cobaltstrike | 08ba7247d4902ce16b25fbcb774b566ae7af2bfce7129efa4a3a57a460430fc0

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

6756f812c46a38ac5e8f40a4385fee4b
SHA1

172f9a9fb0f28d6d260f908d9162c8cb343973fa
SHA256

08ba7247d4902ce16b25fbcb774b566ae7af2bfce7129efa4a3a57a460430fc0
SHA512

24519da855cb42d5fdbef859314c7b3b4dd29f9a3ba2f82620d68508c514efa25ac8f40229dcdfaac6676a1d4dbb4ace90ea1bfb9bf65a0120d9e0a321728bce
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUS:T+856utgpPF8u/7S

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\cvRnjAV.exe	cobalt_reflective_dll
\Windows\system\kLMNJqX.exe	cobalt_reflective_dll
C:\Windows\system\wHPATcA.exe	cobalt_reflective_dll
C:\Windows\system\VWYMcdX.exe	cobalt_reflective_dll
C:\Windows\system\LzWpdIv.exe	cobalt_reflective_dll
C:\Windows\system\XVwFTwF.exe	cobalt_reflective_dll
C:\Windows\system\ucOhBqU.exe	cobalt_reflective_dll
C:\Windows\system\PxupwtV.exe	cobalt_reflective_dll
C:\Windows\system\SKTtlAV.exe	cobalt_reflective_dll
C:\Windows\system\ODDwZpb.exe	cobalt_reflective_dll
C:\Windows\system\qMemRFO.exe	cobalt_reflective_dll
C:\Windows\system\JaFTsvt.exe	cobalt_reflective_dll
C:\Windows\system\RIOFTqv.exe	cobalt_reflective_dll
C:\Windows\system\sKyfPSp.exe	cobalt_reflective_dll
C:\Windows\system\RtqHxll.exe	cobalt_reflective_dll
C:\Windows\system\ifgbWcd.exe	cobalt_reflective_dll
C:\Windows\system\JfwNyJM.exe	cobalt_reflective_dll
C:\Windows\system\XBlnUHy.exe	cobalt_reflective_dll
C:\Windows\system\CNWzrob.exe	cobalt_reflective_dll
C:\Windows\system\jvyitwm.exe	cobalt_reflective_dll
C:\Windows\system\XvoKymr.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\cvRnjAV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kLMNJqX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wHPATcA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VWYMcdX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LzWpdIv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XVwFTwF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ucOhBqU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PxupwtV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SKTtlAV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ODDwZpb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qMemRFO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JaFTsvt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RIOFTqv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sKyfPSp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RtqHxll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ifgbWcd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JfwNyJM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XBlnUHy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CNWzrob.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jvyitwm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XvoKymr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1096-0-0x000000013F770000-0x000000013FAC4000-memory.dmp	UPX
C:\Windows\system\cvRnjAV.exe	UPX
behavioral1/memory/1068-9-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
\Windows\system\kLMNJqX.exe	UPX
behavioral1/memory/3048-23-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/memory/2836-36-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
C:\Windows\system\wHPATcA.exe	UPX
C:\Windows\system\VWYMcdX.exe	UPX
behavioral1/memory/2488-65-0x000000013F440000-0x000000013F794000-memory.dmp	UPX
behavioral1/memory/2920-79-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
behavioral1/memory/2708-94-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
C:\Windows\system\LzWpdIv.exe	UPX
C:\Windows\system\XVwFTwF.exe	UPX
C:\Windows\system\ucOhBqU.exe	UPX
C:\Windows\system\PxupwtV.exe	UPX
C:\Windows\system\SKTtlAV.exe	UPX
behavioral1/memory/1988-102-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/memory/2836-101-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
C:\Windows\system\ODDwZpb.exe	UPX
C:\Windows\system\qMemRFO.exe	UPX
behavioral1/memory/2660-114-0x000000013F260000-0x000000013F5B4000-memory.dmp	UPX
C:\Windows\system\JaFTsvt.exe	UPX
C:\Windows\system\RIOFTqv.exe	UPX
behavioral1/memory/500-87-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/2632-85-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
C:\Windows\system\sKyfPSp.exe	UPX
behavioral1/memory/2816-77-0x000000013F1B0000-0x000000013F504000-memory.dmp	UPX
C:\Windows\system\RtqHxll.exe	UPX
behavioral1/memory/2464-71-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
C:\Windows\system\ifgbWcd.exe	UPX
behavioral1/memory/1096-64-0x000000013F770000-0x000000013FAC4000-memory.dmp	UPX
C:\Windows\system\JfwNyJM.exe	UPX
behavioral1/memory/2960-58-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
C:\Windows\system\XBlnUHy.exe	UPX
behavioral1/memory/2748-51-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2660-41-0x000000013F260000-0x000000013F5B4000-memory.dmp	UPX
C:\Windows\system\CNWzrob.exe	UPX
C:\Windows\system\jvyitwm.exe	UPX
behavioral1/memory/2632-30-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/2816-15-0x000000013F1B0000-0x000000013F504000-memory.dmp	UPX
C:\Windows\system\XvoKymr.exe	UPX
behavioral1/memory/1068-143-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/2816-144-0x000000013F1B0000-0x000000013F504000-memory.dmp	UPX
behavioral1/memory/3048-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/memory/2632-146-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/2660-147-0x000000013F260000-0x000000013F5B4000-memory.dmp	UPX
behavioral1/memory/2836-148-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2748-149-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2960-150-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2488-151-0x000000013F440000-0x000000013F794000-memory.dmp	UPX
behavioral1/memory/2464-152-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2920-153-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
behavioral1/memory/500-154-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/2708-155-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/1988-156-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX

XMRig Miner payload 57 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1096-0-0x000000013F770000-0x000000013FAC4000-memory.dmp	xmrig
C:\Windows\system\cvRnjAV.exe	xmrig
behavioral1/memory/1068-9-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
\Windows\system\kLMNJqX.exe	xmrig
behavioral1/memory/3048-23-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2836-36-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
C:\Windows\system\wHPATcA.exe	xmrig
C:\Windows\system\VWYMcdX.exe	xmrig
behavioral1/memory/2488-65-0x000000013F440000-0x000000013F794000-memory.dmp	xmrig
behavioral1/memory/2920-79-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/2708-94-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
C:\Windows\system\LzWpdIv.exe	xmrig
C:\Windows\system\XVwFTwF.exe	xmrig
C:\Windows\system\ucOhBqU.exe	xmrig
C:\Windows\system\PxupwtV.exe	xmrig
C:\Windows\system\SKTtlAV.exe	xmrig
behavioral1/memory/1988-102-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2836-101-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
C:\Windows\system\ODDwZpb.exe	xmrig
C:\Windows\system\qMemRFO.exe	xmrig
behavioral1/memory/2660-114-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
C:\Windows\system\JaFTsvt.exe	xmrig
C:\Windows\system\RIOFTqv.exe	xmrig
behavioral1/memory/500-87-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2632-85-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
C:\Windows\system\sKyfPSp.exe	xmrig
behavioral1/memory/2816-77-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
C:\Windows\system\RtqHxll.exe	xmrig
behavioral1/memory/2464-71-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
C:\Windows\system\ifgbWcd.exe	xmrig
behavioral1/memory/1096-64-0x000000013F770000-0x000000013FAC4000-memory.dmp	xmrig
C:\Windows\system\JfwNyJM.exe	xmrig
behavioral1/memory/2960-58-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
C:\Windows\system\XBlnUHy.exe	xmrig
behavioral1/memory/2748-51-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2660-41-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
C:\Windows\system\CNWzrob.exe	xmrig
C:\Windows\system\jvyitwm.exe	xmrig
behavioral1/memory/1096-33-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2632-30-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2816-15-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
C:\Windows\system\XvoKymr.exe	xmrig
behavioral1/memory/1096-142-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/1068-143-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2816-144-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/3048-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2632-146-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2660-147-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
behavioral1/memory/2836-148-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2748-149-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2960-150-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2488-151-0x000000013F440000-0x000000013F794000-memory.dmp	xmrig
behavioral1/memory/2464-152-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2920-153-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/500-154-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2708-155-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/1988-156-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

cvRnjAV.exekLMNJqX.exeXvoKymr.exeCNWzrob.exejvyitwm.exewHPATcA.exeVWYMcdX.exeXBlnUHy.exeJfwNyJM.exeifgbWcd.exeRtqHxll.exesKyfPSp.exeRIOFTqv.exeODDwZpb.exeJaFTsvt.exeqMemRFO.exeSKTtlAV.exeLzWpdIv.exeucOhBqU.exeXVwFTwF.exePxupwtV.exe

pid	process
1068	cvRnjAV.exe
2816	kLMNJqX.exe
3048	XvoKymr.exe
2632	CNWzrob.exe
2836	jvyitwm.exe
2660	wHPATcA.exe
2748	VWYMcdX.exe
2960	XBlnUHy.exe
2488	JfwNyJM.exe
2464	ifgbWcd.exe
2920	RtqHxll.exe
500	sKyfPSp.exe
2708	RIOFTqv.exe
1988	ODDwZpb.exe
1744	JaFTsvt.exe
1568	qMemRFO.exe
764	SKTtlAV.exe
600	LzWpdIv.exe
1652	ucOhBqU.exe
2204	XVwFTwF.exe
1604	PxupwtV.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe

pid	process
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1096-0-0x000000013F770000-0x000000013FAC4000-memory.dmp	upx
C:\Windows\system\cvRnjAV.exe	upx
behavioral1/memory/1068-9-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
\Windows\system\kLMNJqX.exe	upx
behavioral1/memory/3048-23-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2836-36-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
C:\Windows\system\wHPATcA.exe	upx
C:\Windows\system\VWYMcdX.exe	upx
behavioral1/memory/2488-65-0x000000013F440000-0x000000013F794000-memory.dmp	upx
behavioral1/memory/2920-79-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/2708-94-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
C:\Windows\system\LzWpdIv.exe	upx
C:\Windows\system\XVwFTwF.exe	upx
C:\Windows\system\ucOhBqU.exe	upx
C:\Windows\system\PxupwtV.exe	upx
C:\Windows\system\SKTtlAV.exe	upx
behavioral1/memory/1988-102-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2836-101-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
C:\Windows\system\ODDwZpb.exe	upx
C:\Windows\system\qMemRFO.exe	upx
behavioral1/memory/2660-114-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
C:\Windows\system\JaFTsvt.exe	upx
C:\Windows\system\RIOFTqv.exe	upx
behavioral1/memory/500-87-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2632-85-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
C:\Windows\system\sKyfPSp.exe	upx
behavioral1/memory/2816-77-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
C:\Windows\system\RtqHxll.exe	upx
behavioral1/memory/2464-71-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
C:\Windows\system\ifgbWcd.exe	upx
behavioral1/memory/1096-64-0x000000013F770000-0x000000013FAC4000-memory.dmp	upx
C:\Windows\system\JfwNyJM.exe	upx
behavioral1/memory/2960-58-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
C:\Windows\system\XBlnUHy.exe	upx
behavioral1/memory/2748-51-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2660-41-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
C:\Windows\system\CNWzrob.exe	upx
C:\Windows\system\jvyitwm.exe	upx
behavioral1/memory/2632-30-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2816-15-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
C:\Windows\system\XvoKymr.exe	upx
behavioral1/memory/1068-143-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2816-144-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/3048-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2632-146-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2660-147-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
behavioral1/memory/2836-148-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2748-149-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2960-150-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2488-151-0x000000013F440000-0x000000013F794000-memory.dmp	upx
behavioral1/memory/2464-152-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2920-153-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/500-154-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2708-155-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/1988-156-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\VWYMcdX.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sKyfPSp.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JaFTsvt.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XVwFTwF.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PxupwtV.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kLMNJqX.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wHPATcA.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SKTtlAV.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qMemRFO.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LzWpdIv.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CNWzrob.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XBlnUHy.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ifgbWcd.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RtqHxll.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RIOFTqv.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ODDwZpb.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jvyitwm.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JfwNyJM.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ucOhBqU.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cvRnjAV.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XvoKymr.exe	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1096 wrote to memory of 1068	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	cvRnjAV.exe
PID 1096 wrote to memory of 1068	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	cvRnjAV.exe
PID 1096 wrote to memory of 1068	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	cvRnjAV.exe
PID 1096 wrote to memory of 2816	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	kLMNJqX.exe
PID 1096 wrote to memory of 2816	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	kLMNJqX.exe
PID 1096 wrote to memory of 2816	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	kLMNJqX.exe
PID 1096 wrote to memory of 3048	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XvoKymr.exe
PID 1096 wrote to memory of 3048	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XvoKymr.exe
PID 1096 wrote to memory of 3048	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XvoKymr.exe
PID 1096 wrote to memory of 2632	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	CNWzrob.exe
PID 1096 wrote to memory of 2632	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	CNWzrob.exe
PID 1096 wrote to memory of 2632	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	CNWzrob.exe
PID 1096 wrote to memory of 2836	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	jvyitwm.exe
PID 1096 wrote to memory of 2836	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	jvyitwm.exe
PID 1096 wrote to memory of 2836	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	jvyitwm.exe
PID 1096 wrote to memory of 2660	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	wHPATcA.exe
PID 1096 wrote to memory of 2660	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	wHPATcA.exe
PID 1096 wrote to memory of 2660	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	wHPATcA.exe
PID 1096 wrote to memory of 2748	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	VWYMcdX.exe
PID 1096 wrote to memory of 2748	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	VWYMcdX.exe
PID 1096 wrote to memory of 2748	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	VWYMcdX.exe
PID 1096 wrote to memory of 2960	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XBlnUHy.exe
PID 1096 wrote to memory of 2960	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XBlnUHy.exe
PID 1096 wrote to memory of 2960	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XBlnUHy.exe
PID 1096 wrote to memory of 2488	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	JfwNyJM.exe
PID 1096 wrote to memory of 2488	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	JfwNyJM.exe
PID 1096 wrote to memory of 2488	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	JfwNyJM.exe
PID 1096 wrote to memory of 2464	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ifgbWcd.exe
PID 1096 wrote to memory of 2464	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ifgbWcd.exe
PID 1096 wrote to memory of 2464	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ifgbWcd.exe
PID 1096 wrote to memory of 2920	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	RtqHxll.exe
PID 1096 wrote to memory of 2920	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	RtqHxll.exe
PID 1096 wrote to memory of 2920	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	RtqHxll.exe
PID 1096 wrote to memory of 500	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	sKyfPSp.exe
PID 1096 wrote to memory of 500	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	sKyfPSp.exe
PID 1096 wrote to memory of 500	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	sKyfPSp.exe
PID 1096 wrote to memory of 2708	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	RIOFTqv.exe
PID 1096 wrote to memory of 2708	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	RIOFTqv.exe
PID 1096 wrote to memory of 2708	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	RIOFTqv.exe
PID 1096 wrote to memory of 1988	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ODDwZpb.exe
PID 1096 wrote to memory of 1988	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ODDwZpb.exe
PID 1096 wrote to memory of 1988	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ODDwZpb.exe
PID 1096 wrote to memory of 1744	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	JaFTsvt.exe
PID 1096 wrote to memory of 1744	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	JaFTsvt.exe
PID 1096 wrote to memory of 1744	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	JaFTsvt.exe
PID 1096 wrote to memory of 764	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	SKTtlAV.exe
PID 1096 wrote to memory of 764	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	SKTtlAV.exe
PID 1096 wrote to memory of 764	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	SKTtlAV.exe
PID 1096 wrote to memory of 1568	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	qMemRFO.exe
PID 1096 wrote to memory of 1568	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	qMemRFO.exe
PID 1096 wrote to memory of 1568	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	qMemRFO.exe
PID 1096 wrote to memory of 1652	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ucOhBqU.exe
PID 1096 wrote to memory of 1652	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ucOhBqU.exe
PID 1096 wrote to memory of 1652	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	ucOhBqU.exe
PID 1096 wrote to memory of 600	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	LzWpdIv.exe
PID 1096 wrote to memory of 600	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	LzWpdIv.exe
PID 1096 wrote to memory of 600	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	LzWpdIv.exe
PID 1096 wrote to memory of 2204	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XVwFTwF.exe
PID 1096 wrote to memory of 2204	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XVwFTwF.exe
PID 1096 wrote to memory of 2204	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	XVwFTwF.exe
PID 1096 wrote to memory of 1604	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	PxupwtV.exe
PID 1096 wrote to memory of 1604	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	PxupwtV.exe
PID 1096 wrote to memory of 1604	1096	2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe	PxupwtV.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_6756f812c46a38ac5e8f40a4385fee4b_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System\cvRnjAV.exe
C:\Windows\System\cvRnjAV.exe
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\System\kLMNJqX.exe
C:\Windows\System\kLMNJqX.exe
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\System\XvoKymr.exe
C:\Windows\System\XvoKymr.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\System\CNWzrob.exe
C:\Windows\System\CNWzrob.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\jvyitwm.exe
C:\Windows\System\jvyitwm.exe
2⤵
- Executes dropped EXE
PID:2836

C:\Windows\System\wHPATcA.exe
C:\Windows\System\wHPATcA.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\System\VWYMcdX.exe
C:\Windows\System\VWYMcdX.exe
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\System\XBlnUHy.exe
C:\Windows\System\XBlnUHy.exe
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\System\JfwNyJM.exe
C:\Windows\System\JfwNyJM.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System\ifgbWcd.exe
C:\Windows\System\ifgbWcd.exe
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\System\RtqHxll.exe
C:\Windows\System\RtqHxll.exe
2⤵
- Executes dropped EXE
PID:2920

C:\Windows\System\sKyfPSp.exe
C:\Windows\System\sKyfPSp.exe
2⤵
- Executes dropped EXE
PID:500

C:\Windows\System\RIOFTqv.exe
C:\Windows\System\RIOFTqv.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\ODDwZpb.exe
C:\Windows\System\ODDwZpb.exe
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\System\JaFTsvt.exe
C:\Windows\System\JaFTsvt.exe
2⤵
- Executes dropped EXE
PID:1744

C:\Windows\System\SKTtlAV.exe
C:\Windows\System\SKTtlAV.exe
2⤵
- Executes dropped EXE
PID:764

C:\Windows\System\qMemRFO.exe
C:\Windows\System\qMemRFO.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\System\ucOhBqU.exe
C:\Windows\System\ucOhBqU.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\System\LzWpdIv.exe
C:\Windows\System\LzWpdIv.exe
2⤵
- Executes dropped EXE
PID:600

C:\Windows\System\XVwFTwF.exe
C:\Windows\System\XVwFTwF.exe
2⤵
- Executes dropped EXE
PID:2204

C:\Windows\System\PxupwtV.exe
C:\Windows\System\PxupwtV.exe
2⤵
- Executes dropped EXE
PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CNWzrob.exe
Filesize
5.9MB

MD5
03d6cb8ea680fc8786f3fdc3b56c67b5

SHA1
4f9ff30fc3c9b928caafbfce07fb608f0e90466e

SHA256
9028cdad6a9e120064a720cb324d72767e820907d13b8f9bc9fff6198433a82a

SHA512
dd056d544c4910aa82570c75b51582c36919541d24ebfe3c31b0421fd0d626164431026d34b2584c2aeaf873df030f30ba720904ebdddee3124deb64d7fbcace

Download Submit
C:\Windows\system\JaFTsvt.exe
Filesize
5.9MB

MD5
3c4ab555ef6df3cea6a11abd813684ef

SHA1
882093919bfaacbce60a90d7dc2a61c869c356be

SHA256
d3ff2dfa2219dd0dd01d7ff0e90613ad0faf359d5c5e4e08610da346582231eb

SHA512
18bad97580cbef990045ca0c45f5e83c78ce9dac5c24335147801552cb6a2810872cd9a1539b3e44be0412352a5d229747b4a6f3d6a87f9fc539f0e378fef045

Download Submit
C:\Windows\system\JfwNyJM.exe
Filesize
5.9MB

MD5
c4fe9f52a687102476b2a963fd192025

SHA1
06b0a1e2cbc9160d2a1aa27d204fe938242312b0

SHA256
f72ad486a7df474751ee2aa00abd2de826829e11437daff0f4aeff7334cb3c20

SHA512
ea493b370c923b46fcf6b65394cab329008786775e559c3e1846b961d495694a5e7984fc4b226d5b16ea6f8aca0a82a42e2974583f67f3caa1db9ad51064257a

Download Submit
C:\Windows\system\LzWpdIv.exe
Filesize
5.9MB

MD5
5acae8af6a3452edb94065b8ac11e3e0

SHA1
f8c54344ea76ab21a4f7842cbb34b2eba45ea5c4

SHA256
35930e1be6d4f84818d9471e0d23c5f3f918a272de2807544c0a256b9fb1ae57

SHA512
6cfec00b0fdc332868414eb0b0e4efb94606426dd83b70d8a05f47914c366f4897d6f078835710ab1212f7a135cfbca3c01bf9acfe4426882e31bb03f6baaa5d

Download Submit
C:\Windows\system\ODDwZpb.exe
Filesize
5.9MB

MD5
1f1f86c6c6fda4811e4794c4b65ae966

SHA1
718e5b05b32bf51f4403c60ba68b793e83242f05

SHA256
9b982c3ce6111b189fd53b9a74739d582c7f35747a7bed1221f53cb228e964d3

SHA512
6eb5654537049288e6c7e11212ec1d0a96ee91d509fc4a599e22fbc4b6b52cd22f26d243716203b9ae8dd0b653a853c444287bf227cc279492500468c64a8348

Download Submit
C:\Windows\system\PxupwtV.exe
Filesize
5.9MB

MD5
68f1ecf87f69d359f653155bd7bab7e9

SHA1
c231805153da8172310d816e6acef81845c25cc6

SHA256
40445a3c725189adb2196f4927aa157fb92828110923f4e24533c6596c437893

SHA512
12c9ecc3b2b162bca515ddb3acdbc521cad7b8ba5e853dbcdc491007aed5d4418d35e5be0d3fbf2bd472564a4538c2c8df87ced0426270931a3a1b82961959aa

Download Submit
C:\Windows\system\RIOFTqv.exe
Filesize
5.9MB

MD5
d577a8f98e545918e5bf490516c38571

SHA1
2a5b35e389785cb60f5c472ee5863da0ab53b77c

SHA256
eabb99e7ca52599910a1a256acd8018956cff6c1dfe99a0b31b66f56dba6d18e

SHA512
7ac385806c25a0af04315c2f5a9a0c2c0811b58422a46237a6d90daffd0ca1ad75b5746ef256a9f9b10b01e1ac4b98d8d6ffa9e2fe12a85ce09a7033339c5378

Download Submit
C:\Windows\system\RtqHxll.exe
Filesize
5.9MB

MD5
bac106e44630a8ae0cb89a928d62399e

SHA1
c146dfec45d4f4220713ce3ac515a8330943d5a8

SHA256
a01ebcbd66d844a2dd3d01802595c15880b894ecd26a172148cadcf23e72f501

SHA512
f4b70b55fd6edd862be4cd2e6a5d8cde86643f4fa03f52605aec07b3cff47c0848b49297e60d4bdb4672b75731073e40f7e6e302a1e1aba871c45d82337c58a7

Download Submit
C:\Windows\system\SKTtlAV.exe
Filesize
5.9MB

MD5
dea0e01b021b5667b6549bec32bd2cb8

SHA1
9d4c3e1b50abbaf9e5aeaa80a92630db2c6d8c2f

SHA256
004d5bb145be0d1dd90f38413e4ffc22cb6678248087204c79432e386207a9cc

SHA512
6583b68193cb0193081ddd886834835d8bed160e86584a5891af12d6dc088f9aa0a9260b21af60a331924509e69237766b5979541ac899773f5af54f06fde325

Download Submit
C:\Windows\system\VWYMcdX.exe
Filesize
5.9MB

MD5
42c0886b147454d537fd5970397d403b

SHA1
100fb1010bcc0f615e12cbd128f4d1ca9994d655

SHA256
135642eaaad3842259a15ce959db3665578203b60d8395bacaebb3d6d29527d8

SHA512
6e94faf7def12ef6dea54fc7b3f701d52ec909a7f6d69614eb892bb57161b98008bbef66789085b37ef0cada4bdbf4c4e5e161e6d964662cf2f1cebdf7dc0c88

Download Submit
C:\Windows\system\XBlnUHy.exe
Filesize
5.9MB

MD5
b75fb5f828c9531fe007510e748b7742

SHA1
18dbe18adbfd55afb49a7b5eef906d19789b6a57

SHA256
d2278c20259d5676fc858dbf55666051ede2f624e2fd4cf100ca64619459ff92

SHA512
a1a9de78058669d8014017bc874f2802568eaa474b7b9041d31fca15acb24ae47e55805f0b909b20294e4e805865b93d952787b2338fb5cec1a952f30cb73be5

Download Submit
C:\Windows\system\XVwFTwF.exe
Filesize
5.9MB

MD5
028ee117a567cb051e3c7b790f68db13

SHA1
f35fbbfcf8a78c28d150af237be371a45b8fd3e7

SHA256
ce4079e62fa572f8e5902511722da8d14348996dd766955064f4d3228e9ae647

SHA512
bfa36d8b0b1495fd88e87a2e1dfb74d6efd6a9f1ed97d1c0b9ef58b477b2b72960d36eb47edf2c2c6779d2837fb9c3dac25ea19d8ef8da59d4d11fcef54056b9

Download Submit
C:\Windows\system\XvoKymr.exe
Filesize
5.9MB

MD5
602feb8164872fda747c33d430c23f13

SHA1
1ff73af6672fb869f58983667acf280e5c01643c

SHA256
8f997654b1a6ca8810c2b80d0dd5b5877919bcda98a78595e4a14d6a6980c66e

SHA512
b134f4c2962433028558d12426cfe6539f56bfc1d6ee913cab48ec6d98a45443338b62beceff367a7e1fb76ff1103056f5ac4afcdb0e90524382540be214a4de

Download Submit
C:\Windows\system\cvRnjAV.exe
Filesize
5.9MB

MD5
83232cccf15d5124d6a48ee250fad2bf

SHA1
02630e47fbd75573b3fc9acd99106b187821b054

SHA256
f953287ce09fa90eb065313c708b9fa24587bafa67819cc7fdb5d5f5f9931dd5

SHA512
2828bd24298a3f70854a4f4b1be6793b2b7250f95726e4e32d979f2b60b80bf9e079813c86a576c2664bf1dcc29c2240701b68091d0a14b97e466799314d8749

Download Submit
C:\Windows\system\ifgbWcd.exe
Filesize
5.9MB

MD5
7b3742cca3522b73735a0b0bad3f61b7

SHA1
0315fd554a30e3338a60125d44dbbbb5adfa17c4

SHA256
48a70a9870fab4add583c600ebcd5da913a76e94299465a716222ee4d5a9f856

SHA512
a56dbef520686596b1894688f1bd2d4019d84e07c5e6cca4aa3e99c3be18d590419e2b0c3c981dbcd0f5314eab6abd44a4bbfa7108399cd38cce9ad48c7144e0

Download Submit
C:\Windows\system\jvyitwm.exe
Filesize
5.9MB

MD5
7c4acb9ddeb2996fc44472249f09393c

SHA1
78f9d5c3e152a196352913df283797ab615237be

SHA256
0c590af1a68089114e438b6623c7e2a1487a05c7103bd167ebb6b713db2f5856

SHA512
632844f3030a14a6fdb1c8deee2e9dddce4311465a8ed843a46ce8d71614ea3e2bffc62972db5d769730177bb39bc33b697ed5f42bebc622a6549850dccf506b

Download Submit
C:\Windows\system\qMemRFO.exe
Filesize
5.9MB

MD5
28b27082e9f8458715d8ab6291627c60

SHA1
c30c7a348208ffa4d3b2c87c9f228eeece2007f8

SHA256
584c3c43350c6163d6a6e4659c79301119eb38a1924ac266e646aa38a35d001c

SHA512
26e1403979f52de14670687a8668c1eae74ccba606ec378dc02845f3f344be850efc8305a4dff7e25d6a7f9eeaa0cb9126a0936ea3f0c4d9c6c394841bfba705

Download Submit
C:\Windows\system\sKyfPSp.exe
Filesize
5.9MB

MD5
17f40aec255fad2a1b22a2827d86538a

SHA1
a30d30aa9e3b26093585ad55b5a3e7ad7773c25c

SHA256
9c79eae1fb5384dae0afa9b94e688192559d4e55be6d2c25801acc671f2d58b5

SHA512
e46467a4cd5fb92a153e32186a01d7e73cc14be5404f0a260c8936eaa845991d74e909b1a6187b85cfd400dea3c25e7adc9b4b6e9cfa326b5579a6bb2921950c

Download Submit
C:\Windows\system\ucOhBqU.exe
Filesize
5.9MB

MD5
77e343eab688e0104b5bc974c7c6fdf3

SHA1
b33f2e38c6a9bfcd7c8ee0c1d89a68385368c57b

SHA256
758b8a703004d84ec1be044344a555961e5d40f84cb51d58d97fd8d4f1aaef0d

SHA512
cabcca5f38056552b3219854c4c0e66c65fdcc8de3a2a5ce093f578847a228f91eff5f72ee6c6e31890689df9defa4ee1738a1e822052a1d2545d35587ecb298

Download Submit
C:\Windows\system\wHPATcA.exe
Filesize
5.9MB

MD5
7e082520a846f9b807a62b68bd7cec6d

SHA1
0242669ce7cceea59ce1e5c554e761d06b214c95

SHA256
18fca08770d4febbe563a8abd2f4660210b0ad90c38a0af833679e97caf14263

SHA512
2bc06555c2729ee80a8e91bdd94423880f448054c21a01946aabffde791da5efa1297cf50f19fd81065bc22ca3673dd121a3e5bebdc252889abd6781f1b33e78

Download Submit
\Windows\system\kLMNJqX.exe
Filesize
5.9MB

MD5
686f673fb71b5bc07bdd185ca85966cc

SHA1
f26d7f026d4840eab25435809cbbee2c8d9b89f5

SHA256
fb2095865f210a721e8baf4cc4027478042281cfbe8e1bc16912c330bb1a5980

SHA512
2ea2af6989a131ba1e412bbd673364538c2728a907819894c25977c42c7b283bf84d35d5a6ef5460968deabd184ef6efe73ed6ede6cd467e05bb32dc0fa5a23d

Download Submit
memory/500-87-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/500-154-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/1068-9-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1068-143-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-14-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/1096-8-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-116-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1096-93-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-98-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/1096-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1096-86-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-142-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1096-141-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/1096-78-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-140-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-139-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-0-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-22-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-64-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-33-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-28-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-57-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-40-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-50-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-102-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/1988-156-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2464-152-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2464-71-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2488-65-0x000000013F440000-0x000000013F794000-memory.dmp

Filesize
3.3MB

Download
memory/2488-151-0x000000013F440000-0x000000013F794000-memory.dmp

Filesize
3.3MB

Download
memory/2632-30-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-146-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-85-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-41-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-114-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-147-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-155-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-94-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-51-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-149-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2816-15-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2816-144-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2816-77-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2836-148-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-101-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-36-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-79-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-153-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-150-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-58-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/3048-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/3048-23-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download