cobaltstrike | 81e589a541c667206447663c273808799e7398eba57987bacebc9347a3214d21

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

8e3c634227dc0306df558907ca1a4488
SHA1

6cfb101b3996dc47de2d97568334a11245f256e2
SHA256

81e589a541c667206447663c273808799e7398eba57987bacebc9347a3214d21
SHA512

ba63d0c9e61849385d0476ac4f720dde382dd6791d7de15934375f600dd0c80110bc6a9b57f83fab3379a1a46ded283a3387c4419fa06ade10c1176aff2f597e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibf56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\RegFRdT.exe	cobalt_reflective_dll
C:\Windows\system\pffzxnA.exe	cobalt_reflective_dll
\Windows\system\HBfxMkp.exe	cobalt_reflective_dll
C:\Windows\system\xDGhLQq.exe	cobalt_reflective_dll
C:\Windows\system\OPxVpgg.exe	cobalt_reflective_dll
C:\Windows\system\Tyksigy.exe	cobalt_reflective_dll
C:\Windows\system\JxNMrRs.exe	cobalt_reflective_dll
C:\Windows\system\hPqcJbC.exe	cobalt_reflective_dll
C:\Windows\system\gVnqzJG.exe	cobalt_reflective_dll
\Windows\system\psaJZrp.exe	cobalt_reflective_dll
\Windows\system\flRyoba.exe	cobalt_reflective_dll
C:\Windows\system\MNSSKIt.exe	cobalt_reflective_dll
C:\Windows\system\hkOTkvM.exe	cobalt_reflective_dll
\Windows\system\lnWZYyF.exe	cobalt_reflective_dll
C:\Windows\system\IXpWbQR.exe	cobalt_reflective_dll
C:\Windows\system\xPKfiyd.exe	cobalt_reflective_dll
\Windows\system\lfAxFtN.exe	cobalt_reflective_dll
C:\Windows\system\JvUYXzR.exe	cobalt_reflective_dll
C:\Windows\system\cJSTOwf.exe	cobalt_reflective_dll
C:\Windows\system\aqlNMUK.exe	cobalt_reflective_dll
C:\Windows\system\lFFiaKm.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\RegFRdT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pffzxnA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\HBfxMkp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xDGhLQq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OPxVpgg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\Tyksigy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JxNMrRs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hPqcJbC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gVnqzJG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\psaJZrp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\flRyoba.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MNSSKIt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hkOTkvM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lnWZYyF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IXpWbQR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xPKfiyd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lfAxFtN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JvUYXzR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cJSTOwf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aqlNMUK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lFFiaKm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2056-0-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	UPX
\Windows\system\RegFRdT.exe	UPX
C:\Windows\system\pffzxnA.exe	UPX
\Windows\system\HBfxMkp.exe	UPX
behavioral1/memory/2952-14-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
C:\Windows\system\xDGhLQq.exe	UPX
behavioral1/memory/2256-37-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/2684-32-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
C:\Windows\system\OPxVpgg.exe	UPX
behavioral1/memory/2984-30-0x000000013F630000-0x000000013F981000-memory.dmp	UPX
behavioral1/memory/2616-29-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/2704-27-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
C:\Windows\system\Tyksigy.exe	UPX
C:\Windows\system\JxNMrRs.exe	UPX
behavioral1/memory/2496-50-0x000000013F080000-0x000000013F3D1000-memory.dmp	UPX
C:\Windows\system\hPqcJbC.exe	UPX
behavioral1/memory/2056-61-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	UPX
behavioral1/memory/2472-62-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
C:\Windows\system\gVnqzJG.exe	UPX
behavioral1/memory/2916-74-0x000000013F9F0000-0x000000013FD41000-memory.dmp	UPX
\Windows\system\psaJZrp.exe	UPX
\Windows\system\flRyoba.exe	UPX
behavioral1/memory/2540-68-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
C:\Windows\system\MNSSKIt.exe	UPX
C:\Windows\system\hkOTkvM.exe	UPX
\Windows\system\lnWZYyF.exe	UPX
C:\Windows\system\IXpWbQR.exe	UPX
C:\Windows\system\xPKfiyd.exe	UPX
behavioral1/memory/2984-102-0x000000013F630000-0x000000013F981000-memory.dmp	UPX
behavioral1/memory/2684-134-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
behavioral1/memory/2616-76-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
\Windows\system\lfAxFtN.exe	UPX
C:\Windows\system\JvUYXzR.exe	UPX
behavioral1/memory/2952-67-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/memory/2256-135-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
C:\Windows\system\cJSTOwf.exe	UPX
behavioral1/memory/2584-56-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
C:\Windows\system\aqlNMUK.exe	UPX
behavioral1/memory/2632-44-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
C:\Windows\system\lFFiaKm.exe	UPX
behavioral1/memory/2632-136-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
behavioral1/memory/2056-137-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	UPX
behavioral1/memory/2584-146-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/2472-148-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
behavioral1/memory/2496-145-0x000000013F080000-0x000000013F3D1000-memory.dmp	UPX
behavioral1/memory/2984-140-0x000000013F630000-0x000000013F981000-memory.dmp	UPX
behavioral1/memory/1860-153-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
behavioral1/memory/2756-154-0x000000013FD20000-0x0000000140071000-memory.dmp	UPX
behavioral1/memory/1648-159-0x000000013F090000-0x000000013F3E1000-memory.dmp	UPX
behavioral1/memory/664-158-0x000000013F210000-0x000000013F561000-memory.dmp	UPX
behavioral1/memory/1956-157-0x000000013FC50000-0x000000013FFA1000-memory.dmp	UPX
behavioral1/memory/1948-156-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/2788-155-0x000000013F9F0000-0x000000013FD41000-memory.dmp	UPX
behavioral1/memory/2000-152-0x000000013FC00000-0x000000013FF51000-memory.dmp	UPX
behavioral1/memory/2936-151-0x000000013FE60000-0x00000001401B1000-memory.dmp	UPX
behavioral1/memory/2916-150-0x000000013F9F0000-0x000000013FD41000-memory.dmp	UPX
behavioral1/memory/2540-149-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
behavioral1/memory/2056-161-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	UPX
behavioral1/memory/2632-168-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
behavioral1/memory/2952-206-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/memory/2704-208-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/memory/2616-210-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/2256-231-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/2684-235-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX

XMRig Miner payload 36 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2704-27-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2056-61-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2684-134-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2616-76-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2952-67-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2256-135-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2056-137-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2584-146-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2472-148-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2496-145-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2984-140-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/1860-153-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2756-154-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/1648-159-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/664-158-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1956-157-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/1948-156-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2788-155-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2000-152-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2936-151-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2916-150-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2540-149-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2056-161-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2632-168-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2952-206-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2704-208-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2616-210-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2256-231-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2684-235-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2472-237-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2916-241-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2984-240-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/2496-234-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2584-246-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2540-248-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2632-258-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

RegFRdT.exepffzxnA.exeTyksigy.exeHBfxMkp.exeOPxVpgg.exexDGhLQq.exelFFiaKm.exeJxNMrRs.exehPqcJbC.exeaqlNMUK.exegVnqzJG.execJSTOwf.exeflRyoba.exepsaJZrp.exeJvUYXzR.exelfAxFtN.exeMNSSKIt.exexPKfiyd.exeIXpWbQR.exehkOTkvM.exelnWZYyF.exe

pid	process
2952	RegFRdT.exe
2704	pffzxnA.exe
2984	Tyksigy.exe
2616	HBfxMkp.exe
2684	OPxVpgg.exe
2256	xDGhLQq.exe
2632	lFFiaKm.exe
2496	JxNMrRs.exe
2584	hPqcJbC.exe
2472	aqlNMUK.exe
2540	gVnqzJG.exe
2916	cJSTOwf.exe
2000	flRyoba.exe
2756	psaJZrp.exe
1948	JvUYXzR.exe
2936	lfAxFtN.exe
1860	MNSSKIt.exe
2788	xPKfiyd.exe
1956	IXpWbQR.exe
664	hkOTkvM.exe
1648	lnWZYyF.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

pid	process
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2056-0-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
\Windows\system\RegFRdT.exe	upx
C:\Windows\system\pffzxnA.exe	upx
\Windows\system\HBfxMkp.exe	upx
behavioral1/memory/2952-14-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
C:\Windows\system\xDGhLQq.exe	upx
behavioral1/memory/2256-37-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2684-32-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
C:\Windows\system\OPxVpgg.exe	upx
behavioral1/memory/2984-30-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/2616-29-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2704-27-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
C:\Windows\system\Tyksigy.exe	upx
C:\Windows\system\JxNMrRs.exe	upx
behavioral1/memory/2496-50-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
C:\Windows\system\hPqcJbC.exe	upx
behavioral1/memory/2056-61-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/2472-62-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
C:\Windows\system\gVnqzJG.exe	upx
behavioral1/memory/2916-74-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
\Windows\system\psaJZrp.exe	upx
\Windows\system\flRyoba.exe	upx
behavioral1/memory/2540-68-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
C:\Windows\system\MNSSKIt.exe	upx
C:\Windows\system\hkOTkvM.exe	upx
\Windows\system\lnWZYyF.exe	upx
C:\Windows\system\IXpWbQR.exe	upx
C:\Windows\system\xPKfiyd.exe	upx
behavioral1/memory/2984-102-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/2684-134-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2616-76-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
\Windows\system\lfAxFtN.exe	upx
C:\Windows\system\JvUYXzR.exe	upx
behavioral1/memory/2952-67-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2256-135-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
C:\Windows\system\cJSTOwf.exe	upx
behavioral1/memory/2584-56-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
C:\Windows\system\aqlNMUK.exe	upx
behavioral1/memory/2632-44-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
C:\Windows\system\lFFiaKm.exe	upx
behavioral1/memory/2632-136-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2056-137-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/2584-146-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2472-148-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2496-145-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/memory/2984-140-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/1860-153-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2756-154-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/1648-159-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/664-158-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/1956-157-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/1948-156-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2788-155-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/2000-152-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2936-151-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2916-150-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/2540-149-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2056-161-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/2632-168-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2952-206-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2704-208-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/2616-210-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2256-231-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2684-235-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\RegFRdT.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xDGhLQq.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JvUYXzR.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lFFiaKm.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IXpWbQR.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lnWZYyF.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cJSTOwf.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lfAxFtN.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MNSSKIt.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Tyksigy.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HBfxMkp.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hPqcJbC.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aqlNMUK.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gVnqzJG.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\psaJZrp.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hkOTkvM.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pffzxnA.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OPxVpgg.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JxNMrRs.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\flRyoba.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xPKfiyd.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2056 wrote to memory of 2952	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	RegFRdT.exe
PID 2056 wrote to memory of 2952	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	RegFRdT.exe
PID 2056 wrote to memory of 2952	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	RegFRdT.exe
PID 2056 wrote to memory of 2704	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	pffzxnA.exe
PID 2056 wrote to memory of 2704	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	pffzxnA.exe
PID 2056 wrote to memory of 2704	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	pffzxnA.exe
PID 2056 wrote to memory of 2984	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	Tyksigy.exe
PID 2056 wrote to memory of 2984	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	Tyksigy.exe
PID 2056 wrote to memory of 2984	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	Tyksigy.exe
PID 2056 wrote to memory of 2616	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	HBfxMkp.exe
PID 2056 wrote to memory of 2616	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	HBfxMkp.exe
PID 2056 wrote to memory of 2616	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	HBfxMkp.exe
PID 2056 wrote to memory of 2684	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	OPxVpgg.exe
PID 2056 wrote to memory of 2684	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	OPxVpgg.exe
PID 2056 wrote to memory of 2684	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	OPxVpgg.exe
PID 2056 wrote to memory of 2256	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	xDGhLQq.exe
PID 2056 wrote to memory of 2256	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	xDGhLQq.exe
PID 2056 wrote to memory of 2256	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	xDGhLQq.exe
PID 2056 wrote to memory of 2632	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lFFiaKm.exe
PID 2056 wrote to memory of 2632	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lFFiaKm.exe
PID 2056 wrote to memory of 2632	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lFFiaKm.exe
PID 2056 wrote to memory of 2496	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	JxNMrRs.exe
PID 2056 wrote to memory of 2496	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	JxNMrRs.exe
PID 2056 wrote to memory of 2496	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	JxNMrRs.exe
PID 2056 wrote to memory of 2584	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	hPqcJbC.exe
PID 2056 wrote to memory of 2584	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	hPqcJbC.exe
PID 2056 wrote to memory of 2584	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	hPqcJbC.exe
PID 2056 wrote to memory of 2472	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	aqlNMUK.exe
PID 2056 wrote to memory of 2472	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	aqlNMUK.exe
PID 2056 wrote to memory of 2472	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	aqlNMUK.exe
PID 2056 wrote to memory of 2540	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	gVnqzJG.exe
PID 2056 wrote to memory of 2540	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	gVnqzJG.exe
PID 2056 wrote to memory of 2540	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	gVnqzJG.exe
PID 2056 wrote to memory of 2916	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	cJSTOwf.exe
PID 2056 wrote to memory of 2916	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	cJSTOwf.exe
PID 2056 wrote to memory of 2916	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	cJSTOwf.exe
PID 2056 wrote to memory of 2936	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lfAxFtN.exe
PID 2056 wrote to memory of 2936	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lfAxFtN.exe
PID 2056 wrote to memory of 2936	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lfAxFtN.exe
PID 2056 wrote to memory of 2000	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	flRyoba.exe
PID 2056 wrote to memory of 2000	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	flRyoba.exe
PID 2056 wrote to memory of 2000	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	flRyoba.exe
PID 2056 wrote to memory of 1860	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	MNSSKIt.exe
PID 2056 wrote to memory of 1860	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	MNSSKIt.exe
PID 2056 wrote to memory of 1860	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	MNSSKIt.exe
PID 2056 wrote to memory of 2756	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	psaJZrp.exe
PID 2056 wrote to memory of 2756	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	psaJZrp.exe
PID 2056 wrote to memory of 2756	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	psaJZrp.exe
PID 2056 wrote to memory of 2788	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	xPKfiyd.exe
PID 2056 wrote to memory of 2788	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	xPKfiyd.exe
PID 2056 wrote to memory of 2788	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	xPKfiyd.exe
PID 2056 wrote to memory of 1948	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	JvUYXzR.exe
PID 2056 wrote to memory of 1948	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	JvUYXzR.exe
PID 2056 wrote to memory of 1948	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	JvUYXzR.exe
PID 2056 wrote to memory of 1956	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	IXpWbQR.exe
PID 2056 wrote to memory of 1956	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	IXpWbQR.exe
PID 2056 wrote to memory of 1956	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	IXpWbQR.exe
PID 2056 wrote to memory of 664	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	hkOTkvM.exe
PID 2056 wrote to memory of 664	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	hkOTkvM.exe
PID 2056 wrote to memory of 664	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	hkOTkvM.exe
PID 2056 wrote to memory of 1648	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lnWZYyF.exe
PID 2056 wrote to memory of 1648	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lnWZYyF.exe
PID 2056 wrote to memory of 1648	2056	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lnWZYyF.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\System\RegFRdT.exe
C:\Windows\System\RegFRdT.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\pffzxnA.exe
C:\Windows\System\pffzxnA.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\Tyksigy.exe
C:\Windows\System\Tyksigy.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\HBfxMkp.exe
C:\Windows\System\HBfxMkp.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\OPxVpgg.exe
C:\Windows\System\OPxVpgg.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\xDGhLQq.exe
C:\Windows\System\xDGhLQq.exe
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\System\lFFiaKm.exe
C:\Windows\System\lFFiaKm.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\JxNMrRs.exe
C:\Windows\System\JxNMrRs.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\hPqcJbC.exe
C:\Windows\System\hPqcJbC.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\aqlNMUK.exe
C:\Windows\System\aqlNMUK.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System\gVnqzJG.exe
C:\Windows\System\gVnqzJG.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\cJSTOwf.exe
C:\Windows\System\cJSTOwf.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\lfAxFtN.exe
C:\Windows\System\lfAxFtN.exe
2⤵
- Executes dropped EXE
PID:2936

C:\Windows\System\flRyoba.exe
C:\Windows\System\flRyoba.exe
2⤵
- Executes dropped EXE
PID:2000

C:\Windows\System\MNSSKIt.exe
C:\Windows\System\MNSSKIt.exe
2⤵
- Executes dropped EXE
PID:1860

C:\Windows\System\psaJZrp.exe
C:\Windows\System\psaJZrp.exe
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\System\xPKfiyd.exe
C:\Windows\System\xPKfiyd.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\JvUYXzR.exe
C:\Windows\System\JvUYXzR.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\System\IXpWbQR.exe
C:\Windows\System\IXpWbQR.exe
2⤵
- Executes dropped EXE
PID:1956

C:\Windows\System\hkOTkvM.exe
C:\Windows\System\hkOTkvM.exe
2⤵
- Executes dropped EXE
PID:664

C:\Windows\System\lnWZYyF.exe
C:\Windows\System\lnWZYyF.exe
2⤵
- Executes dropped EXE
PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\IXpWbQR.exe

Filesize
5.2MB

MD5
234cd8cb3fc08bdc707bfef77358c4a5

SHA1
a7f4235c32c09d848996af14ec9c5ea45a8bb90f

SHA256
53324b7224e97705af9de2dfde0ee511622f744459f0590a8fe7a993e68321be

SHA512
b1362e8f9b7767345243ed62989bf08f10435182f9c83f0aabcf23ac651aa0ca96147bf27b03c14c3366e9cf0fe071d15956403ea69a0636c6b7e78f8cf950dd

Download Submit
C:\Windows\system\JvUYXzR.exe

Filesize
5.2MB

MD5
2b436a9a385f50c866f2f1252c4bde71

SHA1
0b6bdffd01921afdcef671efd0b054edf0e5a7a5

SHA256
b9738b9c7ddffa6e403a2ae16899b3ba48758b1eab3aff377994b23c51b35d73

SHA512
be1cc00ad0dc8181339f8a22283247d5ac1c096ced86043a9d47a8b735199a8da1ed6477dc427db07d6c41ee466bba51518e6a81855caec3b73c9cc4b15a2fb7

Download Submit
C:\Windows\system\JxNMrRs.exe

Filesize
5.2MB

MD5
ebf8b2a9f20f5e6c6698a070ac422f34

SHA1
df34fcdcb78d2b4436f276fe7defc649c35c4309

SHA256
f26d26a82b18e53b0eddd967180ba5d595d420bd42e266c0929699af2661a9ba

SHA512
c6487aea9abd89847989c0bbbe5a93030db0780041eb73bf849dabaedc82091d2579e3c4620dbd4132dc21b48e9caeb28db4c10b02dafee32eabcd13a0cb8ccb

Download Submit
C:\Windows\system\MNSSKIt.exe

Filesize
5.2MB

MD5
6b48c4bd99bbdce8ca25d958d2ae6717

SHA1
35f735d434eef5d597f08c7acaa13e1978f665a2

SHA256
00fdf35388b3c1ca60ab6df9f90a3132597a0cdb292556f2898499959d75e51e

SHA512
88d9c861e84e10347c4fb25b9e16bcdf17beafded1f5f42a79b7a16a818930728aa6817a9901dcca1a8ce0d7ca45bc6ec46cf10d45b0dfc2349562dee9abc1fd

Download Submit
C:\Windows\system\OPxVpgg.exe

Filesize
5.2MB

MD5
19feda8ea5f2034c8fe38cde95b4ee56

SHA1
2bbad782e5ce00b9ebd28bb6ed120c8e4d898c9c

SHA256
d2835a1d0dfa10b98afbb03c920973e433a5771f0885651e132be5e1ab0f8336

SHA512
cdebd5f15c25c7508f65ba1235a08f325a8c6c8f5b95a9878beea0d0b15d43c39c9103279e33257c10a0a84d06408be04fc0341bb7942a99d78ee2b2a682493b

Download Submit
C:\Windows\system\Tyksigy.exe

Filesize
5.2MB

MD5
2f0d592d6b449154206d89541883dac6

SHA1
d107e4e483972d4ed635df78fde2f48174f39777

SHA256
ba9e4a91626921b6c2128caf6cc9735832764c11bbb05114919089f34483f0d3

SHA512
5bc7a3beb9a6659d6ebbfa8acc6bfe97ca142a8c5d8db4cee399739964f38d20778754874bdfc4031bd09f5284fdb474bf6ef7385eb7d10579eaa165744e803b

Download Submit
C:\Windows\system\aqlNMUK.exe

Filesize
5.2MB

MD5
fbe7857e8c4617acee4436ce310c158f

SHA1
f2aeb1eb1a7098c5f1324bc81676ff86d156edd0

SHA256
c1c84d6076445e92360fda70c99c8cbf359f524f204c9563b0e3823f7d2f7024

SHA512
a3d133fb8de207743378dfeca0deb5aa0c1c7db9c449e6fa9bebca374f2627448617fc1624bcd054ce1905008953508e4c18a2bf66e79eb75035f8a74111e8d4

Download Submit
C:\Windows\system\cJSTOwf.exe

Filesize
5.2MB

MD5
ae46a1f8ae2f4d19040678d75e5223ef

SHA1
aad0eabf428e0f2ddd34442d771f37b08f8b335c

SHA256
2eb4aa0946ed7abaf226fb44e79e48eb4ae7e99e08246560ca0452084dbbe13e

SHA512
91aa13c5c772118a723cbfaa5a16ba847b26dc5d52b3ee70e2d08c51b4a4682d9891f0da2f604297f8508188005d35fee02d379fc59dfc27ba5490d5f8c6b906

Download Submit
C:\Windows\system\gVnqzJG.exe

Filesize
5.2MB

MD5
531a27e188c828f46f1b4f04d8437e6d

SHA1
8e13bc26bf31ee320f1179e299932db1de023a68

SHA256
600189dbc9234cd9d972a4d0e188f1b10c726fa47f901c51e269ac556e29753d

SHA512
9a010d175b34eb7fe1affdabac9db85082ec10dffc650f90356ea5dbdd8e51fc3d1df2ec046b19f58b1312f2e77aaa96e18f6a82d43934eb29ddc86e63f20148

Download Submit
C:\Windows\system\hPqcJbC.exe

Filesize
5.2MB

MD5
944f9d065cfd7c32008c52f32396041d

SHA1
cb1467a372a6d80bb6fefbf316406340a94920fc

SHA256
2ad5032a9a1916714246566ab3cb92c40726bcbeb78835e60237337ed5a56485

SHA512
2a7add215dd86f9a28b6ee4f50e0519fd9f103cc8850e068ef3fa0dae83bb61b76f92ce8cf99a77e2430d936fd75e178ee9c272429312d4fba07960abaef8208

Download Submit
C:\Windows\system\hkOTkvM.exe

Filesize
5.2MB

MD5
1fbdf646a77d1a07b1f5048dcaeff8f3

SHA1
81c10874357df4f8e3079aac0d15521bc23c2a8d

SHA256
e2ffba79edfb145d27b76ce0ebf77759877c9129d38e5a64a65fa4858b8d55e3

SHA512
bea30e5511c1183cebf978712f819ac5ad4684ca6e430b2210a63f27b3d060d4879b2cab311853ba1e3d61229b77a208241cdf2c20a97a890e3ae7602a249090

Download Submit
C:\Windows\system\lFFiaKm.exe

Filesize
5.2MB

MD5
40792d906484ab2ab3b889d69e9fc11d

SHA1
0f44d8ab1ba90c2d8f5b59cd68a89b4c9350e919

SHA256
0958f2e11142babaf8c108e945574a0a4132b472b1234f457be5f0f131a74985

SHA512
2ae091acb555dcb43117d0b1bfb674d22725a3ce1a3c9b758a2ebef8b4eb553667199cb545a718ba94f35345e48003c0b7fbd7b76ced8f3d8c68976fafa7039b

Download Submit
C:\Windows\system\pffzxnA.exe

Filesize
5.2MB

MD5
66a25675f6101337e3e14f670a2ba9b0

SHA1
78c15ab8a7909e1ae3774326fae0ed7b1a8a07fc

SHA256
9d5198cd980bc62e7eb3a40db9a4425bbeb7e336169033b2c391ca8b35095087

SHA512
50869dd403145fc32e71ba625e4f8ac6e88e878436d34c549144475991147e6cac8392e87650e237ff2be69be19c06fe84488b5034b13c84cd07d914cd325d23

Download Submit
C:\Windows\system\xDGhLQq.exe

Filesize
5.2MB

MD5
67670dd8c01a7665c8199e252291a5b2

SHA1
653dc2c266086b87bbd7176b09f6f10edfc433f8

SHA256
7414c61e9e7b0a47ba2856ae3e17fa7367048867594f0d4671505dca1b3b8cd5

SHA512
efe1b928f407086e15d48bdad3f9decbaeb20f3e321a32f4ed9ecf2c5668d2bca9bf3cf5f5d86030f3211516ef6e92d74aa77ff31a73a6a191185da6a0410c60

Download Submit
C:\Windows\system\xPKfiyd.exe

Filesize
5.2MB

MD5
04e303dd49d0c6ff171fa885d72af6b6

SHA1
6ac0b81c29466f7c84eb660ae30ce0f6cc7950c0

SHA256
8658fb4450058d44cb16841e19cd62c27292e067e31521d44e21e25661666357

SHA512
ce13f0a6dcc2b450ed37ae97a9450cf6ccaefbc2f0eda8643a2a986354d1a2a2632e701bedf4ffdfaa1aaaf28fd95ba1d6ac8ac249e2dd1ebecd55d3a7591e4f

Download Submit
\Windows\system\HBfxMkp.exe

Filesize
5.2MB

MD5
6aaacbe73829601cd675f381e9ef6915

SHA1
4bc40cb7c29861d21b856e43e6dc328249c4399f

SHA256
b369ac0b47f904c0211dedfdf8ff8301750bbebeab8249cb136a43b35e833726

SHA512
afa1fee304d96db0be5b5b7542c64aaa1fe073335fed04d8ec52228d5198e2819368014092c120bfe7598c6bbb71a97ff2f60d344c6e49e8c7f2e02fe0153c66

Download Submit
\Windows\system\RegFRdT.exe

Filesize
5.2MB

MD5
608e50804115288e098c2bc10483a7a0

SHA1
82b637f79ad9cc83d7d0c374dfe24c036991976b

SHA256
f7733964d4b1191f4130c59d049a73118479c15a5dda76158dbbead15e4daa16

SHA512
451e83c8051c54c5d523f6fdc2b35cdbefe4f35e2e774386f6d1de3a5c1d1dcbcb2be91bd914b44707263e9e00c5663e5af29b2918067d2df3d6f227f2ffa05c

Download Submit
\Windows\system\flRyoba.exe

Filesize
5.2MB

MD5
524ae37773bcf1471a944c473c5fc22e

SHA1
1653f1e4f6a8f27fda7c1ea07623d1c0c1472166

SHA256
a7ec93a756ba25351ac250adce04cc4ec8fcf4bbabe29a033e3245b8e85a6eae

SHA512
0bbf7615d36aef7a2d923935c9652ecfa5b17594bbecacba51d3ba8a60f98a1d47bfd9a42b4afb321b77ce6d9038d1156f0268953d881236c93966d7ab26613b

Download Submit
\Windows\system\lfAxFtN.exe

Filesize
5.2MB

MD5
7ddc6ca3e000377a4a5c8c41c77653d1

SHA1
f7bdd3f77e757a65d71cd3a9b0c4c915be031541

SHA256
8f6c655022dca782bb50f9c4144a73887efc82a3eca1e6727feccefec27bcac0

SHA512
492a84c796fd3654e0b44718448452e1414a55d101b8cf44be874dc89f57903814fd067ca401d8bfff5656e3d2d5b7423978d17c3a89e8ee05c9263b8d563bb3

Download Submit
\Windows\system\lnWZYyF.exe

Filesize
5.2MB

MD5
0e443db07c9b52523dd5c12aa2c8b86f

SHA1
5e251135ad195d06fe310f9c5b3f8a6eb0ace1fa

SHA256
55cf4db37586d32e8b3fd61883f0bfcffd0e4f329777ab0f0a92c2317db55f90

SHA512
b2491973ee74ceaf582e91705cf16cd4603dc8acaf825553d933f98cbe0feb0f0b39b4635da15381d52c83ce1cb868ce4ed72d5f09551dee10dd413ff36ad68e

Download Submit
\Windows\system\psaJZrp.exe

Filesize
5.2MB

MD5
97e0f26b3eb693c60320665873c9a5b2

SHA1
846a4eea3c5083b9fb5fa249a6cc7cca2f3ee990

SHA256
3cd57464400d9b557d44bf3a1f0f78f67ccb6f0a718f2cee6d16752320a8e9c2

SHA512
88b1ff339427022c7ffe7af17472bc0c453b0d1df4eeaaf3da3b6ff85a819fa410a26f29d0b652ab46453a1a23a5c0d91f8b0dee3ce8a400cd4ce1b321cb1b76

Download Submit
memory/664-158-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/1648-159-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-153-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1948-156-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/1956-157-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-152-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2056-101-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-160-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-99-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-43-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-104-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-103-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-55-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-6-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2056-61-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-24-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-49-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-137-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-36-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-161-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-73-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-0-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-100-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-135-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-37-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-231-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-237-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2472-62-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2472-148-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2496-145-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-234-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-50-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-248-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-68-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-149-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-246-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2584-146-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2584-56-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2616-29-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2616-76-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2616-210-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2632-136-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-44-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-258-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-168-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-235-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2684-134-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2684-32-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2704-27-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-208-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-154-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2788-155-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2916-241-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2916-150-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2916-74-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2936-151-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-206-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2952-14-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2952-67-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2984-240-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2984-30-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2984-140-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2984-102-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download