cobaltstrike | ea5d21cbfc480e93ee72f0f14792230db0a0380c0235eb82f1bf8f97bd96b9aa

Analysis

max time kernel
141s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

89bb0a8945c30a2a7e5f8c748f68bc54
SHA1

bc47b98c30b725d61b03b976c54e324647d20c65
SHA256

ea5d21cbfc480e93ee72f0f14792230db0a0380c0235eb82f1bf8f97bd96b9aa
SHA512

242c4942f0220b44e31890187bc621c3dccd883c4037f21a195ccc6d86e9d8f6bd60f2a5dc6118c77d82785c7ce1ee5e52ab728081a71a5330ee96e62dfa346e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 20 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\ILzVXct.exe	cobalt_reflective_dll
\Windows\system\bqjrgnr.exe	cobalt_reflective_dll
C:\Windows\system\xAEXFTJ.exe	cobalt_reflective_dll
C:\Windows\system\tqkkNTn.exe	cobalt_reflective_dll
C:\Windows\system\ElAVRZc.exe	cobalt_reflective_dll
C:\Windows\system\qQkjaTM.exe	cobalt_reflective_dll
\Windows\system\dcNiukx.exe	cobalt_reflective_dll
C:\Windows\system\cCIaQuY.exe	cobalt_reflective_dll
\Windows\system\ptYXcZj.exe	cobalt_reflective_dll
\Windows\system\rjcGSAI.exe	cobalt_reflective_dll
\Windows\system\lSvDzwS.exe	cobalt_reflective_dll
\Windows\system\MRqVElS.exe	cobalt_reflective_dll
C:\Windows\system\jFtRZJq.exe	cobalt_reflective_dll
C:\Windows\system\OUEIqHj.exe	cobalt_reflective_dll
C:\Windows\system\aJaDSqF.exe	cobalt_reflective_dll
\Windows\system\VQTwgCA.exe	cobalt_reflective_dll
\Windows\system\hPTbENt.exe	cobalt_reflective_dll
C:\Windows\system\TdYlooD.exe	cobalt_reflective_dll
C:\Windows\system\SSPSbiW.exe	cobalt_reflective_dll
C:\Windows\system\WAKlDNe.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 20 IoCs

Processes:

resource	yara_rule
\Windows\system\ILzVXct.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\bqjrgnr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xAEXFTJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tqkkNTn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ElAVRZc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qQkjaTM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\dcNiukx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cCIaQuY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ptYXcZj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\rjcGSAI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lSvDzwS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\MRqVElS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jFtRZJq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OUEIqHj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aJaDSqF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VQTwgCA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hPTbENt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TdYlooD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SSPSbiW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WAKlDNe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 60 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2460-0-0x000000013FEB0000-0x0000000140201000-memory.dmp	UPX
\Windows\system\ILzVXct.exe	UPX
\Windows\system\bqjrgnr.exe	UPX
behavioral1/memory/2884-15-0x000000013F0C0000-0x000000013F411000-memory.dmp	UPX
C:\Windows\system\xAEXFTJ.exe	UPX
behavioral1/memory/2596-23-0x000000013FE80000-0x00000001401D1000-memory.dmp	UPX
C:\Windows\system\tqkkNTn.exe	UPX
behavioral1/memory/2604-41-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
C:\Windows\system\ElAVRZc.exe	UPX
C:\Windows\system\qQkjaTM.exe	UPX
\Windows\system\dcNiukx.exe	UPX
behavioral1/memory/2416-93-0x000000013F270000-0x000000013F5C1000-memory.dmp	UPX
C:\Windows\system\cCIaQuY.exe	UPX
\Windows\system\ptYXcZj.exe	UPX
\Windows\system\rjcGSAI.exe	UPX
\Windows\system\lSvDzwS.exe	UPX
behavioral1/memory/2596-134-0x000000013FE80000-0x00000001401D1000-memory.dmp	UPX
C:\Windows\system\MRqVElS.exe	UPX
\Windows\system\MRqVElS.exe	UPX
behavioral1/memory/2172-116-0x000000013FA30000-0x000000013FD81000-memory.dmp	UPX
C:\Windows\system\jFtRZJq.exe	UPX
behavioral1/memory/1868-109-0x000000013F310000-0x000000013F661000-memory.dmp	UPX
C:\Windows\system\OUEIqHj.exe	UPX
behavioral1/memory/1572-99-0x000000013F930000-0x000000013FC81000-memory.dmp	UPX
C:\Windows\system\aJaDSqF.exe	UPX
C:\Windows\system\VQTwgCA.exe	UPX
behavioral1/memory/2460-135-0x000000013FEB0000-0x0000000140201000-memory.dmp	UPX
\Windows\system\VQTwgCA.exe	UPX
C:\Windows\system\BfUtWUZ.exe	UPX
\Windows\system\BfUtWUZ.exe	UPX
behavioral1/memory/2404-63-0x000000013FCE0000-0x0000000140031000-memory.dmp	UPX
behavioral1/memory/2428-55-0x000000013FB60000-0x000000013FEB1000-memory.dmp	UPX
behavioral1/memory/2572-52-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
behavioral1/memory/1492-156-0x000000013F9E0000-0x000000013FD31000-memory.dmp	UPX
behavioral1/memory/2428-143-0x000000013FB60000-0x000000013FEB1000-memory.dmp	UPX
behavioral1/memory/2604-141-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
behavioral1/memory/2892-140-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2460-61-0x000000013FEB0000-0x0000000140201000-memory.dmp	UPX
C:\Windows\system\hPTbENt.exe	UPX
\Windows\system\hPTbENt.exe	UPX
C:\Windows\system\TdYlooD.exe	UPX
behavioral1/memory/2688-38-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
behavioral1/memory/2892-36-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
C:\Windows\system\SSPSbiW.exe	UPX
behavioral1/memory/2468-14-0x000000013FF40000-0x0000000140291000-memory.dmp	UPX
C:\Windows\system\WAKlDNe.exe	UPX
behavioral1/memory/2460-157-0x000000013FEB0000-0x0000000140201000-memory.dmp	UPX
behavioral1/memory/2468-209-0x000000013FF40000-0x0000000140291000-memory.dmp	UPX
behavioral1/memory/2884-211-0x000000013F0C0000-0x000000013F411000-memory.dmp	UPX
behavioral1/memory/2596-213-0x000000013FE80000-0x00000001401D1000-memory.dmp	UPX
behavioral1/memory/2688-215-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
behavioral1/memory/2892-217-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2572-221-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
behavioral1/memory/2604-219-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
behavioral1/memory/2428-223-0x000000013FB60000-0x000000013FEB1000-memory.dmp	UPX
behavioral1/memory/2404-225-0x000000013FCE0000-0x0000000140031000-memory.dmp	UPX
behavioral1/memory/2416-227-0x000000013F270000-0x000000013F5C1000-memory.dmp	UPX
behavioral1/memory/1572-229-0x000000013F930000-0x000000013FC81000-memory.dmp	UPX
behavioral1/memory/1868-246-0x000000013F310000-0x000000013F661000-memory.dmp	UPX
behavioral1/memory/2172-242-0x000000013FA30000-0x000000013FD81000-memory.dmp	UPX

XMRig Miner payload 42 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2884-15-0x000000013F0C0000-0x000000013F411000-memory.dmp	xmrig
behavioral1/memory/2416-93-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2596-134-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/2460-105-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/1572-99-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2460-135-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2460-53-0x0000000002500000-0x0000000002851000-memory.dmp	xmrig
behavioral1/memory/2572-52-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/1492-156-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2180-155-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/948-154-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/1620-153-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/1400-152-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/2332-151-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/1868-150-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/852-149-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2172-148-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/1072-147-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2404-144-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2428-143-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2604-141-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2892-140-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2460-62-0x0000000002500000-0x0000000002851000-memory.dmp	xmrig
behavioral1/memory/2460-61-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2688-38-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2468-14-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/2460-19-0x0000000002500000-0x0000000002851000-memory.dmp	xmrig
behavioral1/memory/2460-157-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2460-179-0x0000000002500000-0x0000000002851000-memory.dmp	xmrig
behavioral1/memory/2468-209-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/2884-211-0x000000013F0C0000-0x000000013F411000-memory.dmp	xmrig
behavioral1/memory/2596-213-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/2688-215-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2892-217-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2572-221-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2604-219-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2428-223-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2404-225-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2416-227-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/1572-229-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/1868-246-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2172-242-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ILzVXct.exebqjrgnr.exeWAKlDNe.exeSSPSbiW.exexAEXFTJ.exeTdYlooD.exetqkkNTn.exeElAVRZc.exehPTbENt.exeMRqVElS.exeBfUtWUZ.exeVQTwgCA.execCIaQuY.exeaJaDSqF.exeOUEIqHj.exejFtRZJq.exelSvDzwS.exerjcGSAI.exeptYXcZj.exedcNiukx.exeqQkjaTM.exe

pid	process
2468	ILzVXct.exe
2884	bqjrgnr.exe
2596	WAKlDNe.exe
2892	SSPSbiW.exe
2688	xAEXFTJ.exe
2604	TdYlooD.exe
2572	tqkkNTn.exe
2428	ElAVRZc.exe
2404	hPTbENt.exe
2416	MRqVElS.exe
1572	BfUtWUZ.exe
2172	VQTwgCA.exe
1868	cCIaQuY.exe
1400	aJaDSqF.exe
948	OUEIqHj.exe
1492	jFtRZJq.exe
1072	lSvDzwS.exe
852	rjcGSAI.exe
2332	ptYXcZj.exe
1620	dcNiukx.exe
2180	qQkjaTM.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

pid	process
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2460-0-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
\Windows\system\ILzVXct.exe	upx
\Windows\system\bqjrgnr.exe	upx
behavioral1/memory/2884-15-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
C:\Windows\system\xAEXFTJ.exe	upx
behavioral1/memory/2596-23-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
C:\Windows\system\tqkkNTn.exe	upx
behavioral1/memory/2604-41-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
C:\Windows\system\ElAVRZc.exe	upx
C:\Windows\system\qQkjaTM.exe	upx
\Windows\system\dcNiukx.exe	upx
behavioral1/memory/2416-93-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
C:\Windows\system\cCIaQuY.exe	upx
\Windows\system\ptYXcZj.exe	upx
\Windows\system\rjcGSAI.exe	upx
\Windows\system\lSvDzwS.exe	upx
behavioral1/memory/2596-134-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
C:\Windows\system\MRqVElS.exe	upx
\Windows\system\MRqVElS.exe	upx
behavioral1/memory/2172-116-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
C:\Windows\system\jFtRZJq.exe	upx
behavioral1/memory/1868-109-0x000000013F310000-0x000000013F661000-memory.dmp	upx
C:\Windows\system\OUEIqHj.exe	upx
behavioral1/memory/1572-99-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
C:\Windows\system\aJaDSqF.exe	upx
C:\Windows\system\VQTwgCA.exe	upx
behavioral1/memory/2460-135-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
\Windows\system\VQTwgCA.exe	upx
C:\Windows\system\BfUtWUZ.exe	upx
\Windows\system\BfUtWUZ.exe	upx
behavioral1/memory/2404-63-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2428-55-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2572-52-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/1492-156-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2180-155-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/948-154-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/1620-153-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/1400-152-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/memory/2332-151-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/1868-150-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/852-149-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2172-148-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/1072-147-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2404-144-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2428-143-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2604-141-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2892-140-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2460-61-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
C:\Windows\system\hPTbENt.exe	upx
\Windows\system\hPTbENt.exe	upx
C:\Windows\system\TdYlooD.exe	upx
behavioral1/memory/2688-38-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2892-36-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
C:\Windows\system\SSPSbiW.exe	upx
behavioral1/memory/2468-14-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
C:\Windows\system\WAKlDNe.exe	upx
behavioral1/memory/2460-157-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2468-209-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
behavioral1/memory/2884-211-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
behavioral1/memory/2596-213-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/2688-215-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2892-217-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2572-221-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2604-219-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\cCIaQuY.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qQkjaTM.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jFtRZJq.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xAEXFTJ.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hPTbENt.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VQTwgCA.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BfUtWUZ.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aJaDSqF.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bqjrgnr.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TdYlooD.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tqkkNTn.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rjcGSAI.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dcNiukx.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ILzVXct.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WAKlDNe.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SSPSbiW.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ptYXcZj.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OUEIqHj.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ElAVRZc.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MRqVElS.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lSvDzwS.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2460 wrote to memory of 2468	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ILzVXct.exe
PID 2460 wrote to memory of 2468	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ILzVXct.exe
PID 2460 wrote to memory of 2468	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ILzVXct.exe
PID 2460 wrote to memory of 2884	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	bqjrgnr.exe
PID 2460 wrote to memory of 2884	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	bqjrgnr.exe
PID 2460 wrote to memory of 2884	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	bqjrgnr.exe
PID 2460 wrote to memory of 2596	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	WAKlDNe.exe
PID 2460 wrote to memory of 2596	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	WAKlDNe.exe
PID 2460 wrote to memory of 2596	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	WAKlDNe.exe
PID 2460 wrote to memory of 2688	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	xAEXFTJ.exe
PID 2460 wrote to memory of 2688	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	xAEXFTJ.exe
PID 2460 wrote to memory of 2688	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	xAEXFTJ.exe
PID 2460 wrote to memory of 2892	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	SSPSbiW.exe
PID 2460 wrote to memory of 2892	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	SSPSbiW.exe
PID 2460 wrote to memory of 2892	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	SSPSbiW.exe
PID 2460 wrote to memory of 2604	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	TdYlooD.exe
PID 2460 wrote to memory of 2604	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	TdYlooD.exe
PID 2460 wrote to memory of 2604	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	TdYlooD.exe
PID 2460 wrote to memory of 2572	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	tqkkNTn.exe
PID 2460 wrote to memory of 2572	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	tqkkNTn.exe
PID 2460 wrote to memory of 2572	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	tqkkNTn.exe
PID 2460 wrote to memory of 2428	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ElAVRZc.exe
PID 2460 wrote to memory of 2428	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ElAVRZc.exe
PID 2460 wrote to memory of 2428	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ElAVRZc.exe
PID 2460 wrote to memory of 2404	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	hPTbENt.exe
PID 2460 wrote to memory of 2404	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	hPTbENt.exe
PID 2460 wrote to memory of 2404	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	hPTbENt.exe
PID 2460 wrote to memory of 2416	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	MRqVElS.exe
PID 2460 wrote to memory of 2416	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	MRqVElS.exe
PID 2460 wrote to memory of 2416	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	MRqVElS.exe
PID 2460 wrote to memory of 1572	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	BfUtWUZ.exe
PID 2460 wrote to memory of 1572	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	BfUtWUZ.exe
PID 2460 wrote to memory of 1572	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	BfUtWUZ.exe
PID 2460 wrote to memory of 1072	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	lSvDzwS.exe
PID 2460 wrote to memory of 1072	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	lSvDzwS.exe
PID 2460 wrote to memory of 1072	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	lSvDzwS.exe
PID 2460 wrote to memory of 2172	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	VQTwgCA.exe
PID 2460 wrote to memory of 2172	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	VQTwgCA.exe
PID 2460 wrote to memory of 2172	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	VQTwgCA.exe
PID 2460 wrote to memory of 852	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	rjcGSAI.exe
PID 2460 wrote to memory of 852	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	rjcGSAI.exe
PID 2460 wrote to memory of 852	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	rjcGSAI.exe
PID 2460 wrote to memory of 1868	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	cCIaQuY.exe
PID 2460 wrote to memory of 1868	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	cCIaQuY.exe
PID 2460 wrote to memory of 1868	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	cCIaQuY.exe
PID 2460 wrote to memory of 2332	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ptYXcZj.exe
PID 2460 wrote to memory of 2332	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ptYXcZj.exe
PID 2460 wrote to memory of 2332	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ptYXcZj.exe
PID 2460 wrote to memory of 1400	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	aJaDSqF.exe
PID 2460 wrote to memory of 1400	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	aJaDSqF.exe
PID 2460 wrote to memory of 1400	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	aJaDSqF.exe
PID 2460 wrote to memory of 1620	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	dcNiukx.exe
PID 2460 wrote to memory of 1620	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	dcNiukx.exe
PID 2460 wrote to memory of 1620	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	dcNiukx.exe
PID 2460 wrote to memory of 948	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	OUEIqHj.exe
PID 2460 wrote to memory of 948	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	OUEIqHj.exe
PID 2460 wrote to memory of 948	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	OUEIqHj.exe
PID 2460 wrote to memory of 2180	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	qQkjaTM.exe
PID 2460 wrote to memory of 2180	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	qQkjaTM.exe
PID 2460 wrote to memory of 2180	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	qQkjaTM.exe
PID 2460 wrote to memory of 1492	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	jFtRZJq.exe
PID 2460 wrote to memory of 1492	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	jFtRZJq.exe
PID 2460 wrote to memory of 1492	2460	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	jFtRZJq.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\System\ILzVXct.exe
C:\Windows\System\ILzVXct.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\bqjrgnr.exe
C:\Windows\System\bqjrgnr.exe
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\System\WAKlDNe.exe
C:\Windows\System\WAKlDNe.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\xAEXFTJ.exe
C:\Windows\System\xAEXFTJ.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\SSPSbiW.exe
C:\Windows\System\SSPSbiW.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\System\TdYlooD.exe
C:\Windows\System\TdYlooD.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\tqkkNTn.exe
C:\Windows\System\tqkkNTn.exe
2⤵
- Executes dropped EXE
PID:2572

C:\Windows\System\ElAVRZc.exe
C:\Windows\System\ElAVRZc.exe
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\System\hPTbENt.exe
C:\Windows\System\hPTbENt.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\MRqVElS.exe
C:\Windows\System\MRqVElS.exe
2⤵
- Executes dropped EXE
PID:2416

C:\Windows\System\BfUtWUZ.exe
C:\Windows\System\BfUtWUZ.exe
2⤵
- Executes dropped EXE
PID:1572

C:\Windows\System\lSvDzwS.exe
C:\Windows\System\lSvDzwS.exe
2⤵
- Executes dropped EXE
PID:1072

C:\Windows\System\VQTwgCA.exe
C:\Windows\System\VQTwgCA.exe
2⤵
- Executes dropped EXE
PID:2172

C:\Windows\System\rjcGSAI.exe
C:\Windows\System\rjcGSAI.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\cCIaQuY.exe
C:\Windows\System\cCIaQuY.exe
2⤵
- Executes dropped EXE
PID:1868

C:\Windows\System\ptYXcZj.exe
C:\Windows\System\ptYXcZj.exe
2⤵
- Executes dropped EXE
PID:2332

C:\Windows\System\aJaDSqF.exe
C:\Windows\System\aJaDSqF.exe
2⤵
- Executes dropped EXE
PID:1400

C:\Windows\System\dcNiukx.exe
C:\Windows\System\dcNiukx.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\System\OUEIqHj.exe
C:\Windows\System\OUEIqHj.exe
2⤵
- Executes dropped EXE
PID:948

C:\Windows\System\qQkjaTM.exe
C:\Windows\System\qQkjaTM.exe
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\System\jFtRZJq.exe
C:\Windows\System\jFtRZJq.exe
2⤵
- Executes dropped EXE
PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BfUtWUZ.exe
Filesize
4.8MB

MD5
1fd9b9c1e9ccbcda1bccd1eff4ff107e

SHA1
2226d6f05a86e34eed208ca2cba00505082dd897

SHA256
1eb61c3fb841494468544fd6f024118292329dd0196bd14a591e627ce635a19f

SHA512
71f8edadb6e8bbed9352606b400b1680f3fc86668653d3dda92fb495f0949c05764f36e6657f6f5ce674e5c59288b08d0e85157168244c1f9f62bcc84c530bce

Download Submit
C:\Windows\system\ElAVRZc.exe
Filesize
5.2MB

MD5
f1052ed9b002315447af4de585bc6ddd

SHA1
bab819c1b1a303a62585b09af025727296fa1111

SHA256
0aaa8b47390b9ab15e4576e6ff5117e5de83dfddbdfedb3fb9cab4c214d6ea80

SHA512
9392ac830d441f54700548c0dcad9252c955bc17b0f8351db67394fe2569b80a4d7d59eeb735c7acb662704cfd704932ea3f3349814ca3b6da5a1cfc7ae7a19c

Download Submit
C:\Windows\system\MRqVElS.exe
Filesize
3.7MB

MD5
31b31c9c3aa5f4ceac6cb95398ada393

SHA1
b268c544e053a865e1ec01f4bfe822c7e2eede7e

SHA256
bec4a955cb0e8bd5365181f33aade30adc2500ef681a2979f0cb973031068352

SHA512
3d1e6f2af86bd8f09817177c22d391a03dd2ec081a72af7159347001d6fba886817bc23a3e8161f1af2bba41f9960229a7f8a22cc0c8125ad8460b9aaf2a3c86

Download Submit
C:\Windows\system\OUEIqHj.exe
Filesize
5.2MB

MD5
18e5be218d0b9162faf6b70722cc6c6b

SHA1
4a80317409753fcf1471467be206f7039cd632ef

SHA256
a929711d81b3fe6aa9b2f9845f1c441e1e1301e72b0c64d0e2d7d36096bb7586

SHA512
a7decf479267ac7b25df9070dc4c5262a5dc633e57d0611d4b52babc2644f1010baccc05b82eaad4ab617ef6dad1edb35b0914883d33abda6a6397edecaf2521

Download Submit
C:\Windows\system\SSPSbiW.exe
Filesize
5.2MB

MD5
5aeb569a132dfec9857bfc81517f65aa

SHA1
1dae2a0213fb696de7a726363608718c3de06636

SHA256
9e933f71606d89073e4b38a3e87c473c400febb61dea480e44d4a169db61772b

SHA512
561fb7c81f50f2a30139cdf03cf26341acea148340e3c9b567cfbec7dc54d6052633505abf61e9582b46f030a95af8fb2c4c72e5f5ac75794b2d987b781ab6d6

Download Submit
C:\Windows\system\TdYlooD.exe
Filesize
5.2MB

MD5
7baef970d7470cf1a41d9ee27ccdaea9

SHA1
06857a676a10288eb8ccc4883f67665f51a7dfed

SHA256
38de176ce6b8423cff18de95286c43ed6ebab897eea098c8daaff42e49a4258a

SHA512
888e9fb93e99f1401665fd7f78d29e883c36278d3f640419db940782bd2b2338408cbe9cc0c72f0d5dd5609f4b221726aef2ba9190032c2a87244bd9cab403c7

Download Submit
C:\Windows\system\VQTwgCA.exe
Filesize
4.4MB

MD5
1c188e3890a2ded791333607b5010836

SHA1
7b52404de9bf774b4f432d86b3575632d47c9a0f

SHA256
aef175299d0c90533ca1294fe1b0e92edf86a2de157d9ed565e8727b85f50871

SHA512
626124dcb1c97710dd180d69527a447a3d850562cf797dabf54846386e6d01562b875cf5b533a891e28256f3a333d8ec5a52039e5265f3e511d0d06d58222f5b

Download Submit
C:\Windows\system\WAKlDNe.exe
Filesize
5.2MB

MD5
099b68533f0a0f02fcaaddec8b426f53

SHA1
85d60cd64b1e2bbb7cd837726a35f1a59edf64d0

SHA256
f65ec878fdc0408194e3aa66e23708d3edb7a130cbb41d77c8033e2d1d4aad0c

SHA512
edf0f8ec5df90b0da33b0c730352cc3ae060586c5b759b1ffbe62c507b0bb2fa473155626cf2a6cedb052b50cd42760f6d66ba6ea227f593fdcdfe1315758511

Download Submit
C:\Windows\system\aJaDSqF.exe
Filesize
5.2MB

MD5
148a80da729e24bfc28aa7760b139c49

SHA1
a013ae3e1f96ebaf3d48af3be809061a0a39bc74

SHA256
1fa070263496d36892c1c2b8fd1ab82ab57e6379a3c7f3767c6774ccc1bba7b2

SHA512
813ad6b6a6630d496de880be7a05e82894a1439a8f8c57f2b6c291759d732f94b5a1dcc08a83e29709cebb6664c2c0c5aea2030ad835fef9147bdfccfd63e1ae

Download Submit
C:\Windows\system\cCIaQuY.exe
Filesize
5.2MB

MD5
075c3fae49d7a3ba91a6632b6c8fb8ca

SHA1
fa55b9897079a2443341dbfd71dd88b03b001fad

SHA256
cf0f9ffe69f5411ba22673c04d04e0942a2c2e7293d38db125bcfd5f67710e3f

SHA512
ccac08ecabe8c69cc47ba3a55ba19d2da08ae2c4ad9257fdd81962c54e79326a10660d3504de49e02823856a5bb59f4bc64ab730259009b434234161b431646c

Download Submit
C:\Windows\system\hPTbENt.exe
Filesize
4.8MB

MD5
bf7bd2ffad1bc185b79bd35881c6b5b6

SHA1
5394e4f485bd33f08c8dee5a97e2a4fc0736ae93

SHA256
fc808d752b5f81a4fcdbfe2829fffeed2268f07193d6a3a1aa6256176dc96749

SHA512
f4634bd1e93ac7532d0ff00384e7f00976105967a880bdc36e327cc8b1a53342fc7c5f667ada70cac0d4fb72be167515e0f8783ffd4bef470ed8b2b97073642c

Download Submit
C:\Windows\system\jFtRZJq.exe
Filesize
5.2MB

MD5
7483c7a629565b50f45a12e7ef6972ca

SHA1
abe9d1ca428bd8f0029cf3dcc30fd0f4847cfb4e

SHA256
31e760acceddd4e92f26af4051bf21e8011eaee0d5613dea4c25fc4161207146

SHA512
e5a641287818a6fcff88034e93a7fae9e5b51d73e970a82f565cce05850a2fc0ea404302e731d1334ed43728afc3e889eab0c080e220b5a63af86e233625909c

Download Submit
C:\Windows\system\qQkjaTM.exe
Filesize
5.2MB

MD5
2ea0193a6c6755556cbaa21ebeb5ce8c

SHA1
2f2a187ad4abf15f4c9615005f7cea01e162c0e4

SHA256
a00950cfb60fa4ca3503a38d9c36ea283f13a4a1c59d680a517361c281324beb

SHA512
7d676e799feb99f71fd73b8b534e73ef3c1a19b7db40523d3343f88fe6610d5471570cde584f9e76af55357caa17c93cd4e30bf38b5931374f67063a9fd17b9a

Download Submit
C:\Windows\system\tqkkNTn.exe
Filesize
5.2MB

MD5
390cf90a5a314474f5fe653bc37334ef

SHA1
0b811478b7b8cf4341e91292641e02ce7b5eb272

SHA256
f50a666b6a0e3975474f3be4b99641fea472d92b48e7ee202c6a7172bd8e0ed4

SHA512
60dc943bb4d4e0b3e29843813b46f54065d1b55bacf9b6774498aba6fc54f6b831f25cef4aac5cd0da71bb93867ac4e86a232f52e835c025f8734c89b87219d3

Download Submit
C:\Windows\system\xAEXFTJ.exe
Filesize
5.2MB

MD5
9cdaff5448ecab06588f04717af377e4

SHA1
22cfe02f3ff1891ff571314c7eae450e3263e62e

SHA256
f186969a1f46ab83797bf8c3a647b7986d4bc8878e96f694b7819b6b0ee503ef

SHA512
bd6556a4e48167b3efa82aeaa0f9e2c6ec1eb262e287bea172182cdcc07906ccd8c808bd1feb30d40da72918242d098325487874a939537f9a3262711e4c3c3c

Download Submit
\Windows\system\BfUtWUZ.exe
Filesize
4.6MB

MD5
6a24d1ac25e504e93969cb7f12339316

SHA1
057dabb006c2b33b4096cbcdee588a54762a6caf

SHA256
f5e91dc5712969dda71fc9dc7e952c7a9e0486afdb503948ce7f7c170376347b

SHA512
f8d2b2237945ebeae8b7de55cebe98c34a6ef45579ac39e27087799d6dfb9a7dbefa4443bcc7e8f108635921fa28371cc55e2cd7893f375b8ca35251ab908622

Download Submit
\Windows\system\ILzVXct.exe
Filesize
5.2MB

MD5
41bf33c3931a0d33b5109c57e872b6f7

SHA1
46c046d2677f68b405d5b42dbc3836f51e19d2c6

SHA256
d6d1390519d83a74e687e3e8c5ed3186b7f1416d266966262cd6b590e92fb97e

SHA512
7dc2abf027a4872edf0571e7afab968e24f9730e5763ceb539d1dc5adb555c57c050cc69f8b57b38198f15188e0a590ff2b3640b6b6c902e823dbc44facac4ca

Download Submit
\Windows\system\MRqVElS.exe
Filesize
5.2MB

MD5
8dc419379f900f3efca2364bc29015f3

SHA1
a51c088ac19ab55d8c55226b2075c43245261c59

SHA256
c8c59879addd38af79be321a648dc9c5ffc482f35cfa94d8015a13e218837ee0

SHA512
6145a1f9d90e7c81eec1fe3b35fd13bab98ca1df8bda3a5f14a46ba52b9fb8948405617db505b048b77e902d2a520099ce72745d78b473da5f2d694ed6afb8cb

Download Submit
\Windows\system\VQTwgCA.exe
Filesize
5.2MB

MD5
8733ad9a6ae916834a58c909a6f242be

SHA1
bb0a0e2a01978d4313ddff1a4282676f8b2e5b55

SHA256
21e2a27311c1acad3cd37e77744fc89bca05c23f1f595b88b437eaa7908919d3

SHA512
0c6d43be8fd5d697b0666eb7f961867ab683df118788287726eecda5535e9da1079e6b00768e992bd17b092dfaa76995e5b54ac3827a1ae1e16ffa5554670927

Download Submit
\Windows\system\bqjrgnr.exe
Filesize
5.2MB

MD5
1e9f70ab5abfed6a81a4679a4b63d3e0

SHA1
77bec7d58ada815386d41f6128da9eb6ed989590

SHA256
766ee95902e32a2ab44f84de7a9463587572de7f2a657b6eda89f6299c8217d0

SHA512
d92c8c1f95713deb79cad8f6b36fadcdf4442be9f5ce80a7217bcbac631401391265add6cbf1c68bf1a41f75e122373f656edf689f5672eea7689688f29211ca

Download Submit
\Windows\system\dcNiukx.exe
Filesize
5.2MB

MD5
adff0829babe437191f88eeb17d8482f

SHA1
53555607a2070ca7ac37e3dd38460e1bc42fe4ae

SHA256
a3b8aa592acc0039fde549af438755ea4c8b8822b1483494974324832c702181

SHA512
211f81c39b0adcfa8406be83a5697fbe0d9e62c874fa62ae21b51806ec12d4209eb2eb97a5593d453fc72b80d2d5dd66fd42a91489c636c176d32ccd8ed843af

Download Submit
\Windows\system\hPTbENt.exe
Filesize
5.2MB

MD5
5c8c5b9253d11d2fe87bcf9b897bb9ea

SHA1
05de9b15cb19d9e3c22eb2dd6a812b47c0d34e4a

SHA256
aa37247b1c1ab232be5ad10e28f212affa3c52e7e7b407a8c74e3dcfdf8344c7

SHA512
b9803677e7917ce7c60d018c6c4d6fccf1749a28a1b0f1825f46cf187755c04e9b6d770fff56b9e777243b3e9e48f599ec019707cc270de6b2e9516e88117140

Download Submit
\Windows\system\lSvDzwS.exe
Filesize
5.2MB

MD5
8cc5df3572b018daab30662dc735ba6d

SHA1
e9b47a9b71cbe508d7145156cb057a2384a3de09

SHA256
8295b260451f9659ac0187c1233110d409aa8fc2f6a5f23acd2bd357b6a42877

SHA512
0a0d5b39955b61ac78b45fb9de6197571d32cda4fadea133413fa36fc3f88048acace49890f5404e9d6fd6bb5716c8e8a5e801dd8cb4e83c8f778788183792b5

Download Submit
\Windows\system\ptYXcZj.exe
Filesize
5.2MB

MD5
b1706e16086735f50d6a81fe608dadbc

SHA1
c242227902932bda0ed993c78c9947ff03140906

SHA256
e26dd203c9af93675b086f0fc1571744b7d67354cbc1e3e933c7d77d237dcd96

SHA512
c92b57da2a5bffce81f8b47ba1359bf6b3646cd3e9a91e928594a96c773f84abd6497f0c1d7e6c284960a1e351e04e357fb40e4d10f72587b84b93257dbd8258

Download Submit
\Windows\system\rjcGSAI.exe
Filesize
5.2MB

MD5
a0b2a2fcba3e73903eb613d0a12c7a26

SHA1
dc58ed167e08e2dd8b4022e4d035e11bf60917d4

SHA256
46a9699b395609ae52e294add7eb45cade4b38bc8e3607d841e26b63206a5fc6

SHA512
1146cd7f222c906ec5026ae2407eac9e5d643e8e3f94e6cab27e80f5f3cf26e3926ead77e79eaf753a523856e8f474203c08b3326732bde9aaab2eeeb5daf192

Download Submit
memory/852-149-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/948-154-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1072-147-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1400-152-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/1492-156-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/1572-99-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1572-229-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1620-153-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/1868-150-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1868-109-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1868-246-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2172-116-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2172-148-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2172-242-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2180-155-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2332-151-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2404-225-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2404-63-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2404-144-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2416-227-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-93-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-55-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-223-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-143-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-39-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-118-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2460-0-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2460-108-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2460-53-0x0000000002500000-0x0000000002851000-memory.dmp

Filesize
3.3MB

Download
memory/2460-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2460-62-0x0000000002500000-0x0000000002851000-memory.dmp

Filesize
3.3MB

Download
memory/2460-61-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2460-180-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2460-105-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2460-51-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2460-179-0x0000000002500000-0x0000000002851000-memory.dmp

Filesize
3.3MB

Download
memory/2460-96-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2460-135-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2460-87-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-26-0x0000000002500000-0x0000000002851000-memory.dmp

Filesize
3.3MB

Download
memory/2460-157-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2460-19-0x0000000002500000-0x0000000002851000-memory.dmp

Filesize
3.3MB

Download
memory/2460-12-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/2460-117-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-14-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/2468-209-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/2572-221-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2572-52-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2596-23-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-213-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-134-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-41-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-219-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-141-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-215-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-38-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-211-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/2884-15-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/2892-217-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2892-36-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2892-140-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download