Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2024 02:26
Behavioral task: behavioral1
- Sample: 2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240508-en
General
- Target: 2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: cdf4eb4c7418aa955eb8f81536e6f200
- SHA1: adcd409b2148e017aab8a863489c3191ac198c86
- SHA256: a211816f3d87545a1962f50902bfb93e03a82a7f88b8c203babd645d5cee23dd
- SHA512: 765b3ef794a761b7f076196931b3f35d029e7fbe4567c9f48f062dfcc5b8a7866c48793ba14adbe705b49714fc2a847ee432b11a778d1e9c597988b51beaf54f
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:Q+856utgpPF8u/7n
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource / yara_rule:
- behavioral1/files/0x000700000001211d-3.dat  cobalt_reflective_dll
- behavioral1/files/0x00330000000134e6-9.dat  cobalt_reflective_dll
- behavioral1/files/0x0009000000013a62-13.dat  cobalt_reflective_dll
- behavioral1/files/0x0009000000013a76-24.dat  cobalt_reflective_dll
- behavioral1/files/0x0008000000013af3-32.dat  cobalt_reflective_dll
- behavioral1/files/0x0008000000013aa8-41.dat  cobalt_reflective_dll
- behavioral1/files/0x0032000000013726-56.dat  cobalt_reflective_dll
- behavioral1/files/0x0006000000014b18-86.dat  cobalt_reflective_dll
- behavioral1/files/0x0006000000014b70-100.dat  cobalt_reflective_dll
- behavioral1/files/0x00060000000153fd-123.dat  cobalt_reflective_dll
- behavioral1/files/0x0006000000015679-136.dat  cobalt_reflective_dll
- behavioral1/files/0x000600000001542b-128.dat  cobalt_reflective_dll
- behavioral1/files/0x000600000001562c-133.dat  cobalt_reflective_dll
- behavioral1/files/0x000600000001538e-119.dat  cobalt_reflective_dll
- behavioral1/files/0x0006000000014ca5-109.dat  cobalt_reflective_dll
- behavioral1/files/0x0006000000015038-112.dat  cobalt_reflective_dll
- behavioral1/files/0x0006000000014b3f-94.dat  cobalt_reflective_dll
- behavioral1/files/0x00060000000149d0-78.dat  cobalt_reflective_dll
- behavioral1/files/0x00070000000141a1-64.dat  cobalt_reflective_dll
- behavioral1/files/0x00080000000141c5-70.dat  cobalt_reflective_dll
- behavioral1/files/0x0007000000014198-49.dat  cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Detects Reflective DLL injection artifacts (21 IoCs)
resource / yara_rule:
- behavioral1/files/0x000700000001211d-3.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x00330000000134e6-9.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0009000000013a62-13.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0009000000013a76-24.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0008000000013af3-32.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0008000000013aa8-41.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0032000000013726-56.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0006000000014b18-86.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0006000000014b70-100.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x00060000000153fd-123.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0006000000015679-136.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x000600000001542b-128.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x000600000001562c-133.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x000600000001538e-119.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0006000000014ca5-109.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0006000000015038-112.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0006000000014b3f-94.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x00060000000149d0-78.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x00070000000141a1-64.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x00080000000141c5-70.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
- behavioral1/files/0x0007000000014198-49.dat  INDICATOR_SUSPICIOUS_ReflectiveLoader
UPX dump on OEP (original entry point) (64 IoCs)
resource / yara_rule:
- behavioral1/memory/1036-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp  UPX
- behavioral1/files/0x000700000001211d-3.dat  UPX
- behavioral1/memory/2860-8-0x000000013FDF0000-0x0000000140144000-memory.dmp  UPX
- behavioral1/files/0x00330000000134e6-9.dat  UPX
- behavioral1/memory/1036-11-0x000000013F8F0000-0x000000013FC44000-memory.dmp  UPX
- behavioral1/files/0x0009000000013a62-13.dat  UPX
- behavioral1/files/0x0009000000013a76-24.dat  UPX
- behavioral1/files/0x0008000000013af3-32.dat  UPX
- behavioral1/memory/1036-39-0x000000013F1A0000-0x000000013F4F4000-memory.dmp  UPX
- behavioral1/files/0x0008000000013aa8-41.dat  UPX
- behavioral1/memory/2680-40-0x000000013FCB0000-0x0000000140004000-memory.dmp  UPX
- behavioral1/memory/2576-20-0x000000013F550000-0x000000013F8A4000-memory.dmp  UPX
- behavioral1/files/0x0032000000013726-56.dat  UPX
- behavioral1/memory/1664-74-0x000000013F5D0000-0x000000013F924000-memory.dmp  UPX
- behavioral1/files/0x0006000000014b18-86.dat  UPX
- behavioral1/memory/620-88-0x000000013F6F0000-0x000000013FA44000-memory.dmp  UPX
- behavioral1/files/0x0006000000014b70-100.dat  UPX
- behavioral1/memory/1780-101-0x000000013FD80000-0x00000001400D4000-memory.dmp  UPX
- behavioral1/files/0x00060000000153fd-123.dat  UPX
- behavioral1/files/0x0006000000015679-136.dat  UPX
- behavioral1/files/0x000600000001542b-128.dat  UPX
- behavioral1/files/0x000600000001562c-133.dat  UPX
- behavioral1/files/0x000600000001538e-119.dat  UPX
- behavioral1/files/0x0006000000014ca5-109.dat  UPX
- behavioral1/memory/2556-107-0x000000013F0F0000-0x000000013F444000-memory.dmp  UPX
- behavioral1/memory/2872-140-0x000000013FAD0000-0x000000013FE24000-memory.dmp  UPX
- behavioral1/files/0x0006000000015038-112.dat  UPX
- behavioral1/memory/2420-96-0x000000013F690000-0x000000013F9E4000-memory.dmp  UPX
- behavioral1/files/0x0006000000014b3f-94.dat  UPX
- behavioral1/memory/1604-82-0x000000013F320000-0x000000013F674000-memory.dmp  UPX
- behavioral1/memory/2464-142-0x000000013F730000-0x000000013FA84000-memory.dmp  UPX
- behavioral1/memory/2664-80-0x000000013F850000-0x000000013FBA4000-memory.dmp  UPX
- behavioral1/files/0x00060000000149d0-78.dat  UPX
- behavioral1/memory/2576-72-0x000000013F550000-0x000000013F8A4000-memory.dmp  UPX
- behavioral1/memory/2852-66-0x000000013F9E0000-0x000000013FD34000-memory.dmp  UPX
- behavioral1/files/0x00070000000141a1-64.dat  UPX
- behavioral1/files/0x00080000000141c5-70.dat  UPX
- behavioral1/memory/2852-144-0x000000013F9E0000-0x000000013FD34000-memory.dmp  UPX
- behavioral1/memory/2464-59-0x000000013F730000-0x000000013FA84000-memory.dmp  UPX
- behavioral1/memory/2524-57-0x000000013F8F0000-0x000000013FC44000-memory.dmp  UPX
- behavioral1/memory/2872-51-0x000000013FAD0000-0x000000013FE24000-memory.dmp  UPX
- behavioral1/files/0x0007000000014198-49.dat  UPX
- behavioral1/memory/2556-47-0x000000013F0F0000-0x000000013F444000-memory.dmp  UPX
- behavioral1/memory/2860-46-0x000000013FDF0000-0x0000000140144000-memory.dmp  UPX
- behavioral1/memory/2664-30-0x000000013F850000-0x000000013FBA4000-memory.dmp  UPX
- behavioral1/memory/1664-146-0x000000013F5D0000-0x000000013F924000-memory.dmp  UPX
- behavioral1/memory/1604-148-0x000000013F320000-0x000000013F674000-memory.dmp  UPX
- behavioral1/memory/620-150-0x000000013F6F0000-0x000000013FA44000-memory.dmp  UPX
- behavioral1/memory/2420-152-0x000000013F690000-0x000000013F9E4000-memory.dmp  UPX
- behavioral1/memory/1780-154-0x000000013FD80000-0x00000001400D4000-memory.dmp  UPX
- behavioral1/memory/2860-155-0x000000013FDF0000-0x0000000140144000-memory.dmp  UPX
- behavioral1/memory/2524-156-0x000000013F8F0000-0x000000013FC44000-memory.dmp  UPX
- behavioral1/memory/2664-157-0x000000013F850000-0x000000013FBA4000-memory.dmp  UPX
- behavioral1/memory/2576-158-0x000000013F550000-0x000000013F8A4000-memory.dmp  UPX
- behavioral1/memory/2680-159-0x000000013FCB0000-0x0000000140004000-memory.dmp  UPX
- behavioral1/memory/2556-160-0x000000013F0F0000-0x000000013F444000-memory.dmp  UPX
- behavioral1/memory/2872-161-0x000000013FAD0000-0x000000013FE24000-memory.dmp  UPX
- behavioral1/memory/2464-162-0x000000013F730000-0x000000013FA84000-memory.dmp  UPX
- behavioral1/memory/2852-163-0x000000013F9E0000-0x000000013FD34000-memory.dmp  UPX
- behavioral1/memory/1664-164-0x000000013F5D0000-0x000000013F924000-memory.dmp  UPX
- behavioral1/memory/1604-165-0x000000013F320000-0x000000013F674000-memory.dmp  UPX
- behavioral1/memory/620-166-0x000000013F6F0000-0x000000013FA44000-memory.dmp  UPX
- behavioral1/memory/2420-167-0x000000013F690000-0x000000013F9E4000-memory.dmp  UPX
- behavioral1/memory/1780-168-0x000000013FD80000-0x00000001400D4000-memory.dmp  UPX
XMRig Miner payload (64 IoCs)
resource / yara_rule:
- behavioral1/memory/1036-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp  xmrig
- behavioral1/files/0x000700000001211d-3.dat  xmrig
- behavioral1/memory/2860-8-0x000000013FDF0000-0x0000000140144000-memory.dmp  xmrig
- behavioral1/files/0x00330000000134e6-9.dat  xmrig
- behavioral1/memory/1036-11-0x000000013F8F0000-0x000000013FC44000-memory.dmp  xmrig
- behavioral1/files/0x0009000000013a62-13.dat  xmrig
- behavioral1/files/0x0009000000013a76-24.dat  xmrig
- behavioral1/files/0x0008000000013af3-32.dat  xmrig
- behavioral1/memory/1036-39-0x000000013F1A0000-0x000000013F4F4000-memory.dmp  xmrig
- behavioral1/files/0x0008000000013aa8-41.dat  xmrig
- behavioral1/memory/2680-40-0x000000013FCB0000-0x0000000140004000-memory.dmp  xmrig
- behavioral1/memory/2576-20-0x000000013F550000-0x000000013F8A4000-memory.dmp  xmrig
- behavioral1/files/0x0032000000013726-56.dat  xmrig
- behavioral1/memory/1664-74-0x000000013F5D0000-0x000000013F924000-memory.dmp  xmrig
- behavioral1/files/0x0006000000014b18-86.dat  xmrig
- behavioral1/memory/620-88-0x000000013F6F0000-0x000000013FA44000-memory.dmp  xmrig
- behavioral1/files/0x0006000000014b70-100.dat  xmrig
- behavioral1/memory/1780-101-0x000000013FD80000-0x00000001400D4000-memory.dmp  xmrig
- behavioral1/files/0x00060000000153fd-123.dat  xmrig
- behavioral1/files/0x0006000000015679-136.dat  xmrig
- behavioral1/files/0x000600000001542b-128.dat  xmrig
- behavioral1/files/0x000600000001562c-133.dat  xmrig
- behavioral1/files/0x000600000001538e-119.dat  xmrig
- behavioral1/files/0x0006000000014ca5-109.dat  xmrig
- behavioral1/memory/1036-108-0x000000013FEB0000-0x0000000140204000-memory.dmp  xmrig
- behavioral1/memory/2556-107-0x000000013F0F0000-0x000000013F444000-memory.dmp  xmrig
- behavioral1/memory/2872-140-0x000000013FAD0000-0x000000013FE24000-memory.dmp  xmrig
- behavioral1/files/0x0006000000015038-112.dat  xmrig
- behavioral1/memory/2420-96-0x000000013F690000-0x000000013F9E4000-memory.dmp  xmrig
- behavioral1/files/0x0006000000014b3f-94.dat  xmrig
- behavioral1/memory/1604-82-0x000000013F320000-0x000000013F674000-memory.dmp  xmrig
- behavioral1/memory/2464-142-0x000000013F730000-0x000000013FA84000-memory.dmp  xmrig
- behavioral1/memory/1036-141-0x000000013F730000-0x000000013FA84000-memory.dmp  xmrig
- behavioral1/memory/1036-81-0x0000000002400000-0x0000000002754000-memory.dmp  xmrig
- behavioral1/memory/2664-80-0x000000013F850000-0x000000013FBA4000-memory.dmp  xmrig
- behavioral1/files/0x00060000000149d0-78.dat  xmrig
- behavioral1/memory/2576-72-0x000000013F550000-0x000000013F8A4000-memory.dmp  xmrig
- behavioral1/memory/2852-66-0x000000013F9E0000-0x000000013FD34000-memory.dmp  xmrig
- behavioral1/files/0x00070000000141a1-64.dat  xmrig
- behavioral1/files/0x00080000000141c5-70.dat  xmrig
- behavioral1/memory/2852-144-0x000000013F9E0000-0x000000013FD34000-memory.dmp  xmrig
- behavioral1/memory/2464-59-0x000000013F730000-0x000000013FA84000-memory.dmp  xmrig
- behavioral1/memory/2524-57-0x000000013F8F0000-0x000000013FC44000-memory.dmp  xmrig
- behavioral1/memory/2872-51-0x000000013FAD0000-0x000000013FE24000-memory.dmp  xmrig
- behavioral1/files/0x0007000000014198-49.dat  xmrig
- behavioral1/memory/2556-47-0x000000013F0F0000-0x000000013F444000-memory.dmp  xmrig
- behavioral1/memory/2860-46-0x000000013FDF0000-0x0000000140144000-memory.dmp  xmrig
- behavioral1/memory/2664-30-0x000000013F850000-0x000000013FBA4000-memory.dmp  xmrig
- behavioral1/memory/1664-146-0x000000013F5D0000-0x000000013F924000-memory.dmp  xmrig
- behavioral1/memory/1036-145-0x000000013F5D0000-0x000000013F924000-memory.dmp  xmrig
- behavioral1/memory/1604-148-0x000000013F320000-0x000000013F674000-memory.dmp  xmrig
- behavioral1/memory/620-150-0x000000013F6F0000-0x000000013FA44000-memory.dmp  xmrig
- behavioral1/memory/2420-152-0x000000013F690000-0x000000013F9E4000-memory.dmp  xmrig
- behavioral1/memory/1780-154-0x000000013FD80000-0x00000001400D4000-memory.dmp  xmrig
- behavioral1/memory/2860-155-0x000000013FDF0000-0x0000000140144000-memory.dmp  xmrig
- behavioral1/memory/2524-156-0x000000013F8F0000-0x000000013FC44000-memory.dmp  xmrig
- behavioral1/memory/2664-157-0x000000013F850000-0x000000013FBA4000-memory.dmp  xmrig
- behavioral1/memory/2576-158-0x000000013F550000-0x000000013F8A4000-memory.dmp  xmrig
- behavioral1/memory/2680-159-0x000000013FCB0000-0x0000000140004000-memory.dmp  xmrig
- behavioral1/memory/2556-160-0x000000013F0F0000-0x000000013F444000-memory.dmp  xmrig
- behavioral1/memory/2872-161-0x000000013FAD0000-0x000000013FE24000-memory.dmp  xmrig
- behavioral1/memory/2464-162-0x000000013F730000-0x000000013FA84000-memory.dmp  xmrig
- behavioral1/memory/2852-163-0x000000013F9E0000-0x000000013FD34000-memory.dmp  xmrig
- behavioral1/memory/1664-164-0x000000013F5D0000-0x000000013F924000-memory.dmp  xmrig
Executes dropped EXE (21 IoCs)
pid / Process:
- 2860  bZBcKzc.exe
- 2524  xjkEfSI.exe
- 2576  LBbcrKJ.exe
- 2664  pXXqDPk.exe
- 2680  nLcrwxV.exe
- 2556  dcglPUa.exe
- 2872  aKezGQi.exe
- 2464  zOKwBQx.exe
- 2852  ivunZda.exe
- 1664  PzwpBvI.exe
- 1604  nCcGIFX.exe
- 620  OpCbVIq.exe
- 2420  vwMwavL.exe
- 1780  XCfbCIl.exe
- 1676  SDZChUs.exe
- 1248  smizcLM.exe
- 1744  DqqUGoO.exe
- 1216  aWwiPwM.exe
- 2076  eThapiE.exe
- 1220  zodSnjL.exe
- 2608  zvgxOzs.exe
Loads dropped DLL (21 IoCs)
pid / Process:
- 1036  2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe  (this row is repeated 21 times in the report)

resource / yara_rule (signature title absent from the extracted page):
- behavioral1/memory/1036-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp  upx
- behavioral1/files/0x000700000001211d-3.dat  upx
- behavioral1/memory/2860-8-0x000000013FDF0000-0x0000000140144000-memory.dmp  upx
- behavioral1/files/0x00330000000134e6-9.dat  upx
- behavioral1/memory/1036-11-0x000000013F8F0000-0x000000013FC44000-memory.dmp  upx
- behavioral1/files/0x0009000000013a62-13.dat  upx
- behavioral1/files/0x0009000000013a76-24.dat  upx
- behavioral1/files/0x0008000000013af3-32.dat  upx
- behavioral1/memory/1036-39-0x000000013F1A0000-0x000000013F4F4000-memory.dmp  upx
- behavioral1/files/0x0008000000013aa8-41.dat  upx
- behavioral1/memory/2680-40-0x000000013FCB0000-0x0000000140004000-memory.dmp  upx
- behavioral1/memory/2576-20-0x000000013F550000-0x000000013F8A4000-memory.dmp  upx
- behavioral1/files/0x0032000000013726-56.dat  upx
- behavioral1/memory/1664-74-0x000000013F5D0000-0x000000013F924000-memory.dmp  upx
- behavioral1/files/0x0006000000014b18-86.dat  upx
- behavioral1/memory/620-88-0x000000013F6F0000-0x000000013FA44000-memory.dmp  upx
- behavioral1/files/0x0006000000014b70-100.dat  upx
- behavioral1/memory/1780-101-0x000000013FD80000-0x00000001400D4000-memory.dmp  upx
- behavioral1/files/0x00060000000153fd-123.dat  upx
- behavioral1/files/0x0006000000015679-136.dat  upx
- behavioral1/files/0x000600000001542b-128.dat  upx
- behavioral1/files/0x000600000001562c-133.dat  upx
- behavioral1/files/0x000600000001538e-119.dat  upx
- behavioral1/files/0x0006000000014ca5-109.dat  upx
- behavioral1/memory/2556-107-0x000000013F0F0000-0x000000013F444000-memory.dmp  upx
- behavioral1/memory/2872-140-0x000000013FAD0000-0x000000013FE24000-memory.dmp  upx
- behavioral1/files/0x0006000000015038-112.dat  upx
- behavioral1/memory/2420-96-0x000000013F690000-0x000000013F9E4000-memory.dmp  upx
- behavioral1/files/0x0006000000014b3f-94.dat  upx
- behavioral1/memory/1604-82-0x000000013F320000-0x000000013F674000-memory.dmp  upx
- behavioral1/memory/2464-142-0x000000013F730000-0x000000013FA84000-memory.dmp  upx
- behavioral1/memory/2664-80-0x000000013F850000-0x000000013FBA4000-memory.dmp  upx
- behavioral1/files/0x00060000000149d0-78.dat  upx
- behavioral1/memory/2576-72-0x000000013F550000-0x000000013F8A4000-memory.dmp  upx
- behavioral1/memory/2852-66-0x000000013F9E0000-0x000000013FD34000-memory.dmp  upx
- behavioral1/files/0x00070000000141a1-64.dat  upx
- behavioral1/files/0x00080000000141c5-70.dat  upx
- behavioral1/memory/2852-144-0x000000013F9E0000-0x000000013FD34000-memory.dmp  upx
- behavioral1/memory/2464-59-0x000000013F730000-0x000000013FA84000-memory.dmp  upx
- behavioral1/memory/2524-57-0x000000013F8F0000-0x000000013FC44000-memory.dmp  upx
- behavioral1/memory/2872-51-0x000000013FAD0000-0x000000013FE24000-memory.dmp  upx
- behavioral1/files/0x0007000000014198-49.dat  upx
- behavioral1/memory/2556-47-0x000000013F0F0000-0x000000013F444000-memory.dmp  upx
- behavioral1/memory/2860-46-0x000000013FDF0000-0x0000000140144000-memory.dmp  upx
- behavioral1/memory/2664-30-0x000000013F850000-0x000000013FBA4000-memory.dmp  upx
- behavioral1/memory/1664-146-0x000000013F5D0000-0x000000013F924000-memory.dmp  upx
- behavioral1/memory/1604-148-0x000000013F320000-0x000000013F674000-memory.dmp  upx
- behavioral1/memory/620-150-0x000000013F6F0000-0x000000013FA44000-memory.dmp  upx
- behavioral1/memory/2420-152-0x000000013F690000-0x000000013F9E4000-memory.dmp  upx
- behavioral1/memory/1780-154-0x000000013FD80000-0x00000001400D4000-memory.dmp  upx
- behavioral1/memory/2860-155-0x000000013FDF0000-0x0000000140144000-memory.dmp  upx
- behavioral1/memory/2524-156-0x000000013F8F0000-0x000000013FC44000-memory.dmp  upx
- behavioral1/memory/2664-157-0x000000013F850000-0x000000013FBA4000-memory.dmp  upx
- behavioral1/memory/2576-158-0x000000013F550000-0x000000013F8A4000-memory.dmp  upx
- behavioral1/memory/2680-159-0x000000013FCB0000-0x0000000140004000-memory.dmp  upx
- behavioral1/memory/2556-160-0x000000013F0F0000-0x000000013F444000-memory.dmp  upx
- behavioral1/memory/2872-161-0x000000013FAD0000-0x000000013FE24000-memory.dmp  upx
- behavioral1/memory/2464-162-0x000000013F730000-0x000000013FA84000-memory.dmp  upx
- behavioral1/memory/2852-163-0x000000013F9E0000-0x000000013FD34000-memory.dmp  upx
- behavioral1/memory/1664-164-0x000000013F5D0000-0x000000013F924000-memory.dmp  upx
- behavioral1/memory/1604-165-0x000000013F320000-0x000000013F674000-memory.dmp  upx
- behavioral1/memory/620-166-0x000000013F6F0000-0x000000013FA44000-memory.dmp  upx
- behavioral1/memory/2420-167-0x000000013F690000-0x000000013F9E4000-memory.dmp  upx
- behavioral1/memory/1780-168-0x000000013FD80000-0x00000001400D4000-memory.dmp  upx
Drops file in Windows directory (21 IoCs)
description / ioc / Process (every row has description "File created" and Process 2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe):
- File created  C:\Windows\System\bZBcKzc.exe
- File created  C:\Windows\System\xjkEfSI.exe
- File created  C:\Windows\System\LBbcrKJ.exe
- File created  C:\Windows\System\nLcrwxV.exe
- File created  C:\Windows\System\DqqUGoO.exe
- File created  C:\Windows\System\OpCbVIq.exe
- File created  C:\Windows\System\aWwiPwM.exe
- File created  C:\Windows\System\zodSnjL.exe
- File created  C:\Windows\System\zvgxOzs.exe
- File created  C:\Windows\System\XCfbCIl.exe
- File created  C:\Windows\System\SDZChUs.exe
- File created  C:\Windows\System\dcglPUa.exe
- File created  C:\Windows\System\aKezGQi.exe
- File created  C:\Windows\System\zOKwBQx.exe
- File created  C:\Windows\System\ivunZda.exe
- File created  C:\Windows\System\PzwpBvI.exe
- File created  C:\Windows\System\vwMwavL.exe
- File created  C:\Windows\System\smizcLM.exe
- File created  C:\Windows\System\pXXqDPk.exe
- File created  C:\Windows\System\nCcGIFX.exe
- File created  C:\Windows\System\eThapiE.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeLockMemoryPrivilege  1036  2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe
- Token: SeLockMemoryPrivilege  1036  2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory (63 IoCs)
description / pid / Process / procid_target (every row has pid 1036 and Process 2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe; each row below appears 3 times in the report):
- PID 1036 wrote to memory of 2860  procid_target 29
- PID 1036 wrote to memory of 2524  procid_target 30
- PID 1036 wrote to memory of 2576  procid_target 31
- PID 1036 wrote to memory of 2664  procid_target 32
- PID 1036 wrote to memory of 2556  procid_target 33
- PID 1036 wrote to memory of 2680  procid_target 34
- PID 1036 wrote to memory of 2872  procid_target 35
- PID 1036 wrote to memory of 2464  procid_target 36
- PID 1036 wrote to memory of 2852  procid_target 37
- PID 1036 wrote to memory of 1664  procid_target 38
- PID 1036 wrote to memory of 1604  procid_target 39
- PID 1036 wrote to memory of 620  procid_target 40
- PID 1036 wrote to memory of 2420  procid_target 41
- PID 1036 wrote to memory of 1780  procid_target 42
- PID 1036 wrote to memory of 1676  procid_target 43
- PID 1036 wrote to memory of 1248  procid_target 44
- PID 1036 wrote to memory of 1744  procid_target 45
- PID 1036 wrote to memory of 1216  procid_target 46
- PID 1036 wrote to memory of 2076  procid_target 47
- PID 1036 wrote to memory of 1220  procid_target 48
- PID 1036 wrote to memory of 2608  procid_target 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
-
  C:\Windows\System\bZBcKzc.exe
  Command line: C:\Windows\System\bZBcKzc.exe
  - Executes dropped EXE
  PID:2860
-
  C:\Windows\System\xjkEfSI.exe
  Command line: C:\Windows\System\xjkEfSI.exe
  - Executes dropped EXE
  PID:2524
-
  C:\Windows\System\LBbcrKJ.exe
  Command line: C:\Windows\System\LBbcrKJ.exe
  - Executes dropped EXE
  PID:2576
-
  C:\Windows\System\pXXqDPk.exe
  Command line: C:\Windows\System\pXXqDPk.exe
  - Executes dropped EXE
  PID:2664
-
  C:\Windows\System\dcglPUa.exe
  Command line: C:\Windows\System\dcglPUa.exe
  - Executes dropped EXE
  PID:2556
-
  C:\Windows\System\nLcrwxV.exe
  Command line: C:\Windows\System\nLcrwxV.exe
  - Executes dropped EXE
  PID:2680
-
  C:\Windows\System\aKezGQi.exe
  Command line: C:\Windows\System\aKezGQi.exe
  - Executes dropped EXE
  PID:2872
-
  C:\Windows\System\zOKwBQx.exe
  Command line: C:\Windows\System\zOKwBQx.exe
  - Executes dropped EXE
  PID:2464
-
  C:\Windows\System\ivunZda.exe
  Command line: C:\Windows\System\ivunZda.exe
  - Executes dropped EXE
  PID:2852
-
  C:\Windows\System\PzwpBvI.exe
  Command line: C:\Windows\System\PzwpBvI.exe
  - Executes dropped EXE
  PID:1664
-
  C:\Windows\System\nCcGIFX.exe
  Command line: C:\Windows\System\nCcGIFX.exe
  - Executes dropped EXE
  PID:1604
-
  C:\Windows\System\OpCbVIq.exe
  Command line: C:\Windows\System\OpCbVIq.exe
  - Executes dropped EXE
  PID:620
-
  C:\Windows\System\vwMwavL.exe
  Command line: C:\Windows\System\vwMwavL.exe
  - Executes dropped EXE
  PID:2420
-
  C:\Windows\System\XCfbCIl.exe
  Command line: C:\Windows\System\XCfbCIl.exe
  - Executes dropped EXE
  PID:1780
-
  C:\Windows\System\SDZChUs.exe
  Command line: C:\Windows\System\SDZChUs.exe
  - Executes dropped EXE
  PID:1676
-
  C:\Windows\System\smizcLM.exe
  Command line: C:\Windows\System\smizcLM.exe
  - Executes dropped EXE
  PID:1248
-
  C:\Windows\System\DqqUGoO.exe
  Command line: C:\Windows\System\DqqUGoO.exe
  - Executes dropped EXE
  PID:1744
-
  C:\Windows\System\aWwiPwM.exe
  Command line: C:\Windows\System\aWwiPwM.exe
  - Executes dropped EXE
  PID:1216
-
  C:\Windows\System\eThapiE.exe
  Command line: C:\Windows\System\eThapiE.exe
  - Executes dropped EXE
  PID:2076
-
  C:\Windows\System\zodSnjL.exe
  Command line: C:\Windows\System\zodSnjL.exe
  - Executes dropped EXE
  PID:1220
-
  C:\Windows\System\zvgxOzs.exe
  Command line: C:\Windows\System\zvgxOzs.exe
  - Executes dropped EXE
  PID:2608
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.9MB
MD5
36bf6dac6004e748ef1d5bb50bac67ab
SHA1
5cfeb1f9045cc408716c0e2e90b474848bebd884
SHA256
a68251d02741faf31211f17aaed9cc580e5fbd80ab0552b3c98584143bbe87e7
SHA512
39784ac905e3c268f8ab30ab13d8795b6c2f8ea51e0ff6f2541c9638e71bc8a151274af70fbe5ed0e7b579e684ecd50fb89f38589dbc97aa43269ccd4b325123
-
Filesize
5.9MB
MD5
3f42e911022ce096230ad0c8f4a416a2
SHA1
513ae265a1944cbd51a9681a2c68055d51f72553
SHA256
b33615ec51873e23c4378aa26b88c38b4aa64625344d976823b7065db0520098
SHA512
5ecde2c413116b5c01c7ce752a4e38962bee81ab565df123042be4236a6fa36c8ac0dc65dcc22f59fc756bbf6c7e64433665b63ae545581a535ee60dfedf0d7d
-
Filesize
5.9MB
MD5
646df2377bd1d973faf8039b6c1b4339
SHA1
8f628623bfc814a27688903a725eae54b2f55607
SHA256
29a7f7f9cc61502861951e5604e30e85e01856630a2b868329f76749c6af4579
SHA512
a91f26e81a5b5296c823b273b48e18884c49fef27a68df75027eed98d975ffcf97fdf2fbf88184687c511202b2da2583aba545197702f9bab6069d396d11fc4a
-
Filesize
5.9MB
MD5
dac102cebf9d643780a175f1ba30b162
SHA1
cb9ffbf7bdb6869c1d1e264fc52f53eaa4b37d35
SHA256
4fa15cda6f4c12d99f1798609ae86fafe41f23309fb0d5dd271297818c05a5ff
SHA512
88880c6a63ad243cc819d9fb578a131351be1d2482d8b8a74368a04019c8d1908b45850ad867cdc5d691c6eae2b36d8d9401ab517b010797fdc2bd4ffa0979fa
-
Filesize
5.9MB
MD5
1967caf5093ca39cf2073e3e12192120
SHA1
d9b6e5c55c252b81da899d56124fdbfbc332720b
SHA256
cf6abeced2fb3646d23e2d351c5c14f7cda0dc113af7d1999c8300e130046881
SHA512
b58ebbe207085fc273a7cb90b7b48dc08e2cfae25bfa68e2a13e0fbfb97c23bf416e7642218a6585ef495f8a78b3b548c692c2241db17135f54610a55624c42a
-
Filesize
5.9MB
MD5
3cfdafbb87b737304ea9384884c5b0c4
SHA1
218d1c5368991caa67b34031d8786dd4355e9fab
SHA256
2d5915ee6c17b68343d22deddbd2cb7c9e40ec1ce58f4dca3d080fb00bd23d54
SHA512
bfa7841e552e8b1768ed0df1286fbc4180c838cc24300613178bceacc65da9c9b1369a6ee76cfc4eaf1f947579cac2458089633d97445d25608321bc53c0f9a6
-
Filesize
5.9MB
MD5
d259f496469bb7be69df4f7dc9100943
SHA1
c76a3da28fa720bf0415e4efecf768fff3fd81a6
SHA256
aa47225c930f30661a459c395651b7b7dd2c912e1bc4982ae41405afb9771131
SHA512
095a54f9f3adf1558908ce3b3bf6be7919b79daa3eca5312a59e68476782e0e0c3fe0b05cee493950af0088743be0b1582f66990d20c40736ad935e7747f9903
-
Filesize
5.9MB
MD5
8d322c43341778598176737c2197b5ec
SHA1
cb5733dd54dbc12f7ae22b14b44bd9344d067f8d
SHA256
df44521c8a6491639e67c777c1771c822412f6ee22c864b4d2f1c0569df257c1
SHA512
34eb3469265b04a404bde881779a827126effa1c85e21bd67850e63b9b3078f9a1da51e8584ffeba83b5d8b5a8c96f39646ca355e533a57cc79562bb0b0f2eb7
-
Filesize
5.9MB
MD5
502a1f68665756007c0bcf346702b13f
SHA1
65b0cd798c140848c6cc5e190d5efc9416f82ccf
SHA256
13e3836116de8887561cbc6091e33227df7b3a19c0d39f10f5c48401d8252f23
SHA512
3de516a417a54f7373f3410f8c9fc26da0ef035adec334f09f6d12a28064a603e329f4887e891858d70a0a4243913679e0fc002aa56bc7ecfbd2b7f22cf3197f
-
Filesize
5.9MB
MD5
d2a2f07ff92391072e4b1fdfeb12049d
SHA1
d415581d9f34ef6a86b311adc90ae2a0cde7d36e
SHA256
be9e7281bb17909de9374356d52d2c5dd273ec4ac279d984e29e69285d01221d
SHA512
dbf3fc0154a3a02a04575058cc3eec3d7285099e133103a7e75ff4ea712ce5e33fca7e91287f3aa8053d487343e2db1f6e5e063b0943cd27e2b3077e55300f36
-
Filesize
5.9MB
MD5
4f5504a9f0d585c5d63fc17bd982f1fb
SHA1
6a7d295dd68c60e6589de0608fcd745757913a2f
SHA256
0f41ca0fee510b1bab01186baa67defa9a7e308caddaf13e433d42b99a840bbd
SHA512
5f0b77d94337f6ff40e24a58f347cb3457e4d2551cb6e1486042340ee40835952f6fb3900d3826374d68e0f4918938c014618f59a2dc0a18aa4c3ab8399479b4
-
Filesize
5.9MB
MD5
5bd13186f2337b0899ee6230de844dce
SHA1
a3d51b6dfa71740bb74024682ee40d4d90fccdc9
SHA256
7015169b09866f3d8546297cc81d4d259c7f2a93e766d13e9c85fdd1e65e9b2b
SHA512
0acd15b76d5638798cbb69f05e49c36f2aa92764e5c9c3e9503f15dd352c9b3d69496afc6610ba3bff6fc344316071d5649df1ea13508a9c5d8593545e9bae54
-
Filesize
5.9MB
MD5
9ebc43eddf1817c0e0d7e8a837424166
SHA1
588ccaf50e983806377108111aba97e31edf5ac3
SHA256
35bd96971a1adb3ab31d3ca1cbb767a3c0b8dc62a625b8dbdd193da1ccb17be3
SHA512
2a994e6698cacbd8fdbc9418813ac56889ba33c003ce73a503bb546fe71d1c6cff1554006c969fd59a24ecb2817cfcf35b2087b05bbcd4912c60041438785812
-
Filesize
5.9MB
MD5
9070590d875fff4aa8fa0e20e25c74f0
SHA1
d058bc9f4104c5ce94bb94d6e7e644af69f31429
SHA256
21d8dcf18d725373a6177804f3251afe0b37bfee37d0b61a5e6dc59e86b124e9
SHA512
538e8d4bc8d69d6a6b60093338e302fa1858122bad8ddd2424368a94ee2789c50b32059d2d2d7c8b1c7d6d891c39226139886389d1c0308514232209c8923e2e
-
Filesize
5.9MB
MD5
dc219ee98ac78f692226d21b8240f632
SHA1
93570aff8e687202739756fdd9aef97f80b2b9fb
SHA256
d62fc57ad1f7e38cbc3877d3d93fef6eed73c0bb51519ac999675578ab902a58
SHA512
4d428140183c0868fecbb6bc735f5d13e84c478d7e69457a56cbb60f8ff0773b5aa5ddeed50a6a3099b470f2b95b5147729a534c2cbefb8e6e4b1920a68fb7bf
-
Filesize
5.9MB
MD5
8213e6932656ab2391af223acc55f415
SHA1
d3d8bd22fcd3e98ef16497623d0878425732e093
SHA256
b3593a598523e5499437b2aa838a7bf0b16e4c30a205ae8343f998241693c2a0
SHA512
a029fa54f350f1cf5878372a022df026e3c6976ed81c057995595acaa572b31a7e13e19f8ce9395d467cef8985940861587e8bacc9486268f27e0456a26bdcbb
-
Filesize
5.9MB
MD5
f31516ab1c05692400741243805ad203
SHA1
744798c3c10236318417a5d421ae14d5ebb8ceaf
SHA256
59c84dfd798a1406b2d4e2cb046b9e9183cb4d901257cca37522d0a50c065779
SHA512
e025025e92f49661b058ae5f67c4ddcc32822d9e53fb55135e54f2c4c5a09e2270cabdb57a5e4c8636d1e95d4bfb5b72ac80e73666584dea378697927f266715
-
Filesize
5.9MB
MD5
bdf795eb141a0ecb33eb3f53b38d1132
SHA1
d2ab9a825acba8aa230aa176e9e20d5c8348960f
SHA256
344d4030fb9fcc662462c67f0a5af2a794b5e759050a8bf2712e1e19d7d102a3
SHA512
37f7ce7a52d85c2cad39c537936ab86d28a69af7f2b69abc7a5177a217d94f09b4b7afdece901e787a4bf85dd751dc77057b721933df7ea53471a25cecc86eef
-
Filesize
5.9MB
MD5
b168e024d14945b488567a1377a3cf16
SHA1
8f5f9d1d4d02e9717c8974e964fc4ee228588466
SHA256
07c7e759c09765e4b70352829a4bf469265496acbc41fe08ec15698110403505
SHA512
5e27387b8d8a710243c1df0152dfa7a193196368f718d9091e9448ea64f494e34ab20beb40c2ca922b1b22f656500538e7e189ace8c9b6cba47209e937442493
-
Filesize
5.9MB
MD5
6a20f7d5346fffe5e21de3b8e026186c
SHA1
71161180fac08740e09902ca3d7c6cd061c26f35
SHA256
992efb97a7bebdc127fb5f0e32a181736cc3ad6be5d0ef91e28fa09779f66d48
SHA512
1e0e6802b613440cad229fd26b20e3660c155d7dc7edfcad9f1ce066a0ebf9a60e5fbd4c094adadcf64349b01ec76e069d6f4cab7fc9d8928801964b3b111e2b
-
Filesize
5.9MB
MD5
2fb8631c8009f7858c034313122615d9
SHA1
28ae6c60e9f854a84217671efd9157b6b321dee1
SHA256
18cadf7532312a7644c6afe1d5546e3e97eb8105521aa519fae6087d352853fd
SHA512
7a47336aceda7f37891deec7a3be54669c9f465c67203835f6e4120b82715044b6cc5dbfe11c327aa9f4b9e93f0f083265b65afc20eae3052e6e0ca5c9d5c730