cobaltstrike | cdce79e68b7d47cda949e72c69a45d7e5bbe34fba232bb5bca34b9a119144fae

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

0d73b00d3b0f3341623a5a10f335a190
SHA1

5587f3f8dab926cab9a7bcfe39fff42534a0e9ca
SHA256

cdce79e68b7d47cda949e72c69a45d7e5bbe34fba232bb5bca34b9a119144fae
SHA512

9a2a4f49b69037069c59b33a6843d52bbf21ee191ca56457e9e920ba054faae2ea965f31d3c058c2a33a1fadd7850d01854925715be8847cd84b30e5cbc89447
SSDEEP

49152:ROdWCCi7/ray56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibh56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\oXhzlhz.exe	cobalt_reflective_dll
\Windows\system\vikvOpi.exe	cobalt_reflective_dll
\Windows\system\bJUBtld.exe	cobalt_reflective_dll
C:\Windows\system\iIdSTnQ.exe	cobalt_reflective_dll
C:\Windows\system\pIdnKac.exe	cobalt_reflective_dll
C:\Windows\system\rRKDYed.exe	cobalt_reflective_dll
C:\Windows\system\TehDeqr.exe	cobalt_reflective_dll
\Windows\system\iviDLiR.exe	cobalt_reflective_dll
C:\Windows\system\VwnaxDq.exe	cobalt_reflective_dll
C:\Windows\system\UdPNBFF.exe	cobalt_reflective_dll
C:\Windows\system\knqBejm.exe	cobalt_reflective_dll
\Windows\system\paoklUi.exe	cobalt_reflective_dll
C:\Windows\system\fPKKOlY.exe	cobalt_reflective_dll
C:\Windows\system\pGPHaRR.exe	cobalt_reflective_dll
C:\Windows\system\mXZivoB.exe	cobalt_reflective_dll
C:\Windows\system\ipClMMP.exe	cobalt_reflective_dll
C:\Windows\system\FovsPJB.exe	cobalt_reflective_dll
C:\Windows\system\FdbojDB.exe	cobalt_reflective_dll
C:\Windows\system\sRdzyhe.exe	cobalt_reflective_dll
C:\Windows\system\fnHgAyj.exe	cobalt_reflective_dll
C:\Windows\system\dNVvOSm.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\oXhzlhz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\vikvOpi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\bJUBtld.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iIdSTnQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pIdnKac.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rRKDYed.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TehDeqr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\iviDLiR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VwnaxDq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UdPNBFF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\knqBejm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\paoklUi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fPKKOlY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pGPHaRR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mXZivoB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ipClMMP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FovsPJB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FdbojDB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sRdzyhe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fnHgAyj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dNVvOSm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2368-0-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
\Windows\system\oXhzlhz.exe	UPX
\Windows\system\vikvOpi.exe	UPX
\Windows\system\bJUBtld.exe	UPX
behavioral1/memory/2220-21-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
behavioral1/memory/3044-20-0x000000013FC00000-0x000000013FF51000-memory.dmp	UPX
behavioral1/memory/1248-18-0x000000013F110000-0x000000013F461000-memory.dmp	UPX
behavioral1/memory/2764-27-0x000000013FEA0000-0x00000001401F1000-memory.dmp	UPX
C:\Windows\system\iIdSTnQ.exe	UPX
behavioral1/memory/2688-35-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/2828-41-0x000000013F650000-0x000000013F9A1000-memory.dmp	UPX
C:\Windows\system\pIdnKac.exe	UPX
C:\Windows\system\rRKDYed.exe	UPX
behavioral1/memory/2220-75-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
C:\Windows\system\TehDeqr.exe	UPX
behavioral1/memory/2764-79-0x000000013FEA0000-0x00000001401F1000-memory.dmp	UPX
behavioral1/memory/2844-80-0x000000013F910000-0x000000013FC61000-memory.dmp	UPX
\Windows\system\iviDLiR.exe	UPX
C:\Windows\system\VwnaxDq.exe	UPX
C:\Windows\system\UdPNBFF.exe	UPX
C:\Windows\system\knqBejm.exe	UPX
\Windows\system\paoklUi.exe	UPX
C:\Windows\system\fPKKOlY.exe	UPX
C:\Windows\system\pGPHaRR.exe	UPX
C:\Windows\system\mXZivoB.exe	UPX
behavioral1/memory/2828-103-0x000000013F650000-0x000000013F9A1000-memory.dmp	UPX
behavioral1/memory/2916-139-0x000000013F4B0000-0x000000013F801000-memory.dmp	UPX
C:\Windows\system\ipClMMP.exe	UPX
behavioral1/memory/2612-89-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
behavioral1/memory/2688-87-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/3008-99-0x000000013F5F0000-0x000000013F941000-memory.dmp	UPX
behavioral1/memory/2888-97-0x000000013F400000-0x000000013F751000-memory.dmp	UPX
C:\Windows\system\FovsPJB.exe	UPX
behavioral1/memory/2916-49-0x000000013F4B0000-0x000000013F801000-memory.dmp	UPX
C:\Windows\system\FdbojDB.exe	UPX
behavioral1/memory/2368-44-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
behavioral1/memory/2712-76-0x000000013F290000-0x000000013F5E1000-memory.dmp	UPX
behavioral1/memory/3016-74-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
behavioral1/memory/2556-73-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
C:\Windows\system\sRdzyhe.exe	UPX
C:\Windows\system\fnHgAyj.exe	UPX
C:\Windows\system\dNVvOSm.exe	UPX
behavioral1/memory/2368-142-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
behavioral1/memory/2556-152-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
behavioral1/memory/2612-153-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
behavioral1/memory/3016-154-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
behavioral1/memory/2844-151-0x000000013F910000-0x000000013FC61000-memory.dmp	UPX
behavioral1/memory/2712-150-0x000000013F290000-0x000000013F5E1000-memory.dmp	UPX
behavioral1/memory/2888-155-0x000000013F400000-0x000000013F751000-memory.dmp	UPX
behavioral1/memory/2804-160-0x000000013FD60000-0x00000001400B1000-memory.dmp	UPX
behavioral1/memory/880-163-0x000000013FE80000-0x00000001401D1000-memory.dmp	UPX
behavioral1/memory/552-161-0x000000013FD90000-0x00000001400E1000-memory.dmp	UPX
behavioral1/memory/1668-159-0x000000013F030000-0x000000013F381000-memory.dmp	UPX
behavioral1/memory/1756-158-0x000000013F0D0000-0x000000013F421000-memory.dmp	UPX
behavioral1/memory/2524-157-0x000000013F870000-0x000000013FBC1000-memory.dmp	UPX
behavioral1/memory/3008-156-0x000000013F5F0000-0x000000013F941000-memory.dmp	UPX
behavioral1/memory/1508-162-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/2368-165-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
behavioral1/memory/1248-213-0x000000013F110000-0x000000013F461000-memory.dmp	UPX
behavioral1/memory/3044-214-0x000000013FC00000-0x000000013FF51000-memory.dmp	UPX
behavioral1/memory/2220-216-0x000000013FDD0000-0x0000000140121000-memory.dmp	UPX
behavioral1/memory/2764-218-0x000000013FEA0000-0x00000001401F1000-memory.dmp	UPX
behavioral1/memory/2828-222-0x000000013F650000-0x000000013F9A1000-memory.dmp	UPX
behavioral1/memory/2688-237-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX

XMRig Miner payload 39 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3044-20-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/1248-18-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/2220-75-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2764-79-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig
behavioral1/memory/2828-103-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2916-139-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2368-138-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2688-87-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2368-44-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2368-142-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2556-152-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2612-153-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/3016-154-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2844-151-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2712-150-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/2888-155-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2804-160-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/880-163-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/552-161-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/1668-159-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/1756-158-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2524-157-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/3008-156-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig
behavioral1/memory/1508-162-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2368-165-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/1248-213-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/3044-214-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2220-216-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2764-218-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig
behavioral1/memory/2828-222-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2688-237-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2916-239-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2712-241-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/2556-243-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/3016-245-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2844-247-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2612-249-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/3008-251-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig
behavioral1/memory/2888-253-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

bJUBtld.exeoXhzlhz.exevikvOpi.exedNVvOSm.exeiIdSTnQ.exefnHgAyj.exeFdbojDB.exesRdzyhe.exepIdnKac.exerRKDYed.exeTehDeqr.exeiviDLiR.exeipClMMP.exeFovsPJB.exemXZivoB.exeVwnaxDq.exepGPHaRR.exeUdPNBFF.exefPKKOlY.exeknqBejm.exepaoklUi.exe

pid	process
3044	bJUBtld.exe
1248	oXhzlhz.exe
2220	vikvOpi.exe
2764	dNVvOSm.exe
2688	iIdSTnQ.exe
2828	fnHgAyj.exe
2916	FdbojDB.exe
2712	sRdzyhe.exe
2556	pIdnKac.exe
3016	rRKDYed.exe
2844	TehDeqr.exe
2612	iviDLiR.exe
2888	ipClMMP.exe
3008	FovsPJB.exe
2524	mXZivoB.exe
1756	VwnaxDq.exe
1668	pGPHaRR.exe
2804	UdPNBFF.exe
552	fPKKOlY.exe
1508	knqBejm.exe
880	paoklUi.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

pid	process
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2368-0-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
\Windows\system\oXhzlhz.exe	upx
\Windows\system\vikvOpi.exe	upx
\Windows\system\bJUBtld.exe	upx
behavioral1/memory/2220-21-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/3044-20-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/1248-18-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/2764-27-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
C:\Windows\system\iIdSTnQ.exe	upx
behavioral1/memory/2688-35-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2828-41-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
C:\Windows\system\pIdnKac.exe	upx
C:\Windows\system\rRKDYed.exe	upx
behavioral1/memory/2220-75-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
C:\Windows\system\TehDeqr.exe	upx
behavioral1/memory/2764-79-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/2844-80-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
\Windows\system\iviDLiR.exe	upx
C:\Windows\system\VwnaxDq.exe	upx
C:\Windows\system\UdPNBFF.exe	upx
C:\Windows\system\knqBejm.exe	upx
\Windows\system\paoklUi.exe	upx
C:\Windows\system\fPKKOlY.exe	upx
C:\Windows\system\pGPHaRR.exe	upx
C:\Windows\system\mXZivoB.exe	upx
behavioral1/memory/2828-103-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/2916-139-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
C:\Windows\system\ipClMMP.exe	upx
behavioral1/memory/2612-89-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2688-87-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/3008-99-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx
behavioral1/memory/2888-97-0x000000013F400000-0x000000013F751000-memory.dmp	upx
C:\Windows\system\FovsPJB.exe	upx
behavioral1/memory/2916-49-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
C:\Windows\system\FdbojDB.exe	upx
behavioral1/memory/2368-44-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2712-76-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/memory/3016-74-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2556-73-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
C:\Windows\system\sRdzyhe.exe	upx
C:\Windows\system\fnHgAyj.exe	upx
C:\Windows\system\dNVvOSm.exe	upx
behavioral1/memory/2368-142-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2556-152-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2612-153-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/3016-154-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2844-151-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2712-150-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/memory/2888-155-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2804-160-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/880-163-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/552-161-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/1668-159-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/1756-158-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2524-157-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/3008-156-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx
behavioral1/memory/1508-162-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2368-165-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/1248-213-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/3044-214-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2220-216-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2764-218-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/2828-222-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/2688-237-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\iIdSTnQ.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pIdnKac.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iviDLiR.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pGPHaRR.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sRdzyhe.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mXZivoB.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VwnaxDq.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bJUBtld.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vikvOpi.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dNVvOSm.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fnHgAyj.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\knqBejm.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ipClMMP.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FovsPJB.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UdPNBFF.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fPKKOlY.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oXhzlhz.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FdbojDB.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TehDeqr.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rRKDYed.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\paoklUi.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2368 wrote to memory of 1248	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	oXhzlhz.exe
PID 2368 wrote to memory of 1248	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	oXhzlhz.exe
PID 2368 wrote to memory of 1248	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	oXhzlhz.exe
PID 2368 wrote to memory of 3044	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	bJUBtld.exe
PID 2368 wrote to memory of 3044	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	bJUBtld.exe
PID 2368 wrote to memory of 3044	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	bJUBtld.exe
PID 2368 wrote to memory of 2220	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	vikvOpi.exe
PID 2368 wrote to memory of 2220	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	vikvOpi.exe
PID 2368 wrote to memory of 2220	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	vikvOpi.exe
PID 2368 wrote to memory of 2764	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	dNVvOSm.exe
PID 2368 wrote to memory of 2764	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	dNVvOSm.exe
PID 2368 wrote to memory of 2764	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	dNVvOSm.exe
PID 2368 wrote to memory of 2688	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	iIdSTnQ.exe
PID 2368 wrote to memory of 2688	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	iIdSTnQ.exe
PID 2368 wrote to memory of 2688	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	iIdSTnQ.exe
PID 2368 wrote to memory of 2828	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	fnHgAyj.exe
PID 2368 wrote to memory of 2828	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	fnHgAyj.exe
PID 2368 wrote to memory of 2828	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	fnHgAyj.exe
PID 2368 wrote to memory of 2916	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	FdbojDB.exe
PID 2368 wrote to memory of 2916	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	FdbojDB.exe
PID 2368 wrote to memory of 2916	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	FdbojDB.exe
PID 2368 wrote to memory of 2712	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	sRdzyhe.exe
PID 2368 wrote to memory of 2712	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	sRdzyhe.exe
PID 2368 wrote to memory of 2712	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	sRdzyhe.exe
PID 2368 wrote to memory of 2844	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	TehDeqr.exe
PID 2368 wrote to memory of 2844	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	TehDeqr.exe
PID 2368 wrote to memory of 2844	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	TehDeqr.exe
PID 2368 wrote to memory of 2556	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	pIdnKac.exe
PID 2368 wrote to memory of 2556	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	pIdnKac.exe
PID 2368 wrote to memory of 2556	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	pIdnKac.exe
PID 2368 wrote to memory of 2612	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	iviDLiR.exe
PID 2368 wrote to memory of 2612	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	iviDLiR.exe
PID 2368 wrote to memory of 2612	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	iviDLiR.exe
PID 2368 wrote to memory of 3016	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	rRKDYed.exe
PID 2368 wrote to memory of 3016	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	rRKDYed.exe
PID 2368 wrote to memory of 3016	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	rRKDYed.exe
PID 2368 wrote to memory of 2888	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	ipClMMP.exe
PID 2368 wrote to memory of 2888	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	ipClMMP.exe
PID 2368 wrote to memory of 2888	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	ipClMMP.exe
PID 2368 wrote to memory of 3008	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	FovsPJB.exe
PID 2368 wrote to memory of 3008	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	FovsPJB.exe
PID 2368 wrote to memory of 3008	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	FovsPJB.exe
PID 2368 wrote to memory of 2524	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	mXZivoB.exe
PID 2368 wrote to memory of 2524	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	mXZivoB.exe
PID 2368 wrote to memory of 2524	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	mXZivoB.exe
PID 2368 wrote to memory of 1756	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	VwnaxDq.exe
PID 2368 wrote to memory of 1756	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	VwnaxDq.exe
PID 2368 wrote to memory of 1756	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	VwnaxDq.exe
PID 2368 wrote to memory of 1668	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	pGPHaRR.exe
PID 2368 wrote to memory of 1668	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	pGPHaRR.exe
PID 2368 wrote to memory of 1668	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	pGPHaRR.exe
PID 2368 wrote to memory of 2804	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	UdPNBFF.exe
PID 2368 wrote to memory of 2804	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	UdPNBFF.exe
PID 2368 wrote to memory of 2804	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	UdPNBFF.exe
PID 2368 wrote to memory of 552	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	fPKKOlY.exe
PID 2368 wrote to memory of 552	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	fPKKOlY.exe
PID 2368 wrote to memory of 552	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	fPKKOlY.exe
PID 2368 wrote to memory of 1508	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	knqBejm.exe
PID 2368 wrote to memory of 1508	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	knqBejm.exe
PID 2368 wrote to memory of 1508	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	knqBejm.exe
PID 2368 wrote to memory of 880	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	paoklUi.exe
PID 2368 wrote to memory of 880	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	paoklUi.exe
PID 2368 wrote to memory of 880	2368	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	paoklUi.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\System\oXhzlhz.exe
C:\Windows\System\oXhzlhz.exe
2⤵
- Executes dropped EXE
PID:1248

C:\Windows\System\bJUBtld.exe
C:\Windows\System\bJUBtld.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\vikvOpi.exe
C:\Windows\System\vikvOpi.exe
2⤵
- Executes dropped EXE
PID:2220

C:\Windows\System\dNVvOSm.exe
C:\Windows\System\dNVvOSm.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\iIdSTnQ.exe
C:\Windows\System\iIdSTnQ.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\fnHgAyj.exe
C:\Windows\System\fnHgAyj.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\FdbojDB.exe
C:\Windows\System\FdbojDB.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\sRdzyhe.exe
C:\Windows\System\sRdzyhe.exe
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\System\TehDeqr.exe
C:\Windows\System\TehDeqr.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\System\pIdnKac.exe
C:\Windows\System\pIdnKac.exe
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\System\iviDLiR.exe
C:\Windows\System\iviDLiR.exe
2⤵
- Executes dropped EXE
PID:2612

C:\Windows\System\rRKDYed.exe
C:\Windows\System\rRKDYed.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\ipClMMP.exe
C:\Windows\System\ipClMMP.exe
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\System\FovsPJB.exe
C:\Windows\System\FovsPJB.exe
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\System\mXZivoB.exe
C:\Windows\System\mXZivoB.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\VwnaxDq.exe
C:\Windows\System\VwnaxDq.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\pGPHaRR.exe
C:\Windows\System\pGPHaRR.exe
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\System\UdPNBFF.exe
C:\Windows\System\UdPNBFF.exe
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\System\fPKKOlY.exe
C:\Windows\System\fPKKOlY.exe
2⤵
- Executes dropped EXE
PID:552

C:\Windows\System\knqBejm.exe
C:\Windows\System\knqBejm.exe
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\System\paoklUi.exe
C:\Windows\System\paoklUi.exe
2⤵
- Executes dropped EXE
PID:880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FdbojDB.exe
Filesize
5.2MB

MD5
8f17ef1a52000bbfae099c26d67cc24f

SHA1
3f53fdcd5e7680d09c2e93f14576723d36253c26

SHA256
5bfa7031fa017c9cb304c757ef70fbe16ccdfb587f5a01500834749293652a99

SHA512
4431b0afe1564f74aaf295b9cf02f344a1b0ceb9a781ba74e60d21472eee1a167773849740f17f15c42054cfd5be318c11f492a1aca689912f1d4d2edd56f9f8

Download Submit
C:\Windows\system\FovsPJB.exe
Filesize
5.2MB

MD5
88fd04d4aab85b99a6178a690a837c8e

SHA1
09c104e790ba377a5fbb4e8575c1bd0dc83bd204

SHA256
91ac609f0e45a234a5cb741d2d411b7092d1046fc7340cf4d091daf4f219ac86

SHA512
a4f4b7878d0b651b383de940ae87f9c38611475d9f3aab85a4be96d056e7c3271c5fbdb4f7aa0810ad49b63bf825e213243cafae39b92dc2b0ec09e3c4412c49

Download Submit
C:\Windows\system\TehDeqr.exe
Filesize
5.2MB

MD5
7772c236f28d2e2592d4124544032bc8

SHA1
d9bf91c34bc59c52c27d0b5298d96bca92d8044d

SHA256
ae9ef1b07aa5343343f20f72ba32cc587e5f1152a413676eb65060f30f2eaf0e

SHA512
ee05c02a89c639447ffd95139c4dfb37a52ca100dde265432284aa9a9bd388b9b48551f36311738278a16274908c6046e8bbb0d118de26c3cacacd48400780a2

Download Submit
C:\Windows\system\UdPNBFF.exe
Filesize
5.2MB

MD5
404dcee8392ac6915f66efbddb75fc9c

SHA1
26f6404655ba045cc1dad09904dd633e97d9bef3

SHA256
fba91f68544b335613f4f876a719c7ce6f10684e19e349d9f30f28132b6f6afb

SHA512
e3e811de1e93c3082696c7d759c56a5cf7348ae8c8986440bc4b4295fb35d2f9d2af8661863a77ae54055aca1024cc0d6308de4ac35a2410ba1f3b157115d404

Download Submit
C:\Windows\system\VwnaxDq.exe
Filesize
5.2MB

MD5
9610a62bcbc950fd33f987c4c293b572

SHA1
efb8f0be1b6496d96d9cdeb120fc3f85d9f894af

SHA256
ade27b9a4a5e3710affbf47e3272dc1669ed0ea4cb96c539166006173164d5da

SHA512
4f0bc703b10d2e107e75b359575efef73bbb073a224fc0f4c85e4953fcb76607edbeece82ce9ac21eae9a12a9276b135e9492052ab4229587594d89a830779c4

Download Submit
C:\Windows\system\dNVvOSm.exe
Filesize
5.2MB

MD5
d234a673450db4897c114cad39cdb2fd

SHA1
7660f27ae9fd5d3a78e85717298130ee62b80b21

SHA256
05fa5e09d87ec6281d278897d660c217cb6d7bc5a555944fa642dc17e387c56f

SHA512
9a5e5cfb47d0d1fc8908ce266bc221e24fa2d6eb0ab2e06ba485a4ae70f4f658d6b387217dcca3080fabf2934566f3d541199120d6ff86a8ded00c34d72f36fb

Download Submit
C:\Windows\system\fPKKOlY.exe
Filesize
5.2MB

MD5
b0579b037a698ef02b13653db7b02fe2

SHA1
d25dc82c954a4fcdc1ba0f94d9b8a4a2e9d991b0

SHA256
6909fdb6af458c788430a7d43227505e9719684d1626f74b0a56f09b2356b735

SHA512
84937bf30d6f26b3ea5ffa4b78799e335841e5c05696c29db65961179582ea154ac62d1b0806abc9028ec1c682286d20cd6bb0a71d4943658b1a9164cb1d90ae

Download Submit
C:\Windows\system\fnHgAyj.exe
Filesize
5.2MB

MD5
c35cf55944675728e5fcbeb180d4f084

SHA1
41c8719559a0ed2a007f13b4931935e260e2647a

SHA256
284ed25c1f45e2cf1ac4cf2ca1a57a7e9bd327b96ac049437fe1631261cdf073

SHA512
70df9bdc3b94fc6c4891a3f7a2e6a15f08b2e3514fbc3e8d63fd692ba157bd6c3ee55ef8c134462f87cdb4ba70b8333b0e05ea402469caf6fbe2fc2921766f56

Download Submit
C:\Windows\system\iIdSTnQ.exe
Filesize
5.2MB

MD5
47b5fc2a71d024f0508f7c7331a7a787

SHA1
80daa2d00c126b870eac788ed0c1bf937e17b0bb

SHA256
abebc62da7d75e57502fe3d3d999163f6501412ffc6d8cb623363175dd35047a

SHA512
be4ab943aa4ec2e2c0873b58847919dbd48a30e1c75d2f4477d3babe245f6ddcec26e0e61b91a1d5d31aa0c391351e73529b0d5fa97d152322c47fd62b516aeb

Download Submit
C:\Windows\system\ipClMMP.exe
Filesize
5.2MB

MD5
0489e0359bb678677e39d4d8661e1b32

SHA1
cff625a0dbb179751b759dde8febc18d9e66a10b

SHA256
df080ddfde8f184c38c7ff2aaabd1bacc623dded970184bbb1070a406d30ee27

SHA512
7280d67e346de8d8e40772813739bbb999ce62b569e686d19fa29e20f224d15807d3723bf9664247c14192c29a7ef5a9b28bbccfa3939636f402a6f9427ea2a8

Download Submit
C:\Windows\system\knqBejm.exe
Filesize
5.2MB

MD5
3a0483eebeb6684f286aa4f60907bb3c

SHA1
1f173236d8ddbbe9a9c0c32b71af20d2ff11f403

SHA256
29eddf37cd2b1d027530f12711aa0d234d00dce65a6a9f69593990619f32264b

SHA512
22732347f799b678286b1b4a8a0efa59abeae878f3018b3fabe25dbee75af10b819ff8d4895a911974a144dee56d6d8aae6a6bd2beb0e739a731e1010c0f5d36

Download Submit
C:\Windows\system\mXZivoB.exe
Filesize
5.2MB

MD5
c27e83c73a728c62e34eb9b75792098b

SHA1
e54ce66804f40c92deab20e2bbe34259f766546e

SHA256
8a84ad8590d021465ed1a60599fc644dce35fe40e4357633590c6195f3302670

SHA512
cd1800c2b08106a517d06fcda5ce6319cb70b6db28893747e2cfbfdfe5e000a37b6c1e81b3c4ed6d81b86b8d58bc176f36de945eab19bcf88022adfef43e3e7b

Download Submit
C:\Windows\system\pGPHaRR.exe
Filesize
5.2MB

MD5
5ca251fe8d37fddfc89248fa0c53adda

SHA1
5cfee55bfb67f8625552a6b2bb442daa63a2470e

SHA256
dc023efd80fc7fc0128a793b9b19cbe77856458cce3eb1869ebed8d1692bcf6e

SHA512
17cd6b8a725998118a506879fe5fd1112935f83b855f056577abdf009578a34bb0ce39124c169af18a9ccf81c2627d522d4aea6ffbe875e05faa1bccfa753680

Download Submit
C:\Windows\system\pIdnKac.exe
Filesize
5.2MB

MD5
e84e0f78661963f6c42cd5942889130e

SHA1
e855f4e1837004fc2cb53591a27482120b4df190

SHA256
1b7a74feb75643fa64b460e619d97b457a6fee2bc9cf8cf5a94a94f9cc8224aa

SHA512
165021eccd54f6596577d9f76d9657c750b767feb0740ce261242526ff9ec351ffa8f95daecf25f4b715b4adc9cf20b3bb6dff6be25001fd3da15cb7720c6ffd

Download Submit
C:\Windows\system\rRKDYed.exe
Filesize
5.2MB

MD5
b05b3ed8eabae228e7762070fc6748b7

SHA1
99677a2af423e0bb0765d867ad8081f8d184c862

SHA256
6bb132ddb0eaac90eb5c811a9b2af1d6d433d7de25537c7f399ccf033de31abb

SHA512
76f4865b38905aaacdb1f24c1e53511bdd0e8cfd5f2a53f9f4d5baddec54bd096d05df13c27a321a9ccd97a0fb9ce2c99fe6b1a0c3f0903f4bd6cbc44989ae08

Download Submit
C:\Windows\system\sRdzyhe.exe
Filesize
5.2MB

MD5
57c5bd561955b19c4aeaef0d4b0f4de1

SHA1
287cadb035a2c60f631843988f1858e0a86391e8

SHA256
78176156d79fd8ddb1afd8e7943d3a97d3d91a3d4a5d970f4b6f9fe7291b8b10

SHA512
47a1fef3e40052dd09cb651e160588aed1c0472c8a7793e059979a96b1730cd1b414fc8cdab1d27eb5e4849cdb010bceb9cca8f2517caa48b11ee4b56f969de1

Download Submit
\Windows\system\bJUBtld.exe
Filesize
5.2MB

MD5
98e788e1b2be5543842f0f87462dda99

SHA1
28cbe8310533a810ef626189e2ab3a42f8bbfe63

SHA256
d124c7868b46aac65b5e0117423bae2e188ad6947aee084a34952ccc8a7964a4

SHA512
385e38c04416f1e05cb4aca0d053e693fe59bdf6ab0011c48dadf13ca536111ff8add7e375d6124effd40dbb9be4935c618bed6fa56105538c42b6eaf48ba148

Download Submit
\Windows\system\iviDLiR.exe
Filesize
5.2MB

MD5
0ba84d0fc7c190a5537644ca9af990b7

SHA1
d26d238b0af014484cffed7139555f174f20a3c0

SHA256
668440fd808a82cea8f0aeaece32ab3ef779f95e6d610d49cbb93c1ccd3b36f0

SHA512
744212d4b16d20d62ea8b8ca6bb8b7c0ba5f64267a68cebec04c9114bf38c3c0e5bb88cc8f37184b432e4307e81bc98f70fd45b10ea4c12616b5d3240492f572

Download Submit
\Windows\system\oXhzlhz.exe
Filesize
5.2MB

MD5
6bdd9617afe29cb6dfbe075bb33aebcb

SHA1
414eb40ca2bf41063878075151a60e3fd93531c8

SHA256
b07cc85fba509c22ebbc371786c5be4df90d11c34a4c99fc1e0618ab8dd4996e

SHA512
ab9aa4bfb721302f5561581c941df0c726912a54349b1752594f8b8ef97d6833c07757e5dde5cc984c79101c2a4d2ef3845b890442cc4dfd289fbdf217ec375f

Download Submit
\Windows\system\paoklUi.exe
Filesize
5.2MB

MD5
ed64eb1447e1f682eeb9fc32338af9d2

SHA1
f84e30da44691daeda8c1b83cbd05c8d0ee32f14

SHA256
ffab5f785ca9d72a7429a8e3c57f74376f2366579c284dab27c931745dc084aa

SHA512
214788bbccda43f1bf0484ab3c90c80d33b776fade31072f84f7d7e4d32061f05e7cba9a3f8e020552170ea5a8d2fb84099d09040c4f469a46871803f4e87b63

Download Submit
\Windows\system\vikvOpi.exe
Filesize
5.2MB

MD5
dacca99fabcd397f093f3b34af2a4a27

SHA1
a9718557a0f0e10f25e6e02d0c919687b0651a5e

SHA256
0469845bd1d8d52d7988764fa3a04f52dbc8afdd589e69d44ec853008432977e

SHA512
9f621c86c8308170e828a4be695840e3a48901394312bca89d51d3719669b4064fab2b81a80887fc4c91d5bee0cdc02073b0e054c9da2aa145e9428008e5dd19

Download Submit
memory/552-161-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/880-163-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/1248-213-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/1248-18-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/1508-162-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-159-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/1756-158-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2220-75-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2220-21-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2220-216-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2368-44-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2368-169-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2368-138-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2368-0-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2368-8-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/2368-88-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2368-188-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-165-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2368-98-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/2368-17-0x00000000024C0000-0x0000000002811000-memory.dmp

Filesize
3.3MB

Download
memory/2368-55-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-104-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-26-0x00000000024C0000-0x0000000002811000-memory.dmp

Filesize
3.3MB

Download
memory/2368-164-0x00000000024C0000-0x0000000002811000-memory.dmp

Filesize
3.3MB

Download
memory/2368-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2368-140-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-142-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2368-141-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2368-33-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2368-71-0x00000000024C0000-0x0000000002811000-memory.dmp

Filesize
3.3MB

Download
memory/2368-72-0x00000000024C0000-0x0000000002811000-memory.dmp

Filesize
3.3MB

Download
memory/2368-66-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2368-40-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-157-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-73-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2556-243-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2556-152-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2612-249-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-153-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-89-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-35-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2688-87-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2688-237-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2712-76-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-150-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-241-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-218-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-79-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-27-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-160-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-222-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-103-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-41-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-247-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2844-151-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2844-80-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2888-97-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2888-253-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2888-155-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2916-239-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2916-49-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2916-139-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/3008-99-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/3008-251-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/3008-156-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/3016-154-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-74-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-245-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-214-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/3044-20-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download