Analysis
max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 07-06-2024 00:47
Behavioral task: behavioral1
Sample: 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
Resource: win7-20240221-en
General
Target: 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 03ae526cd0c361b166c0d3cf36b24cee
SHA1: 9f38ec9893234713b6d3911c2a791a500a750893
SHA256: 9d9bebef53e23af5dbd251c31a53e7a5beda04d4baec31bb1c5d81dab29985c8
SHA512: 122c108c6e954d35aea4fde9c1dd210a0c412489c95a852ced8d76d20225075051fa0a6e437c779dde633889221be6b61ab9ab6bf9d2ded43d5b28281dd0f6b1
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUT:Q+856utgpPF8u/7T
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes:
resource | yara_rule
\Windows\system\LIOaWFr.exe | cobalt_reflective_dll
C:\Windows\system\yozivTF.exe | cobalt_reflective_dll
\Windows\system\YIHqDur.exe | cobalt_reflective_dll
C:\Windows\system\gBudILL.exe | cobalt_reflective_dll
C:\Windows\system\YGkzpep.exe | cobalt_reflective_dll
C:\Windows\system\fUOoQTt.exe | cobalt_reflective_dll
C:\Windows\system\BFtzmFV.exe | cobalt_reflective_dll
C:\Windows\system\hXlbZhW.exe | cobalt_reflective_dll
C:\Windows\system\uUrrRcq.exe | cobalt_reflective_dll
C:\Windows\system\aUAvRZU.exe | cobalt_reflective_dll
C:\Windows\system\bzwOfwL.exe | cobalt_reflective_dll
C:\Windows\system\yGAcGAx.exe | cobalt_reflective_dll
C:\Windows\system\BthFRqy.exe | cobalt_reflective_dll
C:\Windows\system\MUzOzqD.exe | cobalt_reflective_dll
C:\Windows\system\cBzMpVc.exe | cobalt_reflective_dll
C:\Windows\system\EmgQtAG.exe | cobalt_reflective_dll
C:\Windows\system\NindsaN.exe | cobalt_reflective_dll
C:\Windows\system\UjRIsOH.exe | cobalt_reflective_dll
C:\Windows\system\znOEvIJ.exe | cobalt_reflective_dll
C:\Windows\system\AfAjanN.exe | cobalt_reflective_dll
C:\Windows\system\bdTmpHj.exe | cobalt_reflective_dll
- Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
- Detects Reflective DLL injection artifacts (21 IoCs)
Processes:
resource | yara_rule
\Windows\system\LIOaWFr.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yozivTF.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YIHqDur.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gBudILL.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YGkzpep.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fUOoQTt.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BFtzmFV.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hXlbZhW.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uUrrRcq.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aUAvRZU.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bzwOfwL.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yGAcGAx.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BthFRqy.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MUzOzqD.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cBzMpVc.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EmgQtAG.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NindsaN.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UjRIsOH.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\znOEvIJ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AfAjanN.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bdTmpHj.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
- UPX dump on OEP (original entry point) (61 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2664-0-0x000000013F6D0000-0x000000013FA24000-memory.dmp | UPX
\Windows\system\LIOaWFr.exe | UPX
C:\Windows\system\yozivTF.exe | UPX
behavioral1/memory/2924-14-0x000000013F710000-0x000000013FA64000-memory.dmp | UPX
behavioral1/memory/2444-11-0x000000013FD10000-0x0000000140064000-memory.dmp | UPX
behavioral1/memory/2556-21-0x000000013FF80000-0x00000001402D4000-memory.dmp | UPX
\Windows\system\YIHqDur.exe | UPX
C:\Windows\system\gBudILL.exe | UPX
behavioral1/memory/2752-138-0x000000013FB40000-0x000000013FE94000-memory.dmp | UPX
behavioral1/memory/2384-136-0x000000013F870000-0x000000013FBC4000-memory.dmp | UPX
behavioral1/memory/2336-135-0x000000013F630000-0x000000013F984000-memory.dmp | UPX
C:\Windows\system\YGkzpep.exe | UPX
C:\Windows\system\fUOoQTt.exe | UPX
C:\Windows\system\BFtzmFV.exe | UPX
C:\Windows\system\hXlbZhW.exe | UPX
C:\Windows\system\uUrrRcq.exe | UPX
C:\Windows\system\aUAvRZU.exe | UPX
behavioral1/memory/2340-88-0x000000013F320000-0x000000013F674000-memory.dmp | UPX
C:\Windows\system\bzwOfwL.exe | UPX
behavioral1/memory/2068-90-0x000000013FCB0000-0x0000000140004000-memory.dmp | UPX
C:\Windows\system\yGAcGAx.exe | UPX
C:\Windows\system\BthFRqy.exe | UPX
behavioral1/memory/1964-79-0x000000013F950000-0x000000013FCA4000-memory.dmp | UPX
behavioral1/memory/2556-77-0x000000013FF80000-0x00000001402D4000-memory.dmp | UPX
C:\Windows\system\MUzOzqD.exe | UPX
behavioral1/memory/2756-72-0x000000013F310000-0x000000013F664000-memory.dmp | UPX
behavioral1/memory/2924-70-0x000000013F710000-0x000000013FA64000-memory.dmp | UPX
C:\Windows\system\cBzMpVc.exe | UPX
behavioral1/memory/2752-65-0x000000013FB40000-0x000000013FE94000-memory.dmp | UPX
behavioral1/memory/2444-63-0x000000013FD10000-0x0000000140064000-memory.dmp | UPX
C:\Windows\system\EmgQtAG.exe | UPX
behavioral1/memory/2384-58-0x000000013F870000-0x000000013FBC4000-memory.dmp | UPX
C:\Windows\system\NindsaN.exe | UPX
behavioral1/memory/2336-52-0x000000013F630000-0x000000013F984000-memory.dmp | UPX
C:\Windows\system\UjRIsOH.exe | UPX
behavioral1/memory/2568-47-0x000000013F770000-0x000000013FAC4000-memory.dmp | UPX
behavioral1/memory/2664-46-0x000000013F6D0000-0x000000013FA24000-memory.dmp | UPX
C:\Windows\system\znOEvIJ.exe | UPX
behavioral1/memory/2356-40-0x000000013FF00000-0x0000000140254000-memory.dmp | UPX
C:\Windows\system\AfAjanN.exe | UPX
behavioral1/memory/2608-35-0x000000013FE10000-0x0000000140164000-memory.dmp | UPX
behavioral1/memory/2340-28-0x000000013F320000-0x000000013F674000-memory.dmp | UPX
C:\Windows\system\bdTmpHj.exe | UPX
behavioral1/memory/2756-140-0x000000013F310000-0x000000013F664000-memory.dmp | UPX
behavioral1/memory/1964-142-0x000000013F950000-0x000000013FCA4000-memory.dmp | UPX
behavioral1/memory/1524-144-0x000000013FB40000-0x000000013FE94000-memory.dmp | UPX
behavioral1/memory/2068-146-0x000000013FCB0000-0x0000000140004000-memory.dmp | UPX
behavioral1/memory/2444-148-0x000000013FD10000-0x0000000140064000-memory.dmp | UPX
behavioral1/memory/2924-149-0x000000013F710000-0x000000013FA64000-memory.dmp | UPX
behavioral1/memory/2556-150-0x000000013FF80000-0x00000001402D4000-memory.dmp | UPX
behavioral1/memory/2608-151-0x000000013FE10000-0x0000000140164000-memory.dmp | UPX
behavioral1/memory/1524-155-0x000000013FB40000-0x000000013FE94000-memory.dmp | UPX
behavioral1/memory/2568-154-0x000000013F770000-0x000000013FAC4000-memory.dmp | UPX
behavioral1/memory/2756-153-0x000000013F310000-0x000000013F664000-memory.dmp | UPX
behavioral1/memory/2384-152-0x000000013F870000-0x000000013FBC4000-memory.dmp | UPX
behavioral1/memory/2336-160-0x000000013F630000-0x000000013F984000-memory.dmp | UPX
behavioral1/memory/2356-161-0x000000013FF00000-0x0000000140254000-memory.dmp | UPX
behavioral1/memory/2752-159-0x000000013FB40000-0x000000013FE94000-memory.dmp | UPX
behavioral1/memory/1964-158-0x000000013F950000-0x000000013FCA4000-memory.dmp | UPX
behavioral1/memory/2068-157-0x000000013FCB0000-0x0000000140004000-memory.dmp | UPX
behavioral1/memory/2340-156-0x000000013F320000-0x000000013F674000-memory.dmp | UPX
- XMRig Miner payload (64 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2664-0-0x000000013F6D0000-0x000000013FA24000-memory.dmp | xmrig
\Windows\system\LIOaWFr.exe | xmrig
C:\Windows\system\yozivTF.exe | xmrig
behavioral1/memory/2924-14-0x000000013F710000-0x000000013FA64000-memory.dmp | xmrig
behavioral1/memory/2444-11-0x000000013FD10000-0x0000000140064000-memory.dmp | xmrig
behavioral1/memory/2556-21-0x000000013FF80000-0x00000001402D4000-memory.dmp | xmrig
\Windows\system\YIHqDur.exe | xmrig
C:\Windows\system\gBudILL.exe | xmrig
behavioral1/memory/2752-138-0x000000013FB40000-0x000000013FE94000-memory.dmp | xmrig
behavioral1/memory/2664-137-0x000000013FB40000-0x000000013FE94000-memory.dmp | xmrig
behavioral1/memory/2384-136-0x000000013F870000-0x000000013FBC4000-memory.dmp | xmrig
behavioral1/memory/2336-135-0x000000013F630000-0x000000013F984000-memory.dmp | xmrig
C:\Windows\system\YGkzpep.exe | xmrig
C:\Windows\system\fUOoQTt.exe | xmrig
C:\Windows\system\BFtzmFV.exe | xmrig
C:\Windows\system\hXlbZhW.exe | xmrig
C:\Windows\system\uUrrRcq.exe | xmrig
C:\Windows\system\aUAvRZU.exe | xmrig
behavioral1/memory/2340-88-0x000000013F320000-0x000000013F674000-memory.dmp | xmrig
C:\Windows\system\bzwOfwL.exe | xmrig
behavioral1/memory/2664-91-0x000000013FF10000-0x0000000140264000-memory.dmp | xmrig
behavioral1/memory/2068-90-0x000000013FCB0000-0x0000000140004000-memory.dmp | xmrig
C:\Windows\system\yGAcGAx.exe | xmrig
C:\Windows\system\BthFRqy.exe | xmrig
behavioral1/memory/1964-79-0x000000013F950000-0x000000013FCA4000-memory.dmp | xmrig
behavioral1/memory/2556-77-0x000000013FF80000-0x00000001402D4000-memory.dmp | xmrig
C:\Windows\system\MUzOzqD.exe | xmrig
behavioral1/memory/2756-72-0x000000013F310000-0x000000013F664000-memory.dmp | xmrig
behavioral1/memory/2664-71-0x000000013F310000-0x000000013F664000-memory.dmp | xmrig
behavioral1/memory/2924-70-0x000000013F710000-0x000000013FA64000-memory.dmp | xmrig
C:\Windows\system\cBzMpVc.exe | xmrig
behavioral1/memory/2752-65-0x000000013FB40000-0x000000013FE94000-memory.dmp | xmrig
behavioral1/memory/2444-63-0x000000013FD10000-0x0000000140064000-memory.dmp | xmrig
C:\Windows\system\EmgQtAG.exe | xmrig
behavioral1/memory/2384-58-0x000000013F870000-0x000000013FBC4000-memory.dmp | xmrig
C:\Windows\system\NindsaN.exe | xmrig
behavioral1/memory/2336-52-0x000000013F630000-0x000000013F984000-memory.dmp | xmrig
C:\Windows\system\UjRIsOH.exe | xmrig
behavioral1/memory/2568-47-0x000000013F770000-0x000000013FAC4000-memory.dmp | xmrig
behavioral1/memory/2664-46-0x000000013F6D0000-0x000000013FA24000-memory.dmp | xmrig
C:\Windows\system\znOEvIJ.exe | xmrig
behavioral1/memory/2356-40-0x000000013FF00000-0x0000000140254000-memory.dmp | xmrig
C:\Windows\system\AfAjanN.exe | xmrig
behavioral1/memory/2608-35-0x000000013FE10000-0x0000000140164000-memory.dmp | xmrig
behavioral1/memory/2340-28-0x000000013F320000-0x000000013F674000-memory.dmp | xmrig
C:\Windows\system\bdTmpHj.exe | xmrig
behavioral1/memory/2756-140-0x000000013F310000-0x000000013F664000-memory.dmp | xmrig
behavioral1/memory/1964-142-0x000000013F950000-0x000000013FCA4000-memory.dmp | xmrig
behavioral1/memory/1524-144-0x000000013FB40000-0x000000013FE94000-memory.dmp | xmrig
behavioral1/memory/2664-145-0x000000013FCB0000-0x0000000140004000-memory.dmp | xmrig
behavioral1/memory/2068-146-0x000000013FCB0000-0x0000000140004000-memory.dmp | xmrig
behavioral1/memory/2444-148-0x000000013FD10000-0x0000000140064000-memory.dmp | xmrig
behavioral1/memory/2924-149-0x000000013F710000-0x000000013FA64000-memory.dmp | xmrig
behavioral1/memory/2556-150-0x000000013FF80000-0x00000001402D4000-memory.dmp | xmrig
behavioral1/memory/2608-151-0x000000013FE10000-0x0000000140164000-memory.dmp | xmrig
behavioral1/memory/1524-155-0x000000013FB40000-0x000000013FE94000-memory.dmp | xmrig
behavioral1/memory/2568-154-0x000000013F770000-0x000000013FAC4000-memory.dmp | xmrig
behavioral1/memory/2756-153-0x000000013F310000-0x000000013F664000-memory.dmp | xmrig
behavioral1/memory/2384-152-0x000000013F870000-0x000000013FBC4000-memory.dmp | xmrig
behavioral1/memory/2336-160-0x000000013F630000-0x000000013F984000-memory.dmp | xmrig
behavioral1/memory/2356-161-0x000000013FF00000-0x0000000140254000-memory.dmp | xmrig
behavioral1/memory/2752-159-0x000000013FB40000-0x000000013FE94000-memory.dmp | xmrig
behavioral1/memory/1964-158-0x000000013F950000-0x000000013FCA4000-memory.dmp | xmrig
behavioral1/memory/2068-157-0x000000013FCB0000-0x0000000140004000-memory.dmp | xmrig
- Executes dropped EXE (21 IoCs)
Processes:
pid | process
2444 | yozivTF.exe
2924 | LIOaWFr.exe
2556 | gBudILL.exe
2340 | YIHqDur.exe
2608 | bdTmpHj.exe
2356 | AfAjanN.exe
2568 | znOEvIJ.exe
2336 | UjRIsOH.exe
2384 | NindsaN.exe
2752 | EmgQtAG.exe
2756 | cBzMpVc.exe
1964 | MUzOzqD.exe
1524 | BthFRqy.exe
2068 | yGAcGAx.exe
1700 | bzwOfwL.exe
1724 | aUAvRZU.exe
2116 | uUrrRcq.exe
2112 | hXlbZhW.exe
1836 | BFtzmFV.exe
620 | fUOoQTt.exe
392 | YGkzpep.exe
- Loads dropped DLL (21 IoCs)
Processes:
pid | process
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
Processes:
resource | yara_rule
behavioral1/memory/2664-0-0x000000013F6D0000-0x000000013FA24000-memory.dmp | upx
\Windows\system\LIOaWFr.exe | upx
C:\Windows\system\yozivTF.exe | upx
behavioral1/memory/2924-14-0x000000013F710000-0x000000013FA64000-memory.dmp | upx
behavioral1/memory/2444-11-0x000000013FD10000-0x0000000140064000-memory.dmp | upx
behavioral1/memory/2556-21-0x000000013FF80000-0x00000001402D4000-memory.dmp | upx
\Windows\system\YIHqDur.exe | upx
C:\Windows\system\gBudILL.exe | upx
behavioral1/memory/2752-138-0x000000013FB40000-0x000000013FE94000-memory.dmp | upx
behavioral1/memory/2384-136-0x000000013F870000-0x000000013FBC4000-memory.dmp | upx
behavioral1/memory/2336-135-0x000000013F630000-0x000000013F984000-memory.dmp | upx
C:\Windows\system\YGkzpep.exe | upx
C:\Windows\system\fUOoQTt.exe | upx
C:\Windows\system\BFtzmFV.exe | upx
C:\Windows\system\hXlbZhW.exe | upx
C:\Windows\system\uUrrRcq.exe | upx
C:\Windows\system\aUAvRZU.exe | upx
behavioral1/memory/2340-88-0x000000013F320000-0x000000013F674000-memory.dmp | upx
C:\Windows\system\bzwOfwL.exe | upx
behavioral1/memory/2068-90-0x000000013FCB0000-0x0000000140004000-memory.dmp | upx
C:\Windows\system\yGAcGAx.exe | upx
C:\Windows\system\BthFRqy.exe | upx
behavioral1/memory/1964-79-0x000000013F950000-0x000000013FCA4000-memory.dmp | upx
behavioral1/memory/2556-77-0x000000013FF80000-0x00000001402D4000-memory.dmp | upx
C:\Windows\system\MUzOzqD.exe | upx
behavioral1/memory/2756-72-0x000000013F310000-0x000000013F664000-memory.dmp | upx
behavioral1/memory/2924-70-0x000000013F710000-0x000000013FA64000-memory.dmp | upx
C:\Windows\system\cBzMpVc.exe | upx
behavioral1/memory/2752-65-0x000000013FB40000-0x000000013FE94000-memory.dmp | upx
behavioral1/memory/2444-63-0x000000013FD10000-0x0000000140064000-memory.dmp | upx
C:\Windows\system\EmgQtAG.exe | upx
behavioral1/memory/2384-58-0x000000013F870000-0x000000013FBC4000-memory.dmp | upx
C:\Windows\system\NindsaN.exe | upx
behavioral1/memory/2336-52-0x000000013F630000-0x000000013F984000-memory.dmp | upx
C:\Windows\system\UjRIsOH.exe | upx
behavioral1/memory/2568-47-0x000000013F770000-0x000000013FAC4000-memory.dmp | upx
behavioral1/memory/2664-46-0x000000013F6D0000-0x000000013FA24000-memory.dmp | upx
C:\Windows\system\znOEvIJ.exe | upx
behavioral1/memory/2356-40-0x000000013FF00000-0x0000000140254000-memory.dmp | upx
C:\Windows\system\AfAjanN.exe | upx
behavioral1/memory/2608-35-0x000000013FE10000-0x0000000140164000-memory.dmp | upx
behavioral1/memory/2340-28-0x000000013F320000-0x000000013F674000-memory.dmp | upx
C:\Windows\system\bdTmpHj.exe | upx
behavioral1/memory/2756-140-0x000000013F310000-0x000000013F664000-memory.dmp | upx
behavioral1/memory/1964-142-0x000000013F950000-0x000000013FCA4000-memory.dmp | upx
behavioral1/memory/1524-144-0x000000013FB40000-0x000000013FE94000-memory.dmp | upx
behavioral1/memory/2068-146-0x000000013FCB0000-0x0000000140004000-memory.dmp | upx
behavioral1/memory/2444-148-0x000000013FD10000-0x0000000140064000-memory.dmp | upx
behavioral1/memory/2924-149-0x000000013F710000-0x000000013FA64000-memory.dmp | upx
behavioral1/memory/2556-150-0x000000013FF80000-0x00000001402D4000-memory.dmp | upx
behavioral1/memory/2608-151-0x000000013FE10000-0x0000000140164000-memory.dmp | upx
behavioral1/memory/1524-155-0x000000013FB40000-0x000000013FE94000-memory.dmp | upx
behavioral1/memory/2568-154-0x000000013F770000-0x000000013FAC4000-memory.dmp | upx
behavioral1/memory/2756-153-0x000000013F310000-0x000000013F664000-memory.dmp | upx
behavioral1/memory/2384-152-0x000000013F870000-0x000000013FBC4000-memory.dmp | upx
behavioral1/memory/2336-160-0x000000013F630000-0x000000013F984000-memory.dmp | upx
behavioral1/memory/2356-161-0x000000013FF00000-0x0000000140254000-memory.dmp | upx
behavioral1/memory/2752-159-0x000000013FB40000-0x000000013FE94000-memory.dmp | upx
behavioral1/memory/1964-158-0x000000013F950000-0x000000013FCA4000-memory.dmp | upx
behavioral1/memory/2068-157-0x000000013FCB0000-0x0000000140004000-memory.dmp | upx
behavioral1/memory/2340-156-0x000000013F320000-0x000000013F674000-memory.dmp | upx
- Drops file in Windows directory (21 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System\yozivTF.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\bdTmpHj.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\cBzMpVc.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\BthFRqy.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\yGAcGAx.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\BFtzmFV.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\YGkzpep.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\LIOaWFr.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\YIHqDur.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\znOEvIJ.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\EmgQtAG.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\uUrrRcq.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\gBudILL.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\UjRIsOH.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\NindsaN.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\MUzOzqD.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\bzwOfwL.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\aUAvRZU.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\hXlbZhW.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\AfAjanN.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\fUOoQTt.exe | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
Processes:
description | pid | process | target process
PID 2664 wrote to memory of 2924 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | LIOaWFr.exe
PID 2664 wrote to memory of 2924 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | LIOaWFr.exe
PID 2664 wrote to memory of 2924 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | LIOaWFr.exe
PID 2664 wrote to memory of 2444 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | yozivTF.exe
PID 2664 wrote to memory of 2444 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | yozivTF.exe
PID 2664 wrote to memory of 2444 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | yozivTF.exe
PID 2664 wrote to memory of 2556 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | gBudILL.exe
PID 2664 wrote to memory of 2556 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | gBudILL.exe
PID 2664 wrote to memory of 2556 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | gBudILL.exe
PID 2664 wrote to memory of 2340 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | YIHqDur.exe
PID 2664 wrote to memory of 2340 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | YIHqDur.exe
PID 2664 wrote to memory of 2340 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | YIHqDur.exe
PID 2664 wrote to memory of 2608 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | bdTmpHj.exe
PID 2664 wrote to memory of 2608 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | bdTmpHj.exe
PID 2664 wrote to memory of 2608 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | bdTmpHj.exe
PID 2664 wrote to memory of 2356 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | AfAjanN.exe
PID 2664 wrote to memory of 2356 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | AfAjanN.exe
PID 2664 wrote to memory of 2356 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | AfAjanN.exe
PID 2664 wrote to memory of 2568 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | znOEvIJ.exe
PID 2664 wrote to memory of 2568 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | znOEvIJ.exe
PID 2664 wrote to memory of 2568 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | znOEvIJ.exe
PID 2664 wrote to memory of 2336 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | UjRIsOH.exe
PID 2664 wrote to memory of 2336 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | UjRIsOH.exe
PID 2664 wrote to memory of 2336 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | UjRIsOH.exe
PID 2664 wrote to memory of 2384 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | NindsaN.exe
PID 2664 wrote to memory of 2384 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | NindsaN.exe
PID 2664 wrote to memory of 2384 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | NindsaN.exe
PID 2664 wrote to memory of 2752 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | EmgQtAG.exe
PID 2664 wrote to memory of 2752 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | EmgQtAG.exe
PID 2664 wrote to memory of 2752 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | EmgQtAG.exe
PID 2664 wrote to memory of 2756 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | cBzMpVc.exe
PID 2664 wrote to memory of 2756 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | cBzMpVc.exe
PID 2664 wrote to memory of 2756 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | cBzMpVc.exe
PID 2664 wrote to memory of 1964 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | MUzOzqD.exe
PID 2664 wrote to memory of 1964 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | MUzOzqD.exe
PID 2664 wrote to memory of 1964 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | MUzOzqD.exe
PID 2664 wrote to memory of 1524 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | BthFRqy.exe
PID 2664 wrote to memory of 1524 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | BthFRqy.exe
PID 2664 wrote to memory of 1524 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | BthFRqy.exe
PID 2664 wrote to memory of 2068 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | yGAcGAx.exe
PID 2664 wrote to memory of 2068 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | yGAcGAx.exe
PID 2664 wrote to memory of 2068 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | yGAcGAx.exe
PID 2664 wrote to memory of 1700 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | bzwOfwL.exe
PID 2664 wrote to memory of 1700 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | bzwOfwL.exe
PID 2664 wrote to memory of 1700 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | bzwOfwL.exe
PID 2664 wrote to memory of 1724 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | aUAvRZU.exe
PID 2664 wrote to memory of 1724 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | aUAvRZU.exe
PID 2664 wrote to memory of 1724 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | aUAvRZU.exe
PID 2664 wrote to memory of 2116 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | uUrrRcq.exe
PID 2664 wrote to memory of 2116 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | uUrrRcq.exe
PID 2664 wrote to memory of 2116 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | uUrrRcq.exe
PID 2664 wrote to memory of 2112 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | hXlbZhW.exe
PID 2664 wrote to memory of 2112 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | hXlbZhW.exe
PID 2664 wrote to memory of 2112 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | hXlbZhW.exe
PID 2664 wrote to memory of 1836 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | BFtzmFV.exe
PID 2664 wrote to memory of 1836 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | BFtzmFV.exe
PID 2664 wrote to memory of 1836 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | BFtzmFV.exe
PID 2664 wrote to memory of 620 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | fUOoQTt.exe
PID 2664 wrote to memory of 620 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | fUOoQTt.exe
PID 2664 wrote to memory of 620 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | fUOoQTt.exe
PID 2664 wrote to memory of 392 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | YGkzpep.exe
PID 2664 wrote to memory of 392 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | YGkzpep.exe
PID 2664 wrote to memory of 392 | 2664 | 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | YGkzpep.exe
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe"
Level 1
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2664

  Image: C:\Windows\System\LIOaWFr.exe
  Command line: C:\Windows\System\LIOaWFr.exe
  Level 2
  - Executes dropped EXE
  PID: 2924

  Image: C:\Windows\System\yozivTF.exe
  Command line: C:\Windows\System\yozivTF.exe
  Level 2
  - Executes dropped EXE
  PID: 2444

  Image: C:\Windows\System\gBudILL.exe
  Command line: C:\Windows\System\gBudILL.exe
  Level 2
  - Executes dropped EXE
  PID: 2556

  Image: C:\Windows\System\YIHqDur.exe
  Command line: C:\Windows\System\YIHqDur.exe
  Level 2
  - Executes dropped EXE
  PID: 2340

  Image: C:\Windows\System\bdTmpHj.exe
  Command line: C:\Windows\System\bdTmpHj.exe
  Level 2
  - Executes dropped EXE
  PID: 2608

  Image: C:\Windows\System\AfAjanN.exe
  Command line: C:\Windows\System\AfAjanN.exe
  Level 2
  - Executes dropped EXE
  PID: 2356

  Image: C:\Windows\System\znOEvIJ.exe
  Command line: C:\Windows\System\znOEvIJ.exe
  Level 2
  - Executes dropped EXE
  PID: 2568

  Image: C:\Windows\System\UjRIsOH.exe
  Command line: C:\Windows\System\UjRIsOH.exe
  Level 2
  - Executes dropped EXE
  PID: 2336

  Image: C:\Windows\System\NindsaN.exe
  Command line: C:\Windows\System\NindsaN.exe
  Level 2
  - Executes dropped EXE
  PID: 2384

  Image: C:\Windows\System\EmgQtAG.exe
  Command line: C:\Windows\System\EmgQtAG.exe
  Level 2
  - Executes dropped EXE
  PID: 2752

  Image: C:\Windows\System\cBzMpVc.exe
  Command line: C:\Windows\System\cBzMpVc.exe
  Level 2
  - Executes dropped EXE
  PID: 2756

  Image: C:\Windows\System\MUzOzqD.exe
  Command line: C:\Windows\System\MUzOzqD.exe
  Level 2
  - Executes dropped EXE
  PID: 1964

  Image: C:\Windows\System\BthFRqy.exe
  Command line: C:\Windows\System\BthFRqy.exe
  Level 2
  - Executes dropped EXE
  PID: 1524

  Image: C:\Windows\System\yGAcGAx.exe
  Command line: C:\Windows\System\yGAcGAx.exe
  Level 2
  - Executes dropped EXE
  PID: 2068

  Image: C:\Windows\System\bzwOfwL.exe
  Command line: C:\Windows\System\bzwOfwL.exe
  Level 2
  - Executes dropped EXE
  PID: 1700

  Image: C:\Windows\System\aUAvRZU.exe
  Command line: C:\Windows\System\aUAvRZU.exe
  Level 2
  - Executes dropped EXE
  PID: 1724

  Image: C:\Windows\System\uUrrRcq.exe
  Command line: C:\Windows\System\uUrrRcq.exe
  Level 2
  - Executes dropped EXE
  PID: 2116

  Image: C:\Windows\System\hXlbZhW.exe
  Command line: C:\Windows\System\hXlbZhW.exe
  Level 2
  - Executes dropped EXE
  PID: 2112

  Image: C:\Windows\System\BFtzmFV.exe
  Command line: C:\Windows\System\BFtzmFV.exe
  Level 2
  - Executes dropped EXE
  PID: 1836

  Image: C:\Windows\System\fUOoQTt.exe
  Command line: C:\Windows\System\fUOoQTt.exe
  Level 2
  - Executes dropped EXE
  PID: 620

  Image: C:\Windows\System\YGkzpep.exe
  Command line: C:\Windows\System\YGkzpep.exe
  Level 2
  - Executes dropped EXE
  PID: 392
Downloads