Analysis
max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 07-06-2024 01:40
Behavioral task: behavioral1
Sample: 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
Resource: win7-20240508-en
General
Target: 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 8c16781cae7bb12c1986fd74494e9bd9
SHA1: e3d7e89bfc3c3105a6e61abffd3908066c840661
SHA256: f3f91ff34eb039f19fc642217809df770bd0ed7f832397ac80b2945e351e0574
SHA512: a2a62eab4f9f2998054b012de30b2fe8d931001acc840047526fb4a30d2516ac5ae31e4612884efc93b29fbbe2191257f2b222b05d5ab115ffd3614dd7178f1e
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU5:Q+856utgpPF8u/75
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Processes:
resource | yara_rule
\Windows\system\EtzunXT.exe | cobalt_reflective_dll
C:\Windows\system\ULGTYBI.exe | cobalt_reflective_dll
C:\Windows\system\EsKpquD.exe | cobalt_reflective_dll
\Windows\system\RgWNHog.exe | cobalt_reflective_dll
C:\Windows\system\mAwTfAf.exe | cobalt_reflective_dll
\Windows\system\VKosYnJ.exe | cobalt_reflective_dll
\Windows\system\UboLdSc.exe | cobalt_reflective_dll
C:\Windows\system\hsSldVs.exe | cobalt_reflective_dll
\Windows\system\tElOZEz.exe | cobalt_reflective_dll
C:\Windows\system\HHeHorJ.exe | cobalt_reflective_dll
C:\Windows\system\kfrRdvP.exe | cobalt_reflective_dll
\Windows\system\wzGZENe.exe | cobalt_reflective_dll
C:\Windows\system\pjoUwRe.exe | cobalt_reflective_dll
C:\Windows\system\RXWnKsT.exe | cobalt_reflective_dll
C:\Windows\system\zfgwmjG.exe | cobalt_reflective_dll
C:\Windows\system\IEqAjNk.exe | cobalt_reflective_dll
C:\Windows\system\olunaIt.exe | cobalt_reflective_dll
C:\Windows\system\dnKBaBM.exe | cobalt_reflective_dll
C:\Windows\system\XMIprlW.exe | cobalt_reflective_dll
C:\Windows\system\GLrPXxh.exe | cobalt_reflective_dll
C:\Windows\system\ZDjZyXo.exe | cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Detects Reflective DLL injection artifacts 21 IoCs
Processes:
resource | yara_rule
\Windows\system\EtzunXT.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ULGTYBI.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EsKpquD.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\RgWNHog.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mAwTfAf.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VKosYnJ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UboLdSc.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hsSldVs.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\tElOZEz.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HHeHorJ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kfrRdvP.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\wzGZENe.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pjoUwRe.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RXWnKsT.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zfgwmjG.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IEqAjNk.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\olunaIt.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dnKBaBM.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XMIprlW.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GLrPXxh.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZDjZyXo.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1932-0-0x000000013F1C0000-0x000000013F514000-memory.dmp | UPX
\Windows\system\EtzunXT.exe | UPX
behavioral1/memory/1932-6-0x000000013F7B0000-0x000000013FB04000-memory.dmp | UPX
behavioral1/memory/2068-8-0x000000013F7B0000-0x000000013FB04000-memory.dmp | UPX
C:\Windows\system\ULGTYBI.exe | UPX
C:\Windows\system\EsKpquD.exe | UPX
\Windows\system\RgWNHog.exe | UPX
behavioral1/memory/2576-27-0x000000013FEE0000-0x0000000140234000-memory.dmp | UPX
behavioral1/memory/1040-28-0x000000013F710000-0x000000013FA64000-memory.dmp | UPX
behavioral1/memory/2756-20-0x000000013F700000-0x000000013FA54000-memory.dmp | UPX
behavioral1/memory/2664-36-0x000000013F0E0000-0x000000013F434000-memory.dmp | UPX
C:\Windows\system\mAwTfAf.exe | UPX
\Windows\system\VKosYnJ.exe | UPX
behavioral1/memory/2480-44-0x000000013F520000-0x000000013F874000-memory.dmp | UPX
behavioral1/memory/1932-43-0x000000013F1C0000-0x000000013F514000-memory.dmp | UPX
\Windows\system\UboLdSc.exe | UPX
behavioral1/memory/2484-60-0x000000013FC20000-0x000000013FF74000-memory.dmp | UPX
C:\Windows\system\hsSldVs.exe | UPX
\Windows\system\tElOZEz.exe | UPX
C:\Windows\system\HHeHorJ.exe | UPX
behavioral1/memory/2540-89-0x000000013F6E0000-0x000000013FA34000-memory.dmp | UPX
behavioral1/memory/2480-102-0x000000013F520000-0x000000013F874000-memory.dmp | UPX
C:\Windows\system\kfrRdvP.exe | UPX
\Windows\system\wzGZENe.exe | UPX
C:\Windows\system\pjoUwRe.exe | UPX
C:\Windows\system\RXWnKsT.exe | UPX
C:\Windows\system\zfgwmjG.exe | UPX
C:\Windows\system\IEqAjNk.exe | UPX
C:\Windows\system\olunaIt.exe | UPX
behavioral1/memory/2212-103-0x000000013F8F0000-0x000000013FC44000-memory.dmp | UPX
behavioral1/memory/2712-96-0x000000013F550000-0x000000013F8A4000-memory.dmp | UPX
C:\Windows\system\dnKBaBM.exe | UPX
C:\Windows\system\XMIprlW.exe | UPX
behavioral1/memory/2664-87-0x000000013F0E0000-0x000000013F434000-memory.dmp | UPX
behavioral1/memory/2128-82-0x000000013FEB0000-0x0000000140204000-memory.dmp | UPX
behavioral1/memory/1040-81-0x000000013F710000-0x000000013FA64000-memory.dmp | UPX
C:\Windows\system\GLrPXxh.exe | UPX
behavioral1/memory/2896-67-0x000000013FBD0000-0x000000013FF24000-memory.dmp | UPX
behavioral1/memory/2072-73-0x000000013F940000-0x000000013FC94000-memory.dmp | UPX
behavioral1/memory/2484-141-0x000000013FC20000-0x000000013FF74000-memory.dmp | UPX
behavioral1/memory/2608-53-0x000000013FDC0000-0x0000000140114000-memory.dmp | UPX
behavioral1/memory/2068-52-0x000000013F7B0000-0x000000013FB04000-memory.dmp | UPX
behavioral1/memory/2756-58-0x000000013F700000-0x000000013FA54000-memory.dmp | UPX
C:\Windows\system\ZDjZyXo.exe | UPX
behavioral1/memory/2896-143-0x000000013FBD0000-0x000000013FF24000-memory.dmp | UPX
behavioral1/memory/2072-145-0x000000013F940000-0x000000013FC94000-memory.dmp | UPX
behavioral1/memory/2128-146-0x000000013FEB0000-0x0000000140204000-memory.dmp | UPX
behavioral1/memory/2540-148-0x000000013F6E0000-0x000000013FA34000-memory.dmp | UPX
behavioral1/memory/2712-150-0x000000013F550000-0x000000013F8A4000-memory.dmp | UPX
behavioral1/memory/2212-152-0x000000013F8F0000-0x000000013FC44000-memory.dmp | UPX
behavioral1/memory/2068-153-0x000000013F7B0000-0x000000013FB04000-memory.dmp | UPX
behavioral1/memory/2756-154-0x000000013F700000-0x000000013FA54000-memory.dmp | UPX
behavioral1/memory/2576-155-0x000000013FEE0000-0x0000000140234000-memory.dmp | UPX
behavioral1/memory/1040-156-0x000000013F710000-0x000000013FA64000-memory.dmp | UPX
behavioral1/memory/2664-157-0x000000013F0E0000-0x000000013F434000-memory.dmp | UPX
behavioral1/memory/2480-158-0x000000013F520000-0x000000013F874000-memory.dmp | UPX
behavioral1/memory/2608-159-0x000000013FDC0000-0x0000000140114000-memory.dmp | UPX
behavioral1/memory/2484-160-0x000000013FC20000-0x000000013FF74000-memory.dmp | UPX
behavioral1/memory/2896-162-0x000000013FBD0000-0x000000013FF24000-memory.dmp | UPX
behavioral1/memory/2072-161-0x000000013F940000-0x000000013FC94000-memory.dmp | UPX
behavioral1/memory/2128-163-0x000000013FEB0000-0x0000000140204000-memory.dmp | UPX
behavioral1/memory/2540-164-0x000000013F6E0000-0x000000013FA34000-memory.dmp | UPX
behavioral1/memory/2712-165-0x000000013F550000-0x000000013F8A4000-memory.dmp | UPX
behavioral1/memory/2212-166-0x000000013F8F0000-0x000000013FC44000-memory.dmp | UPX
XMRig Miner payload 64 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1932-0-0x000000013F1C0000-0x000000013F514000-memory.dmp | xmrig
\Windows\system\EtzunXT.exe | xmrig
behavioral1/memory/1932-6-0x000000013F7B0000-0x000000013FB04000-memory.dmp | xmrig
behavioral1/memory/2068-8-0x000000013F7B0000-0x000000013FB04000-memory.dmp | xmrig
C:\Windows\system\ULGTYBI.exe | xmrig
C:\Windows\system\EsKpquD.exe | xmrig
\Windows\system\RgWNHog.exe | xmrig
behavioral1/memory/2576-27-0x000000013FEE0000-0x0000000140234000-memory.dmp | xmrig
behavioral1/memory/1040-28-0x000000013F710000-0x000000013FA64000-memory.dmp | xmrig
behavioral1/memory/2756-20-0x000000013F700000-0x000000013FA54000-memory.dmp | xmrig
behavioral1/memory/2664-36-0x000000013F0E0000-0x000000013F434000-memory.dmp | xmrig
C:\Windows\system\mAwTfAf.exe | xmrig
\Windows\system\VKosYnJ.exe | xmrig
behavioral1/memory/2480-44-0x000000013F520000-0x000000013F874000-memory.dmp | xmrig
behavioral1/memory/1932-43-0x000000013F1C0000-0x000000013F514000-memory.dmp | xmrig
\Windows\system\UboLdSc.exe | xmrig
behavioral1/memory/1932-59-0x000000013FC20000-0x000000013FF74000-memory.dmp | xmrig
behavioral1/memory/2484-60-0x000000013FC20000-0x000000013FF74000-memory.dmp | xmrig
C:\Windows\system\hsSldVs.exe | xmrig
\Windows\system\tElOZEz.exe | xmrig
C:\Windows\system\HHeHorJ.exe | xmrig
behavioral1/memory/2540-89-0x000000013F6E0000-0x000000013FA34000-memory.dmp | xmrig
behavioral1/memory/2480-102-0x000000013F520000-0x000000013F874000-memory.dmp | xmrig
C:\Windows\system\kfrRdvP.exe | xmrig
\Windows\system\wzGZENe.exe | xmrig
C:\Windows\system\pjoUwRe.exe | xmrig
C:\Windows\system\RXWnKsT.exe | xmrig
C:\Windows\system\zfgwmjG.exe | xmrig
C:\Windows\system\IEqAjNk.exe | xmrig
C:\Windows\system\olunaIt.exe | xmrig
behavioral1/memory/2212-103-0x000000013F8F0000-0x000000013FC44000-memory.dmp | xmrig
behavioral1/memory/2712-96-0x000000013F550000-0x000000013F8A4000-memory.dmp | xmrig
C:\Windows\system\dnKBaBM.exe | xmrig
C:\Windows\system\XMIprlW.exe | xmrig
behavioral1/memory/2664-87-0x000000013F0E0000-0x000000013F434000-memory.dmp | xmrig
behavioral1/memory/2128-82-0x000000013FEB0000-0x0000000140204000-memory.dmp | xmrig
behavioral1/memory/1040-81-0x000000013F710000-0x000000013FA64000-memory.dmp | xmrig
C:\Windows\system\GLrPXxh.exe | xmrig
behavioral1/memory/1932-77-0x000000013FEB0000-0x0000000140204000-memory.dmp | xmrig
behavioral1/memory/2896-67-0x000000013FBD0000-0x000000013FF24000-memory.dmp | xmrig
behavioral1/memory/2072-73-0x000000013F940000-0x000000013FC94000-memory.dmp | xmrig
behavioral1/memory/2484-141-0x000000013FC20000-0x000000013FF74000-memory.dmp | xmrig
behavioral1/memory/1932-140-0x000000013FC20000-0x000000013FF74000-memory.dmp | xmrig
behavioral1/memory/2608-53-0x000000013FDC0000-0x0000000140114000-memory.dmp | xmrig
behavioral1/memory/2068-52-0x000000013F7B0000-0x000000013FB04000-memory.dmp | xmrig
behavioral1/memory/2756-58-0x000000013F700000-0x000000013FA54000-memory.dmp | xmrig
C:\Windows\system\ZDjZyXo.exe | xmrig
behavioral1/memory/2896-143-0x000000013FBD0000-0x000000013FF24000-memory.dmp | xmrig
behavioral1/memory/2072-145-0x000000013F940000-0x000000013FC94000-memory.dmp | xmrig
behavioral1/memory/2128-146-0x000000013FEB0000-0x0000000140204000-memory.dmp | xmrig
behavioral1/memory/2540-148-0x000000013F6E0000-0x000000013FA34000-memory.dmp | xmrig
behavioral1/memory/2712-150-0x000000013F550000-0x000000013F8A4000-memory.dmp | xmrig
behavioral1/memory/2212-152-0x000000013F8F0000-0x000000013FC44000-memory.dmp | xmrig
behavioral1/memory/2068-153-0x000000013F7B0000-0x000000013FB04000-memory.dmp | xmrig
behavioral1/memory/2756-154-0x000000013F700000-0x000000013FA54000-memory.dmp | xmrig
behavioral1/memory/2576-155-0x000000013FEE0000-0x0000000140234000-memory.dmp | xmrig
behavioral1/memory/1040-156-0x000000013F710000-0x000000013FA64000-memory.dmp | xmrig
behavioral1/memory/2664-157-0x000000013F0E0000-0x000000013F434000-memory.dmp | xmrig
behavioral1/memory/2480-158-0x000000013F520000-0x000000013F874000-memory.dmp | xmrig
behavioral1/memory/2608-159-0x000000013FDC0000-0x0000000140114000-memory.dmp | xmrig
behavioral1/memory/2484-160-0x000000013FC20000-0x000000013FF74000-memory.dmp | xmrig
behavioral1/memory/2896-162-0x000000013FBD0000-0x000000013FF24000-memory.dmp | xmrig
behavioral1/memory/2072-161-0x000000013F940000-0x000000013FC94000-memory.dmp | xmrig
behavioral1/memory/2128-163-0x000000013FEB0000-0x0000000140204000-memory.dmp | xmrig
Executes dropped EXE 21 IoCs
Processes:
pid | process
2068 | EtzunXT.exe
2756 | ULGTYBI.exe
2576 | EsKpquD.exe
1040 | RgWNHog.exe
2664 | mAwTfAf.exe
2480 | VKosYnJ.exe
2608 | UboLdSc.exe
2484 | ZDjZyXo.exe
2896 | tElOZEz.exe
2072 | hsSldVs.exe
2128 | GLrPXxh.exe
2540 | HHeHorJ.exe
2712 | dnKBaBM.exe
2212 | XMIprlW.exe
1288 | IEqAjNk.exe
1956 | olunaIt.exe
1324 | RXWnKsT.exe
1296 | zfgwmjG.exe
2132 | pjoUwRe.exe
1736 | kfrRdvP.exe
2368 | wzGZENe.exe
Loads dropped DLL 21 IoCs
Processes:
pid | process
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
Processes:
resource | yara_rule
behavioral1/memory/1932-0-0x000000013F1C0000-0x000000013F514000-memory.dmp | upx
\Windows\system\EtzunXT.exe | upx
behavioral1/memory/1932-6-0x000000013F7B0000-0x000000013FB04000-memory.dmp | upx
behavioral1/memory/2068-8-0x000000013F7B0000-0x000000013FB04000-memory.dmp | upx
C:\Windows\system\ULGTYBI.exe | upx
C:\Windows\system\EsKpquD.exe | upx
\Windows\system\RgWNHog.exe | upx
behavioral1/memory/2576-27-0x000000013FEE0000-0x0000000140234000-memory.dmp | upx
behavioral1/memory/1040-28-0x000000013F710000-0x000000013FA64000-memory.dmp | upx
behavioral1/memory/2756-20-0x000000013F700000-0x000000013FA54000-memory.dmp | upx
behavioral1/memory/2664-36-0x000000013F0E0000-0x000000013F434000-memory.dmp | upx
C:\Windows\system\mAwTfAf.exe | upx
\Windows\system\VKosYnJ.exe | upx
behavioral1/memory/2480-44-0x000000013F520000-0x000000013F874000-memory.dmp | upx
behavioral1/memory/1932-43-0x000000013F1C0000-0x000000013F514000-memory.dmp | upx
\Windows\system\UboLdSc.exe | upx
behavioral1/memory/2484-60-0x000000013FC20000-0x000000013FF74000-memory.dmp | upx
C:\Windows\system\hsSldVs.exe | upx
\Windows\system\tElOZEz.exe | upx
C:\Windows\system\HHeHorJ.exe | upx
behavioral1/memory/2540-89-0x000000013F6E0000-0x000000013FA34000-memory.dmp | upx
behavioral1/memory/2480-102-0x000000013F520000-0x000000013F874000-memory.dmp | upx
C:\Windows\system\kfrRdvP.exe | upx
\Windows\system\wzGZENe.exe | upx
C:\Windows\system\pjoUwRe.exe | upx
C:\Windows\system\RXWnKsT.exe | upx
C:\Windows\system\zfgwmjG.exe | upx
C:\Windows\system\IEqAjNk.exe | upx
C:\Windows\system\olunaIt.exe | upx
behavioral1/memory/2212-103-0x000000013F8F0000-0x000000013FC44000-memory.dmp | upx
behavioral1/memory/2712-96-0x000000013F550000-0x000000013F8A4000-memory.dmp | upx
C:\Windows\system\dnKBaBM.exe | upx
C:\Windows\system\XMIprlW.exe | upx
behavioral1/memory/2664-87-0x000000013F0E0000-0x000000013F434000-memory.dmp | upx
behavioral1/memory/2128-82-0x000000013FEB0000-0x0000000140204000-memory.dmp | upx
behavioral1/memory/1040-81-0x000000013F710000-0x000000013FA64000-memory.dmp | upx
C:\Windows\system\GLrPXxh.exe | upx
behavioral1/memory/2896-67-0x000000013FBD0000-0x000000013FF24000-memory.dmp | upx
behavioral1/memory/2072-73-0x000000013F940000-0x000000013FC94000-memory.dmp | upx
behavioral1/memory/2484-141-0x000000013FC20000-0x000000013FF74000-memory.dmp | upx
behavioral1/memory/2608-53-0x000000013FDC0000-0x0000000140114000-memory.dmp | upx
behavioral1/memory/2068-52-0x000000013F7B0000-0x000000013FB04000-memory.dmp | upx
behavioral1/memory/2756-58-0x000000013F700000-0x000000013FA54000-memory.dmp | upx
C:\Windows\system\ZDjZyXo.exe | upx
behavioral1/memory/2896-143-0x000000013FBD0000-0x000000013FF24000-memory.dmp | upx
behavioral1/memory/2072-145-0x000000013F940000-0x000000013FC94000-memory.dmp | upx
behavioral1/memory/2128-146-0x000000013FEB0000-0x0000000140204000-memory.dmp | upx
behavioral1/memory/2540-148-0x000000013F6E0000-0x000000013FA34000-memory.dmp | upx
behavioral1/memory/2712-150-0x000000013F550000-0x000000013F8A4000-memory.dmp | upx
behavioral1/memory/2212-152-0x000000013F8F0000-0x000000013FC44000-memory.dmp | upx
behavioral1/memory/2068-153-0x000000013F7B0000-0x000000013FB04000-memory.dmp | upx
behavioral1/memory/2756-154-0x000000013F700000-0x000000013FA54000-memory.dmp | upx
behavioral1/memory/2576-155-0x000000013FEE0000-0x0000000140234000-memory.dmp | upx
behavioral1/memory/1040-156-0x000000013F710000-0x000000013FA64000-memory.dmp | upx
behavioral1/memory/2664-157-0x000000013F0E0000-0x000000013F434000-memory.dmp | upx
behavioral1/memory/2480-158-0x000000013F520000-0x000000013F874000-memory.dmp | upx
behavioral1/memory/2608-159-0x000000013FDC0000-0x0000000140114000-memory.dmp | upx
behavioral1/memory/2484-160-0x000000013FC20000-0x000000013FF74000-memory.dmp | upx
behavioral1/memory/2896-162-0x000000013FBD0000-0x000000013FF24000-memory.dmp | upx
behavioral1/memory/2072-161-0x000000013F940000-0x000000013FC94000-memory.dmp | upx
behavioral1/memory/2128-163-0x000000013FEB0000-0x0000000140204000-memory.dmp | upx
behavioral1/memory/2540-164-0x000000013F6E0000-0x000000013FA34000-memory.dmp | upx
behavioral1/memory/2712-165-0x000000013F550000-0x000000013F8A4000-memory.dmp | upx
behavioral1/memory/2212-166-0x000000013F8F0000-0x000000013FC44000-memory.dmp | upx
Drops file in Windows directory 21 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System\RgWNHog.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\mAwTfAf.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\XMIprlW.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\zfgwmjG.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\EtzunXT.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ULGTYBI.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\EsKpquD.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\dnKBaBM.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\olunaIt.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\VKosYnJ.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ZDjZyXo.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\tElOZEz.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\GLrPXxh.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\IEqAjNk.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\UboLdSc.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\hsSldVs.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\HHeHorJ.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\RXWnKsT.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\pjoUwRe.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\kfrRdvP.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\wzGZENe.exe | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
description | pid | process | target process
PID 1932 wrote to memory of 2068 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | EtzunXT.exe
PID 1932 wrote to memory of 2068 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | EtzunXT.exe
PID 1932 wrote to memory of 2068 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | EtzunXT.exe
PID 1932 wrote to memory of 2756 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | ULGTYBI.exe
PID 1932 wrote to memory of 2756 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | ULGTYBI.exe
PID 1932 wrote to memory of 2756 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | ULGTYBI.exe
PID 1932 wrote to memory of 1040 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | RgWNHog.exe
PID 1932 wrote to memory of 1040 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | RgWNHog.exe
PID 1932 wrote to memory of 1040 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | RgWNHog.exe
PID 1932 wrote to memory of 2576 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | EsKpquD.exe
PID 1932 wrote to memory of 2576 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | EsKpquD.exe
PID 1932 wrote to memory of 2576 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | EsKpquD.exe
PID 1932 wrote to memory of 2664 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | mAwTfAf.exe
PID 1932 wrote to memory of 2664 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | mAwTfAf.exe
PID 1932 wrote to memory of 2664 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | mAwTfAf.exe
PID 1932 wrote to memory of 2480 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | VKosYnJ.exe
PID 1932 wrote to memory of 2480 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | VKosYnJ.exe
PID 1932 wrote to memory of 2480 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | VKosYnJ.exe
PID 1932 wrote to memory of 2608 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | UboLdSc.exe
PID 1932 wrote to memory of 2608 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | UboLdSc.exe
PID 1932 wrote to memory of 2608 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | UboLdSc.exe
PID 1932 wrote to memory of 2484 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | ZDjZyXo.exe
PID 1932 wrote to memory of 2484 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | ZDjZyXo.exe
PID 1932 wrote to memory of 2484 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | ZDjZyXo.exe
PID 1932 wrote to memory of 2896 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | tElOZEz.exe
PID 1932 wrote to memory of 2896 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | tElOZEz.exe
PID 1932 wrote to memory of 2896 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | tElOZEz.exe
PID 1932 wrote to memory of 2072 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | hsSldVs.exe
PID 1932 wrote to memory of 2072 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | hsSldVs.exe
PID 1932 wrote to memory of 2072 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | hsSldVs.exe
PID 1932 wrote to memory of 2128 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | GLrPXxh.exe
PID 1932 wrote to memory of 2128 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | GLrPXxh.exe
PID 1932 wrote to memory of 2128 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | GLrPXxh.exe
PID 1932 wrote to memory of 2540 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | HHeHorJ.exe
PID 1932 wrote to memory of 2540 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | HHeHorJ.exe
PID 1932 wrote to memory of 2540 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | HHeHorJ.exe
PID 1932 wrote to memory of 2712 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | dnKBaBM.exe
PID 1932 wrote to memory of 2712 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | dnKBaBM.exe
PID 1932 wrote to memory of 2712 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | dnKBaBM.exe
PID 1932 wrote to memory of 2212 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | XMIprlW.exe
PID 1932 wrote to memory of 2212 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | XMIprlW.exe
PID 1932 wrote to memory of 2212 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | XMIprlW.exe
PID 1932 wrote to memory of 1288 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | IEqAjNk.exe
PID 1932 wrote to memory of 1288 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | IEqAjNk.exe
PID 1932 wrote to memory of 1288 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | IEqAjNk.exe
PID 1932 wrote to memory of 1956 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | olunaIt.exe
PID 1932 wrote to memory of 1956 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | olunaIt.exe
PID 1932 wrote to memory of 1956 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | olunaIt.exe
PID 1932 wrote to memory of 1324 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | RXWnKsT.exe
PID 1932 wrote to memory of 1324 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | RXWnKsT.exe
PID 1932 wrote to memory of 1324 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | RXWnKsT.exe
PID 1932 wrote to memory of 1296 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | zfgwmjG.exe
PID 1932 wrote to memory of 1296 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | zfgwmjG.exe
PID 1932 wrote to memory of 1296 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | zfgwmjG.exe
PID 1932 wrote to memory of 2132 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | pjoUwRe.exe
PID 1932 wrote to memory of 2132 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | pjoUwRe.exe
PID 1932 wrote to memory of 2132 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | pjoUwRe.exe
PID 1932 wrote to memory of 1736 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | kfrRdvP.exe
PID 1932 wrote to memory of 1736 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | kfrRdvP.exe
PID 1932 wrote to memory of 1736 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | kfrRdvP.exe
PID 1932 wrote to memory of 2368 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | wzGZENe.exe
PID 1932 wrote to memory of 2368 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | wzGZENe.exe
PID 1932 wrote to memory of 2368 | 1932 | 2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe | wzGZENe.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1932
  C:\Windows\System\EtzunXT.exe
  Command line: C:\Windows\System\EtzunXT.exe
  - Executes dropped EXE
  PID: 2068
  C:\Windows\System\ULGTYBI.exe
  Command line: C:\Windows\System\ULGTYBI.exe
  - Executes dropped EXE
  PID: 2756
  C:\Windows\System\RgWNHog.exe
  Command line: C:\Windows\System\RgWNHog.exe
  - Executes dropped EXE
  PID: 1040
  C:\Windows\System\EsKpquD.exe
  Command line: C:\Windows\System\EsKpquD.exe
  - Executes dropped EXE
  PID: 2576
  C:\Windows\System\mAwTfAf.exe
  Command line: C:\Windows\System\mAwTfAf.exe
  - Executes dropped EXE
  PID: 2664
  C:\Windows\System\VKosYnJ.exe
  Command line: C:\Windows\System\VKosYnJ.exe
  - Executes dropped EXE
  PID: 2480
  C:\Windows\System\UboLdSc.exe
  Command line: C:\Windows\System\UboLdSc.exe
  - Executes dropped EXE
  PID: 2608
  C:\Windows\System\ZDjZyXo.exe
  Command line: C:\Windows\System\ZDjZyXo.exe
  - Executes dropped EXE
  PID: 2484
  C:\Windows\System\tElOZEz.exe
  Command line: C:\Windows\System\tElOZEz.exe
  - Executes dropped EXE
  PID: 2896
  C:\Windows\System\hsSldVs.exe
  Command line: C:\Windows\System\hsSldVs.exe
  - Executes dropped EXE
  PID: 2072
  C:\Windows\System\GLrPXxh.exe
  Command line: C:\Windows\System\GLrPXxh.exe
  - Executes dropped EXE
  PID: 2128
  C:\Windows\System\HHeHorJ.exe
  Command line: C:\Windows\System\HHeHorJ.exe
  - Executes dropped EXE
  PID: 2540
  C:\Windows\System\dnKBaBM.exe
  Command line: C:\Windows\System\dnKBaBM.exe
  - Executes dropped EXE
  PID: 2712
  C:\Windows\System\XMIprlW.exe
  Command line: C:\Windows\System\XMIprlW.exe
  - Executes dropped EXE
  PID: 2212
  C:\Windows\System\IEqAjNk.exe
  Command line: C:\Windows\System\IEqAjNk.exe
  - Executes dropped EXE
  PID: 1288
  C:\Windows\System\olunaIt.exe
  Command line: C:\Windows\System\olunaIt.exe
  - Executes dropped EXE
  PID: 1956
  C:\Windows\System\RXWnKsT.exe
  Command line: C:\Windows\System\RXWnKsT.exe
  - Executes dropped EXE
  PID: 1324
  C:\Windows\System\zfgwmjG.exe
  Command line: C:\Windows\System\zfgwmjG.exe
  - Executes dropped EXE
  PID: 1296
  C:\Windows\System\pjoUwRe.exe
  Command line: C:\Windows\System\pjoUwRe.exe
  - Executes dropped EXE
  PID: 2132
  C:\Windows\System\kfrRdvP.exe
  Command line: C:\Windows\System\kfrRdvP.exe
  - Executes dropped EXE
  PID: 1736
  C:\Windows\System\wzGZENe.exe
  Command line: C:\Windows\System\wzGZENe.exe
  - Executes dropped EXE
  PID: 2368
Network
MITRE ATT&CK Matrix
Downloads