Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 12:32

Behavioral task: behavioral1
- Sample: 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240221-en

General
- Target: 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: 576323a61567ad3b8c8e3b2c1291ebe6
- SHA1: 09b74863493f60b2f13f8c74df9be5fb2827959f
- SHA256: 6f6057c04cd85dfb29863ed15cd66d2a6100f782f112725f6bada081205bf223
- SHA512: bac1680c2ad3b48772a16feecc3f0cb1e98919f94717d33d88b269b9d25674f1737b80c32268ff9d24800c67d89107c8e63ca78a54e8242015f298988ef74cc6
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUV:Q+856utgpPF8u/7V
Malware Config
Extracted
- cobaltstrike
- 0
- C2 URLs:
  - http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes (resource; every entry matched yara_rule cobalt_reflective_dll):
- \Windows\system\WNPfmgp.exe
- \Windows\system\BsVBgbg.exe
- C:\Windows\system\NhQlQDM.exe
- C:\Windows\system\fQwrjUV.exe
- \Windows\system\tEkHrYg.exe
- C:\Windows\system\uUqupNF.exe
- \Windows\system\oCvrJZR.exe
- \Windows\system\bKnIcIL.exe
- \Windows\system\NnXnYLN.exe
- C:\Windows\system\FQwoNMK.exe
- C:\Windows\system\MEYimLq.exe
- C:\Windows\system\cIExyMK.exe
- \Windows\system\vfapkHh.exe
- \Windows\system\TsmUOCw.exe
- \Windows\system\qkruryb.exe
- \Windows\system\NauGehs.exe
- C:\Windows\system\XnGOrxn.exe
- \Windows\system\nooleCK.exe
- C:\Windows\system\AsswDPL.exe
- C:\Windows\system\bObNrGU.exe
- C:\Windows\system\ynFooWL.exe

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Detects Reflective DLL injection artifacts (21 IoCs)
Processes (resource; every entry matched yara_rule INDICATOR_SUSPICIOUS_ReflectiveLoader):
- \Windows\system\WNPfmgp.exe
- \Windows\system\BsVBgbg.exe
- C:\Windows\system\NhQlQDM.exe
- C:\Windows\system\fQwrjUV.exe
- \Windows\system\tEkHrYg.exe
- C:\Windows\system\uUqupNF.exe
- \Windows\system\oCvrJZR.exe
- \Windows\system\bKnIcIL.exe
- \Windows\system\NnXnYLN.exe
- C:\Windows\system\FQwoNMK.exe
- C:\Windows\system\MEYimLq.exe
- C:\Windows\system\cIExyMK.exe
- \Windows\system\vfapkHh.exe
- \Windows\system\TsmUOCw.exe
- \Windows\system\qkruryb.exe
- \Windows\system\NauGehs.exe
- C:\Windows\system\XnGOrxn.exe
- \Windows\system\nooleCK.exe
- C:\Windows\system\AsswDPL.exe
- C:\Windows\system\bObNrGU.exe
- C:\Windows\system\ynFooWL.exe
UPX dump on OEP (original entry point) (60 IoCs)
XMRig Miner payload (64 IoCs)
Executes dropped EXE (21 IoCs)
Processes (pid, process):
- 2228 WNPfmgp.exe
- 2236 BsVBgbg.exe
- 2824 NhQlQDM.exe
- 1704 fQwrjUV.exe
- 1744 tEkHrYg.exe
- 3000 uUqupNF.exe
- 2908 bKnIcIL.exe
- 2508 oCvrJZR.exe
- 2644 NnXnYLN.exe
- 2636 FQwoNMK.exe
- 2540 MEYimLq.exe
- 2480 cIExyMK.exe
- 2376 vfapkHh.exe
- 2848 TsmUOCw.exe
- 2356 qkruryb.exe
- 2864 ynFooWL.exe
- 2080 NauGehs.exe
- 1112 bObNrGU.exe
- 1292 XnGOrxn.exe
- 2180 AsswDPL.exe
- 2168 nooleCK.exe
Loads dropped DLL (21 IoCs)
Processes (pid, process; the report lists this same row 21 times):
- 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe
Drops file in Windows directory (21 IoCs)
Processes (description, ioc; the process in every row is 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe):
- File created C:\Windows\System\WNPfmgp.exe
- File created C:\Windows\System\BsVBgbg.exe
- File created C:\Windows\System\fQwrjUV.exe
- File created C:\Windows\System\tEkHrYg.exe
- File created C:\Windows\System\FQwoNMK.exe
- File created C:\Windows\System\TsmUOCw.exe
- File created C:\Windows\System\ynFooWL.exe
- File created C:\Windows\System\nooleCK.exe
- File created C:\Windows\System\bKnIcIL.exe
- File created C:\Windows\System\MEYimLq.exe
- File created C:\Windows\System\vfapkHh.exe
- File created C:\Windows\System\bObNrGU.exe
- File created C:\Windows\System\AsswDPL.exe
- File created C:\Windows\System\oCvrJZR.exe
- File created C:\Windows\System\NnXnYLN.exe
- File created C:\Windows\System\XnGOrxn.exe
- File created C:\Windows\System\NhQlQDM.exe
- File created C:\Windows\System\uUqupNF.exe
- File created C:\Windows\System\cIExyMK.exe
- File created C:\Windows\System\qkruryb.exe
- File created C:\Windows\System\NauGehs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeLockMemoryPrivilege 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe
- Token: SeLockMemoryPrivilege 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Processes (description, pid, process, target process). The source process in every row is 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe (PID 1152), and the report lists each of the rows below three times:
- PID 1152 wrote to memory of 2228 WNPfmgp.exe
- PID 1152 wrote to memory of 2236 BsVBgbg.exe
- PID 1152 wrote to memory of 2824 NhQlQDM.exe
- PID 1152 wrote to memory of 1704 fQwrjUV.exe
- PID 1152 wrote to memory of 1744 tEkHrYg.exe
- PID 1152 wrote to memory of 3000 uUqupNF.exe
- PID 1152 wrote to memory of 2908 bKnIcIL.exe
- PID 1152 wrote to memory of 2508 oCvrJZR.exe
- PID 1152 wrote to memory of 2644 NnXnYLN.exe
- PID 1152 wrote to memory of 2636 FQwoNMK.exe
- PID 1152 wrote to memory of 2540 MEYimLq.exe
- PID 1152 wrote to memory of 2480 cIExyMK.exe
- PID 1152 wrote to memory of 2376 vfapkHh.exe
- PID 1152 wrote to memory of 2848 TsmUOCw.exe
- PID 1152 wrote to memory of 2864 ynFooWL.exe
- PID 1152 wrote to memory of 2356 qkruryb.exe
- PID 1152 wrote to memory of 2080 NauGehs.exe
- PID 1152 wrote to memory of 1112 bObNrGU.exe
- PID 1152 wrote to memory of 1292 XnGOrxn.exe
- PID 1152 wrote to memory of 2180 AsswDPL.exe
- PID 1152 wrote to memory of 2168 nooleCK.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1152
    C:\Windows\System\WNPfmgp.exe
      Command line: C:\Windows\System\WNPfmgp.exe
      - Executes dropped EXE
      PID: 2228
    C:\Windows\System\BsVBgbg.exe
      Command line: C:\Windows\System\BsVBgbg.exe
      - Executes dropped EXE
      PID: 2236
    C:\Windows\System\NhQlQDM.exe
      Command line: C:\Windows\System\NhQlQDM.exe
      - Executes dropped EXE
      PID: 2824
    C:\Windows\System\fQwrjUV.exe
      Command line: C:\Windows\System\fQwrjUV.exe
      - Executes dropped EXE
      PID: 1704
    C:\Windows\System\tEkHrYg.exe
      Command line: C:\Windows\System\tEkHrYg.exe
      - Executes dropped EXE
      PID: 1744
    C:\Windows\System\uUqupNF.exe
      Command line: C:\Windows\System\uUqupNF.exe
      - Executes dropped EXE
      PID: 3000
    C:\Windows\System\bKnIcIL.exe
      Command line: C:\Windows\System\bKnIcIL.exe
      - Executes dropped EXE
      PID: 2908
    C:\Windows\System\oCvrJZR.exe
      Command line: C:\Windows\System\oCvrJZR.exe
      - Executes dropped EXE
      PID: 2508
    C:\Windows\System\NnXnYLN.exe
      Command line: C:\Windows\System\NnXnYLN.exe
      - Executes dropped EXE
      PID: 2644
    C:\Windows\System\FQwoNMK.exe
      Command line: C:\Windows\System\FQwoNMK.exe
      - Executes dropped EXE
      PID: 2636
    C:\Windows\System\MEYimLq.exe
      Command line: C:\Windows\System\MEYimLq.exe
      - Executes dropped EXE
      PID: 2540
    C:\Windows\System\cIExyMK.exe
      Command line: C:\Windows\System\cIExyMK.exe
      - Executes dropped EXE
      PID: 2480
    C:\Windows\System\vfapkHh.exe
      Command line: C:\Windows\System\vfapkHh.exe
      - Executes dropped EXE
      PID: 2376
    C:\Windows\System\TsmUOCw.exe
      Command line: C:\Windows\System\TsmUOCw.exe
      - Executes dropped EXE
      PID: 2848
    C:\Windows\System\ynFooWL.exe
      Command line: C:\Windows\System\ynFooWL.exe
      - Executes dropped EXE
      PID: 2864
    C:\Windows\System\qkruryb.exe
      Command line: C:\Windows\System\qkruryb.exe
      - Executes dropped EXE
      PID: 2356
    C:\Windows\System\NauGehs.exe
      Command line: C:\Windows\System\NauGehs.exe
      - Executes dropped EXE
      PID: 2080
    C:\Windows\System\bObNrGU.exe
      Command line: C:\Windows\System\bObNrGU.exe
      - Executes dropped EXE
      PID: 1112
    C:\Windows\System\XnGOrxn.exe
      Command line: C:\Windows\System\XnGOrxn.exe
      - Executes dropped EXE
      PID: 1292
    C:\Windows\System\AsswDPL.exe
      Command line: C:\Windows\System\AsswDPL.exe
      - Executes dropped EXE
      PID: 2180
    C:\Windows\System\nooleCK.exe
      Command line: C:\Windows\System\nooleCK.exe
      - Executes dropped EXE
      PID: 2168
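The memory-write events and the process tree above, turned into a small triage script. This is an added example, not part of the sandbox report: it parses a subset of the event lines copied from the report (including the truncated first fragment, which lacks its "PID" prefix), collapses the repeated entries, and flags a parent that writes into several child processes whose images are seven-letter random-named EXEs under C:\Windows\System. The regexes, the `min_targets` threshold and the benign explorer.exe process and event are assumptions of this example.

```python
import re
from collections import defaultdict

# Event lines in the shape the sandbox report prints them:
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# The first seven lines are copied from the report above (the report logs each
# pair three times; one repeat is kept here to show the de-duplication). The
# last line is constructed: a benign explorer.exe writing into the sample.
WRITE_EVENTS = """\
wrote to memory of 2356 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe qkruryb.exe
PID 1152 wrote to memory of 2080 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe NauGehs.exe
PID 1152 wrote to memory of 2080 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe NauGehs.exe
PID 1152 wrote to memory of 1112 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe bObNrGU.exe
PID 1152 wrote to memory of 1292 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe XnGOrxn.exe
PID 1152 wrote to memory of 2180 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe AsswDPL.exe
PID 1152 wrote to memory of 2168 1152 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe nooleCK.exe
PID 1000 wrote to memory of 1152 1000 explorer.exe 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe
"""

# PID -> image path, taken from the "Processes" tree above.
# PID 1000 (explorer.exe) is constructed and must not be flagged.
PROCESSES = {
    1152: r"C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe",
    2356: r"C:\Windows\System\qkruryb.exe",
    2080: r"C:\Windows\System\NauGehs.exe",
    1112: r"C:\Windows\System\bObNrGU.exe",
    1292: r"C:\Windows\System\XnGOrxn.exe",
    2180: r"C:\Windows\System\AsswDPL.exe",
    2168: r"C:\Windows\System\nooleCK.exe",
    1000: r"C:\Windows\explorer.exe",  # constructed benign process
}

# The "PID <src> " prefix is optional so the truncated first fragment still
# parses; the source PID is taken from the number that follows the target PID,
# which both line shapes carry.
WRITE_RE = re.compile(r"(?:PID (\d+) )?wrote to memory of (\d+) (\d+) (\S+) (\S+)")

# Seven-letter random image name dropped into C:\Windows\System (not System32),
# the naming pattern every child in the tree above follows. Assumption of this
# example, not a rule from the report.
DROPPED_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_write_events(text):
    """Return {src_pid: {dst_pid: dst_image}} with repeated lines collapsed."""
    writes = defaultdict(dict)
    for line in text.splitlines():
        m = WRITE_RE.search(line.strip())
        if not m:
            continue
        dst, src, dst_image = int(m.group(2)), int(m.group(3)), m.group(5)
        writes[src][dst] = dst_image
    return writes


def find_injecting_droppers(write_text, processes, min_targets=3):
    """Flag each parent that writes into at least min_targets distinct
    processes whose image matches DROPPED_RE."""
    findings = []
    for src, targets in parse_write_events(write_text).items():
        suspicious = sorted(
            dst for dst in targets if DROPPED_RE.match(processes.get(dst, ""))
        )
        if len(suspicious) >= min_targets:
            findings.append({
                "parent_pid": src,
                "parent_image": processes.get(src, "<unknown>"),
                "targets": [(pid, processes[pid]) for pid in suspicious],
            })
    return findings


if __name__ == "__main__":
    for f in find_injecting_droppers(WRITE_EVENTS, PROCESSES):
        print(f"parent {f['parent_pid']} ({f['parent_image']}) wrote into "
              f"{len(f['targets'])} dropped processes:")
        for pid, image in f["targets"]:
            print(f"  {pid}  {image}")
```

Two details matter when turning this into a production rule: de-duplicate on the (source, target) pair before counting, since the sandbox records one line per write call rather than per target, and key on the image path, not the process name, so a legitimately named binary running from C:\Windows\System still trips the rule.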
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.9MB
MD5
0609fab9c695eb18e501461fcdd7fd5b
SHA1
c4432e2288496c803cf1974e7226b4a7f1878a62
SHA256
64efbb391992c4cad0ce8ff3b969d83fb90bda9d127e19f4929ec7e9a6a13a36
SHA512
6dab5fd426e6f6914d8ff9c817b4e98a347b9fcc286371aa4b295968509f1f489601c76b5f211d024d93be3da098bf42931d9d8f7154aa6dfb2963b86457e31c
-
Filesize
5.9MB
MD5
6e00893f49a13d3ca604073671c04f6a
SHA1
941d19b5a5824260b4ebdc4085c87c9900655f5c
SHA256
23a9378ffe9de4a1349c1ae9426bb2bfda57fe9a9ebb65e20e8faf83a0d347ac
SHA512
dc088b8d0254a01ab4c3febf8e9edb3ecba57758767059a821d15bd5aba086a0ce5bbdb5f0ff6624e5a41f324516f5b43d6cbcc279b2fff89151b011ce3b530c
-
Filesize
5.9MB
MD5
c127e49e2c95bb5a192e0942639914e3
SHA1
c85315b5dc672bfb1b57079832957303bca93408
SHA256
f99a4599b6d16ce2ad48787d3f77e2676226e13a408f75617ce7168dd308ee7c
SHA512
0070b7eb0393d338c9b81ad7db672a8be507c63bd0b78d184196e82e1e36983ae52543f04b4aa0ede6124cdd38387f00a250461a1ab317e97c14b6b0baeea8c4
-
Filesize
5.9MB
MD5
328a92ba49457b65ef0bb14872325016
SHA1
c0b80f3c243d95a328c90ebc716b486599fbe9ec
SHA256
9fe79c4a391cc0c9c2ef4c2607c08c1c2abad986ded942007933468ba605418f
SHA512
bda0311d4d09b84b34a5cc70ec542a7a4cae9025c4a0e0d4156449e06dc15df73c61c6e295efcbd576125d48f56182be033953b5115d8f75b6d5932e830d2ed5
-
Filesize
5.9MB
MD5
cb042f2fbb042e25d4c462a318bbc00f
SHA1
403694ee324a1577a05973bc2b5a79c27b24b7f0
SHA256
237ecc918d5bf4726e7ee6f1c5928d2d7d0f24b0a651e84e8e70ac661fb0409d
SHA512
c26bcd051a70755aaa3ef5bdd4ed46c8823718a420ca71dca91b416653f8a8c15668289c6099aeed556546621376ee4615dd8b6c33377902334ce94623ec7569
-
Filesize
5.9MB
MD5
f0b29fdf636876b882108cd662c12019
SHA1
c91c739380772a30c94816387a4e27834678c9b3
SHA256
1c939acc3e46560a689d1a15e5ecb43ab330d96cdaabd51a8310d089b8ea4357
SHA512
d711939384cdba94a7303247505875607d787782e288ea5030f375418171de9a7f69223f00f374321a84f0bce4e3116c1ec4c0a65d73beba033962988db94e70
-
Filesize
5.9MB
MD5
fd37c645b8712e0b77d1b45ed0ffa396
SHA1
9ebdb304922adad9586fc2f62b234b3a858325e5
SHA256
de1c6734590022d9a6cfbc6586f1af38e29bccf5530f3945fd70b21137f54628
SHA512
c93a1c64170ed474a5d0383b48fd625943056e9a5a0a8972bf926b913960ab05755cf0b0517d43b19712cdb32d7f5678c7ad33630245072b8e0ba458428902f3
-
Filesize
5.9MB
MD5
45f822d6ec91d3553fb9400d446d0d38
SHA1
e629229565e0fe80c2c5144993fa13dcaf097d2c
SHA256
b3ec9c86e357e0c45c989134a25e2ec0a89e036b2a3a88b1a327da0d9ef8c8a7
SHA512
192b41b3c26ea2e401efee1954c2c715edb6acfa6e4171d61a4a22a219d7b5c28e3b969ff7ea36b966ea35a7f6a95feb6f8be294ea4c282a0d827c55ddc879d9
-
Filesize
5.9MB
MD5
4072b2722dbdbe570270bfeadb687843
SHA1
c9d3e5200ff09561d70b384ae8af814790661da1
SHA256
5c9931db5fdf67dcd4eb9894387f63d28853cb868e10d778b260d356d59f09fe
SHA512
94140072e8cc88f4e0def3be8c652529856dedaaa5b82f202d0b8ba932cc45f9426014b59caff2099ffc33aa5496f1a787dd5960d8f957e9a0f848cc88c2138e
-
Filesize
5.9MB
MD5
9c59a74c603aaffaa840242242d0a8b9
SHA1
765dd9571bc6d2dda9c276e651182745fdf2dd01
SHA256
1ec3ae2f2dde71128b5951b47b7f14c2b24e2de56756af6e93b301d550625120
SHA512
bc4984c7bbcaa7ffa1088055a4ac56afe2e90c767795896a7462d0b048c466e277b780f5ebed5d9f603326d1db3fb4738826d62d6ae8e0897c8309b38ffb7517
-
Filesize
5.9MB
MD5
9b40f6a112b19fbb6f704f1c53e90131
SHA1
a614a8fc93f63ee5da20b23bbda9791fb8cc6163
SHA256
bfbdb0a042283833be5ec1b0b2719a25b563e010647da8cdf55dbff13b62df1d
SHA512
dc255a65fb43adbfe0e5b179f8e71d01d70ef848212450e5076c8485946dc2e28da51d3b8d435d069e69fc21930c5f9c17bb5a85388935b1d578401177163545
-
Filesize
5.9MB
MD5
0d123aab921caaaa6a6e0d6d55810a2b
SHA1
ba2122b0818af4ad8803ea3e2e60fff90d85b966
SHA256
c227093c69de2a053decbd8d32f8884f58f2cbb12b2d09c83fd806f411f6b55b
SHA512
59f360180b95c3b0a7a3a74ef1d568c05d00814fcccdae8ca1aa0f65c82db8180a8194be17ea9925568b99c8ca9cb572b7cc8a25a047d4e750366717a4d53cec
-
Filesize
5.9MB
MD5
eb16ca9547e0ffd436dd572f93ef0b23
SHA1
c350ebd05aad6bffcf7c4f8a8160070eaacb26a2
SHA256
627b5ae722eef39f3b1990a0dc02d971a63918fa58534012b55eede8981a5a6e
SHA512
e2ec5fdf7c1af81f6882d115e95a6ed02d02453d0ba1a646f16fdead3725bb405bddd7b6506ccd0d4b5a0be3a01fb867b1c56e72a30335f108d7cd1a2c01529c
-
Filesize
5.9MB
MD5
8764008bc634101d27d021a827c56ffd
SHA1
4b323694d65a01b91bb698aa00b3a078049295e6
SHA256
eb5c0e258558c7ae680bf6939486dc680168a05bc059ce2025ffbae323666a95
SHA512
a6165d832a1f6d848195a5b71273da80499dce33c655d40a1259d2bc7217da6278cf55c8dc45e6ef9c714778bf17e517af39e8dad3030e5bbea2231ab6f918ba
-
Filesize
5.9MB
MD5
d92fa9bcbaedcbfded5783fc4bdfbc2e
SHA1
05ef28d4c60e81ceaf4d131e20272b9cc25420c9
SHA256
bb6fa71e0c2e3ce539682c212d960bb541199b86fde22b486e234f6dee6935e6
SHA512
68e472c4a1d6d878bd7ff3ddf1edf7570ef639120c26248b381664d3b4b5f67b6fcb2d701c9dd00346138ae180e579bb3eaf01331e4511d7cddb89bc7466268c
-
Filesize
5.9MB
MD5
9ce0cf392d9b20526655f5f46ab32a6c
SHA1
717b7192a7032c96e276074d7d046567d03113fe
SHA256
022b2ccd27d0277e101f9124e4378fe691998eb42acfd0bb808d88e78b7ada44
SHA512
7efdd1649d23539b37c07065a5c084466ad0351ead2dbff205b3496dee871fea09c0389156757a2c4b78946ea54f3d67035567266cc371838081de61d2b849cd
-
Filesize
5.9MB
MD5
6859c00ce6523af6efb69de2f42d30a9
SHA1
a3e61a3d3692889c44ebe4b524e1351d375ada33
SHA256
4aa2f50fdad802530876abf60c56eb0ec844f09106c25b6c1dc0a6a38d558ac5
SHA512
8f21986ba3b865bc5420b944f666788760af1ce1f7b241af06758c36fb871a0d042920a1bd4610c73e76347f1096059389631256362725a402b420c87f150ac3
-
Filesize
5.9MB
MD5
fd9a69cc7a173ad45c07375c985e1312
SHA1
aa31a8335edccad3bfcb51e7b590561c8205c6a4
SHA256
c52459493704014669ecd7c0b0ba143ec4b845032f26d1a5420f90a16d55f29c
SHA512
1a280e06dce28cb814a222af10b0be35dff56fc51af7a47c3d980febe41bcf1085fa63c0a9e24ce617937ea2a1401fcafde426d9a54a00d33570a296a42a8df2
-
Filesize
5.9MB
MD5
8ff5f30cf3e9b62cccab561f5d931683
SHA1
998673c496a4bbb1f6addf55e1f226b8a8bf78f1
SHA256
95fcbf4fee3259603f8876f55f424d89c8db514f5ac6aa76efc96ef1244a1954
SHA512
964716b8549c90299951473cbc54b7f2e418072a392df54aa978c65e4626b0a8dac1e5388d4018a77b1ee5ed70fc528bc787db5a741e4d9acba147ca3b15a73d
-
Filesize
5.9MB
MD5
114f59a9f1b9eadc83d66f62fa57813b
SHA1
54aa2e1f2fac300a619fc32fe3d8692c081fa867
SHA256
60f53ed3d77bbb33e25c08f1eea6808e543e1ce1fb4edb87b99541b72fac9b0d
SHA512
05ae925bed4979f9b69ac483c47ce41fe462f2f84782cc3c3672db880340530a8c0a45a03c3bac8e6027604ccb3ee673b810bda8004120db8504b6b99f08733e
-
Filesize
5.9MB
MD5
5ac8ef9a4bde56328bd60c6b7ad817b8
SHA1
89928c568f378ac9ade10289d8342924ff8031cc
SHA256
a52fde297510c91312b431257918f98af451c6760e286497d55cc2fd81292a06
SHA512
579bb04deef102434dcd2e70800b3a1dded8631fc40d8d7b519f5f8537170ef4ccddaacec3a90342bdc2639c5756dffa6834015b92e92450b4b66a106129a67f