cobaltstrike | aa4855f0a01b3ef441b1feb3987a2effcfbccf2e66b7606b231f857494efbe4a

Analysis

max time kernel
140s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

a9d0f8891ed9235c0883644623749ac8
SHA1

59d4c48109875c092abda81a1570335962e6b5e5
SHA256

aa4855f0a01b3ef441b1feb3987a2effcfbccf2e66b7606b231f857494efbe4a
SHA512

9d245f632ea75a1438e2c801abfd753a66f4d19aba023edd9b49bd06c43cd1eb78bb285186b76586d87db90f046380355370d172ea9d7946d572c12a7652e744
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lt:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\IppqZMf.exe	cobalt_reflective_dll
C:\Windows\system\XxWJOfb.exe	cobalt_reflective_dll
C:\Windows\system\VvMpGYl.exe	cobalt_reflective_dll
C:\Windows\system\dChGlFr.exe	cobalt_reflective_dll
C:\Windows\system\NvvtRan.exe	cobalt_reflective_dll
C:\Windows\system\AIaFbVy.exe	cobalt_reflective_dll
C:\Windows\system\lyWVIJf.exe	cobalt_reflective_dll
C:\Windows\system\hnacIHg.exe	cobalt_reflective_dll
C:\Windows\system\JZJPCjF.exe	cobalt_reflective_dll
C:\Windows\system\mVDHGHV.exe	cobalt_reflective_dll
C:\Windows\system\bgxXXCz.exe	cobalt_reflective_dll
C:\Windows\system\lMFMweP.exe	cobalt_reflective_dll
C:\Windows\system\EVisljr.exe	cobalt_reflective_dll
C:\Windows\system\xfDMUpe.exe	cobalt_reflective_dll
C:\Windows\system\JZJmYLA.exe	cobalt_reflective_dll
C:\Windows\system\pVIyvMd.exe	cobalt_reflective_dll
C:\Windows\system\PdphLBf.exe	cobalt_reflective_dll
\Windows\system\lPfEdkB.exe	cobalt_reflective_dll
C:\Windows\system\tPnugGP.exe	cobalt_reflective_dll
C:\Windows\system\TqmvrQd.exe	cobalt_reflective_dll
C:\Windows\system\XlBVCYI.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\IppqZMf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XxWJOfb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VvMpGYl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dChGlFr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NvvtRan.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AIaFbVy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lyWVIJf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hnacIHg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JZJPCjF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mVDHGHV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bgxXXCz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lMFMweP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EVisljr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xfDMUpe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JZJmYLA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pVIyvMd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PdphLBf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lPfEdkB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tPnugGP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TqmvrQd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XlBVCYI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 61 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
\Windows\system\IppqZMf.exe	UPX
C:\Windows\system\XxWJOfb.exe	UPX
C:\Windows\system\VvMpGYl.exe	UPX
C:\Windows\system\dChGlFr.exe	UPX
C:\Windows\system\NvvtRan.exe	UPX
C:\Windows\system\AIaFbVy.exe	UPX
C:\Windows\system\lyWVIJf.exe	UPX
C:\Windows\system\hnacIHg.exe	UPX
C:\Windows\system\JZJPCjF.exe	UPX
behavioral1/memory/2404-105-0x000000013F420000-0x000000013F771000-memory.dmp	UPX
behavioral1/memory/2504-104-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
C:\Windows\system\mVDHGHV.exe	UPX
behavioral1/memory/2888-96-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/1752-95-0x000000013F150000-0x000000013F4A1000-memory.dmp	UPX
behavioral1/memory/1688-94-0x000000013F2C0000-0x000000013F611000-memory.dmp	UPX
behavioral1/memory/2440-93-0x000000013FE70000-0x00000001401C1000-memory.dmp	UPX
behavioral1/memory/2360-92-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
C:\Windows\system\bgxXXCz.exe	UPX
behavioral1/memory/2644-89-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
behavioral1/memory/2648-88-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	UPX
behavioral1/memory/2388-86-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
behavioral1/memory/2088-85-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
C:\Windows\system\lMFMweP.exe	UPX
behavioral1/memory/2580-80-0x000000013FF30000-0x0000000140281000-memory.dmp	UPX
C:\Windows\system\EVisljr.exe	UPX
behavioral1/memory/2632-77-0x000000013F370000-0x000000013F6C1000-memory.dmp	UPX
C:\Windows\system\xfDMUpe.exe	UPX
C:\Windows\system\JZJmYLA.exe	UPX
C:\Windows\system\pVIyvMd.exe	UPX
C:\Windows\system\PdphLBf.exe	UPX
behavioral1/memory/2080-59-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
\Windows\system\lPfEdkB.exe	UPX
C:\Windows\system\tPnugGP.exe	UPX
C:\Windows\system\TqmvrQd.exe	UPX
C:\Windows\system\XlBVCYI.exe	UPX
behavioral1/memory/1640-135-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
behavioral1/memory/2404-147-0x000000013F420000-0x000000013F771000-memory.dmp	UPX
behavioral1/memory/2804-149-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/memory/1800-151-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
behavioral1/memory/1588-155-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
behavioral1/memory/2152-152-0x000000013F370000-0x000000013F6C1000-memory.dmp	UPX
behavioral1/memory/1764-156-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/1580-154-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	UPX
behavioral1/memory/2136-153-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/memory/1640-157-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
behavioral1/memory/1640-158-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
behavioral1/memory/1752-204-0x000000013F150000-0x000000013F4A1000-memory.dmp	UPX
behavioral1/memory/2888-206-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/2580-208-0x000000013FF30000-0x0000000140281000-memory.dmp	UPX
behavioral1/memory/2632-212-0x000000013F370000-0x000000013F6C1000-memory.dmp	UPX
behavioral1/memory/2080-211-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
behavioral1/memory/2088-214-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
behavioral1/memory/2648-218-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	UPX
behavioral1/memory/2388-217-0x000000013F510000-0x000000013F861000-memory.dmp	UPX
behavioral1/memory/2440-220-0x000000013FE70000-0x00000001401C1000-memory.dmp	UPX
behavioral1/memory/2644-224-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
behavioral1/memory/2504-228-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
behavioral1/memory/2360-227-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
behavioral1/memory/1688-223-0x000000013F2C0000-0x000000013F611000-memory.dmp	UPX
behavioral1/memory/2404-242-0x000000013F420000-0x000000013F771000-memory.dmp	UPX

XMRig Miner payload 38 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2504-104-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2888-96-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/1752-95-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/1688-94-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/2440-93-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2360-92-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2644-89-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2648-88-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2388-86-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2088-85-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2580-80-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/2632-77-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/2080-59-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/1640-135-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2404-147-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/2804-149-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/1800-151-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/1588-155-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2152-152-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/1764-156-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/1580-154-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2136-153-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/1640-157-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/1640-158-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/1752-204-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2888-206-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2580-208-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/2632-212-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/2080-211-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2088-214-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2648-218-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2388-217-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2440-220-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2644-224-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2504-228-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2360-227-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/1688-223-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/2404-242-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

XlBVCYI.exeTqmvrQd.exeIppqZMf.exetPnugGP.exelPfEdkB.exePdphLBf.exelMFMweP.exemVDHGHV.exeXxWJOfb.exepVIyvMd.exeJZJmYLA.exexfDMUpe.exeEVisljr.exebgxXXCz.exeJZJPCjF.exehnacIHg.exelyWVIJf.exeAIaFbVy.exeNvvtRan.exeVvMpGYl.exedChGlFr.exe

pid	process
1752	XlBVCYI.exe
2888	TqmvrQd.exe
2080	IppqZMf.exe
2632	tPnugGP.exe
2580	lPfEdkB.exe
2088	PdphLBf.exe
2388	lMFMweP.exe
2648	mVDHGHV.exe
2644	XxWJOfb.exe
2360	pVIyvMd.exe
2440	JZJmYLA.exe
1688	xfDMUpe.exe
2504	EVisljr.exe
2404	bgxXXCz.exe
2804	JZJPCjF.exe
1800	hnacIHg.exe
2152	lyWVIJf.exe
2136	AIaFbVy.exe
1580	NvvtRan.exe
1588	VvMpGYl.exe
1764	dChGlFr.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe

pid	process
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
\Windows\system\IppqZMf.exe	upx
C:\Windows\system\XxWJOfb.exe	upx
C:\Windows\system\VvMpGYl.exe	upx
C:\Windows\system\dChGlFr.exe	upx
C:\Windows\system\NvvtRan.exe	upx
C:\Windows\system\AIaFbVy.exe	upx
C:\Windows\system\lyWVIJf.exe	upx
C:\Windows\system\hnacIHg.exe	upx
C:\Windows\system\JZJPCjF.exe	upx
behavioral1/memory/2404-105-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/2504-104-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
C:\Windows\system\mVDHGHV.exe	upx
behavioral1/memory/2888-96-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/1752-95-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/1688-94-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/2440-93-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/2360-92-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
C:\Windows\system\bgxXXCz.exe	upx
behavioral1/memory/2644-89-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/2648-88-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2388-86-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2088-85-0x000000013F120000-0x000000013F471000-memory.dmp	upx
C:\Windows\system\lMFMweP.exe	upx
behavioral1/memory/2580-80-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
C:\Windows\system\EVisljr.exe	upx
behavioral1/memory/2632-77-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
C:\Windows\system\xfDMUpe.exe	upx
C:\Windows\system\JZJmYLA.exe	upx
C:\Windows\system\pVIyvMd.exe	upx
C:\Windows\system\PdphLBf.exe	upx
behavioral1/memory/2080-59-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
\Windows\system\lPfEdkB.exe	upx
C:\Windows\system\tPnugGP.exe	upx
C:\Windows\system\TqmvrQd.exe	upx
C:\Windows\system\XlBVCYI.exe	upx
behavioral1/memory/1640-135-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2404-147-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/2804-149-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/1800-151-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/1588-155-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2152-152-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/1764-156-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/1580-154-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2136-153-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/1640-157-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/1640-158-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/1752-204-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/2888-206-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2580-208-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
behavioral1/memory/2632-212-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/2080-211-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2088-214-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/2648-218-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2388-217-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2440-220-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/2644-224-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/2504-228-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/2360-227-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/1688-223-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/2404-242-0x000000013F420000-0x000000013F771000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\mVDHGHV.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bgxXXCz.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lPfEdkB.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tPnugGP.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NvvtRan.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XlBVCYI.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TqmvrQd.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XxWJOfb.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lMFMweP.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JZJPCjF.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xfDMUpe.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AIaFbVy.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VvMpGYl.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IppqZMf.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PdphLBf.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dChGlFr.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JZJmYLA.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hnacIHg.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lyWVIJf.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EVisljr.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pVIyvMd.exe	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1640 wrote to memory of 1752	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	XlBVCYI.exe
PID 1640 wrote to memory of 1752	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	XlBVCYI.exe
PID 1640 wrote to memory of 1752	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	XlBVCYI.exe
PID 1640 wrote to memory of 2080	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	IppqZMf.exe
PID 1640 wrote to memory of 2080	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	IppqZMf.exe
PID 1640 wrote to memory of 2080	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	IppqZMf.exe
PID 1640 wrote to memory of 2888	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	TqmvrQd.exe
PID 1640 wrote to memory of 2888	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	TqmvrQd.exe
PID 1640 wrote to memory of 2888	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	TqmvrQd.exe
PID 1640 wrote to memory of 2580	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lPfEdkB.exe
PID 1640 wrote to memory of 2580	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lPfEdkB.exe
PID 1640 wrote to memory of 2580	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lPfEdkB.exe
PID 1640 wrote to memory of 2632	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	tPnugGP.exe
PID 1640 wrote to memory of 2632	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	tPnugGP.exe
PID 1640 wrote to memory of 2632	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	tPnugGP.exe
PID 1640 wrote to memory of 2648	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	mVDHGHV.exe
PID 1640 wrote to memory of 2648	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	mVDHGHV.exe
PID 1640 wrote to memory of 2648	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	mVDHGHV.exe
PID 1640 wrote to memory of 2088	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	PdphLBf.exe
PID 1640 wrote to memory of 2088	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	PdphLBf.exe
PID 1640 wrote to memory of 2088	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	PdphLBf.exe
PID 1640 wrote to memory of 2644	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	XxWJOfb.exe
PID 1640 wrote to memory of 2644	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	XxWJOfb.exe
PID 1640 wrote to memory of 2644	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	XxWJOfb.exe
PID 1640 wrote to memory of 2388	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lMFMweP.exe
PID 1640 wrote to memory of 2388	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lMFMweP.exe
PID 1640 wrote to memory of 2388	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lMFMweP.exe
PID 1640 wrote to memory of 2504	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	EVisljr.exe
PID 1640 wrote to memory of 2504	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	EVisljr.exe
PID 1640 wrote to memory of 2504	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	EVisljr.exe
PID 1640 wrote to memory of 2360	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	pVIyvMd.exe
PID 1640 wrote to memory of 2360	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	pVIyvMd.exe
PID 1640 wrote to memory of 2360	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	pVIyvMd.exe
PID 1640 wrote to memory of 2404	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	bgxXXCz.exe
PID 1640 wrote to memory of 2404	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	bgxXXCz.exe
PID 1640 wrote to memory of 2404	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	bgxXXCz.exe
PID 1640 wrote to memory of 2440	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	JZJmYLA.exe
PID 1640 wrote to memory of 2440	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	JZJmYLA.exe
PID 1640 wrote to memory of 2440	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	JZJmYLA.exe
PID 1640 wrote to memory of 2804	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	JZJPCjF.exe
PID 1640 wrote to memory of 2804	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	JZJPCjF.exe
PID 1640 wrote to memory of 2804	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	JZJPCjF.exe
PID 1640 wrote to memory of 1688	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	xfDMUpe.exe
PID 1640 wrote to memory of 1688	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	xfDMUpe.exe
PID 1640 wrote to memory of 1688	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	xfDMUpe.exe
PID 1640 wrote to memory of 1800	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	hnacIHg.exe
PID 1640 wrote to memory of 1800	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	hnacIHg.exe
PID 1640 wrote to memory of 1800	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	hnacIHg.exe
PID 1640 wrote to memory of 2152	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lyWVIJf.exe
PID 1640 wrote to memory of 2152	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lyWVIJf.exe
PID 1640 wrote to memory of 2152	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	lyWVIJf.exe
PID 1640 wrote to memory of 2136	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	AIaFbVy.exe
PID 1640 wrote to memory of 2136	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	AIaFbVy.exe
PID 1640 wrote to memory of 2136	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	AIaFbVy.exe
PID 1640 wrote to memory of 1580	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	NvvtRan.exe
PID 1640 wrote to memory of 1580	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	NvvtRan.exe
PID 1640 wrote to memory of 1580	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	NvvtRan.exe
PID 1640 wrote to memory of 1588	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	VvMpGYl.exe
PID 1640 wrote to memory of 1588	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	VvMpGYl.exe
PID 1640 wrote to memory of 1588	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	VvMpGYl.exe
PID 1640 wrote to memory of 1764	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	dChGlFr.exe
PID 1640 wrote to memory of 1764	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	dChGlFr.exe
PID 1640 wrote to memory of 1764	1640	2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe	dChGlFr.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_a9d0f8891ed9235c0883644623749ac8_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System\XlBVCYI.exe
C:\Windows\System\XlBVCYI.exe
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\System\IppqZMf.exe
C:\Windows\System\IppqZMf.exe
2⤵
- Executes dropped EXE
PID:2080

C:\Windows\System\TqmvrQd.exe
C:\Windows\System\TqmvrQd.exe
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\System\lPfEdkB.exe
C:\Windows\System\lPfEdkB.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\System\tPnugGP.exe
C:\Windows\System\tPnugGP.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\mVDHGHV.exe
C:\Windows\System\mVDHGHV.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\System\PdphLBf.exe
C:\Windows\System\PdphLBf.exe
2⤵
- Executes dropped EXE
PID:2088

C:\Windows\System\XxWJOfb.exe
C:\Windows\System\XxWJOfb.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\lMFMweP.exe
C:\Windows\System\lMFMweP.exe
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\System\EVisljr.exe
C:\Windows\System\EVisljr.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\pVIyvMd.exe
C:\Windows\System\pVIyvMd.exe
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\System\bgxXXCz.exe
C:\Windows\System\bgxXXCz.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\JZJmYLA.exe
C:\Windows\System\JZJmYLA.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\JZJPCjF.exe
C:\Windows\System\JZJPCjF.exe
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\System\xfDMUpe.exe
C:\Windows\System\xfDMUpe.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System\hnacIHg.exe
C:\Windows\System\hnacIHg.exe
2⤵
- Executes dropped EXE
PID:1800

C:\Windows\System\lyWVIJf.exe
C:\Windows\System\lyWVIJf.exe
2⤵
- Executes dropped EXE
PID:2152

C:\Windows\System\AIaFbVy.exe
C:\Windows\System\AIaFbVy.exe
2⤵
- Executes dropped EXE
PID:2136

C:\Windows\System\NvvtRan.exe
C:\Windows\System\NvvtRan.exe
2⤵
- Executes dropped EXE
PID:1580

C:\Windows\System\VvMpGYl.exe
C:\Windows\System\VvMpGYl.exe
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\System\dChGlFr.exe
C:\Windows\System\dChGlFr.exe
2⤵
- Executes dropped EXE
PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AIaFbVy.exe
Filesize
5.2MB

MD5
b0d5d13caf2fd7eeacac112a07222978

SHA1
9b2b8454d40a0b874d07ee41e89e3230a9d78fb7

SHA256
e42a6ca4ff23519453e8d28abcc6464e6803ca48b78d8b32c2b1f8c6372c07e3

SHA512
76c07dd1966e8e31abb81bb19432b5357ebb23c37412a4a98ce38e925d76108cb0ccb37a82d4bacfa1626b02beefbf51f1503c7c5bbb686d33ee8d777ee94f44

Download Submit
C:\Windows\system\EVisljr.exe
Filesize
5.2MB

MD5
6d4351112ffec8d5a9a3dcf47909510d

SHA1
a1c3622d100fc1f24c423743bf98bf851d003bbf

SHA256
3e9b904e2559ce75e6ad68018294169ca3dd681366be3557261db44b3d06b517

SHA512
0dfb66d5c38d15ef331dc08e4a8930fee0a6c1c9236f4b4b7846b8dfb0398ef881d8b26630dc32b7b1141c308c719adb6ab444bc8f19639cc9e96241fd540afd

Download Submit
C:\Windows\system\JZJPCjF.exe
Filesize
5.2MB

MD5
f2ff6c1f761373a5c83cd8e7879b6381

SHA1
5a9dc4adfcaf524042c5d1480119bcaee79e9f5c

SHA256
8dcf0341ad210ea9d536bb9fa4029b8bbb391590c7e18a26fbfd7c9fa0282c56

SHA512
21024c64370d239e064e67859fc3deeb4f9b8f5e5b622a3721339a562b2ac052a8a188fccb8809f93505eff975cdd822a11fb712827b6d8d235521736e2cfc8d

Download Submit
C:\Windows\system\JZJmYLA.exe
Filesize
5.2MB

MD5
b882f483154a70823894b6286fda072a

SHA1
978be5c57ad4e9372f69553a5524c1eb695f31c7

SHA256
23f2986fa286d14257b8e26c5b2ae64dc8c89bb1d59880e28eaa4042a939639b

SHA512
6070d8142522ae32d0da21bce85e6b6d7a35c679d28d32620f3e4d4d1e8a3b8c3c8df6d2bbd24a3dd5464109b6051c4bf3df55dcee2f1222888191858133816b

Download Submit
C:\Windows\system\NvvtRan.exe
Filesize
5.2MB

MD5
eeddc70eef45250344d23cfa49df53ee

SHA1
b27514799d2d3128aba0939e847ac84596a87438

SHA256
f4e0053191d42c8df9c7687a467ecdef86f658dd69a05cd9ec3c6551de6279b2

SHA512
59cada25bdd04c43e77d6779a0ef4aa25e45a8e0c08da5b5aba8fc3a87dacf531091a7951644e44354e36fc132c912eb0e515191f3793d0e763e8a944192440a

Download Submit
C:\Windows\system\PdphLBf.exe
Filesize
5.2MB

MD5
2ce8350db3ddfa5dc91aa80e15153cdc

SHA1
5722a2b42518312088e0efd85d681184aaea3e1e

SHA256
f7c8f5a3bcd59d61bce2d2aec4f503d0b7a8437ff8168103bcfa347715da563a

SHA512
6002ddd7f889349a646f0a2991e8720afd9dcb0237ab01bfb67d1368cd10bb1c69d29573fe811adf0a03ef59b512d77ddf51875cb0960ad54d48f6d9e8bf93d8

Download Submit
C:\Windows\system\TqmvrQd.exe
Filesize
5.2MB

MD5
6d4e23f3ecd0e8a97873f9bf76d4e9bb

SHA1
c901d6b28e8c278b0fa0904ae140a3368f2440ee

SHA256
4f6eb5e6de08d06b1703efab28ca0f10d0b06b687d5c3929570f335e7df824ea

SHA512
2ced90e52dab9123a96ca42a5ea2a2f8d0de98dd23ae596a612629c634d01aaa092d6344d3ce6f7e79a061bc1b6943ff8bf77a06b4af1a64de25ffad772e8dce

Download Submit
C:\Windows\system\VvMpGYl.exe
Filesize
5.2MB

MD5
2ea06753fb3073e3c5529fd7b4cd0ab8

SHA1
27d83d42ff11810f0dc690ec36b6d275979bf5d8

SHA256
4be3f2866c4ebecde208e0b6efa06fb5a57af77476e130df9a5bbc93e63b5af8

SHA512
265ed17875b675c71b8d7b4737710a3738d00a69ddba874784090ab31abea997aec8f9abdde1772492ca7bc92b97b93ca74129e2adc10bdf838bb779ef1f3de9

Download Submit
C:\Windows\system\XlBVCYI.exe
Filesize
5.2MB

MD5
de67a4a4fa656853db7eb5bfacb0514c

SHA1
6923a696fb8fde888c654274e13b419b80725ec1

SHA256
e56cc6ec9eb4d49384fdde4aa1ad14cbce066c39fc4bef8c1480a56f16a9de94

SHA512
5b4a8dcc65d1a9ab44a661c78204a79836326af41fa71646b6b0c6e30e0b127d276944ae1e4a45c9b0251f494811402cf252fa5994e8fe1ec2baff4c36873dd2

Download Submit
C:\Windows\system\XxWJOfb.exe
Filesize
5.2MB

MD5
082ad8e90e0956e420acf3e4e96e5ac5

SHA1
fe8cac3f3522237ea28ae12aa5d5ff14b785fa4d

SHA256
2fb2d53eeae9e1d7f52ae012cd02c99969ad4745377d2486944d3e092f1e2fa7

SHA512
d8666bd27ebe1224395233b2a9055d1c4ccb9c06fcb57390bf04072a41d0c2c23d38626f9e58810127c859a86505055ee0111e823a46223789b79158b3e87513

Download Submit
C:\Windows\system\bgxXXCz.exe
Filesize
5.2MB

MD5
81a2b30ed7dd3238a548d63d40bcde81

SHA1
720e431f50eb31ecb16ee4a85b47c670a8ca84ed

SHA256
479a379eefa4f4717d0406b0ac73595eb2561d4d6847b46e3251c60d76672b0d

SHA512
e6c65e9b83d93ba77848f133ec4f7e99b70d90dd72fa32ac4012ca47107b0a3fb19d3576a977a21566d51151f19991fa46a618a136943cda5281f1ee858c2cf6

Download Submit
C:\Windows\system\dChGlFr.exe
Filesize
5.2MB

MD5
cc0f263bd6349494df8447deaf237885

SHA1
652baf75eacd1aa120f94a40ab1fe3caaa29854f

SHA256
0436bacca1d14b46e093dbeea0d9e5ef95df2ec4a2b84ddfe5fa0c442c9fce83

SHA512
b1624abd5a7f9ce265deb39ac6d98a540d6aa8460c92e5d5d4582e6aca85f36b917f69e6de9d0892283c017d4aa1cd0037eefa91ee2e00b2a32132e8cc1125c7

Download Submit
C:\Windows\system\hnacIHg.exe
Filesize
5.2MB

MD5
274c831f13241374980e795d7db97e2a

SHA1
98943499fcec6163a9f4fd05ba2fc62b9865add2

SHA256
bbf7c6b8487b0de1faef01c99c06c77a44872088570517a383949c4236c501ef

SHA512
f427d5c41c9db74c012b540694e9989962a648f5c7be8370c8b1b0f525ce0ec89824773c20dd4541a8583c5ff79bb0d0d042763bc377600f02e999ce83b8a8e0

Download Submit
C:\Windows\system\lMFMweP.exe
Filesize
5.2MB

MD5
eed21339fe461f746c570c86fcc4f0fb

SHA1
65a73667a353973fbba2bb04686760202c3b0736

SHA256
ddd1df139ccb3439cdb38036546dcabf624c6a4890627abb564f5bfdb784b4eb

SHA512
0ef7f9a65d2e81a64f3ef70af33dc9fe745c989536ddedf11caad84cffb33152ce4f0635ec93dcb87005dc8402a56f1059a757cbfb527ac0628147b57b1e87b9

Download Submit
C:\Windows\system\lyWVIJf.exe
Filesize
5.2MB

MD5
a27c5f8e0d23a6c4b01093092cce4190

SHA1
54b0de858ce52336e2177174e43675a477f8ac12

SHA256
7639eafc29706a58b137fe60a4c216b33fc5cd84cf585c4595f8d4c0d88d663e

SHA512
204689ac8997a6c08c8d69e3993c5090b4e2422a74f330fa68372b70199f3e04628b86faaf4339309cc0fb87d2f10e7b78125f63b91c546b798baea7bfd3c1dd

Download Submit
C:\Windows\system\mVDHGHV.exe
Filesize
5.2MB

MD5
c73e67114a405e9cd0a2c9c737722066

SHA1
02ec54b584eb5faffbc8c83df23ca2fb4ebd8fe2

SHA256
424b06409445014ae0af5d4f7d42962abb3d0e8c2baeea8b54a13db80e415cd9

SHA512
bb8854b27ce7ee28820c974a0aa07b34938f0d8725d7448354f5cc45f6324c9c0db8e78ffb4fead4e3d8e08a4cfc20af637fee8f204eba9ffccabae978ad0bee

Download Submit
C:\Windows\system\pVIyvMd.exe
Filesize
5.2MB

MD5
8aef00f49ba1a53899837af43448bf64

SHA1
4e6e7260ddc38cba94941213e92d115fd4e5407b

SHA256
41f67501615396fd8b26ee96730fd8ea1003a1fc50a02e71453fe8d51fcca370

SHA512
5b480cbcf9d79a49b8dfb0c1bbc0b028cbe361b9f73ed08cbfdefd55279a1aca3d6020707c71767d1fa3c4f00e9f1e54e3603becd5ecd6b9fe6c31bd94e7c59b

Download Submit
C:\Windows\system\tPnugGP.exe
Filesize
5.2MB

MD5
66332042d6076b304d6ab95870723a9c

SHA1
8f6e34b6ac6f2a2122bc798671aef629e5451f2b

SHA256
294bb99dd622f23c6ac91159e28cae31df7ca88b39cf8ed8c72b75e4283ff2f9

SHA512
53e17560b9f0b0a56b0b6690db3497cf87afef7d6378c7e459fc29de4bd2ed8084079b2bac42ab7ef0a678b906d7de1f173c07b66e1f5c0e1f06b796be035eb1

Download Submit
C:\Windows\system\xfDMUpe.exe
Filesize
5.2MB

MD5
6f462300a009c982f3f78bae36b2f9d7

SHA1
bf6032a3e7b8d2bc5aca9b1892d7fdfaeb91de37

SHA256
27802f14a8e531534bb1777c0e462bf5f5e33bbdb89e37f3fd78f8056fce6aab

SHA512
744a7a8cce988475df4b7135c123489b017c6f9af7878e3ce9a8b6d1e0eb7fe92416697a2371ef7f568e8272f7670afec4b3d11cbb07be1e75ad05b202490928

Download Submit
\Windows\system\IppqZMf.exe
Filesize
5.2MB

MD5
ebd79528cfd30e40642dd0c043aa72b6

SHA1
3c6ea7b9c0091f843ebfc78f4b701748675805d0

SHA256
72039fbf2fb7f4bf112ad345bf7eba5aa10203de914ae5d289a3b0c1cd88f3d5

SHA512
2dac4ad7e6c1f29249f230d59050369efc448baa2c83cb0aa196901f08cdea6c2168bf1ceaa18532561e52ab4104332d758473edb1ee3a63f2f0357c7036c080

Download Submit
\Windows\system\lPfEdkB.exe
Filesize
5.2MB

MD5
6d686c24d0c1add14fd3cd1fdd2b6270

SHA1
c66b753f8761eebe9003712fccaafe5c8f9a7573

SHA256
be4080fdc33b9f1cc966e21d5d15f78e091ca96525ac4410ed419b03e1d9f5ac

SHA512
1f3bb2dbc8462267777144d6d0afb349d0db0b2248a34af3b9a3ab9fe3ea35888e177d21a19143ee6232ddeec32c5495138c1333ade5323e7897086026c5cd29

Download Submit
memory/1580-154-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1588-155-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/1640-158-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/1640-91-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/1640-82-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-135-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/1640-87-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1640-0-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/1640-12-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-84-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/1640-97-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/1640-157-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/1640-34-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-83-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/1640-48-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1640-99-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1640-20-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1640-102-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1640-159-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1640-52-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-98-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1640-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1688-223-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/1688-94-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/1752-95-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-204-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1764-156-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1800-151-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2080-211-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2080-59-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2088-214-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2088-85-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2136-153-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2152-152-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-92-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2360-227-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2388-217-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2388-86-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2404-147-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2404-105-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2404-242-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2440-93-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2440-220-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-228-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2504-104-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2580-208-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/2580-80-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/2632-77-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-212-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-224-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2644-89-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2648-218-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-88-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-149-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-96-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-206-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download