
5.2MB

MD5
59cc85b8973ea56982aac7b0385a2c10

SHA1
deef88a4ec7d2e8606c847bbd71bcd2e143bbeab

SHA256
341fe6a963e8b57d45135f4d808b8cfa654172d96689447e012e8f7b8789dcf6

SHA512
7819cb9f0a79a4baa89fe74bdafc48861c81256fbee5d67a1cf9f4223699d34cfa96bad7594688e68f704e2bde12c4265f0d27a020c538099bfd3dddd2dd2871

Download Submit
C:\Windows\system\tgCrKsw.exe
Filesize
5.2MB

MD5
35da026eb6baf47b2056b1972f2b834a

SHA1
ac98e1ecea4bf64814893e9c3d6bc9dac6a7831a

SHA256
15da29d393bcbc84d2443931100de8f778a712f755c743bff371d0efe15b9048

SHA512
e6201d9f13bd5246bc727de0ce892e301c1a3815551129977d82add1d9945f0301b2119976edc0fe6dfe726d827ee9f406db6252218967693dd5e432cae9e562

Download Submit
\Windows\system\GAiakoN.exe
Filesize
5.2MB

MD5
a822bea56215130edf66949d8d6f407c

SHA1
6d7499dffa558ca1714d1f67cdeb03da44a8c675

SHA256
4a85314cf8bc6c6d2e3616ba3b63a7a60d24d195b67daa8f3c9edbafca6f13fa

SHA512
14b0a6d21f7adccfb09aff91dffd0794c6bc23c93efd3c8d6a9df913a8a42cc6196b5df50d2054f997aff7ddee948cd9718c1c098dca2e1ef10f6f5240c6b611

Download Submit
\Windows\system\XwaeYLQ.exe
Filesize
5.2MB

MD5
0f472f0925c46ff2f83d9d4523379337

SHA1
d4e142debff5eb3eaabd6ae79154beb05178abcd

SHA256
09e54459cea0b361124534073e06551394f1ed912d07c748c5f7c9f584e8223d

SHA512
145686cc86b5a8c9973660439017e18f770a78ec272a88954f0a9f6f2adac952389b553163e474c252d04bea71604118c37fce1c2dffa384e81602823fa64166

Download Submit
\Windows\system\aKqaqiU.exe
Filesize
5.2MB

MD5
57265eb612fd1b87fc83d4217b9b2281

SHA1
7d64c6046b801309846359ad7d609ddb34b7ad0d

SHA256
b1bcc1e156e49145763a53448f672d7faa45c06a2d550cec16278f06e0fc349b

SHA512
454065d4fb5ada7f6c1174b9d8b6859a0cd0e312f32d61a8cd899a83342fb1b48916821e50f1548fe24af5cc67701d9fd8f466831497c4ced1f89dbbbd5e70c2

Download Submit
\Windows\system\ijIFOBw.exe
Filesize
5.2MB

MD5
efd7fae6b4185f5d0ff874fedac8b84f

SHA1
7635288ea02c482153b35f4059e0f6e22d6801ff

SHA256
e64f975e7178b24653554be265b83f260466c007cc20503682c0f4347e3c2fb6

SHA512
66badf84674503944084c3bb59b3ba5ebbff1d829873cddbd327fda2453c84191f4627036a51fa847c5430019cef819ece093f8c7ea4db48f855a649e199a7a7

Download Submit
\Windows\system\mkuiJAM.exe
Filesize
5.2MB

MD5
132d8cf96e44605979e6b5eaf32be1cc

SHA1
16dff98cca31054f6558f8b4b88c4ba97917de11

SHA256
273ca449b7e7d2028f8fd4cbb88f87d678f70ffd176a8a1002f47de54b4f278f

SHA512
557083813ff2e76e135fc9ed35d4c4fae235efa30da06d09944a8068e973ed3fd70a43cdc18ceb5b0c500fad90a37c455cf556ae53988bf87bd8e9b19a75fd5b

Download Submit
\Windows\system\ojzXLZe.exe
Filesize
5.2MB

MD5
25a162912af493d5d99b8725e6f453ea

SHA1
9f6f5a78b6698c46fcf985c967d86b66358cf87b

SHA256
b67cab968c202ea0c48ed0e9e72c842e2b402cff96f145f667206451bd2a81f1

SHA512
3f980a2c526edd38781abbc25fd2025b47d3d0a2984507e11bc304fad54a05a8630411e711f5b4da1cf0fb51a78c390a6b2cb1b9bb9c3050cb376bf39a47dc0c

Download Submit
\Windows\system\vTLcMhi.exe
Filesize
5.2MB

MD5
2553761afc27c8e847db2d9cbe55a17c

SHA1
0dedea4006e812ac36c2ac6538f8c301a0352526

SHA256
0b0f2a082d5373da4a99c2bd2050c77eee70f29b33650dae14b908a281a7524d

SHA512
a80c7fe5608a661aaa41e49dfc58f471b58a3aa9e2091b6dc8bf2999f5f6b77e5784e7d8418b8bfa52de868fdeabf386febf39c9ba87a899604de26bbea5e688

Download Submit
\Windows\system\xDOErzD.exe
Filesize
5.2MB

MD5
8df675b52e10f1a0547d54e2990fd300

SHA1
01e517a6d81c4e5d89a25ce70cfbed054ec1ea51

SHA256
3a4425ee89276f7c561ddc44acbbf9d65989307d733cdc83d718d8ea87735641

SHA512
576d9d82caedaad820731d9f1721ff0674f57e6336da576a01c6db88ff35acb6ed7e93651d88201b714c35a0803c74cf707add1f6580febbe0fbcdf525906239

Download Submit
memory/676-153-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1148-116-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/1148-144-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/2240-141-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2240-107-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2312-155-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/2336-102-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2336-113-0x0000000002450000-0x00000000027A1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-162-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2336-129-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2336-108-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2336-112-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2336-106-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2336-105-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2336-104-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2336-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2336-0-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2336-101-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2336-156-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2336-110-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2336-29-0x0000000002450000-0x00000000027A1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-115-0x0000000002450000-0x00000000027A1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-118-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2440-98-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2440-140-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2496-95-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-151-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-145-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2504-114-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2512-109-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2572-99-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-139-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-146-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2660-117-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2684-147-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-100-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2712-148-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2732-142-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2732-103-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2764-96-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2764-137-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2772-154-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2780-143-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2780-111-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2928-150-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2944-149-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2980-135-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2980-11-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/3004-97-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/3004-138-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-94-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-136-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download