Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2024 18:43
Behavioral task: behavioral1
Sample: 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
Resource: win7-20240221-en
General
Target: 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 8b3e0dd2091117471a6b821c575135a4
SHA1: 5dd022a943e299124bedad2ccc3b62364c9d2d38
SHA256: 3e556ffaf9e2648325df77d7469c3ef04541e4d21c8c031a352b6cbbfef45fc0
SHA512: 91cceccf3ac494d9c2da7f7bc21ec4f79f4a45292618ea3e7d9b8d6025fbf51eaddd21967b145a4d37e0d28b3c6297c8ee6fd7ffba773cdbe7c03ad69e224e98
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUb:Q+856utgpPF8u/7b
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes:
resource | yara_rule
\Windows\system\IeWEplK.exe | cobalt_reflective_dll
\Windows\system\nlBHFCV.exe | cobalt_reflective_dll
\Windows\system\bCtwBIm.exe | cobalt_reflective_dll
C:\Windows\system\HEDjmOD.exe | cobalt_reflective_dll
C:\Windows\system\jwZMUmc.exe | cobalt_reflective_dll
C:\Windows\system\drIlBVq.exe | cobalt_reflective_dll
\Windows\system\JmuTvez.exe | cobalt_reflective_dll
C:\Windows\system\ZwXfQQH.exe | cobalt_reflective_dll
C:\Windows\system\LdsrTZq.exe | cobalt_reflective_dll
C:\Windows\system\PEuDGPN.exe | cobalt_reflective_dll
C:\Windows\system\vqOawKQ.exe | cobalt_reflective_dll
C:\Windows\system\bCrzDQn.exe | cobalt_reflective_dll
C:\Windows\system\AlSBiqT.exe | cobalt_reflective_dll
C:\Windows\system\kbGraKR.exe | cobalt_reflective_dll
C:\Windows\system\rURooeK.exe | cobalt_reflective_dll
C:\Windows\system\mHaYSMx.exe | cobalt_reflective_dll
C:\Windows\system\bxOBqeY.exe | cobalt_reflective_dll
C:\Windows\system\YSYmBmQ.exe | cobalt_reflective_dll
C:\Windows\system\GTpALEi.exe | cobalt_reflective_dll
C:\Windows\system\IEMdUSS.exe | cobalt_reflective_dll
C:\Windows\system\UpsQWRF.exe | cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Detects Reflective DLL injection artifacts (21 IoCs)
Processes:
resource | yara_rule
\Windows\system\IeWEplK.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\nlBHFCV.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\bCtwBIm.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HEDjmOD.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jwZMUmc.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\drIlBVq.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\JmuTvez.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZwXfQQH.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LdsrTZq.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PEuDGPN.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vqOawKQ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bCrzDQn.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AlSBiqT.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kbGraKR.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rURooeK.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mHaYSMx.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bxOBqeY.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YSYmBmQ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GTpALEi.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IEMdUSS.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UpsQWRF.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) (64 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3020-0-0x000000013F520000-0x000000013F874000-memory.dmp | UPX
\Windows\system\IeWEplK.exe | UPX
behavioral1/memory/3020-6-0x00000000024D0000-0x0000000002824000-memory.dmp | UPX
\Windows\system\nlBHFCV.exe | UPX
behavioral1/memory/2180-15-0x000000013F600000-0x000000013F954000-memory.dmp | UPX
behavioral1/memory/2160-14-0x000000013F410000-0x000000013F764000-memory.dmp | UPX
\Windows\system\bCtwBIm.exe | UPX
behavioral1/memory/2552-27-0x000000013F200000-0x000000013F554000-memory.dmp | UPX
behavioral1/memory/2688-34-0x000000013FB80000-0x000000013FED4000-memory.dmp | UPX
behavioral1/memory/2720-41-0x000000013FB90000-0x000000013FEE4000-memory.dmp | UPX
behavioral1/memory/2608-48-0x000000013F660000-0x000000013F9B4000-memory.dmp | UPX
behavioral1/memory/2468-54-0x000000013F230000-0x000000013F584000-memory.dmp | UPX
C:\Windows\system\HEDjmOD.exe | UPX
C:\Windows\system\jwZMUmc.exe | UPX
behavioral1/memory/2752-96-0x000000013F1D0000-0x000000013F524000-memory.dmp | UPX
C:\Windows\system\drIlBVq.exe | UPX
\Windows\system\JmuTvez.exe | UPX
C:\Windows\system\ZwXfQQH.exe | UPX
C:\Windows\system\LdsrTZq.exe | UPX
C:\Windows\system\PEuDGPN.exe | UPX
behavioral1/memory/2720-137-0x000000013FB90000-0x000000013FEE4000-memory.dmp | UPX
behavioral1/memory/3000-105-0x000000013F7B0000-0x000000013FB04000-memory.dmp | UPX
C:\Windows\system\vqOawKQ.exe | UPX
C:\Windows\system\bCrzDQn.exe | UPX
C:\Windows\system\AlSBiqT.exe | UPX
behavioral1/memory/1628-89-0x000000013F090000-0x000000013F3E4000-memory.dmp | UPX
behavioral1/memory/2608-139-0x000000013F660000-0x000000013F9B4000-memory.dmp | UPX
behavioral1/memory/2552-94-0x000000013F200000-0x000000013F554000-memory.dmp | UPX
C:\Windows\system\kbGraKR.exe | UPX
behavioral1/memory/3032-77-0x000000013F880000-0x000000013FBD4000-memory.dmp | UPX
behavioral1/memory/2180-75-0x000000013F600000-0x000000013F954000-memory.dmp | UPX
behavioral1/memory/2160-74-0x000000013F410000-0x000000013F764000-memory.dmp | UPX
behavioral1/memory/2468-140-0x000000013F230000-0x000000013F584000-memory.dmp | UPX
behavioral1/memory/2960-83-0x000000013FE60000-0x00000001401B4000-memory.dmp | UPX
C:\Windows\system\rURooeK.exe | UPX
behavioral1/memory/1016-62-0x000000013F910000-0x000000013FC64000-memory.dmp | UPX
behavioral1/memory/2476-68-0x000000013F3B0000-0x000000013F704000-memory.dmp | UPX
behavioral1/memory/3020-61-0x000000013F520000-0x000000013F874000-memory.dmp | UPX
C:\Windows\system\mHaYSMx.exe | UPX
behavioral1/memory/1016-141-0x000000013F910000-0x000000013FC64000-memory.dmp | UPX
C:\Windows\system\bxOBqeY.exe | UPX
C:\Windows\system\YSYmBmQ.exe | UPX
C:\Windows\system\GTpALEi.exe | UPX
C:\Windows\system\IEMdUSS.exe | UPX
behavioral1/memory/1628-20-0x000000013F090000-0x000000013F3E4000-memory.dmp | UPX
C:\Windows\system\UpsQWRF.exe | UPX
behavioral1/memory/2476-142-0x000000013F3B0000-0x000000013F704000-memory.dmp | UPX
behavioral1/memory/3032-144-0x000000013F880000-0x000000013FBD4000-memory.dmp | UPX
behavioral1/memory/2960-146-0x000000013FE60000-0x00000001401B4000-memory.dmp | UPX
behavioral1/memory/2752-148-0x000000013F1D0000-0x000000013F524000-memory.dmp | UPX
behavioral1/memory/3000-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp | UPX
behavioral1/memory/2160-151-0x000000013F410000-0x000000013F764000-memory.dmp | UPX
behavioral1/memory/2180-152-0x000000013F600000-0x000000013F954000-memory.dmp | UPX
behavioral1/memory/1628-153-0x000000013F090000-0x000000013F3E4000-memory.dmp | UPX
behavioral1/memory/2552-154-0x000000013F200000-0x000000013F554000-memory.dmp | UPX
behavioral1/memory/2720-155-0x000000013FB90000-0x000000013FEE4000-memory.dmp | UPX
behavioral1/memory/2608-156-0x000000013F660000-0x000000013F9B4000-memory.dmp | UPX
behavioral1/memory/2468-157-0x000000013F230000-0x000000013F584000-memory.dmp | UPX
behavioral1/memory/1016-158-0x000000013F910000-0x000000013FC64000-memory.dmp | UPX
behavioral1/memory/2476-159-0x000000013F3B0000-0x000000013F704000-memory.dmp | UPX
behavioral1/memory/3032-160-0x000000013F880000-0x000000013FBD4000-memory.dmp | UPX
behavioral1/memory/2960-161-0x000000013FE60000-0x00000001401B4000-memory.dmp | UPX
behavioral1/memory/2752-162-0x000000013F1D0000-0x000000013F524000-memory.dmp | UPX
behavioral1/memory/3000-163-0x000000013F7B0000-0x000000013FB04000-memory.dmp | UPX

XMRig Miner payload (64 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3020-0-0x000000013F520000-0x000000013F874000-memory.dmp | xmrig
\Windows\system\IeWEplK.exe | xmrig
behavioral1/memory/3020-6-0x00000000024D0000-0x0000000002824000-memory.dmp | xmrig
\Windows\system\nlBHFCV.exe | xmrig
behavioral1/memory/2180-15-0x000000013F600000-0x000000013F954000-memory.dmp | xmrig
behavioral1/memory/2160-14-0x000000013F410000-0x000000013F764000-memory.dmp | xmrig
\Windows\system\bCtwBIm.exe | xmrig
behavioral1/memory/2552-27-0x000000013F200000-0x000000013F554000-memory.dmp | xmrig
behavioral1/memory/2688-34-0x000000013FB80000-0x000000013FED4000-memory.dmp | xmrig
behavioral1/memory/2720-41-0x000000013FB90000-0x000000013FEE4000-memory.dmp | xmrig
behavioral1/memory/2608-48-0x000000013F660000-0x000000013F9B4000-memory.dmp | xmrig
behavioral1/memory/2468-54-0x000000013F230000-0x000000013F584000-memory.dmp | xmrig
C:\Windows\system\HEDjmOD.exe | xmrig
C:\Windows\system\jwZMUmc.exe | xmrig
behavioral1/memory/3020-76-0x000000013F880000-0x000000013FBD4000-memory.dmp | xmrig
behavioral1/memory/2752-96-0x000000013F1D0000-0x000000013F524000-memory.dmp | xmrig
C:\Windows\system\drIlBVq.exe | xmrig
\Windows\system\JmuTvez.exe | xmrig
C:\Windows\system\ZwXfQQH.exe | xmrig
C:\Windows\system\LdsrTZq.exe | xmrig
C:\Windows\system\PEuDGPN.exe | xmrig
behavioral1/memory/2720-137-0x000000013FB90000-0x000000013FEE4000-memory.dmp | xmrig
behavioral1/memory/3000-105-0x000000013F7B0000-0x000000013FB04000-memory.dmp | xmrig
C:\Windows\system\vqOawKQ.exe | xmrig
C:\Windows\system\bCrzDQn.exe | xmrig
C:\Windows\system\AlSBiqT.exe | xmrig
behavioral1/memory/3020-90-0x00000000024D0000-0x0000000002824000-memory.dmp | xmrig
behavioral1/memory/1628-89-0x000000013F090000-0x000000013F3E4000-memory.dmp | xmrig
behavioral1/memory/2608-139-0x000000013F660000-0x000000013F9B4000-memory.dmp | xmrig
behavioral1/memory/2552-94-0x000000013F200000-0x000000013F554000-memory.dmp | xmrig
C:\Windows\system\kbGraKR.exe | xmrig
behavioral1/memory/3032-77-0x000000013F880000-0x000000013FBD4000-memory.dmp | xmrig
behavioral1/memory/2180-75-0x000000013F600000-0x000000013F954000-memory.dmp | xmrig
behavioral1/memory/2160-74-0x000000013F410000-0x000000013F764000-memory.dmp | xmrig
behavioral1/memory/2468-140-0x000000013F230000-0x000000013F584000-memory.dmp | xmrig
behavioral1/memory/2960-83-0x000000013FE60000-0x00000001401B4000-memory.dmp | xmrig
C:\Windows\system\rURooeK.exe | xmrig
behavioral1/memory/1016-62-0x000000013F910000-0x000000013FC64000-memory.dmp | xmrig
behavioral1/memory/2476-68-0x000000013F3B0000-0x000000013F704000-memory.dmp | xmrig
behavioral1/memory/3020-61-0x000000013F520000-0x000000013F874000-memory.dmp | xmrig
C:\Windows\system\mHaYSMx.exe | xmrig
behavioral1/memory/1016-141-0x000000013F910000-0x000000013FC64000-memory.dmp | xmrig
C:\Windows\system\bxOBqeY.exe | xmrig
C:\Windows\system\YSYmBmQ.exe | xmrig
C:\Windows\system\GTpALEi.exe | xmrig
C:\Windows\system\IEMdUSS.exe | xmrig
behavioral1/memory/1628-20-0x000000013F090000-0x000000013F3E4000-memory.dmp | xmrig
C:\Windows\system\UpsQWRF.exe | xmrig
behavioral1/memory/2476-142-0x000000013F3B0000-0x000000013F704000-memory.dmp | xmrig
behavioral1/memory/3032-144-0x000000013F880000-0x000000013FBD4000-memory.dmp | xmrig
behavioral1/memory/2960-146-0x000000013FE60000-0x00000001401B4000-memory.dmp | xmrig
behavioral1/memory/2752-148-0x000000013F1D0000-0x000000013F524000-memory.dmp | xmrig
behavioral1/memory/3000-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp | xmrig
behavioral1/memory/2160-151-0x000000013F410000-0x000000013F764000-memory.dmp | xmrig
behavioral1/memory/2180-152-0x000000013F600000-0x000000013F954000-memory.dmp | xmrig
behavioral1/memory/1628-153-0x000000013F090000-0x000000013F3E4000-memory.dmp | xmrig
behavioral1/memory/2552-154-0x000000013F200000-0x000000013F554000-memory.dmp | xmrig
behavioral1/memory/2720-155-0x000000013FB90000-0x000000013FEE4000-memory.dmp | xmrig
behavioral1/memory/2608-156-0x000000013F660000-0x000000013F9B4000-memory.dmp | xmrig
behavioral1/memory/2468-157-0x000000013F230000-0x000000013F584000-memory.dmp | xmrig
behavioral1/memory/1016-158-0x000000013F910000-0x000000013FC64000-memory.dmp | xmrig
behavioral1/memory/2476-159-0x000000013F3B0000-0x000000013F704000-memory.dmp | xmrig
behavioral1/memory/3032-160-0x000000013F880000-0x000000013FBD4000-memory.dmp | xmrig
behavioral1/memory/2960-161-0x000000013FE60000-0x00000001401B4000-memory.dmp | xmrig

Executes dropped EXE (21 IoCs)
Processes:
pid | process
2160 | IeWEplK.exe
2180 | nlBHFCV.exe
1628 | UpsQWRF.exe
2552 | bCtwBIm.exe
2688 | GTpALEi.exe
2720 | IEMdUSS.exe
2608 | YSYmBmQ.exe
2468 | bxOBqeY.exe
1016 | mHaYSMx.exe
2476 | HEDjmOD.exe
3032 | rURooeK.exe
2960 | jwZMUmc.exe
2752 | kbGraKR.exe
3000 | bCrzDQn.exe
1640 | vqOawKQ.exe
1476 | AlSBiqT.exe
356 | PEuDGPN.exe
884 | LdsrTZq.exe
1936 | drIlBVq.exe
2776 | ZwXfQQH.exe
844 | JmuTvez.exe

Loads dropped DLL (21 IoCs)
Processes:
pid | process
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe

Processes:
resource | yara_rule
behavioral1/memory/3020-0-0x000000013F520000-0x000000013F874000-memory.dmp | upx
\Windows\system\IeWEplK.exe | upx
behavioral1/memory/3020-6-0x00000000024D0000-0x0000000002824000-memory.dmp | upx
\Windows\system\nlBHFCV.exe | upx
behavioral1/memory/2180-15-0x000000013F600000-0x000000013F954000-memory.dmp | upx
behavioral1/memory/2160-14-0x000000013F410000-0x000000013F764000-memory.dmp | upx
\Windows\system\bCtwBIm.exe | upx
behavioral1/memory/2552-27-0x000000013F200000-0x000000013F554000-memory.dmp | upx
behavioral1/memory/2688-34-0x000000013FB80000-0x000000013FED4000-memory.dmp | upx
behavioral1/memory/2720-41-0x000000013FB90000-0x000000013FEE4000-memory.dmp | upx
behavioral1/memory/2608-48-0x000000013F660000-0x000000013F9B4000-memory.dmp | upx
behavioral1/memory/2468-54-0x000000013F230000-0x000000013F584000-memory.dmp | upx
C:\Windows\system\HEDjmOD.exe | upx
C:\Windows\system\jwZMUmc.exe | upx
behavioral1/memory/2752-96-0x000000013F1D0000-0x000000013F524000-memory.dmp | upx
C:\Windows\system\drIlBVq.exe | upx
\Windows\system\JmuTvez.exe | upx
C:\Windows\system\ZwXfQQH.exe | upx
C:\Windows\system\LdsrTZq.exe | upx
C:\Windows\system\PEuDGPN.exe | upx
behavioral1/memory/2720-137-0x000000013FB90000-0x000000013FEE4000-memory.dmp | upx
behavioral1/memory/3000-105-0x000000013F7B0000-0x000000013FB04000-memory.dmp | upx
C:\Windows\system\vqOawKQ.exe | upx
C:\Windows\system\bCrzDQn.exe | upx
C:\Windows\system\AlSBiqT.exe | upx
behavioral1/memory/1628-89-0x000000013F090000-0x000000013F3E4000-memory.dmp | upx
behavioral1/memory/2608-139-0x000000013F660000-0x000000013F9B4000-memory.dmp | upx
behavioral1/memory/2552-94-0x000000013F200000-0x000000013F554000-memory.dmp | upx
C:\Windows\system\kbGraKR.exe | upx
behavioral1/memory/3032-77-0x000000013F880000-0x000000013FBD4000-memory.dmp | upx
behavioral1/memory/2180-75-0x000000013F600000-0x000000013F954000-memory.dmp | upx
behavioral1/memory/2160-74-0x000000013F410000-0x000000013F764000-memory.dmp | upx
behavioral1/memory/2468-140-0x000000013F230000-0x000000013F584000-memory.dmp | upx
behavioral1/memory/2960-83-0x000000013FE60000-0x00000001401B4000-memory.dmp | upx
C:\Windows\system\rURooeK.exe | upx
behavioral1/memory/1016-62-0x000000013F910000-0x000000013FC64000-memory.dmp | upx
behavioral1/memory/2476-68-0x000000013F3B0000-0x000000013F704000-memory.dmp | upx
behavioral1/memory/3020-61-0x000000013F520000-0x000000013F874000-memory.dmp | upx
C:\Windows\system\mHaYSMx.exe | upx
behavioral1/memory/1016-141-0x000000013F910000-0x000000013FC64000-memory.dmp | upx
C:\Windows\system\bxOBqeY.exe | upx
C:\Windows\system\YSYmBmQ.exe | upx
C:\Windows\system\GTpALEi.exe | upx
C:\Windows\system\IEMdUSS.exe | upx
behavioral1/memory/1628-20-0x000000013F090000-0x000000013F3E4000-memory.dmp | upx
C:\Windows\system\UpsQWRF.exe | upx
behavioral1/memory/2476-142-0x000000013F3B0000-0x000000013F704000-memory.dmp | upx
behavioral1/memory/3032-144-0x000000013F880000-0x000000013FBD4000-memory.dmp | upx
behavioral1/memory/2960-146-0x000000013FE60000-0x00000001401B4000-memory.dmp | upx
behavioral1/memory/2752-148-0x000000013F1D0000-0x000000013F524000-memory.dmp | upx
behavioral1/memory/3000-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp | upx
behavioral1/memory/2160-151-0x000000013F410000-0x000000013F764000-memory.dmp | upx
behavioral1/memory/2180-152-0x000000013F600000-0x000000013F954000-memory.dmp | upx
behavioral1/memory/1628-153-0x000000013F090000-0x000000013F3E4000-memory.dmp | upx
behavioral1/memory/2552-154-0x000000013F200000-0x000000013F554000-memory.dmp | upx
behavioral1/memory/2720-155-0x000000013FB90000-0x000000013FEE4000-memory.dmp | upx
behavioral1/memory/2608-156-0x000000013F660000-0x000000013F9B4000-memory.dmp | upx
behavioral1/memory/2468-157-0x000000013F230000-0x000000013F584000-memory.dmp | upx
behavioral1/memory/1016-158-0x000000013F910000-0x000000013FC64000-memory.dmp | upx
behavioral1/memory/2476-159-0x000000013F3B0000-0x000000013F704000-memory.dmp | upx
behavioral1/memory/3032-160-0x000000013F880000-0x000000013FBD4000-memory.dmp | upx
behavioral1/memory/2960-161-0x000000013FE60000-0x00000001401B4000-memory.dmp | upx
behavioral1/memory/2752-162-0x000000013F1D0000-0x000000013F524000-memory.dmp | upx
behavioral1/memory/3000-163-0x000000013F7B0000-0x000000013FB04000-memory.dmp | upx

Drops file in Windows directory (21 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System\vqOawKQ.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\PEuDGPN.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\LdsrTZq.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\IeWEplK.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\GTpALEi.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\mHaYSMx.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\HEDjmOD.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\kbGraKR.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\JmuTvez.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ZwXfQQH.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\nlBHFCV.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\UpsQWRF.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\bCtwBIm.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\YSYmBmQ.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\rURooeK.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\drIlBVq.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\IEMdUSS.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\bxOBqeY.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\jwZMUmc.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\bCrzDQn.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\AlSBiqT.exe | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory (63 IoCs)
Processes:
description | pid | process | target process
PID 3020 wrote to memory of 2160 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | IeWEplK.exe
PID 3020 wrote to memory of 2160 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | IeWEplK.exe
PID 3020 wrote to memory of 2160 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | IeWEplK.exe
PID 3020 wrote to memory of 2180 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | nlBHFCV.exe
PID 3020 wrote to memory of 2180 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | nlBHFCV.exe
PID 3020 wrote to memory of 2180 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | nlBHFCV.exe
PID 3020 wrote to memory of 1628 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | UpsQWRF.exe
PID 3020 wrote to memory of 1628 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | UpsQWRF.exe
PID 3020 wrote to memory of 1628 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | UpsQWRF.exe
PID 3020 wrote to memory of 2552 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bCtwBIm.exe
PID 3020 wrote to memory of 2552 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bCtwBIm.exe
PID 3020 wrote to memory of 2552 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bCtwBIm.exe
PID 3020 wrote to memory of 2688 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | GTpALEi.exe
PID 3020 wrote to memory of 2688 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | GTpALEi.exe
PID 3020 wrote to memory of 2688 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | GTpALEi.exe
PID 3020 wrote to memory of 2720 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | IEMdUSS.exe
PID 3020 wrote to memory of 2720 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | IEMdUSS.exe
PID 3020 wrote to memory of 2720 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | IEMdUSS.exe
PID 3020 wrote to memory of 2608 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | YSYmBmQ.exe
PID 3020 wrote to memory of 2608 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | YSYmBmQ.exe
PID 3020 wrote to memory of 2608 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | YSYmBmQ.exe
PID 3020 wrote to memory of 2468 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bxOBqeY.exe
PID 3020 wrote to memory of 2468 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bxOBqeY.exe
PID 3020 wrote to memory of 2468 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bxOBqeY.exe
PID 3020 wrote to memory of 1016 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | mHaYSMx.exe
PID 3020 wrote to memory of 1016 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | mHaYSMx.exe
PID 3020 wrote to memory of 1016 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | mHaYSMx.exe
PID 3020 wrote to memory of 2476 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | HEDjmOD.exe
PID 3020 wrote to memory of 2476 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | HEDjmOD.exe
PID 3020 wrote to memory of 2476 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | HEDjmOD.exe
PID 3020 wrote to memory of 3032 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | rURooeK.exe
PID 3020 wrote to memory of 3032 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | rURooeK.exe
PID 3020 wrote to memory of 3032 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | rURooeK.exe
PID 3020 wrote to memory of 2960 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | jwZMUmc.exe
PID 3020 wrote to memory of 2960 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | jwZMUmc.exe
PID 3020 wrote to memory of 2960 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | jwZMUmc.exe
PID 3020 wrote to memory of 3000 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bCrzDQn.exe
PID 3020 wrote to memory of 3000 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bCrzDQn.exe
PID 3020 wrote to memory of 3000 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | bCrzDQn.exe
PID 3020 wrote to memory of 2752 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | kbGraKR.exe
PID 3020 wrote to memory of 2752 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | kbGraKR.exe
PID 3020 wrote to memory of 2752 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | kbGraKR.exe
PID 3020 wrote to memory of 1640 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | vqOawKQ.exe
PID 3020 wrote to memory of 1640 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | vqOawKQ.exe
PID 3020 wrote to memory of 1640 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | vqOawKQ.exe
PID 3020 wrote to memory of 1476 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | AlSBiqT.exe
PID 3020 wrote to memory of 1476 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | AlSBiqT.exe
PID 3020 wrote to memory of 1476 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | AlSBiqT.exe
PID 3020 wrote to memory of 356 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | PEuDGPN.exe
PID 3020 wrote to memory of 356 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | PEuDGPN.exe
PID 3020 wrote to memory of 356 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | PEuDGPN.exe
PID 3020 wrote to memory of 884 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | LdsrTZq.exe
PID 3020 wrote to memory of 884 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | LdsrTZq.exe
PID 3020 wrote to memory of 884 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | LdsrTZq.exe
PID 3020 wrote to memory of 1936 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | drIlBVq.exe
PID 3020 wrote to memory of 1936 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | drIlBVq.exe
PID 3020 wrote to memory of 1936 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | drIlBVq.exe
PID 3020 wrote to memory of 2776 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | ZwXfQQH.exe
PID 3020 wrote to memory of 2776 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | ZwXfQQH.exe
PID 3020 wrote to memory of 2776 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | ZwXfQQH.exe
PID 3020 wrote to memory of 844 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | JmuTvez.exe
PID 3020 wrote to memory of 844 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | JmuTvez.exe
PID 3020 wrote to memory of 844 | 3020 | 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | JmuTvez.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe")
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3020
  - C:\Windows\System\IeWEplK.exe (command line: C:\Windows\System\IeWEplK.exe)
    - Executes dropped EXE
    PID: 2160
  - C:\Windows\System\nlBHFCV.exe (command line: C:\Windows\System\nlBHFCV.exe)
    - Executes dropped EXE
    PID: 2180
  - C:\Windows\System\UpsQWRF.exe (command line: C:\Windows\System\UpsQWRF.exe)
    - Executes dropped EXE
    PID: 1628
  - C:\Windows\System\bCtwBIm.exe (command line: C:\Windows\System\bCtwBIm.exe)
    - Executes dropped EXE
    PID: 2552
  - C:\Windows\System\GTpALEi.exe (command line: C:\Windows\System\GTpALEi.exe)
    - Executes dropped EXE
    PID: 2688
  - C:\Windows\System\IEMdUSS.exe (command line: C:\Windows\System\IEMdUSS.exe)
    - Executes dropped EXE
    PID: 2720
  - C:\Windows\System\YSYmBmQ.exe (command line: C:\Windows\System\YSYmBmQ.exe)
    - Executes dropped EXE
    PID: 2608
  - C:\Windows\System\bxOBqeY.exe (command line: C:\Windows\System\bxOBqeY.exe)
    - Executes dropped EXE
    PID: 2468
  - C:\Windows\System\mHaYSMx.exe (command line: C:\Windows\System\mHaYSMx.exe)
    - Executes dropped EXE
    PID: 1016
  - C:\Windows\System\HEDjmOD.exe (command line: C:\Windows\System\HEDjmOD.exe)
    - Executes dropped EXE
    PID: 2476
  - C:\Windows\System\rURooeK.exe (command line: C:\Windows\System\rURooeK.exe)
    - Executes dropped EXE
    PID: 3032
  - C:\Windows\System\jwZMUmc.exe (command line: C:\Windows\System\jwZMUmc.exe)
    - Executes dropped EXE
    PID: 2960
  - C:\Windows\System\bCrzDQn.exe (command line: C:\Windows\System\bCrzDQn.exe)
    - Executes dropped EXE
    PID: 3000
  - C:\Windows\System\kbGraKR.exe (command line: C:\Windows\System\kbGraKR.exe)
    - Executes dropped EXE
    PID: 2752
  - C:\Windows\System\vqOawKQ.exe (command line: C:\Windows\System\vqOawKQ.exe)
    - Executes dropped EXE
    PID: 1640
  - C:\Windows\System\AlSBiqT.exe (command line: C:\Windows\System\AlSBiqT.exe)
    - Executes dropped EXE
    PID: 1476
  - C:\Windows\System\PEuDGPN.exe (command line: C:\Windows\System\PEuDGPN.exe)
    - Executes dropped EXE
    PID: 356
  - C:\Windows\System\LdsrTZq.exe (command line: C:\Windows\System\LdsrTZq.exe)
    - Executes dropped EXE
    PID: 884
  - C:\Windows\System\drIlBVq.exe (command line: C:\Windows\System\drIlBVq.exe)
    - Executes dropped EXE
    PID: 1936
  - C:\Windows\System\ZwXfQQH.exe (command line: C:\Windows\System\ZwXfQQH.exe)
    - Executes dropped EXE
    PID: 2776
  - C:\Windows\System\JmuTvez.exe (command line: C:\Windows\System\JmuTvez.exe)
    - Executes dropped EXE
    PID: 844
Network
MITRE ATT&CK Matrix
Downloads
- Filesize 5.9MB
  MD5 68b08c6b1060136a2999fb5b0d51fa10
  SHA1 4583dd9e0131b61b0e7c1e4084dcd13d2b579ff5
  SHA256 3f9b4e3f14f131b9695a9954df86a760aed55959d3852736285c5d982f1e5107
  SHA512 fb4f4644bdb89aeaf13f30693459f5433a33ebce87601c26339b47520321862739538823c491f5c1f50cc2d5fa39b59eaadcf2c6315f478dd0591beedb8763ef
- Filesize 5.9MB
  MD5 3f3acd7a2453331520289d012effa68c
  SHA1 bf205ca78b3663c5f19afa406c12c76a15582976
  SHA256 a2f285211fdfe80f1a9ec156177f8edbddc7ec5169f6e5e432180873793cc680
  SHA512 f7c43d6c88cfcb09aceb343a449e3df2748abb2912e808b01ee27ee49aa0715b921528a6d06a49afb61a0a1a11ddd1f568e05258c47ae64fb8c420d4841adf1b
- Filesize 5.9MB
  MD5 d86b100fc55bceecc32c3df6298abd39
  SHA1 6d22e3ebcc17e879d4b881df17403a91afaaa5b6
  SHA256 04e2da5b58062bd67aa60984a7519280d1ddc700f1ee1a4b1b1f68da3538c647
  SHA512 1eefa3ef13bde1066d65a90ce1e568e21049b52e90dfe1b6f9c802e74437598cf312b997deace214fa3b780c75d03b102e04eab99104639c9e723fa700f5fe67
- Filesize 5.9MB
  MD5 95aeac685967dd7eea8609a7a0a6b093
  SHA1 139edd9f25866a7d1b63cda1a84713842d875ded
  SHA256 38b11f1d26ab3c208bb3bcc94575cc33248906c42179f255342803bd0b0c9d9a
  SHA512 2d907dd26d57f6939be4f6483e866b81e1e21e27b32861dc98b98e8f89a1b0cb2313a144812dec7aa6f225f0e56008b4c60e47a8580032d78a1a5c91759941fd
- Filesize 5.9MB
  MD5 35ccbd48366ec5a7b80e081b8f0cbebd
  SHA1 88a4e59565d178156584e14cc3d3f18d8d244096
  SHA256 4aaa55aaac5185fd2fbecaebdd192c857b152ff6bb9bbf0a0b11607ef9605a47
  SHA512 846089f67ba22224a7f7ad882aab514be478cdcbf2cfd4a4b1eac7f52356f54fa139d2f663b8b147ae81c0a0fd8426927b10be656cd16543f1a456cfca091b77
- Filesize 5.9MB
  MD5 5ed333703af44e343f229514c715187b
  SHA1 6bf97c613c4d5f99a4f1dc62f6c433b4cef7e2b8
  SHA256 b8f745609aa997681ea449bebedc3ca01333bee2d03501a2a3c19aff55296c11
  SHA512 eb064970b33c95d29702f2931a34ca9bc5a7afe9b4382036a56773b597fe4662e4482b615aa19fc16040c988df573bd06c1c2b5b01fdf1c5e4d3735d49c1039f
- Filesize 5.9MB
  MD5 d710f0a79c724198bae6fa2c9d973cdc
  SHA1 083058e37a13343d121b316ceb22af0ec08581ab
  SHA256 7a2fd99985e89798cbc4d0366a16be3c6ba36f78f4b4633440a7ebd47ffb8504
  SHA512 383254d581344e20a46eece153f30223996ba6d1572cc7c0b0b709241302f33d4b0004028b809cfc45587de90f4195c065f626e89ea6c1e58b78105b25d41cfa
- Filesize 5.9MB
  MD5 8b3e62a0dcc7487dd73463d0052fef6d
  SHA1 94a4eb930ec247e9d138c207efc643d6d1911744
  SHA256 745c0d042252f843b771fff31af57462839273c5aa8b8442915cda9dd6aee048
  SHA512 3da0c9063650e14d082e9c61eeec06ab4cb9871ae4097a83d9546d34f837182b48f2b9c8b90fd3801fac8ac255680563252594a053ad3ec9b2a617a040d649a5
- Filesize 5.9MB
  MD5 a1cd38d59c698897ed42a36a7ad4dba1
  SHA1 3bf15fd02bd552ebe5b19f39c8e86231fd65c00d
  SHA256 e10f13e3b7a8c227af3af6bcc13815f76395e6a5a6b802fd713e85effce44519
  SHA512 e4e1d0e44f42ece0ce7c1a90ac7db50f0b325232cd052d1ca641fa0f84b259a840c3d1c84c160569958730deb8b38c3104d53167d996b4617a5fb5aa093fa2ab
- Filesize 5.9MB
  MD5 3ff814fbdec42092980147828759467e
  SHA1 c34ab7f18ce33a5b92eec9f45a7386c83509a094
  SHA256 4f76a55bc6e28ab6d6d0bf09653863709d0ae70eb6dc0a0063ef2e6750dc57d3
  SHA512 ae68df0af57f5d6c5d3333192fb6382b1a842cfcfd057646b7d87a2c1b7b7dd91643bb33e53dfa9a91e88d6dbae116bfb9fde4d45e133b3cc2756f80cd09d271
- Filesize 5.9MB
  MD5 a4e28f8607daabc4b72319d4df9f27f8
  SHA1 5d51e81a9f28bf348b495ec982574d97aa9a7505
  SHA256 183d368cec469cb558074c0211a21f8aa94d7afb85850f233d9094697a596b7f
  SHA512 2c2ff0e6a7ac4ab32e697412d2e6903fd0b38361f56faf40132cad498ad2e071b7e31bb41e67482b1b5c0b9ca80f13477f0011771125ace7d7736cbdff940e7b
- Filesize 5.9MB
  MD5 b24cb4ce356c5506b1595f2dbefdc175
  SHA1 871d227b7483bb453c09b42c4131e50d894e536c
  SHA256 63b6283f6ec7c7c25215f12c4410332046221e8dc0460eca530e7186e2c3abde
  SHA512 f1f4bd088b4551c441b735a40b0fda833b9987967b477b9399fda840f65e75c2411ebdb5d4c2ea89017ffa1fce4a492108d908d5f09ffcd74c6217bd97c3c1ff
- Filesize 5.9MB
  MD5 ab41a176964423e9bda73f0c26ad82ac
  SHA1 934df14e2a87152b159c1893ebe082d3961925b1
  SHA256 00156b0dcacecba1de3e1198e5dc5b4b1d912004057656c8efdc090a6a7abae9
  SHA512 fca3652455388b5e8dd29aa41510535f610a46fe47608dd0391b1748ff34594d4dcf1db3c79f5ad290cf21b2e04582e7aa24713ec2701893c302da11f4cd7e02
- Filesize 5.9MB
  MD5 3c0b8cf51b31a6081d01584f27aa88bd
  SHA1 ba4410c94c2532bc6f52e6504c4e00ac29dc5823
  SHA256 8104f2c548a2470026292a364c35d1fbdf7b0099d6b9515925bcabc716d779df
  SHA512 a3905c3a822143d8acbf2a5d4a539928a742fb3a43ef6c25197f432eea9ad9160dfd4d06d8e33f97368e3ec9a30317b399f279d012ea4ed79baf0233369fb22e
- Filesize 5.9MB
  MD5 b792c54247545eae95d9728fe93ef136
  SHA1 86fa354d9df30f721948b80f09fc020b33432b1a
  SHA256 7a93e0fc43f04bebab51652341d1c0dcc1341e9aeec6af10aaaf77b7bad2b993
  SHA512 75d61930a34165ad010ba00716630c14e7683bc0bbcc881f65060d17eb873adbb1313f489da87ef7dcecb55097e859cf15f1a9c05def5b221d0b7399d331ef57
- Filesize 5.9MB
  MD5 31d6aa1bff22adf05629a276ad3dab68
  SHA1 6818f6cd8dbb90b7015f41d3339a6b569ad2fb7e
  SHA256 b5c0f63fdc06b83ad677ce1af49971b2234feb6c5ef123955d8b90f557a90e52
  SHA512 5cebebcff93d5d77885520b11deb3b7a1142e471245acefaf0b561f81a0f855d2df58853fdb3c8ac19dbeaace6a3b6537cb1baa7b3af4ab0112fc87f90fea715
- Filesize 5.9MB
  MD5 fb7f4d17fb6ae29eae49dfff25312e41
  SHA1 a408683ac5d3dbb709286dc50487cbd49f5c8320
  SHA256 ec306f55606a7f319d9a3f33e45de4dc32269abd443cfa51aa27b4b3b79796d3
  SHA512 d5870c2ce2bf8da844d04bc8db74ac2086e65cf8261416f2b6f4e1a5bcfd999ea17aef8aef11fa4e328f710dbeb23b5fa4b6e9b02a59abe00eaf2b84c34f0964
- Filesize 5.9MB
  MD5 480140cdfaab069bd8a87a69a40cc80b
  SHA1 1dc614a9cd644ec8ca8f0c9f9af8094ad390e97e
  SHA256 18262e542e8f49e8076137ee7b9576725aedf8244f7bfd6accb040a929fcc8ed
  SHA512 172818c7d49b9d8bbeae9ec6c7430cdfecf77a1d0dfab2bb70a589f4258a965c3a1723dc013686a71be8a2255a208b358802cf1ab392dfe5c5669d931564d414
- Filesize 5.9MB
  MD5 fee68a8801744917a32702f674ae9580
  SHA1 743c217d008bd5c0a392e79d2c25c8fb31efd49c
  SHA256 540da21271d2a2124366e98bfd5a2f1050d05004b5e1ae1ba2e93f17e068bd43
  SHA512 c63c61f5f17347bc5f10a4b7b80d0bbbd162d5fda3a618dbae38de22d50080b49cb11a1fa3f4d5bf5e226e0b623f4f1a95d0993475738811b4c6e7c400c5de30
- Filesize 5.9MB
  MD5 215fc5b6f9a71de33a5ac5c026f3f3f9
  SHA1 1665bca825584f3620a3cecd06ad356ef857ae1b
  SHA256 d8f5dbe5ec641cff26a9e28e8af1cdab71aea645d25628f113d5b6c44ef9f928
  SHA512 2afd020c5cf42be15827f3e64d8070875fb2005d349a34d40bea92c4dff77f79e2a5d0ed36e03d4107b041d04b14573031fec1b2def7284a1adcbbf3ec094c51
- Filesize 5.9MB
  MD5 8e859af6a1192856afadb48c18d19026
  SHA1 42379e42d32a0637879e689e24e95882e8a341eb
  SHA256 8b70a12363341f69213d6c7aad7f1bfdd18a47269dad10320b4e53f87e66633a
  SHA512 9cb9d2cf8a26de8dcf824bf37c46a7e431ccc02d06eae2db5f0a1fc0d4c9e350b6f73c733ca92da1bd6821c61e87cb9eb95730ec4ce9cd66b7a699045667eaf1