cobaltstrike | e71e639032d251e8668f825bd7728779d4e13c540b5e7af56a00deed945638b0

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

993a9d59f962ae35f5f7a6cbff51ddd3
SHA1

3a078439a7235bbd546e58f4fddc27521cc1b661
SHA256

e71e639032d251e8668f825bd7728779d4e13c540b5e7af56a00deed945638b0
SHA512

28775e88fc4a6c8f9dcacaac960aa39d7dc5edcbdd554df2ce8ca0a9509eb950c98dc2929419ada0195ad8fad82686ba3026cf89a5548c2cfc5333f33334449e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lT:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\xbUEsND.exe	cobalt_reflective_dll
\Windows\system\llKOEkc.exe	cobalt_reflective_dll
C:\Windows\system\DXUhTXR.exe	cobalt_reflective_dll
C:\Windows\system\SZAahVY.exe	cobalt_reflective_dll
C:\Windows\system\hQWCqYq.exe	cobalt_reflective_dll
C:\Windows\system\ovakmxB.exe	cobalt_reflective_dll
C:\Windows\system\xNEGssi.exe	cobalt_reflective_dll
\Windows\system\BsVvQZO.exe	cobalt_reflective_dll
C:\Windows\system\Hqmbryz.exe	cobalt_reflective_dll
\Windows\system\DGHCHwF.exe	cobalt_reflective_dll
C:\Windows\system\aWUzaDC.exe	cobalt_reflective_dll
C:\Windows\system\qczJWzb.exe	cobalt_reflective_dll
C:\Windows\system\UPvLHfY.exe	cobalt_reflective_dll
\Windows\system\xtQxMNh.exe	cobalt_reflective_dll
C:\Windows\system\CGcekQV.exe	cobalt_reflective_dll
C:\Windows\system\kZToSWN.exe	cobalt_reflective_dll
\Windows\system\NBHXFqx.exe	cobalt_reflective_dll
C:\Windows\system\krapuLM.exe	cobalt_reflective_dll
C:\Windows\system\HdtvNix.exe	cobalt_reflective_dll
C:\Windows\system\RsdcBnP.exe	cobalt_reflective_dll
\Windows\system\eosZZQS.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\xbUEsND.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\llKOEkc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DXUhTXR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SZAahVY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hQWCqYq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ovakmxB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xNEGssi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\BsVvQZO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\Hqmbryz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DGHCHwF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aWUzaDC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qczJWzb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UPvLHfY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xtQxMNh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CGcekQV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kZToSWN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\NBHXFqx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\krapuLM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HdtvNix.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RsdcBnP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\eosZZQS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 62 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2860-0-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
\Windows\system\xbUEsND.exe	UPX
\Windows\system\llKOEkc.exe	UPX
C:\Windows\system\DXUhTXR.exe	UPX
behavioral1/memory/2748-34-0x000000013FBF0000-0x000000013FF41000-memory.dmp	UPX
behavioral1/memory/2204-31-0x000000013FA70000-0x000000013FDC1000-memory.dmp	UPX
behavioral1/memory/2832-36-0x000000013FAF0000-0x000000013FE41000-memory.dmp	UPX
behavioral1/memory/2160-35-0x000000013FDC0000-0x0000000140111000-memory.dmp	UPX
C:\Windows\system\SZAahVY.exe	UPX
C:\Windows\system\hQWCqYq.exe	UPX
behavioral1/memory/2212-10-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
C:\Windows\system\ovakmxB.exe	UPX
behavioral1/memory/2608-42-0x000000013F960000-0x000000013FCB1000-memory.dmp	UPX
C:\Windows\system\xNEGssi.exe	UPX
behavioral1/memory/2556-48-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
\Windows\system\BsVvQZO.exe	UPX
behavioral1/memory/2432-62-0x000000013F2B0000-0x000000013F601000-memory.dmp	UPX
C:\Windows\system\Hqmbryz.exe	UPX
behavioral1/memory/2528-55-0x000000013F650000-0x000000013F9A1000-memory.dmp	UPX
\Windows\system\DGHCHwF.exe	UPX
behavioral1/memory/2096-69-0x000000013F940000-0x000000013FC91000-memory.dmp	UPX
behavioral1/memory/2212-76-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
behavioral1/memory/2860-75-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
C:\Windows\system\aWUzaDC.exe	UPX
behavioral1/memory/2452-78-0x000000013FD70000-0x00000001400C1000-memory.dmp	UPX
C:\Windows\system\qczJWzb.exe	UPX
C:\Windows\system\UPvLHfY.exe	UPX
\Windows\system\xtQxMNh.exe	UPX
behavioral1/memory/2836-98-0x000000013F1D0000-0x000000013F521000-memory.dmp	UPX
behavioral1/memory/1924-107-0x000000013F6F0000-0x000000013FA41000-memory.dmp	UPX
C:\Windows\system\CGcekQV.exe	UPX
behavioral1/memory/2256-103-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
C:\Windows\system\kZToSWN.exe	UPX
\Windows\system\NBHXFqx.exe	UPX
C:\Windows\system\krapuLM.exe	UPX
C:\Windows\system\HdtvNix.exe	UPX
C:\Windows\system\RsdcBnP.exe	UPX
\Windows\system\eosZZQS.exe	UPX
behavioral1/memory/2860-136-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
behavioral1/memory/2556-143-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
behavioral1/memory/1932-152-0x000000013F810000-0x000000013FB61000-memory.dmp	UPX
behavioral1/memory/1500-157-0x000000013F890000-0x000000013FBE1000-memory.dmp	UPX
behavioral1/memory/2472-156-0x000000013F640000-0x000000013F991000-memory.dmp	UPX
behavioral1/memory/2144-154-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/1920-153-0x000000013F920000-0x000000013FC71000-memory.dmp	UPX
behavioral1/memory/1612-151-0x000000013FC90000-0x000000013FFE1000-memory.dmp	UPX
behavioral1/memory/1864-155-0x000000013FF00000-0x0000000140251000-memory.dmp	UPX
behavioral1/memory/2860-158-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
behavioral1/memory/2212-205-0x000000013F360000-0x000000013F6B1000-memory.dmp	UPX
behavioral1/memory/2748-207-0x000000013FBF0000-0x000000013FF41000-memory.dmp	UPX
behavioral1/memory/2160-210-0x000000013FDC0000-0x0000000140111000-memory.dmp	UPX
behavioral1/memory/2204-211-0x000000013FA70000-0x000000013FDC1000-memory.dmp	UPX
behavioral1/memory/2832-213-0x000000013FAF0000-0x000000013FE41000-memory.dmp	UPX
behavioral1/memory/2608-220-0x000000013F960000-0x000000013FCB1000-memory.dmp	UPX
behavioral1/memory/2556-222-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
behavioral1/memory/2528-224-0x000000013F650000-0x000000013F9A1000-memory.dmp	UPX
behavioral1/memory/2432-226-0x000000013F2B0000-0x000000013F601000-memory.dmp	UPX
behavioral1/memory/2096-228-0x000000013F940000-0x000000013FC91000-memory.dmp	UPX
behavioral1/memory/2452-230-0x000000013FD70000-0x00000001400C1000-memory.dmp	UPX
behavioral1/memory/2836-232-0x000000013F1D0000-0x000000013F521000-memory.dmp	UPX
behavioral1/memory/2256-238-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
behavioral1/memory/1924-240-0x000000013F6F0000-0x000000013FA41000-memory.dmp	UPX

XMRig Miner payload 39 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2748-34-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2204-31-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/2832-36-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2160-35-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2608-42-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2556-48-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2432-62-0x000000013F2B0000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/2528-55-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2096-69-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/2212-76-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2860-75-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2452-78-0x000000013FD70000-0x00000001400C1000-memory.dmp	xmrig
behavioral1/memory/2836-98-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/1924-107-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/2256-103-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2860-136-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2556-143-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/1932-152-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/1500-157-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2472-156-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/2144-154-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/1920-153-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/1612-151-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/1864-155-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2860-158-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2212-205-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2748-207-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2160-210-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2204-211-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/2832-213-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2608-220-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2556-222-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2528-224-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2432-226-0x000000013F2B0000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/2096-228-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/2452-230-0x000000013FD70000-0x00000001400C1000-memory.dmp	xmrig
behavioral1/memory/2836-232-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/2256-238-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/1924-240-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

xbUEsND.exeDXUhTXR.exehQWCqYq.exellKOEkc.exeSZAahVY.exeovakmxB.exexNEGssi.exeBsVvQZO.exeHqmbryz.exeDGHCHwF.exeaWUzaDC.exeqczJWzb.exekZToSWN.exeUPvLHfY.exextQxMNh.exeCGcekQV.exeHdtvNix.exeNBHXFqx.exekrapuLM.exeRsdcBnP.exeeosZZQS.exe

pid	process
2212	xbUEsND.exe
2748	DXUhTXR.exe
2204	hQWCqYq.exe
2160	llKOEkc.exe
2832	SZAahVY.exe
2608	ovakmxB.exe
2556	xNEGssi.exe
2528	BsVvQZO.exe
2432	Hqmbryz.exe
2096	DGHCHwF.exe
2452	aWUzaDC.exe
2836	qczJWzb.exe
2256	kZToSWN.exe
1924	UPvLHfY.exe
1612	xtQxMNh.exe
1932	CGcekQV.exe
1920	HdtvNix.exe
2144	NBHXFqx.exe
1864	krapuLM.exe
2472	RsdcBnP.exe
1500	eosZZQS.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

pid	process
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2860-0-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
\Windows\system\xbUEsND.exe	upx
\Windows\system\llKOEkc.exe	upx
C:\Windows\system\DXUhTXR.exe	upx
behavioral1/memory/2748-34-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2204-31-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/memory/2832-36-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2160-35-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
C:\Windows\system\SZAahVY.exe	upx
C:\Windows\system\hQWCqYq.exe	upx
behavioral1/memory/2212-10-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
C:\Windows\system\ovakmxB.exe	upx
behavioral1/memory/2608-42-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
C:\Windows\system\xNEGssi.exe	upx
behavioral1/memory/2556-48-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
\Windows\system\BsVvQZO.exe	upx
behavioral1/memory/2432-62-0x000000013F2B0000-0x000000013F601000-memory.dmp	upx
C:\Windows\system\Hqmbryz.exe	upx
behavioral1/memory/2528-55-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
\Windows\system\DGHCHwF.exe	upx
behavioral1/memory/2096-69-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/2212-76-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2860-75-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
C:\Windows\system\aWUzaDC.exe	upx
behavioral1/memory/2452-78-0x000000013FD70000-0x00000001400C1000-memory.dmp	upx
C:\Windows\system\qczJWzb.exe	upx
C:\Windows\system\UPvLHfY.exe	upx
\Windows\system\xtQxMNh.exe	upx
behavioral1/memory/2836-98-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/1924-107-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
C:\Windows\system\CGcekQV.exe	upx
behavioral1/memory/2256-103-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
C:\Windows\system\kZToSWN.exe	upx
\Windows\system\NBHXFqx.exe	upx
C:\Windows\system\krapuLM.exe	upx
C:\Windows\system\HdtvNix.exe	upx
C:\Windows\system\RsdcBnP.exe	upx
\Windows\system\eosZZQS.exe	upx
behavioral1/memory/2860-136-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2556-143-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/1932-152-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/1500-157-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/2472-156-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/memory/2144-154-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/1920-153-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/1612-151-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/1864-155-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2860-158-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2212-205-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2748-207-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2160-210-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2204-211-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/memory/2832-213-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2608-220-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2556-222-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2528-224-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/2432-226-0x000000013F2B0000-0x000000013F601000-memory.dmp	upx
behavioral1/memory/2096-228-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/2452-230-0x000000013FD70000-0x00000001400C1000-memory.dmp	upx
behavioral1/memory/2836-232-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/2256-238-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/1924-240-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\xtQxMNh.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HdtvNix.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SZAahVY.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xNEGssi.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ovakmxB.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UPvLHfY.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CGcekQV.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eosZZQS.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DXUhTXR.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\llKOEkc.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aWUzaDC.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qczJWzb.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kZToSWN.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NBHXFqx.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\krapuLM.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RsdcBnP.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hQWCqYq.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Hqmbryz.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DGHCHwF.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xbUEsND.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BsVvQZO.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2860 wrote to memory of 2212	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xbUEsND.exe
PID 2860 wrote to memory of 2212	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xbUEsND.exe
PID 2860 wrote to memory of 2212	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xbUEsND.exe
PID 2860 wrote to memory of 2748	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	DXUhTXR.exe
PID 2860 wrote to memory of 2748	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	DXUhTXR.exe
PID 2860 wrote to memory of 2748	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	DXUhTXR.exe
PID 2860 wrote to memory of 2160	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	llKOEkc.exe
PID 2860 wrote to memory of 2160	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	llKOEkc.exe
PID 2860 wrote to memory of 2160	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	llKOEkc.exe
PID 2860 wrote to memory of 2204	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	hQWCqYq.exe
PID 2860 wrote to memory of 2204	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	hQWCqYq.exe
PID 2860 wrote to memory of 2204	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	hQWCqYq.exe
PID 2860 wrote to memory of 2832	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	SZAahVY.exe
PID 2860 wrote to memory of 2832	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	SZAahVY.exe
PID 2860 wrote to memory of 2832	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	SZAahVY.exe
PID 2860 wrote to memory of 2608	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	ovakmxB.exe
PID 2860 wrote to memory of 2608	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	ovakmxB.exe
PID 2860 wrote to memory of 2608	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	ovakmxB.exe
PID 2860 wrote to memory of 2556	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xNEGssi.exe
PID 2860 wrote to memory of 2556	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xNEGssi.exe
PID 2860 wrote to memory of 2556	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xNEGssi.exe
PID 2860 wrote to memory of 2528	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	BsVvQZO.exe
PID 2860 wrote to memory of 2528	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	BsVvQZO.exe
PID 2860 wrote to memory of 2528	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	BsVvQZO.exe
PID 2860 wrote to memory of 2432	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	Hqmbryz.exe
PID 2860 wrote to memory of 2432	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	Hqmbryz.exe
PID 2860 wrote to memory of 2432	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	Hqmbryz.exe
PID 2860 wrote to memory of 2096	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	DGHCHwF.exe
PID 2860 wrote to memory of 2096	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	DGHCHwF.exe
PID 2860 wrote to memory of 2096	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	DGHCHwF.exe
PID 2860 wrote to memory of 2452	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	aWUzaDC.exe
PID 2860 wrote to memory of 2452	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	aWUzaDC.exe
PID 2860 wrote to memory of 2452	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	aWUzaDC.exe
PID 2860 wrote to memory of 2836	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	qczJWzb.exe
PID 2860 wrote to memory of 2836	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	qczJWzb.exe
PID 2860 wrote to memory of 2836	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	qczJWzb.exe
PID 2860 wrote to memory of 2256	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	kZToSWN.exe
PID 2860 wrote to memory of 2256	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	kZToSWN.exe
PID 2860 wrote to memory of 2256	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	kZToSWN.exe
PID 2860 wrote to memory of 1924	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	UPvLHfY.exe
PID 2860 wrote to memory of 1924	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	UPvLHfY.exe
PID 2860 wrote to memory of 1924	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	UPvLHfY.exe
PID 2860 wrote to memory of 1612	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xtQxMNh.exe
PID 2860 wrote to memory of 1612	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xtQxMNh.exe
PID 2860 wrote to memory of 1612	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	xtQxMNh.exe
PID 2860 wrote to memory of 1932	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CGcekQV.exe
PID 2860 wrote to memory of 1932	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CGcekQV.exe
PID 2860 wrote to memory of 1932	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CGcekQV.exe
PID 2860 wrote to memory of 1920	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	HdtvNix.exe
PID 2860 wrote to memory of 1920	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	HdtvNix.exe
PID 2860 wrote to memory of 1920	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	HdtvNix.exe
PID 2860 wrote to memory of 2144	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	NBHXFqx.exe
PID 2860 wrote to memory of 2144	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	NBHXFqx.exe
PID 2860 wrote to memory of 2144	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	NBHXFqx.exe
PID 2860 wrote to memory of 1864	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	krapuLM.exe
PID 2860 wrote to memory of 1864	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	krapuLM.exe
PID 2860 wrote to memory of 1864	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	krapuLM.exe
PID 2860 wrote to memory of 2472	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	RsdcBnP.exe
PID 2860 wrote to memory of 2472	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	RsdcBnP.exe
PID 2860 wrote to memory of 2472	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	RsdcBnP.exe
PID 2860 wrote to memory of 1500	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	eosZZQS.exe
PID 2860 wrote to memory of 1500	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	eosZZQS.exe
PID 2860 wrote to memory of 1500	2860	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	eosZZQS.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\System\xbUEsND.exe
C:\Windows\System\xbUEsND.exe
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\System\DXUhTXR.exe
C:\Windows\System\DXUhTXR.exe
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\System\llKOEkc.exe
C:\Windows\System\llKOEkc.exe
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System\hQWCqYq.exe
C:\Windows\System\hQWCqYq.exe
2⤵
- Executes dropped EXE
PID:2204

C:\Windows\System\SZAahVY.exe
C:\Windows\System\SZAahVY.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\System\ovakmxB.exe
C:\Windows\System\ovakmxB.exe
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\System\xNEGssi.exe
C:\Windows\System\xNEGssi.exe
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\System\BsVvQZO.exe
C:\Windows\System\BsVvQZO.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\Hqmbryz.exe
C:\Windows\System\Hqmbryz.exe
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\System\DGHCHwF.exe
C:\Windows\System\DGHCHwF.exe
2⤵
- Executes dropped EXE
PID:2096

C:\Windows\System\aWUzaDC.exe
C:\Windows\System\aWUzaDC.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\qczJWzb.exe
C:\Windows\System\qczJWzb.exe
2⤵
- Executes dropped EXE
PID:2836

C:\Windows\System\kZToSWN.exe
C:\Windows\System\kZToSWN.exe
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\System\UPvLHfY.exe
C:\Windows\System\UPvLHfY.exe
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\System\xtQxMNh.exe
C:\Windows\System\xtQxMNh.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System\CGcekQV.exe
C:\Windows\System\CGcekQV.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\HdtvNix.exe
C:\Windows\System\HdtvNix.exe
2⤵
- Executes dropped EXE
PID:1920

C:\Windows\System\NBHXFqx.exe
C:\Windows\System\NBHXFqx.exe
2⤵
- Executes dropped EXE
PID:2144

C:\Windows\System\krapuLM.exe
C:\Windows\System\krapuLM.exe
2⤵
- Executes dropped EXE
PID:1864

C:\Windows\System\RsdcBnP.exe
C:\Windows\System\RsdcBnP.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System\eosZZQS.exe
C:\Windows\System\eosZZQS.exe
2⤵
- Executes dropped EXE
PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CGcekQV.exe
Filesize
5.2MB

MD5
baa5cb7c5e0aac951b8b2eb23a2b6c9d

SHA1
fca9eef46080853d355f47ec893db70016b4c9d8

SHA256
5675043a994b7bf5c75b22d1f0768ebeaed1180d182a249209741a09ec877d17

SHA512
d7891b62c684ad9af043275333bdb3ee311891ee4eb2ab24186452cd931bf193009f654c42e0ec4f9ac993969f5f23d243729dcca51f67942f5bd169446b4a32

Download Submit
C:\Windows\system\DXUhTXR.exe
Filesize
5.2MB

MD5
6f578196c6a99151cacb2af11a935c81

SHA1
a0f914338d29b14d2b948269aca0fd41e9ed4cd0

SHA256
5fd60063ba674d295382dc6824a3515ca3d3136c5bcdc4554bae528e8e7ad009

SHA512
0637ac8256f35ccbbd5489d8582cfdf02c8c0e289f8411905066ebea75e347c9bea94176015ad44758dd3f9ac639463ffaf6b36c2e9b4d0c4575c439b3157b37

Download Submit
C:\Windows\system\HdtvNix.exe
Filesize
5.2MB

MD5
ca5b4157c86a9fe8e7ad6b5383fecc60

SHA1
fc118350b719d73c8c522d85d469616d1d334d31

SHA256
d2ec30b5ac35c5e2458b556967984040ffdbd9096b9695783cfe65ce95694f5e

SHA512
76ea35b945c69f9a3ba20f31a81b1dc31c7b6a906763ad25b50b599c1ef1687562bde28e310375c661f54898609725ee18fb867e7e195bf2c8247452a21518da

Download Submit
C:\Windows\system\Hqmbryz.exe
Filesize
5.2MB

MD5
740f63a273eb84af32a70aa559049a88

SHA1
f15232f2e09f968685a55ca4f897d532a7eaf94d

SHA256
bdbd448928c581db96bf98d30c663e636aca4100f3f1e8bb024ce968998ba76e

SHA512
3dfabb8ce057199af90240492d7cb35629658cbd8a8d7ec733fb546883f9b877c0e78d9af461a6cc6a9e56fecd636de97c72969f2b0feeb3584fe5b58d43b2e0

Download Submit
C:\Windows\system\RsdcBnP.exe
Filesize
5.2MB

MD5
1be4f7e2d2ce05640ce509f8ff7e9eed

SHA1
4cecd0f692470ec6a6982ef788bbb5416982a710

SHA256
283e804f138e84e5279bf1a1c60ab24c61b81d9234dc6945a8e64794c87f4149

SHA512
b02a59056ad6332f9dc76bcd11e018e00bdc6b06be91c4a1341b5be64b01f783246a4ca0a2f1b3a20443876faf3f9e3b827e915ebc59e19f6c506e4c98128f8e

Download Submit
C:\Windows\system\SZAahVY.exe
Filesize
5.2MB

MD5
64141fb48483ee3855b70fa82304c06f

SHA1
7f31ba0a3edae8ea51a260a3be5b3f2456f3e298

SHA256
fd0689f669c8c6bdbe301665c29d4b2a898ace8a518394b353733b9e7e0ca810

SHA512
819a3443f35bf2727e26d14a987226c67fc52b3bb641728a740231267a5ec3568819e0d99a8ed125f7e6075504c72909aa9d2d77704a4ddc29419f02e412dd6d

Download Submit
C:\Windows\system\UPvLHfY.exe
Filesize
5.2MB

MD5
dcc4995868973b64ab68315c371ca760

SHA1
e56f25695a81a4d5ce7a1c2497754611db1c5c87

SHA256
efd4f6d601f41c4624c3d0df3c18dc70541ad41fc1d955eb1d48990be35d2752

SHA512
c76301d32cbda4cea82f2bac5341f5eb9787fe80e11c02cbb12fabd53b3587dbbd465e432f079225d9cfba0ee1cb85a0c1f7c357343735d7ed91a3fd4ec80d9a

Download Submit
C:\Windows\system\aWUzaDC.exe
Filesize
5.2MB

MD5
2e851730fa67925a0b16c810a8bec13e

SHA1
5acdcfbc62b949721f87081bec85a5f0a57ba7b7

SHA256
43e86ebf8007b9938572146e3d243069fe4a283a717839f760d26973b46d7f1a

SHA512
7649edbd4fd3ac137a8ade770919550bdef8efe10b37293062196af9bef759ed5d79d5befeee820f08216b901b031eb6451f066218684a8c39f6e917dcf6121e

Download Submit
C:\Windows\system\hQWCqYq.exe
Filesize
5.2MB

MD5
8edf27b0367c7a9fd1d465fb9e2424fd

SHA1
d5134038e1555be1b734301f065eb73c2865f3e9

SHA256
2c49e477fc1761a7e76fa9e0db1d1625f178f8827aa0631c98f77f98337779f6

SHA512
7a4aa4873849f709cde3c4aa02bb6b443f3d9f8915aaea2e62bdc8e2c6a9754994b8d72c5e4add294851113b67d31546babc7e2e7d251815823046705ed829ed

Download Submit
C:\Windows\system\kZToSWN.exe
Filesize
5.2MB

MD5
bf67e816bd001077cb8332daea070f17

SHA1
891a62ad769148dd86f0d336af11c8690435e0d9

SHA256
cb82965bb03ceeeeb0b6d406da06c601f4c70df1f962299b106744a535d31570

SHA512
9742735b766bc5e39d990534c91fcf6b3e1a8f0e5c60e27519822399f4802e18a3bf9a432311fbb2b09c68e1e71542c60555c1659d37c93ec4abc425f5546902

Download Submit
C:\Windows\system\krapuLM.exe
Filesize
5.2MB

MD5
d0484de545ddd9389d1fb060ea62b883

SHA1
ed3e4757eb56223e1b1e51b82a9ffd842a63f029

SHA256
0dc2080e5395d61f4940bc4ffa9e88e5d36d3a9ae669442929580f30d934584e

SHA512
92a5d0b20097de466aa6e5dd3897ddd3b2a28d2e0e62b1a777f538cad58cc3d63e449da4d245faf31c575a4334934d67a491d28854475cc9545bf14e1f6752b1

Download Submit
C:\Windows\system\ovakmxB.exe
Filesize
5.2MB

MD5
629ca10612731db3f6e76aa21aab15d6

SHA1
aa00aa96619e8280c60c91c8456383d7e3dc3256

SHA256
fc36ada37c34583aa9e838eef1ec8f5b48b6ff46cff50588256eff147a3a8a74

SHA512
d1967d1b3fa9090ebc2c78772cbb30cd59400b4c75f7ceb17cf32951256a45a63562f62accc4e165aa65eb97e539ced3837636656d2ed8cfa60d922c55e5d3a2

Download Submit
C:\Windows\system\qczJWzb.exe
Filesize
5.2MB

MD5
090c85304d7c3743a2e6aaafedcf7e04

SHA1
1b692ce6e53d50081d6fc2b6b1ca0d6c4c6ac07c

SHA256
2a85e303715362c1204347bc0c18dc69ed2a532b005c2d89f1ff6b632c1b39e8

SHA512
ea2f33cfff44e8ea37bb5f7da8ff2e84b47a9251669da636d348179b69464e1e8b7051f96b4b2780e7935d25920126ab1b3ded79aa7800991db37059d7e240e7

Download Submit
C:\Windows\system\xNEGssi.exe
Filesize
5.2MB

MD5
206f21203f59d1c174941126d54a0d6a

SHA1
a75666ee59c003573a5034a8d89690e4f6bc46c0

SHA256
ed0558272eb534a2ff4ea3a1974249065d53488cfede34a96693df6f5b0493d3

SHA512
93bf02842732a53b2195b4298d252c451e527139cd657d5a0ab2ccd27c21b123618a790074341640372c558e76bbef8d919542fd70508ca52301b988523484e4

Download Submit
\Windows\system\BsVvQZO.exe
Filesize
5.2MB

MD5
9fa506e381f0bb4d33f4744f420e4b9c

SHA1
f70a37068822db3c117466989e37c245a5560b21

SHA256
23b0a07035534c888bf1347acb807f4cc4134e40c08bb5a7f4fbd3bd9544ed74

SHA512
b9827f5855607149e15a731c7b1815a7ad587d53939ab13ac60250f2d349133331f23a576346eec755f3d5a6212b3285fa30a0ebe48b6e81cdf29001b79c1122

Download Submit
\Windows\system\DGHCHwF.exe
Filesize
5.2MB

MD5
4b149e5f517a9f31c9ea5f23b777c444

SHA1
b6097a17b60e6a1ecf83646ae0d31cf0b7b6eed6

SHA256
e861075f263c2ccd83fe86ec72e153fcab3c75c19fa7d1a3ce0f9ba3a1d765d7

SHA512
25fea0e5d5bbaf6027ba237ca0090079178bcd6512643820c34e64d1ab769b12d3a28028464e9f9c57cf2d965421cbf9afbd2a431ead9fcd4cc810e5b669026f

Download Submit
\Windows\system\NBHXFqx.exe
Filesize
5.2MB

MD5
9017d7d7b31cc08cacae85c3eebe5afa

SHA1
a099a49ee74d37aa55b11da6e62c674bb329c37a

SHA256
ea13cf008bf2e47a1a40d0e297afbf51e396b36e681b86a652e0b8ffa0e97cc6

SHA512
232895ffcce42e6d9bcf4a3a72d6766a899d68d80c35554cea0efd1c67666b069f3dea965310781ecc7b5fdc04a58cd78ff0c8923b3de76142f7977ea899abcf

Download Submit
\Windows\system\eosZZQS.exe
Filesize
5.2MB

MD5
654a146523c756d2f3378afbe7af7011

SHA1
a997641786da2bffeb43ffa66ad8bb6ac0e6da28

SHA256
71e7a97350da7e063550bf6a1bd31c6958ba2f1b69dc3c6152837f75d6f2e299

SHA512
74f503a2eb0eda633a375ee5b38f46fda05fe97f2f71ab69daa5eaa009a6c64b93a897060b8c24433c78e424ddfb6f7da2912451cd4daf9039621008025a11c2

Download Submit
\Windows\system\llKOEkc.exe
Filesize
5.2MB

MD5
1304c0161fd565924760bd7e526e78a1

SHA1
223e5df148eeddb7224b172338d4e951e21080e1

SHA256
99b1cc4f6c69901d549bc7980e5f2ca5159d434eac1da1fc9f4d100ef62a7ae9

SHA512
f6f5af7f73393fd0795c4d81545ad43a50b19c2da0a2e05e33db44cf31d9a89fa576f60ed79d29e72f276d2c3486f0885e7971dadc8501fac55c5e1d89e56651

Download Submit
\Windows\system\xbUEsND.exe
Filesize
5.2MB

MD5
4435d9725be1ee29b20904377bddc8c1

SHA1
bbcc38010f6b0e104bce5386655889ecbcf01448

SHA256
bb310931f0c10dcbde5f1ae628f3d5957028a626694c754432c3fd88bf18a3d6

SHA512
0d32f11b982697f28234d309aa0cffa984c734c0d8d649ce0f651e5c766521a36de7bc65b5598936e8c56037d1a13f9cc727b6a70f5db1a32cd20b6502507feb

Download Submit
\Windows\system\xtQxMNh.exe
Filesize
5.2MB

MD5
d843532f115767a9175fff6d0eca4367

SHA1
04de438040fee26588ad63137790277672d036d9

SHA256
497fbb58456328abe2d72402b73627c6fde8ef844ffda6035efbc8b8d535677e

SHA512
2975a251d49b0709cdef508911e3927cd8eef4b8b8d5422550e53dcd1a4e8936372a82556505374ea3edfc2bd8122eaf9bfa6445bf510764341ef58da5aafc45

Download Submit
memory/1500-157-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-151-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-155-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/1920-153-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/1924-107-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1924-240-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1932-152-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2096-228-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2096-69-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2144-154-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-35-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2160-210-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2204-31-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-211-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-76-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-10-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-205-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-238-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2256-103-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2432-226-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/2432-62-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/2452-230-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-78-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-156-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/2528-224-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-55-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-143-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2556-48-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2556-222-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2608-220-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-42-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-34-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2748-207-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2832-36-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2832-213-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2836-232-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2836-98-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2860-54-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-111-0x0000000002200000-0x0000000002551000-memory.dmp

Filesize
3.3MB

Download
memory/2860-32-0x0000000002200000-0x0000000002551000-memory.dmp

Filesize
3.3MB

Download
memory/2860-158-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2860-170-0x0000000002200000-0x0000000002551000-memory.dmp

Filesize
3.3MB

Download
memory/2860-180-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2860-109-0x0000000002200000-0x0000000002551000-memory.dmp

Filesize
3.3MB

Download
memory/2860-0-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2860-110-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-61-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/2860-106-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2860-29-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-75-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2860-136-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2860-94-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2860-25-0x0000000002200000-0x0000000002551000-memory.dmp

Filesize
3.3MB

Download
memory/2860-68-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2860-14-0x0000000002200000-0x0000000002551000-memory.dmp

Filesize
3.3MB

Download
memory/2860-77-0x0000000002200000-0x0000000002551000-memory.dmp

Filesize
3.3MB

Download
memory/2860-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download