Analysis
-
max time kernel
133s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
07-06-2024 01:43
Behavioral task
behavioral1
Sample
2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
Resource
win7-20240508-en
General
-
Target
2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
-
Size
5.9MB
-
MD5
4255859d1910c64892a46db2c71a6145
-
SHA1
06129659169e3453fdba7b95204a3403266b42a5
-
SHA256
ceab942ce0f34d496e9bc456dffff321cbe25a88c5872fdd8b59fdf88a89b368
-
SHA512
9f305a30819dbc3716e857fcdc161db607ef683e5fbde7ac2742a7024252edee86a59cf52dd2c347ed17f8659396cf555a2b9071e1b534054b0eecf127650060
-
SSDEEP
98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUe:Q+856utgpPF8u/7e
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 6 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4824-147-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp  UPX
behavioral2/memory/544-150-0x00007FF635A10000-0x00007FF635D64000-memory.dmp  UPX
behavioral2/memory/4812-151-0x00007FF6715B0000-0x00007FF671904000-memory.dmp  UPX
behavioral2/memory/2292-155-0x00007FF75A2C0000-0x00007FF75A614000-memory.dmp  UPX
behavioral2/memory/940-157-0x00007FF714490000-0x00007FF7147E4000-memory.dmp  UPX
behavioral2/memory/1496-159-0x00007FF664240000-0x00007FF664594000-memory.dmp  UPX
XMRig Miner payload 20 IoCs
Processes:
resource  yara_rule
behavioral2/memory/3624-143-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp  xmrig
behavioral2/memory/208-146-0x00007FF7FBAA0000-0x00007FF7FBDF4000-memory.dmp  xmrig
behavioral2/memory/4824-147-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp  xmrig
behavioral2/memory/4688-149-0x00007FF60A7B0000-0x00007FF60AB04000-memory.dmp  xmrig
behavioral2/memory/544-150-0x00007FF635A10000-0x00007FF635D64000-memory.dmp  xmrig
behavioral2/memory/4812-151-0x00007FF6715B0000-0x00007FF671904000-memory.dmp  xmrig
behavioral2/memory/3660-152-0x00007FF772670000-0x00007FF7729C4000-memory.dmp  xmrig
behavioral2/memory/3668-148-0x00007FF7E71E0000-0x00007FF7E7534000-memory.dmp  xmrig
behavioral2/memory/1688-154-0x00007FF78E470000-0x00007FF78E7C4000-memory.dmp  xmrig
behavioral2/memory/5108-156-0x00007FF663450000-0x00007FF6637A4000-memory.dmp  xmrig
behavioral2/memory/2292-155-0x00007FF75A2C0000-0x00007FF75A614000-memory.dmp  xmrig
behavioral2/memory/940-157-0x00007FF714490000-0x00007FF7147E4000-memory.dmp  xmrig
behavioral2/memory/4504-158-0x00007FF7D6990000-0x00007FF7D6CE4000-memory.dmp  xmrig
behavioral2/memory/1496-159-0x00007FF664240000-0x00007FF664594000-memory.dmp  xmrig
behavioral2/memory/740-160-0x00007FF62D4B0000-0x00007FF62D804000-memory.dmp  xmrig
behavioral2/memory/412-163-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp  xmrig
behavioral2/memory/2888-162-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp  xmrig
behavioral2/memory/4536-153-0x00007FF7773A0000-0x00007FF7776F4000-memory.dmp  xmrig
behavioral2/memory/1804-145-0x00007FF658BC0000-0x00007FF658F14000-memory.dmp  xmrig
behavioral2/memory/1176-144-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp  xmrig
Executes dropped EXE 21 IoCs
Processes:
pid   process
3624  LVUxBpM.exe
1176  xEonPre.exe
1804  OeyFlxe.exe
208   xOrzLHe.exe
4824  mMomgcf.exe
3668  WobcRnx.exe
4688  MfCoHdg.exe
544   eyVKxxT.exe
4812  WPccKzt.exe
3660  TgTWcfc.exe
1688  iYbvcpk.exe
4536  iuqHQns.exe
5108  JLupGEA.exe
2292  Jtdrhcd.exe
4504  HCfTmfe.exe
940   ZcrGNoP.exe
1496  DfVRHtb.exe
740   pvRluMw.exe
636   slJLaCF.exe
412   xOYVyGL.exe
2888  uCSqTCl.exe
Processes:
resource  yara_rule
behavioral2/memory/556-0-0x00007FF7CED20000-0x00007FF7CF074000-memory.dmp  upx
C:\Windows\System\LVUxBpM.exe  upx
C:\Windows\System\xEonPre.exe  upx
behavioral2/memory/1804-20-0x00007FF658BC0000-0x00007FF658F14000-memory.dmp  upx
behavioral2/memory/4812-55-0x00007FF6715B0000-0x00007FF671904000-memory.dmp  upx
behavioral2/memory/3624-67-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp  upx
behavioral2/memory/940-102-0x00007FF714490000-0x00007FF7147E4000-memory.dmp  upx
behavioral2/memory/3668-105-0x00007FF7E71E0000-0x00007FF7E7534000-memory.dmp  upx
behavioral2/memory/4812-123-0x00007FF6715B0000-0x00007FF671904000-memory.dmp  upx
behavioral2/memory/2888-136-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp  upx
behavioral2/memory/1688-135-0x00007FF78E470000-0x00007FF78E7C4000-memory.dmp  upx
C:\Windows\System\uCSqTCl.exe  upx
behavioral2/memory/412-129-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp  upx
behavioral2/memory/636-124-0x00007FF7F8710000-0x00007FF7F8A64000-memory.dmp  upx
behavioral2/memory/740-119-0x00007FF62D4B0000-0x00007FF62D804000-memory.dmp  upx
behavioral2/memory/544-114-0x00007FF635A10000-0x00007FF635D64000-memory.dmp  upx
behavioral2/memory/1496-111-0x00007FF664240000-0x00007FF664594000-memory.dmp  upx
behavioral2/memory/4824-99-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp  upx
behavioral2/memory/4504-94-0x00007FF7D6990000-0x00007FF7D6CE4000-memory.dmp  upx
behavioral2/memory/2292-90-0x00007FF75A2C0000-0x00007FF75A614000-memory.dmp  upx
behavioral2/memory/5108-89-0x00007FF663450000-0x00007FF6637A4000-memory.dmp  upx
behavioral2/memory/1804-86-0x00007FF658BC0000-0x00007FF658F14000-memory.dmp  upx
C:\Windows\System\Jtdrhcd.exe  upx
behavioral2/memory/4536-78-0x00007FF7773A0000-0x00007FF7776F4000-memory.dmp  upx
behavioral2/memory/1176-74-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp  upx
behavioral2/memory/1688-68-0x00007FF78E470000-0x00007FF78E7C4000-memory.dmp  upx
behavioral2/memory/3660-66-0x00007FF772670000-0x00007FF7729C4000-memory.dmp  upx
behavioral2/memory/556-62-0x00007FF7CED20000-0x00007FF7CF074000-memory.dmp  upx
behavioral2/memory/544-49-0x00007FF635A10000-0x00007FF635D64000-memory.dmp  upx
behavioral2/memory/4688-44-0x00007FF60A7B0000-0x00007FF60AB04000-memory.dmp  upx
behavioral2/memory/4536-137-0x00007FF7773A0000-0x00007FF7776F4000-memory.dmp  upx
behavioral2/memory/3668-39-0x00007FF7E71E0000-0x00007FF7E7534000-memory.dmp  upx
behavioral2/memory/4824-32-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp  upx
behavioral2/memory/208-26-0x00007FF7FBAA0000-0x00007FF7FBDF4000-memory.dmp  upx
behavioral2/memory/1176-14-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp  upx
behavioral2/memory/3624-8-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp  upx
behavioral2/memory/5108-138-0x00007FF663450000-0x00007FF6637A4000-memory.dmp  upx
behavioral2/memory/4504-139-0x00007FF7D6990000-0x00007FF7D6CE4000-memory.dmp  upx
behavioral2/memory/940-140-0x00007FF714490000-0x00007FF7147E4000-memory.dmp  upx
behavioral2/memory/1496-141-0x00007FF664240000-0x00007FF664594000-memory.dmp  upx
behavioral2/memory/412-142-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp  upx
behavioral2/memory/3624-143-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp  upx
behavioral2/memory/208-146-0x00007FF7FBAA0000-0x00007FF7FBDF4000-memory.dmp  upx
behavioral2/memory/4824-147-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp  upx
behavioral2/memory/4688-149-0x00007FF60A7B0000-0x00007FF60AB04000-memory.dmp  upx
behavioral2/memory/544-150-0x00007FF635A10000-0x00007FF635D64000-memory.dmp  upx
behavioral2/memory/4812-151-0x00007FF6715B0000-0x00007FF671904000-memory.dmp  upx
behavioral2/memory/3660-152-0x00007FF772670000-0x00007FF7729C4000-memory.dmp  upx
behavioral2/memory/3668-148-0x00007FF7E71E0000-0x00007FF7E7534000-memory.dmp  upx
behavioral2/memory/1688-154-0x00007FF78E470000-0x00007FF78E7C4000-memory.dmp  upx
behavioral2/memory/5108-156-0x00007FF663450000-0x00007FF6637A4000-memory.dmp  upx
behavioral2/memory/2292-155-0x00007FF75A2C0000-0x00007FF75A614000-memory.dmp  upx
behavioral2/memory/940-157-0x00007FF714490000-0x00007FF7147E4000-memory.dmp  upx
behavioral2/memory/4504-158-0x00007FF7D6990000-0x00007FF7D6CE4000-memory.dmp  upx
behavioral2/memory/1496-159-0x00007FF664240000-0x00007FF664594000-memory.dmp  upx
behavioral2/memory/740-160-0x00007FF62D4B0000-0x00007FF62D804000-memory.dmp  upx
behavioral2/memory/636-161-0x00007FF7F8710000-0x00007FF7F8A64000-memory.dmp  upx
behavioral2/memory/412-163-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp  upx
behavioral2/memory/2888-162-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp  upx
behavioral2/memory/4536-153-0x00007FF7773A0000-0x00007FF7776F4000-memory.dmp  upx
behavioral2/memory/1804-145-0x00007FF658BC0000-0x00007FF658F14000-memory.dmp  upx
behavioral2/memory/1176-144-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp  upx
Drops file in Windows directory 21 IoCs
Processes: 2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
description   ioc   process
File created  C:\Windows\System\ZcrGNoP.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\xEonPre.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\OeyFlxe.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\iYbvcpk.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\eyVKxxT.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\JLupGEA.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\iuqHQns.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\Jtdrhcd.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\HCfTmfe.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\DfVRHtb.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\pvRluMw.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\WobcRnx.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\WPccKzt.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\TgTWcfc.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\uCSqTCl.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\MfCoHdg.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\slJLaCF.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\xOYVyGL.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\LVUxBpM.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\xOrzLHe.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\mMomgcf.exe  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
description                   pid  process
Token: SeLockMemoryPrivilege  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes: 2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
description                      pid  process                                                                        target process
PID 556 wrote to memory of 3624  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  LVUxBpM.exe
PID 556 wrote to memory of 3624  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  LVUxBpM.exe
PID 556 wrote to memory of 1176  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  xEonPre.exe
PID 556 wrote to memory of 1176  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  xEonPre.exe
PID 556 wrote to memory of 1804  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  OeyFlxe.exe
PID 556 wrote to memory of 1804  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  OeyFlxe.exe
PID 556 wrote to memory of 208   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  xOrzLHe.exe
PID 556 wrote to memory of 208   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  xOrzLHe.exe
PID 556 wrote to memory of 4824  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  mMomgcf.exe
PID 556 wrote to memory of 4824  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  mMomgcf.exe
PID 556 wrote to memory of 3668  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  WobcRnx.exe
PID 556 wrote to memory of 3668  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  WobcRnx.exe
PID 556 wrote to memory of 4688  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  MfCoHdg.exe
PID 556 wrote to memory of 4688  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  MfCoHdg.exe
PID 556 wrote to memory of 544   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  eyVKxxT.exe
PID 556 wrote to memory of 544   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  eyVKxxT.exe
PID 556 wrote to memory of 4812  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  WPccKzt.exe
PID 556 wrote to memory of 4812  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  WPccKzt.exe
PID 556 wrote to memory of 3660  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  TgTWcfc.exe
PID 556 wrote to memory of 3660  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  TgTWcfc.exe
PID 556 wrote to memory of 1688  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  iYbvcpk.exe
PID 556 wrote to memory of 1688  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  iYbvcpk.exe
PID 556 wrote to memory of 4536  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  iuqHQns.exe
PID 556 wrote to memory of 4536  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  iuqHQns.exe
PID 556 wrote to memory of 5108  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  JLupGEA.exe
PID 556 wrote to memory of 5108  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  JLupGEA.exe
PID 556 wrote to memory of 2292  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  Jtdrhcd.exe
PID 556 wrote to memory of 2292  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  Jtdrhcd.exe
PID 556 wrote to memory of 4504  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  HCfTmfe.exe
PID 556 wrote to memory of 4504  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  HCfTmfe.exe
PID 556 wrote to memory of 940   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  ZcrGNoP.exe
PID 556 wrote to memory of 940   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  ZcrGNoP.exe
PID 556 wrote to memory of 1496  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  DfVRHtb.exe
PID 556 wrote to memory of 1496  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  DfVRHtb.exe
PID 556 wrote to memory of 740   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  pvRluMw.exe
PID 556 wrote to memory of 740   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  pvRluMw.exe
PID 556 wrote to memory of 636   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  slJLaCF.exe
PID 556 wrote to memory of 636   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  slJLaCF.exe
PID 556 wrote to memory of 412   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  xOYVyGL.exe
PID 556 wrote to memory of 412   556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  xOYVyGL.exe
PID 556 wrote to memory of 2888  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  uCSqTCl.exe
PID 556 wrote to memory of 2888  556  2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe  uCSqTCl.exe
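Two things in the signature tables above are worth checking by hand rather than taking the counts at face value. First, every memory-dump IoC is a region name of the form behavioral2/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp, so the region size and base alignment can be recovered from the name alone; the same rule firing on 20 separately spawned children at 20 different bases is what a single unpacked image mapped under ASLR looks like. Second, the submission's "cobalt-strike" filename tag is not reflected in the detections: the only yara hits listed are UPX and xmrig, and the parent's SeLockMemoryPrivilege request is consistent with XMRig's large-page support, which on Windows requires the Lock Pages in Memory right. The Python below is an added worked example by the editor, not part of the sandbox report or of any tool it names: it parses the IoC names, cross-references PIDs with the "Executes dropped EXE" table, and flags dropped children the rule did not hit. The IoC lines and PID-to-image mapping are copied from the tables above; the naming convention in the regular expression is inferred from those strings and is an assumption.

```python
"""Parse and cross-check the memory-dump IOCs from the sandbox report above."""
import re

# IOC lines copied verbatim from the "XMRig Miner payload" table above (20 IoCs).
XMRIG_IOCS = """
behavioral2/memory/3624-143-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp xmrig
behavioral2/memory/208-146-0x00007FF7FBAA0000-0x00007FF7FBDF4000-memory.dmp xmrig
behavioral2/memory/4824-147-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp xmrig
behavioral2/memory/4688-149-0x00007FF60A7B0000-0x00007FF60AB04000-memory.dmp xmrig
behavioral2/memory/544-150-0x00007FF635A10000-0x00007FF635D64000-memory.dmp xmrig
behavioral2/memory/4812-151-0x00007FF6715B0000-0x00007FF671904000-memory.dmp xmrig
behavioral2/memory/3660-152-0x00007FF772670000-0x00007FF7729C4000-memory.dmp xmrig
behavioral2/memory/3668-148-0x00007FF7E71E0000-0x00007FF7E7534000-memory.dmp xmrig
behavioral2/memory/1688-154-0x00007FF78E470000-0x00007FF78E7C4000-memory.dmp xmrig
behavioral2/memory/5108-156-0x00007FF663450000-0x00007FF6637A4000-memory.dmp xmrig
behavioral2/memory/2292-155-0x00007FF75A2C0000-0x00007FF75A614000-memory.dmp xmrig
behavioral2/memory/940-157-0x00007FF714490000-0x00007FF7147E4000-memory.dmp xmrig
behavioral2/memory/4504-158-0x00007FF7D6990000-0x00007FF7D6CE4000-memory.dmp xmrig
behavioral2/memory/1496-159-0x00007FF664240000-0x00007FF664594000-memory.dmp xmrig
behavioral2/memory/740-160-0x00007FF62D4B0000-0x00007FF62D804000-memory.dmp xmrig
behavioral2/memory/412-163-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp xmrig
behavioral2/memory/2888-162-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp xmrig
behavioral2/memory/4536-153-0x00007FF7773A0000-0x00007FF7776F4000-memory.dmp xmrig
behavioral2/memory/1804-145-0x00007FF658BC0000-0x00007FF658F14000-memory.dmp xmrig
behavioral2/memory/1176-144-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp xmrig
""".strip().splitlines()

# PID -> image name, from the "Executes dropped EXE" table above (21 children of PID 556).
DROPPED = {
    3624: "LVUxBpM.exe", 1176: "xEonPre.exe", 1804: "OeyFlxe.exe", 208: "xOrzLHe.exe",
    4824: "mMomgcf.exe", 3668: "WobcRnx.exe", 4688: "MfCoHdg.exe", 544: "eyVKxxT.exe",
    4812: "WPccKzt.exe", 3660: "TgTWcfc.exe", 1688: "iYbvcpk.exe", 4536: "iuqHQns.exe",
    5108: "JLupGEA.exe", 2292: "Jtdrhcd.exe", 4504: "HCfTmfe.exe", 940: "ZcrGNoP.exe",
    1496: "DfVRHtb.exe", 740: "pvRluMw.exe", 636: "slJLaCF.exe", 412: "xOYVyGL.exe",
    2888: "uCSqTCl.exe",
}
PARENT_PID = 556
ALLOC_GRANULARITY = 0x10000  # Windows reserves virtual address space on 64 KiB boundaries

# Naming convention inferred (assumption) from the report's own strings:
#   behavioral<N>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp <yara rule>
IOC_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_ioc(line):
    """Split one IOC line into its fields; reject anything that does not match the shape."""
    m = IOC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised IOC line: {line!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted region in {line!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start,
            "end": end, "size": end - start, "rule": m["rule"]}


def region_sizes(lines):
    """Distinct region sizes; a single value means every hit covers an identically sized image."""
    return {parse_ioc(l)["size"] for l in lines}


def all_alloc_aligned(lines):
    """True when every region base sits on the 64 KiB allocation granularity, as a mapped image does."""
    return all(parse_ioc(l)["start"] % ALLOC_GRANULARITY == 0 for l in lines)


def correlate(lines, dropped, parent_pid):
    """Attach the dropped image name to each hit, keeping the report's order."""
    rows = []
    for l in lines:
        ioc = parse_ioc(l)
        if ioc["pid"] == parent_pid:
            image = "<parent>"
        else:
            image = dropped.get(ioc["pid"], "<not in dropped-EXE table>")
        rows.append((ioc["pid"], image, ioc["start"], ioc["size"], ioc["rule"]))
    return rows


def dropped_without_hit(lines, dropped):
    """Dropped children for which the rule produced no memory hit; these deserve a manual look."""
    hit = {parse_ioc(l)["pid"] for l in lines}
    return sorted(set(dropped) - hit)


if __name__ == "__main__":
    for pid, image, start, size, rule in correlate(XMRIG_IOCS, DROPPED, PARENT_PID):
        print(f"{rule:6} pid={pid:<5} {image:<28} base=0x{start:016X} size=0x{size:X}")
    print("distinct region sizes:", [hex(s) for s in region_sizes(XMRIG_IOCS)])
    print("all bases 64 KiB-aligned:", all_alloc_aligned(XMRIG_IOCS))
    print("dropped but no xmrig hit:", dropped_without_hit(XMRIG_IOCS, DROPPED))
```

Run as-is it reports one distinct size (0x354000) across all 20 hits, 64 KiB-aligned bases throughout, and exactly one dropped child without an xmrig hit, PID 636 (slJLaCF.exe), which the upx rule did flag (dumps 636-124 and 636-161) but the miner rule did not. The same parse_ioc works on the UPX table rows, including the parent's 556-0 region, which is the same 0x354000 bytes.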
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe (PID 556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System\LVUxBpM.exe (PID 3624)
    Command line: C:\Windows\System\LVUxBpM.exe
    - Executes dropped EXE
  C:\Windows\System\xEonPre.exe (PID 1176)
    Command line: C:\Windows\System\xEonPre.exe
    - Executes dropped EXE
  C:\Windows\System\OeyFlxe.exe (PID 1804)
    Command line: C:\Windows\System\OeyFlxe.exe
    - Executes dropped EXE
  C:\Windows\System\xOrzLHe.exe (PID 208)
    Command line: C:\Windows\System\xOrzLHe.exe
    - Executes dropped EXE
  C:\Windows\System\mMomgcf.exe (PID 4824)
    Command line: C:\Windows\System\mMomgcf.exe
    - Executes dropped EXE
  C:\Windows\System\WobcRnx.exe (PID 3668)
    Command line: C:\Windows\System\WobcRnx.exe
    - Executes dropped EXE
  C:\Windows\System\MfCoHdg.exe (PID 4688)
    Command line: C:\Windows\System\MfCoHdg.exe
    - Executes dropped EXE
  C:\Windows\System\eyVKxxT.exe (PID 544)
    Command line: C:\Windows\System\eyVKxxT.exe
    - Executes dropped EXE
  C:\Windows\System\WPccKzt.exe (PID 4812)
    Command line: C:\Windows\System\WPccKzt.exe
    - Executes dropped EXE
  C:\Windows\System\TgTWcfc.exe (PID 3660)
    Command line: C:\Windows\System\TgTWcfc.exe
    - Executes dropped EXE
  C:\Windows\System\iYbvcpk.exe (PID 1688)
    Command line: C:\Windows\System\iYbvcpk.exe
    - Executes dropped EXE
  C:\Windows\System\iuqHQns.exe (PID 4536)
    Command line: C:\Windows\System\iuqHQns.exe
    - Executes dropped EXE
  C:\Windows\System\JLupGEA.exe (PID 5108)
    Command line: C:\Windows\System\JLupGEA.exe
    - Executes dropped EXE
  C:\Windows\System\Jtdrhcd.exe (PID 2292)
    Command line: C:\Windows\System\Jtdrhcd.exe
    - Executes dropped EXE
  C:\Windows\System\HCfTmfe.exe (PID 4504)
    Command line: C:\Windows\System\HCfTmfe.exe
    - Executes dropped EXE
  C:\Windows\System\ZcrGNoP.exe (PID 940)
    Command line: C:\Windows\System\ZcrGNoP.exe
    - Executes dropped EXE
  C:\Windows\System\DfVRHtb.exe (PID 1496)
    Command line: C:\Windows\System\DfVRHtb.exe
    - Executes dropped EXE
  C:\Windows\System\pvRluMw.exe (PID 740)
    Command line: C:\Windows\System\pvRluMw.exe
    - Executes dropped EXE
  C:\Windows\System\slJLaCF.exe (PID 636)
    Command line: C:\Windows\System\slJLaCF.exe
    - Executes dropped EXE
  C:\Windows\System\xOYVyGL.exe (PID 412)
    Command line: C:\Windows\System\xOYVyGL.exe
    - Executes dropped EXE
  C:\Windows\System\uCSqTCl.exe (PID 2888)
    Command line: C:\Windows\System\uCSqTCl.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
384KB
MD5 6207c08555e637186de329c9179e16d9
SHA1 09098b1d2cbfb2ab317439f6c4fc0121d5b8f70a
SHA256 90e60744ec9da51fba847be626db348bca6bdaf98ac91b116446f5b42433003b
SHA512 a17015ce5be9dbe107f45a5361c78d0722d3574d1684f1ab5a78044304a8f13b281179a8bde4be29c0529678da2d8332817db568d46fd1e81541274c1a2a6ea7
-
Filesize
448KB
MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1
-
Filesize
192KB
MD5 4a486a2a371d8db348dc0ad03e9fd9f0
SHA1 edd912c5d606628022dc3216eaf2db7c93554ff7
SHA256 93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b
SHA512 deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b
-
Filesize
128KB
MD5 7ce4ba1725e83a50f64ba525f8815dcf
SHA1 b1714a2d23cfc42c18c37e1546ac0908d8252c04
SHA256 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908
SHA512 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19