Analysis
-
max time kernel
141s
-
max time network
145s
-
platform
windows7_x64
-
resource
win7-20240508-en
-
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
-
submitted
06-06-2024 22:22
Behavioral task
behavioral1
Sample
2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
Resource
win7-20240508-en
General
-
Target
2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
-
Size
5.9MB
-
MD5
8668c8f2f3e9fa8c6c7e9d4a3dd1ec08
-
SHA1
9897e9b1b3e3c2743dc60303ccd6fe14b81f4d6d
-
SHA256
bb7e98681e0fa5c70515989a29b492392c48c83e0cb41e505eccc6e71408d4b4
-
SHA512
9fb6aa4c915e9cd5667e3a875e04cb97b6010b7ec41409503d55276228d4a0ad787d948723fe5cdc96ba5bc9c5806d524198af894c740f99c05abcb6263926c6
-
SSDEEP
98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUN:Q+856utgpPF8u/7N
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes:
resource | yara_rule
\Windows\system\ZmpHGwy.exe | cobalt_reflective_dll
C:\Windows\system\tUVSrsK.exe | cobalt_reflective_dll
C:\Windows\system\hRgCHIi.exe | cobalt_reflective_dll
\Windows\system\dlBLvsy.exe | cobalt_reflective_dll
C:\Windows\system\RqyeXLY.exe | cobalt_reflective_dll
\Windows\system\iscjGGR.exe | cobalt_reflective_dll
C:\Windows\system\iDDcGHa.exe | cobalt_reflective_dll
C:\Windows\system\dplpwIn.exe | cobalt_reflective_dll
C:\Windows\system\sQPsBQz.exe | cobalt_reflective_dll
C:\Windows\system\fjzPiXT.exe | cobalt_reflective_dll
\Windows\system\ZYktjwb.exe | cobalt_reflective_dll
C:\Windows\system\tgDTONA.exe | cobalt_reflective_dll
C:\Windows\system\LdJjERU.exe | cobalt_reflective_dll
C:\Windows\system\AtGKlQa.exe | cobalt_reflective_dll
C:\Windows\system\ropVOqb.exe | cobalt_reflective_dll
C:\Windows\system\xCIkquB.exe | cobalt_reflective_dll
C:\Windows\system\IsWCUGA.exe | cobalt_reflective_dll
C:\Windows\system\bvFXWpt.exe | cobalt_reflective_dll
C:\Windows\system\bRuPPpf.exe | cobalt_reflective_dll
C:\Windows\system\diBDrhz.exe | cobalt_reflective_dll
C:\Windows\system\phYEEAb.exe | cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Detects Reflective DLL injection artifacts (21 IoCs)
Processes:
resource | yara_rule
\Windows\system\ZmpHGwy.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tUVSrsK.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hRgCHIi.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\dlBLvsy.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RqyeXLY.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\iscjGGR.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iDDcGHa.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dplpwIn.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sQPsBQz.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fjzPiXT.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ZYktjwb.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tgDTONA.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LdJjERU.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AtGKlQa.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ropVOqb.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xCIkquB.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IsWCUGA.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bvFXWpt.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bRuPPpf.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\diBDrhz.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\phYEEAb.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
-
UPX dump on OEP (original entry point) (47 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2176-0-0x000000013F4E0000-0x000000013F834000-memory.dmp | UPX
\Windows\system\ZmpHGwy.exe | UPX
behavioral1/memory/2176-6-0x000000013FDF0000-0x0000000140144000-memory.dmp | UPX
behavioral1/memory/1780-12-0x000000013FDF0000-0x0000000140144000-memory.dmp | UPX
behavioral1/memory/1704-15-0x000000013F690000-0x000000013F9E4000-memory.dmp | UPX
C:\Windows\system\tUVSrsK.exe | UPX
C:\Windows\system\hRgCHIi.exe | UPX
\Windows\system\dlBLvsy.exe | UPX
behavioral1/memory/2868-29-0x000000013F9D0000-0x000000013FD24000-memory.dmp | UPX
C:\Windows\system\RqyeXLY.exe | UPX
behavioral1/memory/3032-36-0x000000013F830000-0x000000013FB84000-memory.dmp | UPX
behavioral1/memory/3024-42-0x000000013F4F0000-0x000000013F844000-memory.dmp | UPX
\Windows\system\iscjGGR.exe | UPX
C:\Windows\system\iDDcGHa.exe | UPX
behavioral1/memory/1668-87-0x000000013FE70000-0x00000001401C4000-memory.dmp | UPX
behavioral1/memory/2812-102-0x000000013F2C0000-0x000000013F614000-memory.dmp | UPX
C:\Windows\system\dplpwIn.exe | UPX
C:\Windows\system\sQPsBQz.exe | UPX
C:\Windows\system\fjzPiXT.exe | UPX
\Windows\system\ZYktjwb.exe | UPX
C:\Windows\system\tgDTONA.exe | UPX
C:\Windows\system\LdJjERU.exe | UPX
C:\Windows\system\AtGKlQa.exe | UPX
behavioral1/memory/3024-108-0x000000013F4F0000-0x000000013F844000-memory.dmp | UPX
behavioral1/memory/2560-95-0x000000013F760000-0x000000013FAB4000-memory.dmp | UPX
behavioral1/memory/2868-93-0x000000013F9D0000-0x000000013FD24000-memory.dmp | UPX
behavioral1/memory/3032-100-0x000000013F830000-0x000000013FB84000-memory.dmp | UPX
C:\Windows\system\ropVOqb.exe | UPX
C:\Windows\system\xCIkquB.exe | UPX
behavioral1/memory/2756-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp | UPX
behavioral1/memory/2940-79-0x000000013F800000-0x000000013FB54000-memory.dmp | UPX
C:\Windows\system\IsWCUGA.exe | UPX
behavioral1/memory/2552-72-0x000000013F810000-0x000000013FB64000-memory.dmp | UPX
C:\Windows\system\bvFXWpt.exe | UPX
behavioral1/memory/2228-66-0x000000013FDB0000-0x0000000140104000-memory.dmp | UPX
behavioral1/memory/1704-64-0x000000013F690000-0x000000013F9E4000-memory.dmp | UPX
behavioral1/memory/2756-51-0x000000013F9E0000-0x000000013FD34000-memory.dmp | UPX
C:\Windows\system\bRuPPpf.exe | UPX
behavioral1/memory/1780-48-0x000000013FDF0000-0x0000000140144000-memory.dmp | UPX
behavioral1/memory/2468-56-0x000000013F030000-0x000000013F384000-memory.dmp | UPX
C:\Windows\system\diBDrhz.exe | UPX
C:\Windows\system\phYEEAb.exe | UPX
behavioral1/memory/2176-41-0x000000013F4E0000-0x000000013F834000-memory.dmp | UPX
behavioral1/memory/2648-23-0x000000013F830000-0x000000013FB84000-memory.dmp | UPX
behavioral1/memory/2468-141-0x000000013F030000-0x000000013F384000-memory.dmp | UPX
behavioral1/memory/2228-143-0x000000013FDB0000-0x0000000140104000-memory.dmp | UPX
behavioral1/memory/1668-148-0x000000013FE70000-0x00000001401C4000-memory.dmp | UPX
-
XMRig Miner payload (60 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2176-0-0x000000013F4E0000-0x000000013F834000-memory.dmp | xmrig
\Windows\system\ZmpHGwy.exe | xmrig
behavioral1/memory/2176-6-0x000000013FDF0000-0x0000000140144000-memory.dmp | xmrig
behavioral1/memory/1780-12-0x000000013FDF0000-0x0000000140144000-memory.dmp | xmrig
behavioral1/memory/1704-15-0x000000013F690000-0x000000013F9E4000-memory.dmp | xmrig
C:\Windows\system\tUVSrsK.exe | xmrig
C:\Windows\system\hRgCHIi.exe | xmrig
\Windows\system\dlBLvsy.exe | xmrig
behavioral1/memory/2868-29-0x000000013F9D0000-0x000000013FD24000-memory.dmp | xmrig
C:\Windows\system\RqyeXLY.exe | xmrig
behavioral1/memory/3032-36-0x000000013F830000-0x000000013FB84000-memory.dmp | xmrig
behavioral1/memory/3024-42-0x000000013F4F0000-0x000000013F844000-memory.dmp | xmrig
\Windows\system\iscjGGR.exe | xmrig
C:\Windows\system\iDDcGHa.exe | xmrig
behavioral1/memory/1668-87-0x000000013FE70000-0x00000001401C4000-memory.dmp | xmrig
behavioral1/memory/2812-102-0x000000013F2C0000-0x000000013F614000-memory.dmp | xmrig
C:\Windows\system\dplpwIn.exe | xmrig
C:\Windows\system\sQPsBQz.exe | xmrig
C:\Windows\system\fjzPiXT.exe | xmrig
\Windows\system\ZYktjwb.exe | xmrig
C:\Windows\system\tgDTONA.exe | xmrig
C:\Windows\system\LdJjERU.exe | xmrig
C:\Windows\system\AtGKlQa.exe | xmrig
behavioral1/memory/3024-108-0x000000013F4F0000-0x000000013F844000-memory.dmp | xmrig
behavioral1/memory/2560-95-0x000000013F760000-0x000000013FAB4000-memory.dmp | xmrig
behavioral1/memory/2176-94-0x0000000002320000-0x0000000002674000-memory.dmp | xmrig
behavioral1/memory/2868-93-0x000000013F9D0000-0x000000013FD24000-memory.dmp | xmrig
behavioral1/memory/3032-100-0x000000013F830000-0x000000013FB84000-memory.dmp | xmrig
C:\Windows\system\ropVOqb.exe | xmrig
C:\Windows\system\xCIkquB.exe | xmrig
behavioral1/memory/2756-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp | xmrig
behavioral1/memory/2940-79-0x000000013F800000-0x000000013FB54000-memory.dmp | xmrig
behavioral1/memory/2176-78-0x0000000002320000-0x0000000002674000-memory.dmp | xmrig
C:\Windows\system\IsWCUGA.exe | xmrig
behavioral1/memory/2552-72-0x000000013F810000-0x000000013FB64000-memory.dmp | xmrig
C:\Windows\system\bvFXWpt.exe | xmrig
behavioral1/memory/2228-66-0x000000013FDB0000-0x0000000140104000-memory.dmp | xmrig
behavioral1/memory/1704-64-0x000000013F690000-0x000000013F9E4000-memory.dmp | xmrig
behavioral1/memory/2756-51-0x000000013F9E0000-0x000000013FD34000-memory.dmp | xmrig
C:\Windows\system\bRuPPpf.exe | xmrig
behavioral1/memory/1780-48-0x000000013FDF0000-0x0000000140144000-memory.dmp | xmrig
behavioral1/memory/2468-56-0x000000013F030000-0x000000013F384000-memory.dmp | xmrig
C:\Windows\system\diBDrhz.exe | xmrig
C:\Windows\system\phYEEAb.exe | xmrig
behavioral1/memory/2176-41-0x000000013F4E0000-0x000000013F834000-memory.dmp | xmrig
behavioral1/memory/2648-23-0x000000013F830000-0x000000013FB84000-memory.dmp | xmrig
behavioral1/memory/2468-141-0x000000013F030000-0x000000013F384000-memory.dmp | xmrig
behavioral1/memory/2176-142-0x000000013FDB0000-0x0000000140104000-memory.dmp | xmrig
behavioral1/memory/2228-143-0x000000013FDB0000-0x0000000140104000-memory.dmp | xmrig
behavioral1/memory/2552-145-0x000000013F810000-0x000000013FB64000-memory.dmp | xmrig
behavioral1/memory/2940-146-0x000000013F800000-0x000000013FB54000-memory.dmp | xmrig
behavioral1/memory/1668-148-0x000000013FE70000-0x00000001401C4000-memory.dmp | xmrig
behavioral1/memory/2560-149-0x000000013F760000-0x000000013FAB4000-memory.dmp | xmrig
behavioral1/memory/2812-150-0x000000013F2C0000-0x000000013F614000-memory.dmp | xmrig
behavioral1/memory/1704-153-0x000000013F690000-0x000000013F9E4000-memory.dmp | xmrig
behavioral1/memory/3032-156-0x000000013F830000-0x000000013FB84000-memory.dmp | xmrig
behavioral1/memory/3024-157-0x000000013F4F0000-0x000000013F844000-memory.dmp | xmrig
behavioral1/memory/2228-160-0x000000013FDB0000-0x0000000140104000-memory.dmp | xmrig
behavioral1/memory/2552-161-0x000000013F810000-0x000000013FB64000-memory.dmp | xmrig
behavioral1/memory/2812-164-0x000000013F2C0000-0x000000013F614000-memory.dmp | xmrig
-
Executes dropped EXE (21 IoCs)
Processes:
pid | process
1780 | ZmpHGwy.exe
1704 | tUVSrsK.exe
2648 | hRgCHIi.exe
2868 | dlBLvsy.exe
3032 | phYEEAb.exe
3024 | RqyeXLY.exe
2756 | bRuPPpf.exe
2468 | diBDrhz.exe
2228 | iscjGGR.exe
2552 | bvFXWpt.exe
2940 | IsWCUGA.exe
1668 | iDDcGHa.exe
2560 | xCIkquB.exe
2812 | ropVOqb.exe
268 | dplpwIn.exe
1924 | sQPsBQz.exe
568 | LdJjERU.exe
556 | AtGKlQa.exe
2988 | tgDTONA.exe
1512 | fjzPiXT.exe
304 | ZYktjwb.exe
-
Loads dropped DLL (21 IoCs)
Processes:
pid | process
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2176-0-0x000000013F4E0000-0x000000013F834000-memory.dmp | upx
\Windows\system\ZmpHGwy.exe | upx
behavioral1/memory/2176-6-0x000000013FDF0000-0x0000000140144000-memory.dmp | upx
behavioral1/memory/1780-12-0x000000013FDF0000-0x0000000140144000-memory.dmp | upx
behavioral1/memory/1704-15-0x000000013F690000-0x000000013F9E4000-memory.dmp | upx
C:\Windows\system\tUVSrsK.exe | upx
C:\Windows\system\hRgCHIi.exe | upx
\Windows\system\dlBLvsy.exe | upx
behavioral1/memory/2868-29-0x000000013F9D0000-0x000000013FD24000-memory.dmp | upx
C:\Windows\system\RqyeXLY.exe | upx
behavioral1/memory/3032-36-0x000000013F830000-0x000000013FB84000-memory.dmp | upx
behavioral1/memory/3024-42-0x000000013F4F0000-0x000000013F844000-memory.dmp | upx
\Windows\system\iscjGGR.exe | upx
C:\Windows\system\iDDcGHa.exe | upx
behavioral1/memory/1668-87-0x000000013FE70000-0x00000001401C4000-memory.dmp | upx
behavioral1/memory/2812-102-0x000000013F2C0000-0x000000013F614000-memory.dmp | upx
C:\Windows\system\dplpwIn.exe | upx
C:\Windows\system\sQPsBQz.exe | upx
C:\Windows\system\fjzPiXT.exe | upx
\Windows\system\ZYktjwb.exe | upx
C:\Windows\system\tgDTONA.exe | upx
C:\Windows\system\LdJjERU.exe | upx
C:\Windows\system\AtGKlQa.exe | upx
behavioral1/memory/3024-108-0x000000013F4F0000-0x000000013F844000-memory.dmp | upx
behavioral1/memory/2560-95-0x000000013F760000-0x000000013FAB4000-memory.dmp | upx
behavioral1/memory/2868-93-0x000000013F9D0000-0x000000013FD24000-memory.dmp | upx
behavioral1/memory/3032-100-0x000000013F830000-0x000000013FB84000-memory.dmp | upx
C:\Windows\system\ropVOqb.exe | upx
C:\Windows\system\xCIkquB.exe | upx
behavioral1/memory/2756-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp | upx
behavioral1/memory/2940-79-0x000000013F800000-0x000000013FB54000-memory.dmp | upx
C:\Windows\system\IsWCUGA.exe | upx
behavioral1/memory/2552-72-0x000000013F810000-0x000000013FB64000-memory.dmp | upx
C:\Windows\system\bvFXWpt.exe | upx
behavioral1/memory/2228-66-0x000000013FDB0000-0x0000000140104000-memory.dmp | upx
behavioral1/memory/1704-64-0x000000013F690000-0x000000013F9E4000-memory.dmp | upx
behavioral1/memory/2756-51-0x000000013F9E0000-0x000000013FD34000-memory.dmp | upx
C:\Windows\system\bRuPPpf.exe | upx
behavioral1/memory/1780-48-0x000000013FDF0000-0x0000000140144000-memory.dmp | upx
behavioral1/memory/2468-56-0x000000013F030000-0x000000013F384000-memory.dmp | upx
C:\Windows\system\diBDrhz.exe | upx
C:\Windows\system\phYEEAb.exe | upx
behavioral1/memory/2176-41-0x000000013F4E0000-0x000000013F834000-memory.dmp | upx
behavioral1/memory/2648-23-0x000000013F830000-0x000000013FB84000-memory.dmp | upx
behavioral1/memory/2468-141-0x000000013F030000-0x000000013F384000-memory.dmp | upx
behavioral1/memory/2228-143-0x000000013FDB0000-0x0000000140104000-memory.dmp | upx
behavioral1/memory/2552-145-0x000000013F810000-0x000000013FB64000-memory.dmp | upx
behavioral1/memory/2940-146-0x000000013F800000-0x000000013FB54000-memory.dmp | upx
behavioral1/memory/1668-148-0x000000013FE70000-0x00000001401C4000-memory.dmp | upx
behavioral1/memory/2560-149-0x000000013F760000-0x000000013FAB4000-memory.dmp | upx
behavioral1/memory/2812-150-0x000000013F2C0000-0x000000013F614000-memory.dmp | upx
behavioral1/memory/1780-152-0x000000013FDF0000-0x0000000140144000-memory.dmp | upx
behavioral1/memory/2648-154-0x000000013F830000-0x000000013FB84000-memory.dmp | upx
behavioral1/memory/1704-153-0x000000013F690000-0x000000013F9E4000-memory.dmp | upx
behavioral1/memory/2868-155-0x000000013F9D0000-0x000000013FD24000-memory.dmp | upx
behavioral1/memory/3032-156-0x000000013F830000-0x000000013FB84000-memory.dmp | upx
behavioral1/memory/3024-157-0x000000013F4F0000-0x000000013F844000-memory.dmp | upx
behavioral1/memory/2756-159-0x000000013F9E0000-0x000000013FD34000-memory.dmp | upx
behavioral1/memory/2468-158-0x000000013F030000-0x000000013F384000-memory.dmp | upx
behavioral1/memory/2228-160-0x000000013FDB0000-0x0000000140104000-memory.dmp | upx
behavioral1/memory/2552-161-0x000000013F810000-0x000000013FB64000-memory.dmp | upx
behavioral1/memory/2940-162-0x000000013F800000-0x000000013FB54000-memory.dmp | upx
behavioral1/memory/1668-163-0x000000013FE70000-0x00000001401C4000-memory.dmp | upx
behavioral1/memory/2560-165-0x000000013F760000-0x000000013FAB4000-memory.dmp | upx
-
Drops file in Windows directory (21 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System\hRgCHIi.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\dlBLvsy.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\RqyeXLY.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\iscjGGR.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\bvFXWpt.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\xCIkquB.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\tUVSrsK.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\AtGKlQa.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\tgDTONA.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\fjzPiXT.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\diBDrhz.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\bRuPPpf.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ZYktjwb.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ZmpHGwy.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\IsWCUGA.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\iDDcGHa.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ropVOqb.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\dplpwIn.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\sQPsBQz.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\LdJjERU.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\phYEEAb.exe | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
-
Suspicious use of WriteProcessMemory (63 IoCs)
Processes:
description | pid | process | target process
PID 2176 wrote to memory of 1780 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ZmpHGwy.exe
PID 2176 wrote to memory of 1780 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ZmpHGwy.exe
PID 2176 wrote to memory of 1780 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ZmpHGwy.exe
PID 2176 wrote to memory of 1704 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | tUVSrsK.exe
PID 2176 wrote to memory of 1704 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | tUVSrsK.exe
PID 2176 wrote to memory of 1704 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | tUVSrsK.exe
PID 2176 wrote to memory of 2648 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | hRgCHIi.exe
PID 2176 wrote to memory of 2648 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | hRgCHIi.exe
PID 2176 wrote to memory of 2648 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | hRgCHIi.exe
PID 2176 wrote to memory of 2868 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | dlBLvsy.exe
PID 2176 wrote to memory of 2868 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | dlBLvsy.exe
PID 2176 wrote to memory of 2868 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | dlBLvsy.exe
PID 2176 wrote to memory of 3032 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | phYEEAb.exe
PID 2176 wrote to memory of 3032 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | phYEEAb.exe
PID 2176 wrote to memory of 3032 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | phYEEAb.exe
PID 2176 wrote to memory of 3024 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | RqyeXLY.exe
PID 2176 wrote to memory of 3024 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | RqyeXLY.exe
PID 2176 wrote to memory of 3024 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | RqyeXLY.exe
PID 2176 wrote to memory of 2756 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | bRuPPpf.exe
PID 2176 wrote to memory of 2756 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | bRuPPpf.exe
PID 2176 wrote to memory of 2756 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | bRuPPpf.exe
PID 2176 wrote to memory of 2468 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | diBDrhz.exe
PID 2176 wrote to memory of 2468 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | diBDrhz.exe
PID 2176 wrote to memory of 2468 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | diBDrhz.exe
PID 2176 wrote to memory of 2228 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | iscjGGR.exe
PID 2176 wrote to memory of 2228 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | iscjGGR.exe
PID 2176 wrote to memory of 2228 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | iscjGGR.exe
PID 2176 wrote to memory of 2552 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | bvFXWpt.exe
PID 2176 wrote to memory of 2552 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | bvFXWpt.exe
PID 2176 wrote to memory of 2552 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | bvFXWpt.exe
PID 2176 wrote to memory of 2940 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | IsWCUGA.exe
PID 2176 wrote to memory of 2940 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | IsWCUGA.exe
PID 2176 wrote to memory of 2940 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | IsWCUGA.exe
PID 2176 wrote to memory of 1668 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | iDDcGHa.exe
PID 2176 wrote to memory of 1668 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | iDDcGHa.exe
PID 2176 wrote to memory of 1668 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | iDDcGHa.exe
PID 2176 wrote to memory of 2560 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | xCIkquB.exe
PID 2176 wrote to memory of 2560 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | xCIkquB.exe
PID 2176 wrote to memory of 2560 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | xCIkquB.exe
PID 2176 wrote to memory of 2812 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ropVOqb.exe
PID 2176 wrote to memory of 2812 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ropVOqb.exe
PID 2176 wrote to memory of 2812 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ropVOqb.exe
PID 2176 wrote to memory of 268 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | dplpwIn.exe
PID 2176 wrote to memory of 268 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | dplpwIn.exe
PID 2176 wrote to memory of 268 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | dplpwIn.exe
PID 2176 wrote to memory of 1924 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | sQPsBQz.exe
PID 2176 wrote to memory of 1924 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | sQPsBQz.exe
PID 2176 wrote to memory of 1924 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | sQPsBQz.exe
PID 2176 wrote to memory of 568 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | LdJjERU.exe
PID 2176 wrote to memory of 568 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | LdJjERU.exe
PID 2176 wrote to memory of 568 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | LdJjERU.exe
PID 2176 wrote to memory of 556 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | AtGKlQa.exe
PID 2176 wrote to memory of 556 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | AtGKlQa.exe
PID 2176 wrote to memory of 556 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | AtGKlQa.exe
PID 2176 wrote to memory of 2988 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | tgDTONA.exe
PID 2176 wrote to memory of 2988 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | tgDTONA.exe
PID 2176 wrote to memory of 2988 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | tgDTONA.exe
PID 2176 wrote to memory of 1512 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | fjzPiXT.exe
PID 2176 wrote to memory of 1512 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | fjzPiXT.exe
PID 2176 wrote to memory of 1512 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | fjzPiXT.exe
PID 2176 wrote to memory of 304 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ZYktjwb.exe
PID 2176 wrote to memory of 304 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ZYktjwb.exe
PID 2176 wrote to memory of 304 | 2176 | 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | ZYktjwb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
    C:\Windows\System\ZmpHGwy.exe
      Command line: C:\Windows\System\ZmpHGwy.exe
      - Executes dropped EXE
      PID:1780
    C:\Windows\System\tUVSrsK.exe
      Command line: C:\Windows\System\tUVSrsK.exe
      - Executes dropped EXE
      PID:1704
    C:\Windows\System\hRgCHIi.exe
      Command line: C:\Windows\System\hRgCHIi.exe
      - Executes dropped EXE
      PID:2648
    C:\Windows\System\dlBLvsy.exe
      Command line: C:\Windows\System\dlBLvsy.exe
      - Executes dropped EXE
      PID:2868
    C:\Windows\System\phYEEAb.exe
      Command line: C:\Windows\System\phYEEAb.exe
      - Executes dropped EXE
      PID:3032
    C:\Windows\System\RqyeXLY.exe
      Command line: C:\Windows\System\RqyeXLY.exe
      - Executes dropped EXE
      PID:3024
    C:\Windows\System\bRuPPpf.exe
      Command line: C:\Windows\System\bRuPPpf.exe
      - Executes dropped EXE
      PID:2756
    C:\Windows\System\diBDrhz.exe
      Command line: C:\Windows\System\diBDrhz.exe
      - Executes dropped EXE
      PID:2468
    C:\Windows\System\iscjGGR.exe
      Command line: C:\Windows\System\iscjGGR.exe
      - Executes dropped EXE
      PID:2228
    C:\Windows\System\bvFXWpt.exe
      Command line: C:\Windows\System\bvFXWpt.exe
      - Executes dropped EXE
      PID:2552
    C:\Windows\System\IsWCUGA.exe
      Command line: C:\Windows\System\IsWCUGA.exe
      - Executes dropped EXE
      PID:2940
    C:\Windows\System\iDDcGHa.exe
      Command line: C:\Windows\System\iDDcGHa.exe
      - Executes dropped EXE
      PID:1668
    C:\Windows\System\xCIkquB.exe
      Command line: C:\Windows\System\xCIkquB.exe
      - Executes dropped EXE
      PID:2560
    C:\Windows\System\ropVOqb.exe
      Command line: C:\Windows\System\ropVOqb.exe
      - Executes dropped EXE
      PID:2812
    C:\Windows\System\dplpwIn.exe
      Command line: C:\Windows\System\dplpwIn.exe
      - Executes dropped EXE
      PID:268
    C:\Windows\System\sQPsBQz.exe
      Command line: C:\Windows\System\sQPsBQz.exe
      - Executes dropped EXE
      PID:1924
    C:\Windows\System\LdJjERU.exe
      Command line: C:\Windows\System\LdJjERU.exe
      - Executes dropped EXE
      PID:568
    C:\Windows\System\AtGKlQa.exe
      Command line: C:\Windows\System\AtGKlQa.exe
      - Executes dropped EXE
      PID:556
    C:\Windows\System\tgDTONA.exe
      Command line: C:\Windows\System\tgDTONA.exe
      - Executes dropped EXE
      PID:2988
    C:\Windows\System\fjzPiXT.exe
      Command line: C:\Windows\System\fjzPiXT.exe
      - Executes dropped EXE
      PID:1512
    C:\Windows\System\ZYktjwb.exe
      Command line: C:\Windows\System\ZYktjwb.exe
      - Executes dropped EXE
      PID:304
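An added example, not part of the sandbox report: a short Python script that parses the report's process listing and its "wrote to memory" records, rebuilds parent/child relations from the listing's nesting depth, collapses the triplicate WriteProcessMemory records into one count per child, and flags the drop-and-execute fan-out seen here (one executable in %TEMP% launching many freshly dropped EXEs from C:\Windows\System). The PROCESSES and EVENTS excerpts embedded below are constructed from this page's own entries, abbreviated to six processes; the min_children threshold and the function names are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's process listing (6 of its 22 processes):
# (pid, nesting depth in the tree, image path, behaviour tags).
PROCESSES = [
    (2176, 1, r"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe",
     ("Loads dropped DLL", "Drops file in Windows directory",
      "Suspicious use of AdjustPrivilegeToken", "Suspicious use of WriteProcessMemory")),
    (1924, 2, r"C:\Windows\System\sQPsBQz.exe", ("Executes dropped EXE",)),
    (568, 2, r"C:\Windows\System\LdJjERU.exe", ("Executes dropped EXE",)),
    (556, 2, r"C:\Windows\System\AtGKlQa.exe", ("Executes dropped EXE",)),
    (2988, 2, r"C:\Windows\System\tgDTONA.exe", ("Executes dropped EXE",)),
    (304, 2, r"C:\Windows\System\ZYktjwb.exe", ("Executes dropped EXE",)),
]

# Constructed excerpt of the report's WriteProcessMemory records, in the report's
# own "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" format.
# Each child is listed three times, exactly as the report shows it.
EVENTS = """\
PID 2176 wrote to memory of 568 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe LdJjERU.exe
PID 2176 wrote to memory of 568 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe LdJjERU.exe
PID 2176 wrote to memory of 568 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe LdJjERU.exe
PID 2176 wrote to memory of 556 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe AtGKlQa.exe
PID 2176 wrote to memory of 556 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe AtGKlQa.exe
PID 2176 wrote to memory of 556 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe AtGKlQa.exe
PID 2176 wrote to memory of 2988 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe tgDTONA.exe
PID 2176 wrote to memory of 2988 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe tgDTONA.exe
PID 2176 wrote to memory of 2988 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe tgDTONA.exe
PID 2176 wrote to memory of 304 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe ZYktjwb.exe
PID 2176 wrote to memory of 304 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe ZYktjwb.exe
PID 2176 wrote to memory of 304 2176 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe ZYktjwb.exe
"""

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")


def parse_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per record; lines that do
    not match are skipped, since extracted reports can start mid-record."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def build_tree(processes):
    """Map pid -> parent pid from listing order and nesting depth: a process at
    depth d is a child of the most recently listed process at depth d-1."""
    parent, last_at_depth = {}, {}
    for pid, depth, _path, _tags in processes:
        parent[pid] = last_at_depth.get(depth - 1)
        last_at_depth[depth] = pid
    return parent


def write_targets(events):
    """Collapse the repeated records into one count per (src_pid, dst_pid)."""
    counts = defaultdict(int)
    for src, dst, _src_image, _dst_image in events:
        counts[(src, dst)] += 1
    return dict(counts)


def drop_and_execute_fanout(processes, events, min_children=5):
    """Flag a parent that launches at least min_children dropped executables
    (threshold is an assumption) and report which of them it also wrote into."""
    parent_of = build_tree(processes)
    image = {pid: path for pid, _depth, path, _tags in processes}
    tags = {pid: set(t) for pid, _depth, _path, t in processes}
    counts = write_targets(events)
    findings = {}
    for pid in image:
        children = [c for c, p in parent_of.items() if p == pid]
        dropped = [c for c in children if "Executes dropped EXE" in tags[c]]
        if len(dropped) < min_children:
            continue
        written = sorted(c for c in dropped if (pid, c) in counts)
        findings[pid] = {
            "children": len(children),
            "dropped_children": len(dropped),
            "drop_dirs": sorted({image[c].rsplit("\\", 1)[0].lower() for c in dropped}),
            "children_written_to": written,
            "write_records": sum(counts[(pid, c)] for c in written),
        }
    return findings


if __name__ == "__main__":
    for pid, finding in drop_and_execute_fanout(PROCESSES, parse_events(EVENTS)).items():
        print(pid, finding)
```

The three records per child are counted but collapsed on purpose: a parent writing into a child it has just started is commonly recorded for ordinary process creation as well, so the write count on its own is a weak signal. What is specific to this sample is the fan-out that the script surfaces: one executable in the user's Temp directory launching a long run of randomly named, freshly dropped EXEs from C:\Windows\System, each of which the parent also wrote into.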
Downloads
-
Filesize
5.9MB
MD5
f10f9781909f4c7a37617576f2ebaa69
SHA1
821802e1bea0bc577d1d174fd88e688f1bcbb612
SHA256
5d4610dd1f6569524a45a012370518f87aecc59c698bbbf5aaf0da35d80c889b
SHA512
fe13574f419cc08cc1e3419928e42cf6595035861153c50acae727224ac9db07b3f86e92caa45e241c7ce16e5dbf0f8305b07ddf4d91cee2cee7c1f74ba59d77
-
Filesize
5.9MB
MD5
ec71120cbfc10f49093095afb1a71850
SHA1
2e7b767cfdf5680daf1331945a680cb14ba5a0b8
SHA256
dcfec9b120f1f32a75fc814e267c70f7ca8b01b9f267d01d3f71cfbcffa5c41f
SHA512
27deb70c8a1b17af351ac9f62d1f7e48d755db1b84033e538510c4d9cb66084071c2aa44b8bf6c4920c791a5f7978f2855c839b4e29c91e956d232cec91b861f
-
Filesize
5.9MB
MD5
dfb22040632befc536fb4b04910902d5
SHA1
4ea6d476c6b0e142b11e9e79dd34d05453213d6a
SHA256
1edfd6e700302e26c236ff80db3648fcf56128e1b73645a45d3d54cc88975155
SHA512
6a89a2952f3e2efaf24354c962b535264af510af0d953538d3ca0137ca22ab3cf9de14d7415c6c5c06fb9b75b3ebc08e210ef00dc727a8b2a1f621f9e155e9c7
-
Filesize
5.9MB
MD5
fad07c7a375cc77c8bad2ea403df7368
SHA1
8200f7b45ecaed3456453756d4786a31808f3cfd
SHA256
848657e546ac40e70071a28e39a41e9f0cee0588a6bdcdef5b8fb03d5de4f894
SHA512
d89f63fb6b3890d9d0d0450493738c1a7fd582703900f09647482ca9fef7f0381cd65a49803cbe6b29cf051716ac782e278d093757a86d15a4e9b25cc419cbe6
-
Filesize
5.9MB
MD5
ec1a7c97e4c3824076d540df8370d463
SHA1
9ec960dbb5806a59972d49b98b1c58ab6d05f01c
SHA256
29602631921766b0dee9a973fcea361b3f66055e96fad3f87a9474961e4f2ab9
SHA512
e37a1bf7b6029f2fa8be28c6e6bc3be6feb1097f920fc96a024da545a5264632ae2d727cfe955e42e9d23fbbde15a45f95471c6a267570d76dc4d64fd578a606
-
Filesize
5.9MB
MD5
519d83a9330bf4ba505d6cef7e259d32
SHA1
aa1d27b13a1e3662f724940c177c64e658abf9f8
SHA256
7c542484d7a766d139eb82df8ecea5614727e330f89544ea62dd33441271419f
SHA512
7f35379ae8bf1b0f7cf4d14f0337ebf20af490ab06033db2a035722da0c16a15310dd1db95b420094ff42e3711918aa754eb8d3356be17378c9e3be05141a8f8
-
Filesize
5.9MB
MD5
20125ec96db5ec18235046e0dbbbe96e
SHA1
5282f4680dfb0e5699231115c94f970fff3e4b4e
SHA256
365d612cbbeaab6443093ee20a266e347c7087062e39e654176d646a434e8469
SHA512
96106d81988fff93baee58964df68c706d693c4cce7463e438271d6fdfb5a9cd698e088093f2e0239794b513a5cd424d6ab9fa7ab37bab666adbfc8324b2086c
-
Filesize
5.9MB
MD5
40f2e1cbf0aaee4b63729f29181c69c9
SHA1
98c1949489e6136a4076aad17b21d7a117fa8bb6
SHA256
5960a9b38b19e11da49dd1684aaa8e5425df5cddb2f4cd960f0f061ba3637527
SHA512
75ba53fe069f442d35bf37fbac92ebe6b57a72f2dac6ab1cd71a4d54018f61093d8d3918c835b142cd9f8ad2db837c43150b715f307027c3662597262d8a311b
-
Filesize
5.9MB
MD5
d49a317c0f13c8cc2482a44c071a728d
SHA1
e65b30a32e2e0d31ea943b43de9dec0bd5d0b2b8
SHA256
a996f588f60b17ed209bb26f398d18d16fd5d4861b95819a72d8b6f9ea63c21c
SHA512
f5d1d365b2deb9bab04465062453a363b70b75dd137dcfa8f9ede0d8b352d0bd1f2608f9c7c4fd2f7c0b1f7fd060be35fad579dd581fd5092aa8cc6310fca46f
-
Filesize
5.9MB
MD5
6382b8d80701be693179837316888184
SHA1
4e81e1e65504fb9cb078830f42ca28222182ea10
SHA256
bc22484f396ed8e830eccdb571fc9d169571f489f06093a6a572b90a87a32ca0
SHA512
d46b0b3583ae584e29f68d0a3b60c4dcb9733abb60c5dae627864d03f3b3a9dbd9878d01d3746752c353e865573fcab5e13a8eabac9b76189a051a55b62ff54d
-
Filesize
5.9MB
MD5
9360c7aa91d330680ed2ff744139e9c6
SHA1
a05cb03b5b5eef3e929e2247c7408ecd9cc37ccd
SHA256
eb06f91068c3c0ad1116cf697a1f2a093d0fc53e89c7997503372fd56083c59c
SHA512
e0bdebbe9746bafaa6ad958bf1d32123ddc51d063a4b47e9234a7044e34eda44ad7cc8938a1383d46800cfbd2be8ecd97d57c903beba9e1d1c7b019329163134
-
Filesize
5.9MB
MD5
0902836f90a08627f4485ee213b45737
SHA1
03a05adfd86b3f5b1b731698dcf17c48c12f88a0
SHA256
8b8e14e9e2feacfb1186a1a678c36c51b7775f196673848c80ff25f5e81fd1d6
SHA512
73ad38c2513db92afd7aa55d00043a1349f188d7a0f5c155c09a75801fe5ffff69a5fe14203e10b88b989f8425ec94d445aca6ece7b1d65d828232f2a289d631
-
Filesize
5.9MB
MD5
49eac8a46ed93a4a81bb7ff95a186c47
SHA1
55e40c0b686b1b1a715178ae90e6bce4e20cca6d
SHA256
9f9fbe481f3ba8a1a7d4e318e84b6d7b7714e50db7f0a040ef85a9db3a78a741
SHA512
3ac6c36b1d5c9b1daecc547e7f7f776558fc9dda88ea1affd9b114cb65b42b43e6e3ea3f97ec9aea6908a087fef4cc8d2af03c7982550005d291ac9af9c3ebe4
-
Filesize
5.9MB
MD5
0e4a4a3a1c884eb44bde038e9dba5c47
SHA1
dc9f41cb1f02dea88be3f46036b932d4ee6719c9
SHA256
acc75072333b77bc829b9863eab7d01c443d0a88906f738da547dacb54e5f19c
SHA512
f98fa2534afde5372a4c90a8683f5bfc630305c910305b20c74eb84dd10c45141817d079660c9102aff7872676a1aa54cdcac760afc99e0eb89e0d76c716c2ff
-
Filesize
5.9MB
MD5
7f137236dd2cc1e0ac3fb43e16d8232a
SHA1
d5ec712c50813d1ee7fbadaaa492af94e0802c98
SHA256
cc672fa6f5ca39338d4d9a306502b6c69a9b7ee1fc20600ce8af1121304df47e
SHA512
4a10ea7be4dc0944456ecd29d17f5147ee57c2564b20bdd3030e880da74cea86c36edd64c09d19112b99f776aeed1f4811c2ca08a67dec8cd44bf608a382f287
-
Filesize
5.9MB
MD5
2640ca0daf45c349ec3ea1b5c8a09b62
SHA1
010621664bb654656f91df9b0c62b87159fd2950
SHA256
4a68470d740853dbba0cdfa3c3bf0fc165e3d11570707f075170bb53cf51de54
SHA512
67ba07bd7f82ac1f072114a412f7e1f17313e88d74a281be4cfb47f4cd8d9d9752adf715acf34829709c496d7696507ffdb29a98426008e473a7e5f9e0ac84fe
-
Filesize
5.9MB
MD5
f2749639e9f6aa9d14ed594aaf791ffc
SHA1
78998bf19c8194dd06c821829f663f3d00872ed4
SHA256
cfda5bff0da088ffa8b3924936233207e04777eb1fc8d5b5ae2af274bef35303
SHA512
3b6198a3d362fc2b1bda143d85b6f1f066040fdf56945c7052225ca58827f55ee0ecd72de8d0ff461575becefd447eef022f6947d0dc6ac1673d6a66a87b3bff
-
Filesize
5.9MB
MD5
743c7a20f2416269c3c8d975e4f19d3c
SHA1
ec03184ed7d21e18ad8febd61a391967dd7c43fa
SHA256
5268a9f9c3d42bc7a82775797a6ec28c7588a17d79fc51326d6588568564e10a
SHA512
b1cd99523c5be9a534c9ef28e57b8e1e140d71839b403f162bfe939de2f7f0ebf35a9df380b91846f3d2e9d464027806147a61b7c336973bd2a0e93c87567250
-
Filesize
5.9MB
MD5
d3837ca3413f4d20dc77c300ad94bf7b
SHA1
5edb0290bb49eebe78382797deb751c35ada0f2e
SHA256
b8684428e6d0602a5a0ae01f4fefbc058e0f7a274b072f4dc06fc74bb2bee322
SHA512
0a6886de3310457e99409e144bd9702c17e905523c9c76ffbcf077d1d2be8a48d5cfb28a7a54919d7bbe79362504be1bbdc3b2d22c40e1842cd31b89fd9fa46a
-
Filesize
5.9MB
MD5
982deaa5f753f2aa854a6b24f6843ebd
SHA1
c4357138a2a2e93c00b9f0122b640f5d62aa7d02
SHA256
59f11b6174d1be66f957966490a9bb2e2cc152635550700b00af068e7c9687d9
SHA512
204545fb205f71d818e8654fd1938da6c1befd083a54547bbb9bc1b0a192fd9c3323a38c4a2252ac1f9a85a52f34b4df689614fd18b1bd6eb5648737455dee3e
-
Filesize
5.9MB
MD5
8b592ebc427ce6b4826fa180a69cff56
SHA1
acfc770de548ae9c41e951ebf8abf5982f9294d6
SHA256
81a46b1e4dd2171ddec998b02bdfd73ebdac717ca7fd10ee232b057422b63dfd
SHA512
8643954ce51286995297408025887a21e022256d16986e79cc5da9d8bfa1a3d6a134715963c7034b704067d4d6faac5b6f2e0c5f8fc35e4eb33d354c717e50f8