cobaltstrike | 79a3517ae7eff769fdd51f596e480490087be738fd9c07afaacbacddd9bc458a

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

7342f8a69c027cfe701f7c3596f3ed5d
SHA1

1a9d205287c9a5fdc7a9ee3ddc95c637765757bb
SHA256

79a3517ae7eff769fdd51f596e480490087be738fd9c07afaacbacddd9bc458a
SHA512

818c88e9915d7c99fb56f2e059b520ffe4e4652c9d9cf6b046c5c1c007aa62d9627d2aea1afe312256fc6c5ae8fbc9f9723e8af4eabd9ff6814099b7966b9e68
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lg:RWWBibf56utgpPFotBER/mQ32lU8

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\UWCiTxr.exe	cobalt_reflective_dll
C:\Windows\system\WWeoyGU.exe	cobalt_reflective_dll
C:\Windows\system\TndEyPa.exe	cobalt_reflective_dll
\Windows\system\wYBQApq.exe	cobalt_reflective_dll
\Windows\system\QiUIhup.exe	cobalt_reflective_dll
\Windows\system\hojfzLw.exe	cobalt_reflective_dll
\Windows\system\AoQmKAL.exe	cobalt_reflective_dll
\Windows\system\mIVTnFD.exe	cobalt_reflective_dll
\Windows\system\xruSsjZ.exe	cobalt_reflective_dll
\Windows\system\cwaUArF.exe	cobalt_reflective_dll
\Windows\system\xjjDbEy.exe	cobalt_reflective_dll
C:\Windows\system\INFbtjc.exe	cobalt_reflective_dll
C:\Windows\system\ITUKOXJ.exe	cobalt_reflective_dll
C:\Windows\system\FOeLFxQ.exe	cobalt_reflective_dll
C:\Windows\system\onNCJIy.exe	cobalt_reflective_dll
C:\Windows\system\QWeHVyv.exe	cobalt_reflective_dll
C:\Windows\system\WIXbPhp.exe	cobalt_reflective_dll
C:\Windows\system\tfKXJQv.exe	cobalt_reflective_dll
C:\Windows\system\KalKVYJ.exe	cobalt_reflective_dll
C:\Windows\system\LZPqAGP.exe	cobalt_reflective_dll
C:\Windows\system\gmLZLwB.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\UWCiTxr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WWeoyGU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TndEyPa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\wYBQApq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QiUIhup.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hojfzLw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\AoQmKAL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\mIVTnFD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xruSsjZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\cwaUArF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xjjDbEy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\INFbtjc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ITUKOXJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FOeLFxQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\onNCJIy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QWeHVyv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WIXbPhp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tfKXJQv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KalKVYJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LZPqAGP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gmLZLwB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-0-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
\Windows\system\UWCiTxr.exe	UPX
behavioral1/memory/2084-9-0x000000013F320000-0x000000013F671000-memory.dmp	UPX
behavioral1/memory/2168-6-0x000000013F320000-0x000000013F671000-memory.dmp	UPX
behavioral1/memory/2480-15-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
C:\Windows\system\WWeoyGU.exe	UPX
C:\Windows\system\TndEyPa.exe	UPX
\Windows\system\wYBQApq.exe	UPX
\Windows\system\QiUIhup.exe	UPX
\Windows\system\hojfzLw.exe	UPX
behavioral1/memory/2664-72-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
\Windows\system\AoQmKAL.exe	UPX
behavioral1/memory/2576-139-0x000000013FEE0000-0x0000000140231000-memory.dmp	UPX
\Windows\system\mIVTnFD.exe	UPX
behavioral1/memory/2500-46-0x000000013FFE0000-0x0000000140331000-memory.dmp	UPX
\Windows\system\xruSsjZ.exe	UPX
behavioral1/memory/2524-36-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
\Windows\system\cwaUArF.exe	UPX
behavioral1/memory/2576-26-0x000000013FEE0000-0x0000000140231000-memory.dmp	UPX
\Windows\system\xjjDbEy.exe	UPX
behavioral1/memory/2480-107-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/2808-106-0x000000013F7F0000-0x000000013FB41000-memory.dmp	UPX
behavioral1/memory/2392-104-0x000000013F920000-0x000000013FC71000-memory.dmp	UPX
C:\Windows\system\INFbtjc.exe	UPX
behavioral1/memory/2084-102-0x000000013F320000-0x000000013F671000-memory.dmp	UPX
behavioral1/memory/528-95-0x000000013F500000-0x000000013F851000-memory.dmp	UPX
C:\Windows\system\ITUKOXJ.exe	UPX
behavioral1/memory/2168-140-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
C:\Windows\system\FOeLFxQ.exe	UPX
C:\Windows\system\onNCJIy.exe	UPX
behavioral1/memory/2624-67-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
C:\Windows\system\QWeHVyv.exe	UPX
behavioral1/memory/2524-145-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2588-150-0x000000013F040000-0x000000013F391000-memory.dmp	UPX
behavioral1/memory/2624-151-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/528-157-0x000000013F500000-0x000000013F851000-memory.dmp	UPX
behavioral1/memory/2376-158-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
behavioral1/memory/3004-156-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
behavioral1/memory/2808-155-0x000000013F7F0000-0x000000013FB41000-memory.dmp	UPX
behavioral1/memory/2436-154-0x000000013F9E0000-0x000000013FD31000-memory.dmp	UPX
behavioral1/memory/2392-153-0x000000013F920000-0x000000013FC71000-memory.dmp	UPX
behavioral1/memory/2212-152-0x000000013FE80000-0x00000001401D1000-memory.dmp	UPX
behavioral1/memory/2664-149-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
behavioral1/memory/2672-148-0x000000013F970000-0x000000013FCC1000-memory.dmp	UPX
behavioral1/memory/2500-147-0x000000013FFE0000-0x0000000140331000-memory.dmp	UPX
behavioral1/memory/2620-146-0x000000013F860000-0x000000013FBB1000-memory.dmp	UPX
behavioral1/memory/2980-144-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
C:\Windows\system\WIXbPhp.exe	UPX
behavioral1/memory/2168-49-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
C:\Windows\system\tfKXJQv.exe	UPX
C:\Windows\system\KalKVYJ.exe	UPX
C:\Windows\system\LZPqAGP.exe	UPX
behavioral1/memory/1004-159-0x000000013FB20000-0x000000013FE71000-memory.dmp	UPX
C:\Windows\system\gmLZLwB.exe	UPX
behavioral1/memory/2168-162-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
behavioral1/memory/2084-216-0x000000013F320000-0x000000013F671000-memory.dmp	UPX
behavioral1/memory/2480-233-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/2576-235-0x000000013FEE0000-0x0000000140231000-memory.dmp	UPX
behavioral1/memory/2524-237-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/2624-243-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/2664-242-0x000000013F350000-0x000000013F6A1000-memory.dmp	UPX
behavioral1/memory/528-252-0x000000013F500000-0x000000013F851000-memory.dmp	UPX
behavioral1/memory/2392-245-0x000000013F920000-0x000000013FC71000-memory.dmp	UPX
behavioral1/memory/2808-247-0x000000013F7F0000-0x000000013FB41000-memory.dmp	UPX

XMRig Miner payload 36 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2168-56-0x0000000002310000-0x0000000002661000-memory.dmp	xmrig
behavioral1/memory/2576-139-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2480-107-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2084-102-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2168-140-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2524-145-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2588-150-0x000000013F040000-0x000000013F391000-memory.dmp	xmrig
behavioral1/memory/2624-151-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/528-157-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2376-158-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/3004-156-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2808-155-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/2436-154-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2392-153-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2212-152-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/2664-149-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2672-148-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/2500-147-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2620-146-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/2980-144-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2168-49-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/1096-160-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/1572-161-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/1004-159-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2168-162-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2168-208-0x0000000002310000-0x0000000002661000-memory.dmp	xmrig
behavioral1/memory/2084-216-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2480-233-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2576-235-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2524-237-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2624-243-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2664-242-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/528-252-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2392-245-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2808-247-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/2500-240-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

UWCiTxr.exegmLZLwB.exeLZPqAGP.exeKalKVYJ.exetfKXJQv.exeWIXbPhp.exeQWeHVyv.exeonNCJIy.exeFOeLFxQ.exeITUKOXJ.exeTndEyPa.exeINFbtjc.exexjjDbEy.execwaUArF.exexruSsjZ.exemIVTnFD.exeWWeoyGU.exeAoQmKAL.exehojfzLw.exeQiUIhup.exewYBQApq.exe

pid	process
2084	UWCiTxr.exe
2480	gmLZLwB.exe
2576	LZPqAGP.exe
2524	KalKVYJ.exe
2500	tfKXJQv.exe
2664	WIXbPhp.exe
2624	QWeHVyv.exe
2392	onNCJIy.exe
2808	FOeLFxQ.exe
528	ITUKOXJ.exe
1004	TndEyPa.exe
1572	INFbtjc.exe
2980	xjjDbEy.exe
2620	cwaUArF.exe
2672	xruSsjZ.exe
2588	mIVTnFD.exe
2212	WWeoyGU.exe
2436	AoQmKAL.exe
3004	hojfzLw.exe
2376	QiUIhup.exe
1096	wYBQApq.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

pid	process
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2168-0-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
\Windows\system\UWCiTxr.exe	upx
behavioral1/memory/2084-9-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2168-6-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2480-15-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
C:\Windows\system\WWeoyGU.exe	upx
C:\Windows\system\TndEyPa.exe	upx
\Windows\system\wYBQApq.exe	upx
\Windows\system\QiUIhup.exe	upx
\Windows\system\hojfzLw.exe	upx
behavioral1/memory/2664-72-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
\Windows\system\AoQmKAL.exe	upx
behavioral1/memory/2576-139-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
\Windows\system\mIVTnFD.exe	upx
behavioral1/memory/2500-46-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
\Windows\system\xruSsjZ.exe	upx
behavioral1/memory/2524-36-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
\Windows\system\cwaUArF.exe	upx
behavioral1/memory/2576-26-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
\Windows\system\xjjDbEy.exe	upx
behavioral1/memory/2480-107-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2808-106-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2392-104-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
C:\Windows\system\INFbtjc.exe	upx
behavioral1/memory/2084-102-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/528-95-0x000000013F500000-0x000000013F851000-memory.dmp	upx
C:\Windows\system\ITUKOXJ.exe	upx
behavioral1/memory/2168-140-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
C:\Windows\system\FOeLFxQ.exe	upx
C:\Windows\system\onNCJIy.exe	upx
behavioral1/memory/2624-67-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
C:\Windows\system\QWeHVyv.exe	upx
behavioral1/memory/2524-145-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2588-150-0x000000013F040000-0x000000013F391000-memory.dmp	upx
behavioral1/memory/2624-151-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/528-157-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2376-158-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
behavioral1/memory/3004-156-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2808-155-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2436-154-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2392-153-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/2212-152-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/2664-149-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2672-148-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/memory/2500-147-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2620-146-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/2980-144-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
C:\Windows\system\WIXbPhp.exe	upx
behavioral1/memory/2168-49-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
C:\Windows\system\tfKXJQv.exe	upx
C:\Windows\system\KalKVYJ.exe	upx
C:\Windows\system\LZPqAGP.exe	upx
behavioral1/memory/1096-160-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/1572-161-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/1004-159-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
C:\Windows\system\gmLZLwB.exe	upx
behavioral1/memory/2168-162-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/2084-216-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2480-233-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2576-235-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2524-237-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2624-243-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2664-242-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/528-252-0x000000013F500000-0x000000013F851000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\KalKVYJ.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xruSsjZ.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WWeoyGU.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\onNCJIy.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WIXbPhp.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AoQmKAL.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hojfzLw.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ITUKOXJ.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wYBQApq.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mIVTnFD.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QWeHVyv.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QiUIhup.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UWCiTxr.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gmLZLwB.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LZPqAGP.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xjjDbEy.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tfKXJQv.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\INFbtjc.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cwaUArF.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FOeLFxQ.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TndEyPa.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2168 wrote to memory of 2084	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	UWCiTxr.exe
PID 2168 wrote to memory of 2084	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	UWCiTxr.exe
PID 2168 wrote to memory of 2084	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	UWCiTxr.exe
PID 2168 wrote to memory of 2480	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	gmLZLwB.exe
PID 2168 wrote to memory of 2480	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	gmLZLwB.exe
PID 2168 wrote to memory of 2480	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	gmLZLwB.exe
PID 2168 wrote to memory of 2576	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	LZPqAGP.exe
PID 2168 wrote to memory of 2576	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	LZPqAGP.exe
PID 2168 wrote to memory of 2576	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	LZPqAGP.exe
PID 2168 wrote to memory of 2980	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xjjDbEy.exe
PID 2168 wrote to memory of 2980	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xjjDbEy.exe
PID 2168 wrote to memory of 2980	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xjjDbEy.exe
PID 2168 wrote to memory of 2524	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	KalKVYJ.exe
PID 2168 wrote to memory of 2524	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	KalKVYJ.exe
PID 2168 wrote to memory of 2524	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	KalKVYJ.exe
PID 2168 wrote to memory of 2620	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	cwaUArF.exe
PID 2168 wrote to memory of 2620	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	cwaUArF.exe
PID 2168 wrote to memory of 2620	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	cwaUArF.exe
PID 2168 wrote to memory of 2500	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	tfKXJQv.exe
PID 2168 wrote to memory of 2500	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	tfKXJQv.exe
PID 2168 wrote to memory of 2500	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	tfKXJQv.exe
PID 2168 wrote to memory of 2672	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xruSsjZ.exe
PID 2168 wrote to memory of 2672	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xruSsjZ.exe
PID 2168 wrote to memory of 2672	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xruSsjZ.exe
PID 2168 wrote to memory of 2664	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	WIXbPhp.exe
PID 2168 wrote to memory of 2664	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	WIXbPhp.exe
PID 2168 wrote to memory of 2664	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	WIXbPhp.exe
PID 2168 wrote to memory of 2588	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	mIVTnFD.exe
PID 2168 wrote to memory of 2588	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	mIVTnFD.exe
PID 2168 wrote to memory of 2588	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	mIVTnFD.exe
PID 2168 wrote to memory of 2624	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	QWeHVyv.exe
PID 2168 wrote to memory of 2624	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	QWeHVyv.exe
PID 2168 wrote to memory of 2624	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	QWeHVyv.exe
PID 2168 wrote to memory of 2212	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	WWeoyGU.exe
PID 2168 wrote to memory of 2212	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	WWeoyGU.exe
PID 2168 wrote to memory of 2212	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	WWeoyGU.exe
PID 2168 wrote to memory of 2392	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	onNCJIy.exe
PID 2168 wrote to memory of 2392	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	onNCJIy.exe
PID 2168 wrote to memory of 2392	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	onNCJIy.exe
PID 2168 wrote to memory of 2436	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	AoQmKAL.exe
PID 2168 wrote to memory of 2436	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	AoQmKAL.exe
PID 2168 wrote to memory of 2436	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	AoQmKAL.exe
PID 2168 wrote to memory of 2808	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	FOeLFxQ.exe
PID 2168 wrote to memory of 2808	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	FOeLFxQ.exe
PID 2168 wrote to memory of 2808	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	FOeLFxQ.exe
PID 2168 wrote to memory of 3004	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	hojfzLw.exe
PID 2168 wrote to memory of 3004	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	hojfzLw.exe
PID 2168 wrote to memory of 3004	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	hojfzLw.exe
PID 2168 wrote to memory of 528	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	ITUKOXJ.exe
PID 2168 wrote to memory of 528	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	ITUKOXJ.exe
PID 2168 wrote to memory of 528	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	ITUKOXJ.exe
PID 2168 wrote to memory of 2376	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	QiUIhup.exe
PID 2168 wrote to memory of 2376	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	QiUIhup.exe
PID 2168 wrote to memory of 2376	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	QiUIhup.exe
PID 2168 wrote to memory of 1004	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	TndEyPa.exe
PID 2168 wrote to memory of 1004	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	TndEyPa.exe
PID 2168 wrote to memory of 1004	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	TndEyPa.exe
PID 2168 wrote to memory of 1096	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	wYBQApq.exe
PID 2168 wrote to memory of 1096	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	wYBQApq.exe
PID 2168 wrote to memory of 1096	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	wYBQApq.exe
PID 2168 wrote to memory of 1572	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	INFbtjc.exe
PID 2168 wrote to memory of 1572	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	INFbtjc.exe
PID 2168 wrote to memory of 1572	2168	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	INFbtjc.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\System\UWCiTxr.exe
C:\Windows\System\UWCiTxr.exe
2⤵
- Executes dropped EXE
PID:2084

C:\Windows\System\gmLZLwB.exe
C:\Windows\System\gmLZLwB.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\LZPqAGP.exe
C:\Windows\System\LZPqAGP.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\System\xjjDbEy.exe
C:\Windows\System\xjjDbEy.exe
2⤵
- Executes dropped EXE
PID:2980

C:\Windows\System\KalKVYJ.exe
C:\Windows\System\KalKVYJ.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\cwaUArF.exe
C:\Windows\System\cwaUArF.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\tfKXJQv.exe
C:\Windows\System\tfKXJQv.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\xruSsjZ.exe
C:\Windows\System\xruSsjZ.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\WIXbPhp.exe
C:\Windows\System\WIXbPhp.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\mIVTnFD.exe
C:\Windows\System\mIVTnFD.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\QWeHVyv.exe
C:\Windows\System\QWeHVyv.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\WWeoyGU.exe
C:\Windows\System\WWeoyGU.exe
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\System\onNCJIy.exe
C:\Windows\System\onNCJIy.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\AoQmKAL.exe
C:\Windows\System\AoQmKAL.exe
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\System\FOeLFxQ.exe
C:\Windows\System\FOeLFxQ.exe
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\System\hojfzLw.exe
C:\Windows\System\hojfzLw.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\ITUKOXJ.exe
C:\Windows\System\ITUKOXJ.exe
2⤵
- Executes dropped EXE
PID:528

C:\Windows\System\QiUIhup.exe
C:\Windows\System\QiUIhup.exe
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\System\TndEyPa.exe
C:\Windows\System\TndEyPa.exe
2⤵
- Executes dropped EXE
PID:1004

C:\Windows\System\wYBQApq.exe
C:\Windows\System\wYBQApq.exe
2⤵
- Executes dropped EXE
PID:1096

C:\Windows\System\INFbtjc.exe
C:\Windows\System\INFbtjc.exe
2⤵
- Executes dropped EXE
PID:1572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FOeLFxQ.exe
Filesize
5.2MB

MD5
27bdb03a2c779f8820529ec41bec0c1d

SHA1
9710288f60648825f21ff1e026c5d7a2dbc6c1c5

SHA256
49da068aee64d94e146cc0f62826f94382a1a032bf5bb4a2e0b6a5876c49326e

SHA512
4b7e9b9f7f548054191aff7fff7abcccb98b1b65f1b23d80ecd73fe1524f4ac610be3b07366b0144b9c6192195794e7e42805bd8acc55414aa1aa5a835e074fe

Download Submit
C:\Windows\system\INFbtjc.exe
Filesize
5.2MB

MD5
24a615f120c64675b17adf0a0e4a8570

SHA1
526dc93f559b61203570a4ee748a635c2dc00a56

SHA256
d353a834ae956d104f7adf4c668bdf7e0233d3c60b320bdfdfed34cdbe0fbc8b

SHA512
cbe3bf7c71dada31340385ef77fc04d67129f03181756d193f6140e6b76d1f54732954d7635069a94e22542b4bb3df5002ef097d1a52057b87425bde5df0a70d

Download Submit
C:\Windows\system\ITUKOXJ.exe
Filesize
5.2MB

MD5
528fdd4f2d0e00f9140871dee0fb7f2d

SHA1
c1b9b7d24b5ec49a98865451f398262ca45727a2

SHA256
f22175a1b9cf2ec41c6134602b8022315cc5a42a55849349615e6df19ad99880

SHA512
88565fb910c63798c22be021d725252188a3f1963e24727c2fdacee0385fe6dc26f2e6a0b5c84d3d054ed8c77450bccee2f447aa523beb5b187994c1864676d4

Download Submit
C:\Windows\system\KalKVYJ.exe
Filesize
5.2MB

MD5
86cc92341db4a6af64ff027b91e45d30

SHA1
591d75878eab9eb1dd63921a45f39f3c3fd79b19

SHA256
53b7488ee5a3b59034dfb89184d5285ac6b0605549bd05faf3a4b55c3d508a84

SHA512
74acf15b36d22af242bbca61ac3dfcf1e3fd768658dcfcab1e80e31c66c2a3c0693c0eadda5a71308f3c641b813a3eb5f93a98e1c486e66190114011fef772cf

Download Submit
C:\Windows\system\LZPqAGP.exe
Filesize
5.2MB

MD5
419278568776ea4f3495e3079923da3f

SHA1
5806ddd2adf665c8ce6b16254f885939b553fac8

SHA256
5eacc1a0be03915fbb27aa3facf8f58adbb5e23667396cc1d263f8f9218cd843

SHA512
daeffd7b7a134d01968b213c569d20a480dd6780a956a55d3d2a809c5e66c71e87d21daaffe3c2d1b115f1507e42f31481312906cb691af8d9610624a82e91b2

Download Submit
C:\Windows\system\QWeHVyv.exe
Filesize
5.2MB

MD5
57885ff8f5f084ebb2f5928ac8ceb2ff

SHA1
8ba14d339ddcbe330718d0f9e6e86e0895217444

SHA256
bc2bd5232faad97f602270d205738e43508c35fd7ad994d401d1092456b4c2e9

SHA512
18013ff6ec3319f576812221f559ce720685cf551c97a89ace86e78176a95a81b288d43a33f1d5276e2d65da123583c08f580fd424492e75b642f0bad63d3020

Download Submit
C:\Windows\system\TndEyPa.exe
Filesize
5.2MB

MD5
586d1e1c74294f7932ec78ae443424d1

SHA1
15345e8e07c1f2876e44b204aca2d09074fad083

SHA256
fc92e8553da7bc53ec6b772ec11d16ffc8f2c7a03786ae47c12e0d1c3d07f0fb

SHA512
f9877eee8cd7aa10a4892369aa2a41ffb23f23b6bb901374d800a4fc5968c12892b721230985c5c222dc904ef344d8ef5e65b1607fedfbb51c90862448948658

Download Submit
C:\Windows\system\WIXbPhp.exe
Filesize
5.2MB

MD5
7bea45be4e216f46cd325d1db127ee95

SHA1
37d8e944954cf89f693bc00368b9a823d464215a

SHA256
99e4ce21ac94164e13d5951175b9a14564722bb2a6b8478ef745b0fbbf84cc65

SHA512
24889f59000603fc9dc5d0806b46f51412b79c6443a0a191fdc8f98d89de479dbb3b5340aa4b0370e0f8ad893a19640eb9f59f3f969753e4c994af6ec69e395d

Download Submit
C:\Windows\system\WWeoyGU.exe
Filesize
5.2MB

MD5
9026479ccba07697a9e07040eb646567

SHA1
80b509094e69f58c08a136ab0455e369f34ed043

SHA256
38fe7d3e4e816fc1f838971b7bd17d84432f0723eb737cc8ddacb1ec93f0546a

SHA512
5b0b2215ef3a8ac87a6386ff3a1d835455c623496c5ddbad5ee2699c16f6542ed7be9a708d0b073787760a1e3325ed9d4620a12cd50d7e71cef7ba3dd6965828

Download Submit
C:\Windows\system\gmLZLwB.exe
Filesize
5.2MB

MD5
cea8697416775d2f7d3e8bbbf086145e

SHA1
4da049f2fbfee7c3ea15205d58673075f02c20cc

SHA256
a8216278606284a13ddcb4501f76c286ce429ddd657fe7e4ea9e906842c2a582

SHA512
042b2699703eb8bd9792538769bee74598e5a463fe4ef281325582fe665c04f4bf9c64904b701248be5a6689c999b40ea8b3668c24d032d0ce35dd05c21eee8d

Download Submit
C:\Windows\system\onNCJIy.exe
Filesize
5.2MB

MD5
115e3f2879f4dec7bf74e4bed020b0a4

SHA1
720a47f8faa308a32e846de849a5164ec6066ee9

SHA256
17bcc5aad255df7453ce9904c4cd5380593345f02bdb80c10df3487b60aba15f

SHA512
d1558a3077ad9d1f4743e96ce2ca11fa22f1ce42da7ddd8cb9f1c05c6f8c3e59f2e87605d865d0a6bdeb13c92b91dff03a48953ef856efbc56025399fcab4d70

Download Submit
C:\Windows\system\tfKXJQv.exe
Filesize
5.2MB

MD5
371059b2368b666da2b0f768f3030ee0

SHA1
5d7f2d9f250e70f898ab610cc33462beb5b1facf

SHA256
2d2571f84e3466d0b7290d0ece019c178e52e3a21689807bdae7ef88f2a7c8ab

SHA512
e1bbac573a2300baecaca70bab044298ac73576b949e9ae4cdb75158beeb6bd9ccafae98c3917fda89f4fb3e8b0f5eb0c9ba95c0b1aa7b9ccf00b024d2afcdef

Download Submit
\Windows\system\AoQmKAL.exe
Filesize
5.2MB

MD5
d91ddbc97bb95fb6b2bd1a79798689de

SHA1
3aa8e0a0fa230c08d5bba56a65f9c6d34d640a18

SHA256
2405bf5b5bd822a1accc2d9e0e059337b868d1b6cc2a86c71a8d17f186afd99c

SHA512
77b1981842cfa0b4d8581cd8092beef9785c4e658da55bd3368948a1af80d4182b41144bd666642f9151b73f3db0740bd2e3a351fd011cbb6b2d207e3172abbe

Download Submit
\Windows\system\QiUIhup.exe
Filesize
5.2MB

MD5
7dafe2172748d6d9023a6852610ecb49

SHA1
5fca61227be0376f9106a414b77730256abe7ca1

SHA256
cab6b1dd08ac5babcc691875675070e1bf77331fcf128b30157ff1cc85e451cf

SHA512
0df748715a517e2a21840a95d11b3e416258fc7aebe4ecfdbdfd87ebc2e71bc7f7b5e56cf27e5b56d1b95e8db18f47fe4b5e5cdf27f283858537d4fe69cc1aa0

Download Submit
\Windows\system\UWCiTxr.exe
Filesize
5.2MB

MD5
d8d535147145769150d654e0082a5009

SHA1
802d4e59716f2462741c9db4275274505e3d984d

SHA256
57488a45c4090eeeb595f0768a81f92fdf1affa5af1367c2ae2b4ab8092d3b98

SHA512
0899f2f644bed2eaf8bc1a81f06e87a28c17b702a341cee9d55f1ddc281a69d122be5d2458f353db53ea2bbd735fb8c82ff7438dc1549bf6e853bfc1c753535d

Download Submit
\Windows\system\cwaUArF.exe
Filesize
5.2MB

MD5
7d55a795e3fdacdcf249eab58664e4a8

SHA1
bfa8359d52170dbb2ac4f86b1b5bc50fa5827958

SHA256
82bf2a30a22e9452d679d84d6dc67aa653ade62be9a8aef28292ad774cdf5495

SHA512
3174c0d1105a77ca46f4e9c21277655de68f416a91a42f621268f25b942f13e56ca0b0df82f6e18dacee5b9c57984dc1320291c376d29344a52e72e80960b1b7

Download Submit
\Windows\system\hojfzLw.exe
Filesize
5.2MB

MD5
24052a063e9c9e6d7e02b87c96f5420a

SHA1
d9664b2f0987895c6a208dd2673f3aa59c449db0

SHA256
2d753a5654b6565fd2e3391c56f346ae2c0ae109d5c11040ae3d6c68ca8a1752

SHA512
4b07dbbdccfd69f5f1e52aed9188413bdc2d5d369c6777d18e7d6f99dfb0440f791442df3007523aa6c7065d6f47dd45cd456e2cf2dfa5dfdecec7f23d19f033

Download Submit
\Windows\system\mIVTnFD.exe
Filesize
5.2MB

MD5
3f6fe411ffe136f8599e7b8d8fb2865e

SHA1
73fb77168516c2f16cb3680af33cc3e404057567

SHA256
6addacec0d3361bdaa70284aff433e0cb3a686794b92389c76fdc7d35e465adb

SHA512
f84f6a19cb326002ac5d058b0ed0de600cc795bcd1e2571f64a24d530ab7f6be03b66e03940edad9615fdf073588900869f1ca2af1e00c4a038f9c8cd39e68ed

Download Submit
\Windows\system\wYBQApq.exe
Filesize
5.2MB

MD5
8bbf525687df1c7151fbcbedff8d3dca

SHA1
68a7188c8c6cc2faa7f9f1ea967c0b663f5c689b

SHA256
88dc37034ba2f946757399454027c9361a0e383310a5d4008a5b490e7136b4d6

SHA512
8135e2f9174179cfcfb030ffb6c7e962f803dde101f2f528d644152038d99b4201952e55f806cdab1914ae2d7c8fa0ffb2343dc9b0085fac5c1322ebf6163454

Download Submit
\Windows\system\xjjDbEy.exe
Filesize
5.2MB

MD5
a6f93c598ef9b2420e934b177a68d794

SHA1
638a67562bab064ce3dc2e112b51838b9860c2d3

SHA256
fc0415638f753de6787e25b45bd69210576ed79e55771f9551180390b621ee2f

SHA512
45bbdd397fe98a57316d8ac8842207d8ceeffed31f5668da59b8b1036113e2583dd5217660b34804421b165df565f6dacc2fd5d0db77e2cdf4ee7334213b432b

Download Submit
\Windows\system\xruSsjZ.exe
Filesize
5.2MB

MD5
8c50962fa8e62a069929647f25354bdb

SHA1
280c15789b72a61679ec5e9bf8c3680e659643e6

SHA256
aadd11fba30d7f45a8190d4ae40a2472620c2848f12b10d02f6f0c6403185131

SHA512
881443b4e418f8c576d3ea5f2b4aa0ef0f4dcc3081e154fbff60066959c5cad669482b75e7112586dc71d1f2d0be6dc675251d36432baa6c880eaf7211e68a76

Download Submit
memory/528-157-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/528-252-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/528-95-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/1004-159-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/1096-160-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/1572-161-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2084-216-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2084-9-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2084-102-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2168-40-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-0-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2168-30-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-56-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-32-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-108-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-87-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-110-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2168-140-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2168-78-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-111-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-76-0x000000013F040000-0x000000013F391000-memory.dmp

Filesize
3.3MB

Download
memory/2168-112-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-91-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-14-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-105-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-1-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2168-42-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2168-6-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2168-20-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2168-208-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-185-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-49-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2168-82-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-52-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2168-184-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2168-162-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2212-152-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2376-158-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/2392-153-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2392-245-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2392-104-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2436-154-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2480-15-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2480-233-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2480-107-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2500-147-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2500-46-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2500-240-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2524-145-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2524-36-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2524-237-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2576-26-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2576-139-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2576-235-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2588-150-0x000000013F040000-0x000000013F391000-memory.dmp

Filesize
3.3MB

Download
memory/2620-146-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-151-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2624-243-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2624-67-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2664-149-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-242-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-72-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2672-148-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-155-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2808-247-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2808-106-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2980-144-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/3004-156-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download