Analysis
- max time kernel: 125s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 10:55

Behavioral task: behavioral1
- Sample: 2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240221-en

General
- Target: 2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: 8caad0840acab799cfe6dfb9e5812b4d
- SHA1: 125f48606208c212b1206b60a637c6b5c7bfc6b0
- SHA256: 2df4d1207fada40a7ffad4aadcc125e32b53c9d7227362c8e9c2df1fe5800574
- SHA512: bfb67d62cd0ecd2c86b2b888fda6be570569e64336cf7a9251aed0cfc817613a7f782b821d396722cef4b51d540e38ac62eeb40e9ba02cf7d32144f80fb59549
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUX:Q+856utgpPF8u/7X
Malware Config
Extracted: cobaltstrike 0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Detects Reflective DLL injection artifacts 21 IoCs
UPX dump on OEP (original entry point) 61 IoCs
XMRig Miner payload 64 IoCs
Executes dropped EXE 21 IoCs
Loads dropped DLL 21 IoCs
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- PID 1412 (2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe): Token SeLockMemoryPrivilege
- PID 1412 (2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe): Token SeLockMemoryPrivilege
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_8caad0840acab799cfe6dfb9e5812b4d_cobalt-strike_cobaltstrike.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
  C:\Windows\System\OvXmhpr.exe
  Command line: C:\Windows\System\OvXmhpr.exe
  - Executes dropped EXE
  PID:2204
  C:\Windows\System\CRxoaFL.exe
  Command line: C:\Windows\System\CRxoaFL.exe
  - Executes dropped EXE
  PID:2812
  C:\Windows\System\CZbrKaJ.exe
  Command line: C:\Windows\System\CZbrKaJ.exe
  - Executes dropped EXE
  PID:2884
  C:\Windows\System\TUjvsmz.exe
  Command line: C:\Windows\System\TUjvsmz.exe
  - Executes dropped EXE
  PID:2464
  C:\Windows\System\cqXJusk.exe
  Command line: C:\Windows\System\cqXJusk.exe
  - Executes dropped EXE
  PID:2952
  C:\Windows\System\eiqSDIu.exe
  Command line: C:\Windows\System\eiqSDIu.exe
  - Executes dropped EXE
  PID:2896
  C:\Windows\System\fXEoEBJ.exe
  Command line: C:\Windows\System\fXEoEBJ.exe
  - Executes dropped EXE
  PID:2600
  C:\Windows\System\PgTRvjW.exe
  Command line: C:\Windows\System\PgTRvjW.exe
  - Executes dropped EXE
  PID:2772
  C:\Windows\System\KfqfpOc.exe
  Command line: C:\Windows\System\KfqfpOc.exe
  - Executes dropped EXE
  PID:2616
  C:\Windows\System\INRCsTh.exe
  Command line: C:\Windows\System\INRCsTh.exe
  - Executes dropped EXE
  PID:2620
  C:\Windows\System\AlqlEaR.exe
  Command line: C:\Windows\System\AlqlEaR.exe
  - Executes dropped EXE
  PID:2404
  C:\Windows\System\rhsBbqo.exe
  Command line: C:\Windows\System\rhsBbqo.exe
  - Executes dropped EXE
  PID:2556
  C:\Windows\System\yfbLJoO.exe
  Command line: C:\Windows\System\yfbLJoO.exe
  - Executes dropped EXE
  PID:2576
  C:\Windows\System\voiihyW.exe
  Command line: C:\Windows\System\voiihyW.exe
  - Executes dropped EXE
  PID:2856
  C:\Windows\System\grcrHtm.exe
  Command line: C:\Windows\System\grcrHtm.exe
  - Executes dropped EXE
  PID:1020
  C:\Windows\System\jvZQYrD.exe
  Command line: C:\Windows\System\jvZQYrD.exe
  - Executes dropped EXE
  PID:604
  C:\Windows\System\drdFtTG.exe
  Command line: C:\Windows\System\drdFtTG.exe
  - Executes dropped EXE
  PID:2148
  C:\Windows\System\mCdjUTk.exe
  Command line: C:\Windows\System\mCdjUTk.exe
  - Executes dropped EXE
  PID:1892
  C:\Windows\System\rYSVvzs.exe
  Command line: C:\Windows\System\rYSVvzs.exe
  - Executes dropped EXE
  PID:1196
  C:\Windows\System\BkDawcq.exe
  Command line: C:\Windows\System\BkDawcq.exe
  - Executes dropped EXE
  PID:2280
  C:\Windows\System\GCNDGwx.exe
  Command line: C:\Windows\System\GCNDGwx.exe
  - Executes dropped EXE
  PID:2284
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.9MB
MD5
a49cfd3a0cfdc332e98c1ead234234e5
SHA1
3f7054ce5a14caa31bef0164ab1045824310aa1d
SHA256
894b5a2ddc9d0480ccc01d097ddaea1d70cec81173eeee8f6e9ba06877c7891d
SHA512
fd9ead27ab1df5b515637bbfc508bfe36303c75c06d204d95f2aafe86ea8e588e74b687a73cb3d965598dccfc2ff7444755fe37ecb61802bc717d90c250ac07c
-
Filesize
5.9MB
MD5
5b0ed9c91e5b836bc347412d70750200
SHA1
ed0d3e931c5edcc4f03a7d9a5aef81eeeaa7f077
SHA256
cddd879fa1a968f4e2efe4a53c23496b4aa1741acf8c20fdaaab1bec7c72451a
SHA512
7ef95b3202e02bb82c22b4db0532d3ac02f591da3f8afc92bf6e2ca53838216b55c7f98ab5f3bdd32942c1774a0efb587cb737f115664e1583e2a1e950485f98
-
Filesize
5.9MB
MD5
c0de85e2248bc547d98022faa3d4b0e5
SHA1
2ce13abb32a9494ddc45bfd93bd397a3fb99b614
SHA256
e7fba8a79adcee0db38fd72361cc854b1aa78934a5ce3b2aac30d5c8d22cab74
SHA512
15038e11a8e192f09315e3ed94bac210debceb80def488aae383cf3c4105c31ccb4317dd2b0d2e899c963414c45ae3874e7a63d8fdc94121826166a82109814c
-
Filesize
5.9MB
MD5
fe3c6e8be76005c1def20a17eecbe629
SHA1
acabab3a607cb98f9d02a05b7c49b90114fb7f0c
SHA256
80a504b3be380f8523ea3d8123aff9ec6b0980f2c06b1df94f2c2633abb40165
SHA512
e4f0ddcc7a729d78bcb9869570931aec6b7e77991382b03c77b49f5b29ad64e5438c9a4d4d3523ca44eb9928930ec18c4ec67a06460374c42598157784ec4054
-
Filesize
5.9MB
MD5
1c38ebc0b657edee6e470908a29323f5
SHA1
effc3b6095f5fd56ca6c426ff4458e0af57fa36b
SHA256
c226b6c6440d30f469deace3ee1988233bb356f8955efccb123f3a55f9b547c6
SHA512
107524ebb5c0033b49c2709465e4a6e2fc5f18b436eba3caac497ab299e432e62962f0911bd52a4f9fe16b408cf5bda2caadc9ada48c6d11b666f954c1d95697
-
Filesize
5.9MB
MD5
ae01b604f1e7cde70c5eebbc5c4738a7
SHA1
a62ee48c03056f5ee4c02be1567d73b881f947be
SHA256
279566450106fbd1a94feda9b5b6f18d7fc3a7d530786f39e2ab23b201da906f
SHA512
0e31dfc3f830e107c4410472918229b7779e985b0053393db1c693612289bc545d0f7102eeef19391b1aee4988b1ddaac565a98d68b9e51579c8242b6c2ea997
-
Filesize
5.9MB
MD5
767bc3cf02b9a4437e2624a9a7d50a90
SHA1
4002540378662709a7efcbec96496b4806ab6e26
SHA256
3218ad760840d8b120ba2b356331c3bdb1669bc1efc2b875d364bf766ba0aca9
SHA512
b294775df66da2a22c26c956e59d689596d75dd600148a7d7b81a2f11e9dcce54c2b22485e99cb40af28bcdeb4aa51872e99dcdcdb98827d390faa7aa7ac3504
-
Filesize
5.9MB
MD5
ac8f99bcc10ae6225b78f8cf14303cc3
SHA1
7c4f9dfea109a8c23bb339a11cebf328e1bed3c7
SHA256
d4acb18b624a221f882af4dfc3563fe8a6e9293ff2d4d24397ec1be3be38fbfa
SHA512
a041459e70f8abcc3f246523d167f598f4c903641cd188d5a73e1278e754782228f28127c7185175418aed4eb0a7b5c3c05fa3fb6d5d50049588718263ab6c3e
-
Filesize
5.9MB
MD5
a553ec7ab38bbd1abf397fb047eeba17
SHA1
551f4ed9e84ad8341d24d6e15f733beb806bc7e8
SHA256
1fe4a9e4804d57da29624f371239ae214ceb40858b9eb343a7643546fe7a934b
SHA512
d085ee80c01f712c653d18bd9e4b09d2ed79b764fea67b6d45e0f525c50001c3adb026ce0aea758ed1c25222f2b43b47e000dd72d14258042e0cfde6f40c11c0
-
Filesize
5.9MB
MD5
a00a24748da48dd6a7a1eb0d5d273585
SHA1
b3ca01f4214ca8ec4c9900fb0df2d3a4cf081bd9
SHA256
acf28d986e47570f7fdff5ee13991c6c55397f880a0c5aaed7e535515901ad47
SHA512
2cc7380e7e9e20b302446de7e6a5910de0e65472a6ed0ee00972a0b41e4a74ea93b87038470e45aa633cd5c784884fecd68ca146694d93d5bc7703369454554c
-
Filesize
5.9MB
MD5
3b827321aa9e5ed67528aca860c2a8b3
SHA1
7679531fe85d64cf67e8778f143a86fb931b5da2
SHA256
bfdca2fa2c4eefe0e685f7e2d9097ca4a78e8ec324ddf4e5d75a0148ab79825d
SHA512
c9326e19b493f09553a22175a386c49ed40aa391b2a603e357c6af82b42e8fe75c091345a4bdcc5eb19f0f923b7d87f14ce462b71c007e7caad9687a278492ed
-
Filesize
5.9MB
MD5
083693a7d2ea5a951a812c2454e70334
SHA1
0f5019ae92b5a6866839b24761ed56fc606a6dfd
SHA256
928e76bae14ea04437681999fb9666bf9ea622e163d684c9611cc7bda81d31e2
SHA512
3eab3964ae71296d8abcfaaf3503760c8b1d8d48d53f7f1155b85a4791d59e2420b1dcd5e14896c39bddfd019c64f85944d3c61caf6a19ad662f84d12bbf963e
-
Filesize
5.9MB
MD5
ff3de1d087afe6e0d5e5c4e6e5088586
SHA1
af5154b7a8dbc99410c8dbeb95b8fc9d84a35899
SHA256
5d7dc3d35cc066a37f40bdd0b5187388522c6012b9f13afeb3f1f26590b3a884
SHA512
ea36130d3d8023e69eb4794738b56ac7205058d17659522eb193c33f868aa17623bb90eba1912a756a98f7e98a3d676ab97a5fa7ba420e0fd1937b7cc6c1a47b
-
Filesize
5.9MB
MD5
ce44f5ac688a7428a39434df7da8e668
SHA1
82f6ce58a73198dd256f46057a709e4f3bccc63c
SHA256
9839bf59d52cd0272c24d949bcc6c8baafe4164c02abade613a804d738afbd08
SHA512
3e66336c67fc67352437ce9930ebcb8f7c29608041545225c31f72431f9d433e6e0bb557d7c61371d371a957b2e63eb53a4e0e873a6f19c7f7cf3cb478564dad
-
Filesize
5.9MB
MD5
35ea136d4b9d82e3516b3f238c7fbacd
SHA1
0a0aa2f4c242a8389436650cf35a303eb7a66c1b
SHA256
20f32631ee8f7147f1ecf99e6e25e60648a6fdd9b0807a8f20bf09842c60c924
SHA512
11757d45bb7dc6384557548ba8b2d10c990b3e18776a6108f918fbfc2282beed72455d1bda7de634fb6838a4b0d421c72ba541e915c0b357eef2705e7e280a86
-
Filesize
5.9MB
MD5
04eafb1e1ba1d1727bac3b8161f39aad
SHA1
41c8f541cbeaa6d8ea66d99210bbed97f4b81c70
SHA256
d78216f68e623991b6fe09d7f51b5cf4a32e0ecb850831657df66edd5c15f1e5
SHA512
85d5c86ef70a8df456d72d298252d2c5d2f08431a0ec5f068a09e4cd432478a712ada47b5270d7df736cc6dee3b859137087576cfe9e12cf04b039e82093544c
-
Filesize
5.9MB
MD5
25f84d6328fef7c2621c5eb5156f0a2d
SHA1
2567e48d4cf57062911072bc4b8770f9a183fa53
SHA256
5831aecc1bc4d6c9447f119b81fafda76b22fd5ab29896a94b706d172d6861e7
SHA512
8b245d5c079311db7e50e454a211b8bda7613dde4e35ac9a2ddcdd69683da7e26b0e460144d731bfc370e11cd3945b56bae7e6dae8f7b4e82f36f4ec59db2b5f
-
Filesize
5.9MB
MD5
37fa8a9423a32dfad4eb24e6e0053bcd
SHA1
760039481d1ba1f7dbd1c62aeb4b3affbadce3d2
SHA256
3f26515c5c4cddf94fae2e787c6b788f41a724d04bbff9b32cdd1fda56ef8e8c
SHA512
73225c5fc6533be0500e74a27998ce36287cb6387b4d4f4039307fbadb4da81afd523308f0cf58fd2a4cd57a6c0563dd212035743cf4c4ed1d52a0e2f543c0c7
-
Filesize
5.9MB
MD5
4c88008f6a09a809b962435ca625d80b
SHA1
d25ce86922236f598c0e32263345a0f11275d6c3
SHA256
2429b5580baea3df7d4e6cd67bc7500017ff152582209e7600884d7ac376a11d
SHA512
b5151fa03a0c20f22e0c81d754f1dcf0583f6b7b61dbde53ba0985c070ad15a9efeb42039b5323fcfbf0c19ced03a30fba48b880d2e1e4927ed55aa2ba37f1ab
-
Filesize
5.9MB
MD5
59eecd6988ba2ca1260a163bfa129cd3
SHA1
7c833daa4cc7480e1f4ec3c351d54631c0ff3d61
SHA256
3fb38dfcd1e7f746aca25743df993af06aeef01e6244063698914937ec0218e5
SHA512
c36f834e70ea6d9b537412e22b997b4ef51a498217c463e96c41000c41c70521e144779b4be2312fbe2b09a4dc9ff751e9199604d4c2346e58208d9e8a51087a
-
Filesize
5.9MB
MD5
72987b61e2b94e4b24f7e4c3a7f23e43
SHA1
66a91fe5a649694f92a7a8b48526d06c732ccc1c
SHA256
8c8e7b225333d7c893edaf7222aa07f2d84007b47bf3bcf2a1e036c7ab441566
SHA512
d45e96a9bc753c6df142eab9a74c20ff0c599e46f170856fb61ccde8c04af628e591ca20dad49e77eb3368366c667c63ba8475a411ffc71cfa4397367f6141ca