cobaltstrike | ced7da8e2735bfad357afdc80f1650e4642aeb57919d03dc3d828ba1cbe506b2

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_ee522e31edab93ffe567aee988b90e86_cobalt-strike_cobaltstrike.exe
Size

6.0MB
MD5

ee522e31edab93ffe567aee988b90e86
SHA1

bf81913b4c9a0947c030214a05cdd6715d6d4e29
SHA256

ced7da8e2735bfad357afdc80f1650e4642aeb57919d03dc3d828ba1cbe506b2
SHA512

72a66d570d2de77cd4cef66950ca1dd13ebb32c0e8c2e518288bed7a8b3e057fb30ab5c06f5ee675767647633b3e5f2d742ea899b77af032eba78f8eda6457fe
SSDEEP

98304:EniLf9FdfE0pZB156utgpPFotBER/mQ32lU7:eOl56utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 15 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\dZmrdZA.exe	cobalt_reflective_dll
\Windows\system\UJFoTEG.exe	cobalt_reflective_dll
C:\Windows\system\vXxoYXX.exe	cobalt_reflective_dll
\Windows\system\LsxRdds.exe	cobalt_reflective_dll
\Windows\system\zmrbldV.exe	cobalt_reflective_dll
C:\Windows\system\TRhcQhQ.exe	cobalt_reflective_dll
C:\Windows\system\EdlaZSC.exe	cobalt_reflective_dll
\Windows\system\QETWqsJ.exe	cobalt_reflective_dll
C:\Windows\system\sSvBkGD.exe	cobalt_reflective_dll
\Windows\system\drhSpES.exe	cobalt_reflective_dll
C:\Windows\system\dxnkExD.exe	cobalt_reflective_dll
\Windows\system\uXFNbLI.exe	cobalt_reflective_dll
C:\Windows\system\gJCLKun.exe	cobalt_reflective_dll
\Windows\system\meTEMJh.exe	cobalt_reflective_dll
C:\Windows\system\wwlbUBF.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 15 IoCs

Processes:

resource	yara_rule
C:\Windows\system\dZmrdZA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UJFoTEG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vXxoYXX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LsxRdds.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zmrbldV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TRhcQhQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EdlaZSC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QETWqsJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sSvBkGD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\drhSpES.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dxnkExD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\uXFNbLI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gJCLKun.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\meTEMJh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wwlbUBF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 36 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2188-0-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
C:\Windows\system\dZmrdZA.exe	UPX
\Windows\system\UJFoTEG.exe	UPX
C:\Windows\system\vXxoYXX.exe	UPX
behavioral1/memory/2644-19-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/memory/868-20-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/memory/2080-22-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
\Windows\system\LsxRdds.exe	UPX
behavioral1/memory/2572-28-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
\Windows\system\zmrbldV.exe	UPX
behavioral1/memory/2676-35-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
C:\Windows\system\TRhcQhQ.exe	UPX
behavioral1/memory/2620-42-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
C:\Windows\system\EdlaZSC.exe	UPX
behavioral1/memory/2828-49-0x000000013FB50000-0x000000013FEA4000-memory.dmp	UPX
\Windows\system\QETWqsJ.exe	UPX
behavioral1/memory/2188-55-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/1888-56-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
C:\Windows\system\sSvBkGD.exe	UPX
behavioral1/memory/2468-62-0x000000013FC10000-0x000000013FF64000-memory.dmp	UPX
\Windows\system\drhSpES.exe	UPX
C:\Windows\system\dxnkExD.exe	UPX
\Windows\system\uXFNbLI.exe	UPX
C:\Windows\system\gJCLKun.exe	UPX
\Windows\system\meTEMJh.exe	UPX
behavioral1/memory/2536-190-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
C:\Windows\system\wwlbUBF.exe	UPX
behavioral1/memory/1500-228-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2924-230-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2416-275-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/1240-294-0x000000013F840000-0x000000013FB94000-memory.dmp	UPX
behavioral1/memory/1896-577-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/1916-578-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
behavioral1/memory/2348-589-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2640-610-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/2564-636-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX

XMRig Miner payload 38 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2188-0-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
C:\Windows\system\dZmrdZA.exe	xmrig
\Windows\system\UJFoTEG.exe	xmrig
C:\Windows\system\vXxoYXX.exe	xmrig
behavioral1/memory/2644-19-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/868-20-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/2188-21-0x00000000022B0000-0x0000000002604000-memory.dmp	xmrig
behavioral1/memory/2080-22-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
\Windows\system\LsxRdds.exe	xmrig
behavioral1/memory/2572-28-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/2188-29-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
\Windows\system\zmrbldV.exe	xmrig
behavioral1/memory/2676-35-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
C:\Windows\system\TRhcQhQ.exe	xmrig
behavioral1/memory/2620-42-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
C:\Windows\system\EdlaZSC.exe	xmrig
behavioral1/memory/2828-49-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
\Windows\system\QETWqsJ.exe	xmrig
behavioral1/memory/2188-55-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/1888-56-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
C:\Windows\system\sSvBkGD.exe	xmrig
behavioral1/memory/2468-62-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
\Windows\system\drhSpES.exe	xmrig
C:\Windows\system\dxnkExD.exe	xmrig
\Windows\system\uXFNbLI.exe	xmrig
C:\Windows\system\gJCLKun.exe	xmrig
\Windows\system\meTEMJh.exe	xmrig
behavioral1/memory/2536-190-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
C:\Windows\system\wwlbUBF.exe	xmrig
behavioral1/memory/1500-228-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2924-230-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2416-275-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/1240-294-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/1896-577-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/1916-578-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/2348-589-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2640-610-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2564-636-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2188-0-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
C:\Windows\system\dZmrdZA.exe	upx
\Windows\system\UJFoTEG.exe	upx
C:\Windows\system\vXxoYXX.exe	upx
behavioral1/memory/2644-19-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/memory/868-20-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/2080-22-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
\Windows\system\LsxRdds.exe	upx
behavioral1/memory/2572-28-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
\Windows\system\zmrbldV.exe	upx
behavioral1/memory/2676-35-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
C:\Windows\system\TRhcQhQ.exe	upx
behavioral1/memory/2620-42-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
C:\Windows\system\EdlaZSC.exe	upx
behavioral1/memory/2828-49-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
\Windows\system\QETWqsJ.exe	upx
behavioral1/memory/2188-55-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/1888-56-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
C:\Windows\system\sSvBkGD.exe	upx
behavioral1/memory/2468-62-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
\Windows\system\drhSpES.exe	upx
C:\Windows\system\dxnkExD.exe	upx
\Windows\system\uXFNbLI.exe	upx
C:\Windows\system\gJCLKun.exe	upx
\Windows\system\meTEMJh.exe	upx
behavioral1/memory/2536-190-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
C:\Windows\system\wwlbUBF.exe	upx
behavioral1/memory/1500-228-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2924-230-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2416-275-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/1240-294-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/1896-577-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/1916-578-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/2348-589-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2640-610-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2564-636-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

2024-04-25_ee522e31edab93ffe567aee988b90e86_cobalt-strike_cobaltstrike.exe

description ioc process

File created C:\Windows\System\dZmrdZA.exe 2024-04-25_ee522e31edab93ffe567aee988b90e86_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\dZmrdZA.exe	2024-04-25_ee522e31edab93ffe567aee988b90e86_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-25_ee522e31edab93ffe567aee988b90e86_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_ee522e31edab93ffe567aee988b90e86_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
PID:2188

C:\Windows\System\dZmrdZA.exe
C:\Windows\System\dZmrdZA.exe
2⤵
PID:2644

C:\Windows\System\vXxoYXX.exe
C:\Windows\System\vXxoYXX.exe
2⤵
PID:868

C:\Windows\System\UJFoTEG.exe
C:\Windows\System\UJFoTEG.exe
2⤵
PID:2080

C:\Windows\System\LsxRdds.exe
C:\Windows\System\LsxRdds.exe
2⤵
PID:2572

C:\Windows\System\zmrbldV.exe
C:\Windows\System\zmrbldV.exe
2⤵
PID:2676

C:\Windows\System\TRhcQhQ.exe
C:\Windows\System\TRhcQhQ.exe
2⤵
PID:2620

C:\Windows\System\EdlaZSC.exe
C:\Windows\System\EdlaZSC.exe
2⤵
PID:2828

C:\Windows\System\QETWqsJ.exe
C:\Windows\System\QETWqsJ.exe
2⤵
PID:1888

C:\Windows\System\udEDBlS.exe
C:\Windows\System\udEDBlS.exe
2⤵
PID:1500

C:\Windows\System\rfobyZv.exe
C:\Windows\System\rfobyZv.exe
2⤵
PID:820

C:\Windows\System\mTHqBXu.exe
C:\Windows\System\mTHqBXu.exe
2⤵
PID:2204

C:\Windows\System\zGPBdnu.exe
C:\Windows\System\zGPBdnu.exe
2⤵
PID:2728

C:\Windows\System\hrZvHcf.exe
C:\Windows\System\hrZvHcf.exe
2⤵
PID:2568

C:\Windows\System\JSFJNGP.exe
C:\Windows\System\JSFJNGP.exe
2⤵
PID:2740

C:\Windows\System\ggAdXMb.exe
C:\Windows\System\ggAdXMb.exe
2⤵
PID:2576

C:\Windows\System\qyjhoLQ.exe
C:\Windows\System\qyjhoLQ.exe
2⤵
PID:1868

C:\Windows\System\NeChKgO.exe
C:\Windows\System\NeChKgO.exe
2⤵
PID:1100

C:\Windows\System\kzYEDpO.exe
C:\Windows\System\kzYEDpO.exe
2⤵
PID:3140

C:\Windows\System\LkvFLba.exe
C:\Windows\System\LkvFLba.exe
2⤵
PID:3476

C:\Windows\System\OWAIzsG.exe
C:\Windows\System\OWAIzsG.exe
2⤵
PID:3728

C:\Windows\System\OAaqpve.exe
C:\Windows\System\OAaqpve.exe
2⤵
PID:3940

C:\Windows\System\iSxYter.exe
C:\Windows\System\iSxYter.exe
2⤵
PID:3956

C:\Windows\System\arYFCuV.exe
C:\Windows\System\arYFCuV.exe
2⤵
PID:3972

C:\Windows\System\WOjvFCl.exe
C:\Windows\System\WOjvFCl.exe
2⤵
PID:3036

C:\Windows\System\QgjxzEi.exe
C:\Windows\System\QgjxzEi.exe
2⤵
PID:2544

C:\Windows\System\MWXbITH.exe
C:\Windows\System\MWXbITH.exe
2⤵
PID:1064

C:\Windows\System\XIoJaTA.exe
C:\Windows\System\XIoJaTA.exe
2⤵
PID:3520

C:\Windows\System\tSVRCGS.exe
C:\Windows\System\tSVRCGS.exe
2⤵
PID:2932

C:\Windows\System\EHNoNsA.exe
C:\Windows\System\EHNoNsA.exe
2⤵
PID:3772

C:\Windows\System\wqMKVMJ.exe
C:\Windows\System\wqMKVMJ.exe
2⤵
PID:4036

C:\Windows\System\Zklvfkb.exe
C:\Windows\System\Zklvfkb.exe
2⤵
PID:4232

C:\Windows\System\iPgjpzb.exe
C:\Windows\System\iPgjpzb.exe
2⤵
PID:4248

C:\Windows\System\FpFBrnR.exe
C:\Windows\System\FpFBrnR.exe
2⤵
PID:4280

C:\Windows\System\vWaMhRw.exe
C:\Windows\System\vWaMhRw.exe
2⤵
PID:4296

C:\Windows\System\jAbVqXy.exe
C:\Windows\System\jAbVqXy.exe
2⤵
PID:4608

C:\Windows\System\icmpGxi.exe
C:\Windows\System\icmpGxi.exe
2⤵
PID:4624

C:\Windows\System\AciVSjt.exe
C:\Windows\System\AciVSjt.exe
2⤵
PID:4920

C:\Windows\System\EmFAPlv.exe
C:\Windows\System\EmFAPlv.exe
2⤵
PID:4936

C:\Windows\System\sYouQLf.exe
C:\Windows\System\sYouQLf.exe
2⤵
PID:3320

C:\Windows\System\lUENGGl.exe
C:\Windows\System\lUENGGl.exe
2⤵
PID:3244

C:\Windows\System\SJQDuKG.exe
C:\Windows\System\SJQDuKG.exe
2⤵
PID:4384

C:\Windows\System\JNtdacz.exe
C:\Windows\System\JNtdacz.exe
2⤵
PID:1544

C:\Windows\System\musqnqF.exe
C:\Windows\System\musqnqF.exe
2⤵
PID:4308

C:\Windows\System\dhHWSbU.exe
C:\Windows\System\dhHWSbU.exe
2⤵
PID:4092

C:\Windows\System\Miukydt.exe
C:\Windows\System\Miukydt.exe
2⤵
PID:4444

C:\Windows\System\OuLxuUk.exe
C:\Windows\System\OuLxuUk.exe
2⤵
PID:5160

C:\Windows\System\GVXuLuK.exe
C:\Windows\System\GVXuLuK.exe
2⤵
PID:5264

C:\Windows\System\TGkZJBj.exe
C:\Windows\System\TGkZJBj.exe
2⤵
PID:5424

C:\Windows\System\lgwkniK.exe
C:\Windows\System\lgwkniK.exe
2⤵
PID:5704

C:\Windows\System\RBCRjmV.exe
C:\Windows\System\RBCRjmV.exe
2⤵
PID:5928

C:\Windows\System\iETUCGa.exe
C:\Windows\System\iETUCGa.exe
2⤵
PID:4968

C:\Windows\System\uXiEOFU.exe
C:\Windows\System\uXiEOFU.exe
2⤵
PID:5076

C:\Windows\System\ZYYbNPB.exe
C:\Windows\System\ZYYbNPB.exe
2⤵
PID:3840

C:\Windows\System\EawoQQA.exe
C:\Windows\System\EawoQQA.exe
2⤵
PID:5500

C:\Windows\System\IGuPGoq.exe
C:\Windows\System\IGuPGoq.exe
2⤵
PID:5568

C:\Windows\System\kNyESYS.exe
C:\Windows\System\kNyESYS.exe
2⤵
PID:6024

C:\Windows\System\zmEwvIu.exe
C:\Windows\System\zmEwvIu.exe
2⤵
PID:6036

C:\Windows\System\ilwwYsJ.exe
C:\Windows\System\ilwwYsJ.exe
2⤵
PID:5200

C:\Windows\System\NlqJcKh.exe
C:\Windows\System\NlqJcKh.exe
2⤵
PID:5216

C:\Windows\System\GIKDmDR.exe
C:\Windows\System\GIKDmDR.exe
2⤵
PID:6160

C:\Windows\System\hruLfzF.exe
C:\Windows\System\hruLfzF.exe
2⤵
PID:6176

C:\Windows\System\PyWDoGJ.exe
C:\Windows\System\PyWDoGJ.exe
2⤵
PID:7072

C:\Windows\System\LGbPsvh.exe
C:\Windows\System\LGbPsvh.exe
2⤵
PID:6152

C:\Windows\System\BNpQmZv.exe
C:\Windows\System\BNpQmZv.exe
2⤵
PID:3980

C:\Windows\System\oZDeDAK.exe
C:\Windows\System\oZDeDAK.exe
2⤵
PID:6564

C:\Windows\System\CzUKDVo.exe
C:\Windows\System\CzUKDVo.exe
2⤵
PID:7164

C:\Windows\System\FelEfKO.exe
C:\Windows\System\FelEfKO.exe
2⤵
PID:7148

C:\Windows\System\pGmDYKr.exe
C:\Windows\System\pGmDYKr.exe
2⤵
PID:6740

C:\Windows\System\zHicnzX.exe
C:\Windows\System\zHicnzX.exe
2⤵
PID:3684

C:\Windows\System\sPZVGiL.exe
C:\Windows\System\sPZVGiL.exe
2⤵
PID:7384

C:\Windows\System\fAWTVLr.exe
C:\Windows\System\fAWTVLr.exe
2⤵
PID:7988

C:\Windows\System\hPpfuwD.exe
C:\Windows\System\hPpfuwD.exe
2⤵
PID:3344

C:\Windows\System\SSfkPJG.exe
C:\Windows\System\SSfkPJG.exe
2⤵
PID:7344

C:\Windows\System\JVHYXqA.exe
C:\Windows\System\JVHYXqA.exe
2⤵
PID:7672

C:\Windows\System\uVEIvft.exe
C:\Windows\System\uVEIvft.exe
2⤵
PID:7736

C:\Windows\System\NBEBRQA.exe
C:\Windows\System\NBEBRQA.exe
2⤵
PID:7756

C:\Windows\System\HKzltdU.exe
C:\Windows\System\HKzltdU.exe
2⤵
PID:8048

C:\Windows\System\mDVrvIJ.exe
C:\Windows\System\mDVrvIJ.exe
2⤵
PID:2500

C:\Windows\System\idGWXew.exe
C:\Windows\System\idGWXew.exe
2⤵
PID:4112

C:\Windows\System\MZMAuOC.exe
C:\Windows\System\MZMAuOC.exe
2⤵
PID:7132

C:\Windows\System\ycQWejV.exe
C:\Windows\System\ycQWejV.exe
2⤵
PID:7464

C:\Windows\System\iijljdV.exe
C:\Windows\System\iijljdV.exe
2⤵
PID:8252

C:\Windows\System\vvXYIZO.exe
C:\Windows\System\vvXYIZO.exe
2⤵
PID:8448

C:\Windows\System\aliMjxc.exe
C:\Windows\System\aliMjxc.exe
2⤵
PID:8644

C:\Windows\System\DYkZPVQ.exe
C:\Windows\System\DYkZPVQ.exe
2⤵
PID:8840

C:\Windows\System\MamPxaI.exe
C:\Windows\System\MamPxaI.exe
2⤵
PID:9036

C:\Windows\System\KrJPCPk.exe
C:\Windows\System\KrJPCPk.exe
2⤵
PID:9196

C:\Windows\System\EAXmbOS.exe
C:\Windows\System\EAXmbOS.exe
2⤵
PID:2776

C:\Windows\System\Fvbjdba.exe
C:\Windows\System\Fvbjdba.exe
2⤵
PID:7184

C:\Windows\System\SMadrUU.exe
C:\Windows\System\SMadrUU.exe
2⤵
PID:8392

C:\Windows\System\jUUcHdr.exe
C:\Windows\System\jUUcHdr.exe
2⤵
PID:8592

C:\Windows\System\xSUYlcz.exe
C:\Windows\System\xSUYlcz.exe
2⤵
PID:8948

C:\Windows\System\XjWdWMv.exe
C:\Windows\System\XjWdWMv.exe
2⤵
PID:7088

C:\Windows\System\yCDIyeq.exe
C:\Windows\System\yCDIyeq.exe
2⤵
PID:9220

C:\Windows\System\FfArzlH.exe
C:\Windows\System\FfArzlH.exe
2⤵
PID:9404

C:\Windows\System\AbdvmNw.exe
C:\Windows\System\AbdvmNw.exe
2⤵
PID:9600

C:\Windows\System\FvcyIni.exe
C:\Windows\System\FvcyIni.exe
2⤵
PID:9796

C:\Windows\System\dIsqVEm.exe
C:\Windows\System\dIsqVEm.exe
2⤵
PID:9976

C:\Windows\System\QnNoNXk.exe
C:\Windows\System\QnNoNXk.exe
2⤵
PID:10060

C:\Windows\System\GGAbruQ.exe
C:\Windows\System\GGAbruQ.exe
2⤵
PID:10220

C:\Windows\System\RSAvsxK.exe
C:\Windows\System\RSAvsxK.exe
2⤵
PID:9616

C:\Windows\System\TRqtnSZ.exe
C:\Windows\System\TRqtnSZ.exe
2⤵
PID:7400

C:\Windows\System\ACpuhkj.exe
C:\Windows\System\ACpuhkj.exe
2⤵
PID:9608

C:\Windows\System\oAxUmQW.exe
C:\Windows\System\oAxUmQW.exe
2⤵
PID:10184

C:\Windows\System\gZfKNhY.exe
C:\Windows\System\gZfKNhY.exe
2⤵
PID:9632

C:\Windows\System\AIyGBej.exe
C:\Windows\System\AIyGBej.exe
2⤵
PID:10100

C:\Windows\System\JtwdKjV.exe
C:\Windows\System\JtwdKjV.exe
2⤵
PID:10296

C:\Windows\System\IKkCtiP.exe
C:\Windows\System\IKkCtiP.exe
2⤵
PID:10444

C:\Windows\System\WNaMARE.exe
C:\Windows\System\WNaMARE.exe
2⤵
PID:10460

C:\Windows\System\TLUvAij.exe
C:\Windows\System\TLUvAij.exe
2⤵
PID:10624

C:\Windows\System\HASiIuQ.exe
C:\Windows\System\HASiIuQ.exe
2⤵
PID:10804

C:\Windows\System\MWRhzrG.exe
C:\Windows\System\MWRhzrG.exe
2⤵
PID:10964

C:\Windows\System\ZcQNFQd.exe
C:\Windows\System\ZcQNFQd.exe
2⤵
PID:10984

C:\Windows\System\RVNLwGk.exe
C:\Windows\System\RVNLwGk.exe
2⤵
PID:11116

C:\Windows\System\QDzUqSH.exe
C:\Windows\System\QDzUqSH.exe
2⤵
PID:11132

C:\Windows\System\OmfdiMC.exe
C:\Windows\System\OmfdiMC.exe
2⤵
PID:9176

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EdlaZSC.exe
Filesize
6.0MB

MD5
a25428ff1bf6f08a83a971eab60428b7

SHA1
8de97b9e34ea31254e48f8923d3e450ee45da70d

SHA256
99b8f44e2789295e206e7f33183fdee869afdb60ded75072fad915a39969086a

SHA512
e88748b55c3b63f79d6c2479a09ea4fd3ef23201e151eccedf61aad4803eeca5e24347985070e53e3744240de3f67402d1fb4392cff93798d0f68df40237efe9

Download Submit
C:\Windows\system\TRhcQhQ.exe
Filesize
6.0MB

MD5
1e26365b6f11a2cf32188db2a140385f

SHA1
805aa72bd6c1140e7e06b948a2f1667341f1b5e5

SHA256
9e76e2df15ec97eb9ad7a0a3c95088a3947753f2075f34a7f3e14468328d16d2

SHA512
12a9e720fdee3243a8e9ce9d0670a0e1ed0676d2777207f004c11eab5b751f9cdc52e2d0a2074f535fa62bf058b2b543c2de9a4f937dca846f7ad02cd5d294ba

Download Submit
C:\Windows\system\dZmrdZA.exe
Filesize
6.0MB

MD5
65c5818c13418759d89ea7bde1a1c90e

SHA1
2057e1993f1a4b8bf6d2ce73d4d6c7518355f573

SHA256
4e6b73ddbce968f733632ad8c01bf18a5862d818d3ec6e618d1fda8079e48c99

SHA512
85582903691742d95f5e84f4ec4c201cd4b90cafa0fa574484a04bf0fe127cfc765189aaf66904880d33621f35b2e9c0973368e7bc767eadff60c85e84c00d11

Download Submit
C:\Windows\system\dxnkExD.exe
Filesize
6.0MB

MD5
0f9668ab29f2a08f62d312fb2baf697d

SHA1
9184c6d185f833a96a7df93ba02e1a302417136b

SHA256
a14aaf5d40157fceea19d3cfa8118ad1ccf4bead705d2db150777201a527b537

SHA512
d8bd81c9a5d62c55da7e03a93d21246f785244617a2e0d4420f1de4caf0be1c9f64cbc05bdc27de4316c93c621cb112ac4615783e687b424a654a2d63d25c4cb

Download Submit
C:\Windows\system\gJCLKun.exe
Filesize
6.0MB

MD5
f21c1fdf988cd8f67a51cc30489c5f9c

SHA1
cbe542c0d86f11816e88adbec5a0e5846ab76fe6

SHA256
4467e8aa409eae4197a6f157c338aabf5bac86960807270bde9894cb0ecdaa06

SHA512
512e48fa97e20edb312f11a141263f67581d95203471cec45bbfbc53cf74bac5ff14f2b9efd23d046ee027c5846cefc29cd7d2af663b8844f5abcce71048fa4e

Download Submit
C:\Windows\system\sSvBkGD.exe
Filesize
6.0MB

MD5
1431a6df28fe34db39b8f3c7b5ecbd28

SHA1
478be905f1ef8cc0e634950089bfe4b1eaaec7bd

SHA256
73b830acff33b08b23d2e335744f96e132c9b909f6485ae1ea9001c93820fbdf

SHA512
9ef877c9f0b94c875c2fc8386ad07aa6fe03ec69cd0a3d667d88322eded815340fbb00e543dd6cb64dfcbcb4613329c7543cbf0e4dc417f569b69e75bddc88c8

Download Submit
C:\Windows\system\vXxoYXX.exe
Filesize
6.0MB

MD5
7ebed2fea475229a58410349bbf580b1

SHA1
873b14894c9b2edf5fecaf199820d45662c485c5

SHA256
31c046905c813b67671a045f1edc5e6e6b46bdb294bf1c820373406f09d0013d

SHA512
b5c957fb9632cb70cdf3ab2e68d9b60ed2e0b8410215a81cb7b33626df6392ff230eb3002394511886e1c8ba24b8cafe924c7d3d66820382164d6bd46a64978c

Download Submit
C:\Windows\system\wwlbUBF.exe
Filesize
6.0MB

MD5
523968c2df96f72de1e24d3e86c7fef7

SHA1
0119c5880beb9c8fce37b1e35284504bf0fba835

SHA256
029c942d434051a9d501685f0ccf06700eb88780aef86426823727e426dd33fd

SHA512
0e241ba7f47ede7faeaf1294bef9daf607d7ec1f3507d6d39f0adfeb83e2b8d4296df49cb11d6e4ea7bd9ac4ba62fb9bd0a0cf0568f43eeb0815ec2e7fffc454

Download Submit
\Windows\system\LsxRdds.exe
Filesize
6.0MB

MD5
d76d22c82943f58ed8c9de0b6899d0e9

SHA1
881d37b904001bb1909ec6ab8958128d0b262b0f

SHA256
88c6090727ff96003217329c61aadcbc2ddbe058c7154c27e86a1dacb3580793

SHA512
5ab4904dacb63ae6535a182e3a7187fdd1fac3116b7f007e26a55e2f268a1a855bf2e59c4cf559ef9e7ed70e00d415b3811986899b8d1d383f76afa6a9df86ea

Download Submit
\Windows\system\QETWqsJ.exe
Filesize
6.0MB

MD5
26002c4ce8182d614e6dea4efc5a74ac

SHA1
9afd6c0180a69a20f7fa72b0cbfa07e9a65856a5

SHA256
51ed675ecba4289f42ac614a6dd1a60572483d1ae10e0d2c2f21acbf0798778d

SHA512
f31c572638a9527347bd2653bb094caceba6355aaf43b3e598899c847f9aec52b122b8ef0a6b798795a80bf944e0875846d85f9f528080abd03e5526523b6a7c

Download Submit
\Windows\system\UJFoTEG.exe
Filesize
6.0MB

MD5
1efa2b73f24be5d10077f22aecb8c372

SHA1
9ca2ecc165ae6189bba23feb267d184521bc0947

SHA256
c202f45ae0cea0882e0b447268de83227744a57950b7a7e89d88418ef54d7d1d

SHA512
6f702bccefb0dc13935f747e03aafefb82b4d59fae2c55262bbe59c3a612e2b26c265dc5838932743a8b441a6d15a5d53439c7a1b749ae8eb237bb9ea7f9662f

Download Submit
\Windows\system\drhSpES.exe
Filesize
6.0MB

MD5
ea7f32e969cd92748c5885a8846a6add

SHA1
f9da68adfbddf9fdfd5ae912cb4e654dd613c13b

SHA256
e12d514995c7a5c1fcf00a3564cb159d72cd19299f6a6b5f1eb9c85652feca8c

SHA512
199db97c9082f40556bff898d08ae5e3141ed7223ec20be3293962c97104df3e27b337a10b816ee87bfc2f96a36060c8a2e0ee25f2eb1eddde8cac51e3a2d58c

Download Submit
\Windows\system\meTEMJh.exe
Filesize
6.0MB

MD5
9652fcb4a78f89b3f6b467f7579cef0b

SHA1
3abc41317e1e846002b709125fd16c9ec5641344

SHA256
796b35b57998cef8363fc1a77adf69c1bb435e767cb3a52b80aefc701beea271

SHA512
911a924f52d5d2f69c088fa93f969c98d981a062077787708d1094f3d6e74a4daea6fc294fbf65ffcfa487f7ec18aa6f4d233002e1957d9639ca98b2b69e6804

Download Submit
\Windows\system\uXFNbLI.exe
Filesize
6.0MB

MD5
9d5b6f476b214c67cea6d414569d7a69

SHA1
302ec17e2db00422a81408f18951744e1889d327

SHA256
f53b64f9f6a0d7558ddc097abab0a45720f2b0ecfa8e3a23175c9e4088771985

SHA512
cb77ae7c1a0f060c06f30638da99faaec6cdccb6cd11dace43203a2c8f4ba8fe7c01b1c2af7296c127f6ff9bf0b3ac9531f9a4ff79430aea4a64b59486589aa1

Download Submit
\Windows\system\zmrbldV.exe
Filesize
6.0MB

MD5
ed907bed5e4f79886fb9cb951e675cc7

SHA1
e80c9ab9086f72ccdc007d95c445b2f5384e9ae1

SHA256
312820a8eb43661ee01c1774c667cfd0308ae4932c24ed6151b4efb1eee89a54

SHA512
88476f522aab3a1c1e9400168e58dc774cfef35989d50892451ad2bcc514c2627e27c87747c7d8a3fcdb073d453c3d8255c9fb93568f68d72a9a47f7795cbf80

Download Submit
memory/868-20-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/1240-294-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/1500-228-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-56-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/1896-577-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1916-578-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2080-22-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/2188-8-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-471-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2188-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2188-567-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2188-48-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2188-484-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2188-39-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-0-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-55-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-469-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2188-29-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-468-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2188-460-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2188-233-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2188-234-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2188-237-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2188-424-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2188-21-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2188-383-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2188-410-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2188-415-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2348-589-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2416-275-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-62-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2536-190-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-636-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2572-28-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-42-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-610-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2644-19-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2676-35-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2828-49-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2924-230-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads