Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
- submitted: 01-06-2024 00:32

Behavioral task: behavioral1
- Sample: 2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240419-en
General
- Target: 2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe
- Size: 6.0MB
- MD5: 2813aa71cdf8402a6ee5bf5f96c4bc60
- SHA1: bc884edd93b5d355abc015a743233d2f10657419
- SHA256: cca4bfa4f0a43fda6b2362704760d62e9bbc9c7fa60d66dd73b29f70f450d1ce
- SHA512: 833dcd48ecad8d6b3b2ba13b5c6c4e8401142ebd158864d31222542bdf1aab4e10dc4f4341717e56d4f31637cd70f766124389490a14e1cbeb0e204496c8d246
- SSDEEP: 98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUJ:T+856utgpPF8u/7J
Malware Config
Extracted: cobaltstrike
0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs): Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Detects Reflective DLL injection artifacts (21 IoCs)
- UPX dump on OEP (original entry point) (63 IoCs)
- XMRig Miner payload (64 IoCs)
- Executes dropped EXE (21 IoCs)
- Loads dropped DLL (21 IoCs)
- Drops file in Windows directory (21 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeLockMemoryPrivilege, PID 2068, 2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe
  - Token: SeLockMemoryPrivilege, PID 2068, 2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
  C:\Windows\System\FkmAxEk.exe
  Command line: C:\Windows\System\FkmAxEk.exe
  - Executes dropped EXE
  PID:1664
  C:\Windows\System\nAOEtln.exe
  Command line: C:\Windows\System\nAOEtln.exe
  - Executes dropped EXE
  PID:2780
  C:\Windows\System\QYYkaEF.exe
  Command line: C:\Windows\System\QYYkaEF.exe
  - Executes dropped EXE
  PID:2916
  C:\Windows\System\MbRxepY.exe
  Command line: C:\Windows\System\MbRxepY.exe
  - Executes dropped EXE
  PID:2452
  C:\Windows\System\uYSzhNe.exe
  Command line: C:\Windows\System\uYSzhNe.exe
  - Executes dropped EXE
  PID:2928
  C:\Windows\System\TrUyFMZ.exe
  Command line: C:\Windows\System\TrUyFMZ.exe
  - Executes dropped EXE
  PID:2668
  C:\Windows\System\mmKVVfK.exe
  Command line: C:\Windows\System\mmKVVfK.exe
  - Executes dropped EXE
  PID:2528
  C:\Windows\System\vFQCpAl.exe
  Command line: C:\Windows\System\vFQCpAl.exe
  - Executes dropped EXE
  PID:2776
  C:\Windows\System\sJmqyGe.exe
  Command line: C:\Windows\System\sJmqyGe.exe
  - Executes dropped EXE
  PID:2836
  C:\Windows\System\uoRnUIg.exe
  Command line: C:\Windows\System\uoRnUIg.exe
  - Executes dropped EXE
  PID:2656
  C:\Windows\System\CBzqmLd.exe
  Command line: C:\Windows\System\CBzqmLd.exe
  - Executes dropped EXE
  PID:3004
  C:\Windows\System\svglGRI.exe
  Command line: C:\Windows\System\svglGRI.exe
  - Executes dropped EXE
  PID:2420
  C:\Windows\System\hTljCJw.exe
  Command line: C:\Windows\System\hTljCJw.exe
  - Executes dropped EXE
  PID:2940
  C:\Windows\System\HyYlTuI.exe
  Command line: C:\Windows\System\HyYlTuI.exe
  - Executes dropped EXE
  PID:1052
  C:\Windows\System\JeGQDzF.exe
  Command line: C:\Windows\System\JeGQDzF.exe
  - Executes dropped EXE
  PID:2208
  C:\Windows\System\SbWbmsY.exe
  Command line: C:\Windows\System\SbWbmsY.exe
  - Executes dropped EXE
  PID:1980
  C:\Windows\System\VyPpxEc.exe
  Command line: C:\Windows\System\VyPpxEc.exe
  - Executes dropped EXE
  PID:1388
  C:\Windows\System\gxnLWxf.exe
  Command line: C:\Windows\System\gxnLWxf.exe
  - Executes dropped EXE
  PID:1608
  C:\Windows\System\PaJSGVF.exe
  Command line: C:\Windows\System\PaJSGVF.exe
  - Executes dropped EXE
  PID:2004
  C:\Windows\System\BEjTuwT.exe
  Command line: C:\Windows\System\BEjTuwT.exe
  - Executes dropped EXE
  PID:1184
  C:\Windows\System\UefhLkZ.exe
  Command line: C:\Windows\System\UefhLkZ.exe
  - Executes dropped EXE
  PID:1976
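The process tree and the WriteProcessMemory table above describe the same behaviour from two angles: PID 2068 drops seven-letter-named executables into C:\Windows\System (not System32), launches each one, and then writes into the child's memory three times. When triaging a report like this it helps to join the two views by PID, so that every child is marked as a dropped EXE, as oddly located, and as an injection target. The script below is an added example written for this page, not part of the sandbox output or of any sandbox tool; its input is constructed from the report's own lines (the tree as the sandbox renders it when flattened to text, with image path, command line and depth digit run together on one line, and the WriteProcessMemory events in the report's wording). The excerpt keeps only four of the 21 children, and only the ten write targets that appear in this section, so FkmAxEk.exe (PID 1664) correctly shows zero visible writes even though it is a dropped EXE. The parser, the correlation logic, and the "seven letters under C:\Windows\System" name heuristic are this example's own assumptions, drawn from the names on this page rather than from any sandbox feature.

```python
"""Correlate a sandbox process tree with its WriteProcessMemory events.
Added example for this report; the input is constructed from the report's
visible lines, and the parser and heuristics are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = "2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"

# Constructed from the report: each target is written three times by PID 2068,
# in the report's own wording. Only the ten targets visible above are included.
WPM_EVENTS = "\n".join(
    f"PID 2068 wrote to memory of {dst} 2068 {SAMPLE} {row}"
    for dst, row in [(2420, 40), (2940, 41), (1052, 42), (2208, 43), (1980, 44),
                     (1388, 45), (1608, 46), (2004, 47), (1184, 48), (1976, 49)]
    for _ in range(3)
)

# Constructed excerpt of the process tree in the report's flattened layout:
# "<image path><command line><depth>⤵", "- <signature>" lines, then "PID:<n>".
PROCESS_TREE = rf'''C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
-
C:\Windows\System\FkmAxEk.exeC:\Windows\System\FkmAxEk.exe2⤵
- Executes dropped EXE
PID:1664
-
C:\Windows\System\svglGRI.exeC:\Windows\System\svglGRI.exe2⤵
- Executes dropped EXE
PID:2420
-
C:\Windows\System\hTljCJw.exeC:\Windows\System\hTljCJw.exe2⤵
- Executes dropped EXE
PID:2940
-
C:\Windows\System\UefhLkZ.exeC:\Windows\System\UefhLkZ.exe2⤵
- Executes dropped EXE
PID:1976
'''

HEADER_RE = re.compile(r"^(?P<path>.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) ")
# Heuristic (this example's assumption): seven-letter random names dropped into
# C:\Windows\System, the pattern every child in this report follows.
DROPPED_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.I)


@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int
    pid: int = 0
    parent: Optional["Proc"] = None
    tags: list = field(default_factory=list)


def parse_tree(text):
    """Rebuild parent/child links from the depth digit on each header line."""
    procs, stack = [], []  # stack[i] is the most recent process at depth i+1
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            p = Proc(m["path"], m["cmd"], int(m["depth"]))
            stack = stack[: p.depth - 1]
            p.parent = stack[-1] if stack else None
            stack.append(p)
            procs.append(p)
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:])
        elif line.startswith("- ") and procs:
            procs[-1].tags.append(line[2:])
    return procs


def parse_wpm(text):
    """Map source PID -> {target PID: number of WriteProcessMemory events}."""
    writes = {}
    for line in text.splitlines():
        m = WPM_RE.match(line)
        if m:
            per_src = writes.setdefault(int(m["src"]), {})
            per_src[int(m["dst"])] = per_src.get(int(m["dst"]), 0) + 1
    return writes


def correlate(tree_text, wpm_text):
    """One finding per child: dropped EXE? oddly placed? written into by its parent?"""
    writes = parse_wpm(wpm_text)
    findings = []
    for p in parse_tree(tree_text):
        if p.parent is None:
            continue
        findings.append({
            "pid": p.pid,
            "path": p.path,
            "dropped_exe": "Executes dropped EXE" in p.tags,
            "odd_location": bool(DROPPED_NAME_RE.match(p.path)),
            "writes_from_parent": writes.get(p.parent.pid, {}).get(p.pid, 0),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_TREE, WPM_EVENTS):
        print(f"PID {f['pid']:<5} {f['path']:<32} dropped={f['dropped_exe']} "
              f"odd_location={f['odd_location']} writes_from_parent={f['writes_from_parent']}")
```

On the excerpt this yields four findings, all flagged as dropped and oddly located, with three parent writes for svglGRI.exe, hTljCJw.exe and UefhLkZ.exe and none visible for FkmAxEk.exe. Run against the full report, every one of the 21 children should come out the same way, which is the point of joining the two tables: a child that is a dropped EXE but never receives a write, or a write target that is not in the tree, would be the anomaly worth a second look.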
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
6.0MB
MD5
9bb976c5e11ce23370a83c19dd3621d4
SHA1
09e090b82989cfeb19c80e27df2fe7202830227b
SHA256
83dcde576e01acd8b5ab5fb84678a5f54ff3c4dc161101bea00bafdc53fb8ef2
SHA512
2a487339bd0246d68d21f473610380947de70b181d82e137cc2ca7aef25ee1e0aa6ea7e3b7bed3285e713dfdaf57733eb61f02cad3b6cc6dd77faada176ea961
-
Filesize
6.0MB
MD5
a933b963295c79358766d57ad5ac6034
SHA1
4f838409cc78082438f39f09dab926fd7fcb3fe9
SHA256
60bdb1f264890f38a92ea7f09b8ac11764924bb5794072db2b6a74f2c7d38c62
SHA512
9d415b76325b270b226e1fa0db12428922daf69d3db5a891a6582973f105cab9cccd234d15e5888686d2143f19355519de76b7a7da16e5b13ccf510aa08b4175
-
Filesize
6.0MB
MD5
4d4a55d4c5a67e31948746f611235129
SHA1
519177a2bcca1df365f306d87b155aa92b92dfa0
SHA256
01194ef15d03543b103dd042c260fb5f4fd6638c46ea2a14570b2c354bf3781b
SHA512
88366d6ebdf2fe1ad959cbd513d714ea8ae8bb5546c0cf11df62ad4d3a0c6511d6779ef2e4031c1cfd174f0c4fdac4f56f3c386014d06de402f39cdaf0558e20
-
Filesize
6.0MB
MD5
42c44e7d9f98eb898828396688adb76e
SHA1
a195c6ce85fc700d881c0eaf8ebf0273fd421129
SHA256
dc940099b270941a29b5181a7e9ba7819e2f5046df985add3261b0a61569051b
SHA512
49ec42c13e3a5a7f9c6e21cf37603a263b19cad849269bf4adf52c042c3c55e0a4a04ef11f3f979a9ec7d5f77e317a3f12ceaf894867b4fff5d5aeb9b1efa3ec
-
Filesize
6.0MB
MD5
4d92dd77d7b93a26aff1db9dc0ce6fc1
SHA1
f5876b93651d3fb1cb1da81861402fb61bdcd215
SHA256
cd65824bdb9df17d47ceebb672c95510ca254658172cff393fb2eb85b46a04de
SHA512
a89b9ed588e2524be10258a0463d1e317cb26fb847fee7a723df93ae6990de4f689cc18dcfe692b8cb6569def30c2e26fc24a7f5709ac81435f1c1307cd04cfa
-
Filesize
6.0MB
MD5
7a985fb91afcb086bc82c5e42b273d88
SHA1
217cff9360aea03e8188cc93dbe0487b4dff1c3a
SHA256
9d7355a7bd58dd8958e061d2306eaa9daa4777405fc801a120e4e23e8c676e09
SHA512
ac667426476b1d69efd8b4109ff5bc5d63ba1d17788d5546fcc6b800f3e7db4173d4995bee715771af19a91af2538d2f159f9704aaada3ecb67d107f9b6d5208
-
Filesize
6.0MB
MD5
b971d7a0d33d39f947e9eea7f72f59b6
SHA1
37b813cfe76bcfb02b460d5541b755da1039f181
SHA256
63920a860cb2a2b81a7e5964133323c7343ff428802f974de937afc54d39d363
SHA512
834fd22707f0c8f91b7b38dd22909e99f58065bad3214f8ead12b564d8427d18334677e98bbac4458404263105310ae6ed9e4b926751486adfd02dfb42ed82a2
-
Filesize
6.0MB
MD5
13381a96e5a5b9c7ab0406bca980cdcd
SHA1
482ebb11c01b6626bbb37d74e0a7c55101cdb816
SHA256
636c79f86fff413525e030478212443ae4209a463524564f655ea66404ba7b20
SHA512
e1a80e385dd3af6dabac10a42ad8d0a281ae7b08ce6b111dab4c7b179dc4b06dfc1117a603a1d525d234b6f5b779c33ae560511b5e0396034dcaac716f32687b
-
Filesize
6.0MB
MD5
026145a1e02d70adc5c3037c82206d84
SHA1
72af845368177641507cdad91bb4de2a6281d66b
SHA256
008fca83f42787bd8cba30930bc98d78f84602dc3a3db16732ce1c38c1a94933
SHA512
6fe299a55f239cfb0c7727bbc59c2fa86f6752a9c05f1fc1e546aa6457bdf824642b9386879244c5538a07a9a0dabd30f222349bc1adc882f1c6e5ed8df02033
-
Filesize
6.0MB
MD5
48c2b12e1fb7f27e17e16d8d14b3e71f
SHA1
3081e20a33c35064ba4ec45104686fdcf79b92e2
SHA256
43fb81a57099ddf3c046b892896fdbc60e463d03d94e3441969f8841c8ecc31c
SHA512
0958fab851b541a05f98c97c98c3586fc71b6ea510c856af56124b9a2bf742b575f19b04beeb4d8e5c92d2b1d86ac6d054ee23f60888c80a5b0062ead3d3bd72
-
Filesize
6.0MB
MD5
03a41ce0ad6b16aea26aade8ae2100d3
SHA1
7fc9032a13710592b1b9e60efbbf3842a335a25a
SHA256
c5ffe0baf99f13e6d4bc40e500afdcf74ce506d0650f59472879a7372a451c84
SHA512
d197d7a0b07d15b2e76b5a41042cc456be5eb551830005b24291055d43c8dc6c0c1eecb426c78b70f1b74964755ef11b14332e9b9d4256761bf971850ca10274
-
Filesize
6.0MB
MD5
d87f9f56a8a7acd109668aeceb10197a
SHA1
d02cac39e8fe0b85a97ca4d9a6221381cbd98bc8
SHA256
df63815eb86c09e36a58e83851014c4cb06ecb4bc00bc8211b6a5ed678e4249b
SHA512
5fa52d382ecb36aecfcb2b7147a0e7e5a9c1169bf72b1319ff5951f249f1ec3d93da481b54193baaa26c35c9e1cc2478c4ac01702a3306d5fbe7f3d455522a04
-
Filesize
6.0MB
MD5
e58f4bbe6e35c515c399cbc2762f8d64
SHA1
6ab8c0fc0564847bf7a6216be3b047f4586dd554
SHA256
04f88c0a032db0d7dabbee95bb7de8fc03edb5dc247e87f8c1feb5b1eea8f5e3
SHA512
d9950590a3f7875639865eb20b125abf5186c408f0e95feda5616a32ccab8b28a86ca801544302e6bb095721eea86961a91644294f8c5de9fd9cc3fc0093195b
-
Filesize
6.0MB
MD5
d6b920a896c8e68105e436db589a081a
SHA1
4a617256a85ef98bb6d219fac1e21d109657f354
SHA256
e8f648e5c0ac7768050db1704f7da44d7f9c3f2f3bb3ee13e4f79f80cf922f89
SHA512
aebfc47c80db9c7975bd692d01dbc2d27994cc55736006b72fd245f99ef986c02f3ee0662ea13cbdcb63e253dfc8748f07bf1259617d9233707c29b477e4b89c
-
Filesize
6.0MB
MD5
eb1a3e8b66d8c37bfcc47aa86ee3f62e
SHA1
79f2cc6c21ebe7eac33627f7d92c1070bbc88a50
SHA256
53966012b3269d4ccfd2e787da5d01a424a4730d094483828561cd2f98b41d06
SHA512
744a295fba7dc234a4bc58bcc21398caed645548d038fc5e2cfdd08a0cf205680fc2187dc1a3272e1e12debea93d7221de2db04e9e599114ba1eb3ab7afd2557
-
Filesize
6.0MB
MD5
2fa3fb4c1fc35c70b917e4c935ae08fb
SHA1
b42b6dadf98b0a9f22c3a8da10fcb0ddc1940a8f
SHA256
e3433dfb9bbc873ecb4fa9e9d0af814888a889a2b36b8031a9a1efe4e0cbd9ab
SHA512
e3fd48448ac35fcb5ea5e14cca489d1f8a45b52f4b8d67d08061c2e40891173ad401d5671b071bc189b709673a1f29dc8c3413061e4103fe713738dafceb9a56
-
Filesize
6.0MB
MD5
107a542680a3cac679459f9c76d3bd32
SHA1
f995be0a376cded62343a481c8316b3d8ef8a40a
SHA256
f2e02d332fccdb846c3cf1fb3815a26b82fb637805b0d7805fef4e8546eb9e7a
SHA512
ec8a4e45fa00f4f1290bab361632cdc6b8dfe9d87d87f3cb4c5ce955990ee99379d5d6f5b71a65e21d5c88babaf8882b08c05c69e05fa0c5fc5897bb957edc6a
-
Filesize
6.0MB
MD5
24236efda85f76b9955e8311c627aa99
SHA1
ba54e1daafc761a6815361c514e891e0fff3b4df
SHA256
0afcb9ce81096a23f5262506e12d34ca7dbd0bba9e3792769ddf12ce1d0a315f
SHA512
28657e0633cebb82e6e1a2c00f45efad1fb9e945c23c0f7c77d7c3633ae5f294f1bb40abc59a99dcfe0630f5f29765bb183838924eea3b42199f9597dad478b7
-
Filesize
6.0MB
MD5
f33b4dddfe72b1eb6825eadcbcb3f746
SHA1
5fa7f4edfa48ec6367f078546cd250a00ed9d887
SHA256
11528cbb4c1d8ed1931421bfc4848b8d268ea5b455721936510e0d726153fdf7
SHA512
0c1d8a63a5de62969fa1d810b0f221ba75f6f3f77c6aac0410a61773833e5b58cca56263d70106915f81abb39cc4921cefc79cfb1dea6e84b42190b58ca0b39e
-
Filesize
6.0MB
MD5
4b01037ecb53788672ac5aca7e009191
SHA1
9ef2d12264c092ef12059a5b54a225c33ef53617
SHA256
7c6cb53e802603841a064c8340d12a5b63d4af482116c0fc8fb8d5a7aa0be18e
SHA512
07d1efa478f9b4e6a09f8fbb5d425cfcea2ad0c1fc2902931cbf36e50e517f91fc8dec90dff443ff99ce95a4b066a85a921a0157bbd080bb4963b3361c95e605
-
Filesize
6.0MB
MD5
3a4af91ef29297f29bf1409fd348a66a
SHA1
feca1fffe27114b34ee0bfefa19343875833b303
SHA256
0a7888f7453e62735bafcc9375adf12f78be97f87d908d2c59f1af87fec34585
SHA512
523a5188030731f7efa5e801a4c6f2980ca65bcbf7bd3a1533914c96a5d1f3f9ae9eea846cdd32703349753dd7c413520f76793b77b8990d4d9a52cf8ee9318e