Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 07-06-2024 01:32

Behavioral task: behavioral1
Sample: 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
Resource: win7-20240508-en
General
- Target: 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: 8dae92c0a623158ab5baf9c21b6b47c4
- SHA1: 1d592bc0b6f9b0a40c0e5f0af21e4af605f16ccb
- SHA256: fade6579c5745e148923498b5e2be690a2c45c444e5e664164c4d0208beba1eb
- SHA512: 33d5bf8612c4e952d52f25a90ed43d3899c372b8cc409a147e739bac9309e33465c59288ddab2bb9e5238cd05d775e5c3755a7595c7c8ee6ce8315544aa5a10e
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUb:Q+856utgpPF8u/7b
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
-
Cobalt Strike reflective loader (20 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes:
resource | yara_rule
\Windows\system\jJUrdrX.exe | cobalt_reflective_dll
\Windows\system\FilBJTy.exe | cobalt_reflective_dll
C:\Windows\system\GDEquYn.exe | cobalt_reflective_dll
C:\Windows\system\pKzjpAc.exe | cobalt_reflective_dll
C:\Windows\system\cRdFGmZ.exe | cobalt_reflective_dll
C:\Windows\system\klhIWmQ.exe | cobalt_reflective_dll
C:\Windows\system\aLllZQN.exe | cobalt_reflective_dll
C:\Windows\system\YjfYnmD.exe | cobalt_reflective_dll
C:\Windows\system\RmHMGhI.exe | cobalt_reflective_dll
C:\Windows\system\sMvJAEB.exe | cobalt_reflective_dll
C:\Windows\system\ugcTiqG.exe | cobalt_reflective_dll
C:\Windows\system\PlYlAor.exe | cobalt_reflective_dll
C:\Windows\system\LRMfqjt.exe | cobalt_reflective_dll
C:\Windows\system\xjNjUuS.exe | cobalt_reflective_dll
C:\Windows\system\zrunwUJ.exe | cobalt_reflective_dll
\Windows\system\jAVkXTo.exe | cobalt_reflective_dll
C:\Windows\system\oNzSgFN.exe | cobalt_reflective_dll
C:\Windows\system\xWyegZN.exe | cobalt_reflective_dll
C:\Windows\system\sDkIpOm.exe | cobalt_reflective_dll
C:\Windows\system\qyvxeCe.exe | cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Detects Reflective DLL injection artifacts (20 IoCs)
Processes:
resource | yara_rule
\Windows\system\jJUrdrX.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FilBJTy.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GDEquYn.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pKzjpAc.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cRdFGmZ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\klhIWmQ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aLllZQN.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YjfYnmD.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RmHMGhI.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sMvJAEB.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ugcTiqG.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PlYlAor.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LRMfqjt.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xjNjUuS.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zrunwUJ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\jAVkXTo.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oNzSgFN.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xWyegZN.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sDkIpOm.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qyvxeCe.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
UPX dump on OEP (original entry point) (62 IoCs)
Processes:
XMRig Miner payload (64 IoCs)
Processes:
Executes dropped EXE (21 IoCs)
Processes:
pid | process
2948 | jJUrdrX.exe
2880 | FilBJTy.exe
2272 | GDEquYn.exe
2644 | qyvxeCe.exe
2632 | sDkIpOm.exe
2592 | pKzjpAc.exe
2520 | xWyegZN.exe
1628 | oNzSgFN.exe
2332 | jAVkXTo.exe
2508 | cRdFGmZ.exe
2276 | zrunwUJ.exe
840 | xjNjUuS.exe
836 | LRMfqjt.exe
2728 | PlYlAor.exe
352 | ugcTiqG.exe
316 | cRUhzlR.exe
2368 | klhIWmQ.exe
1496 | RmHMGhI.exe
2792 | sMvJAEB.exe
2776 | aLllZQN.exe
2012 | YjfYnmD.exe
Loads dropped DLL (21 IoCs)
Processes:
pid | process
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
Drops file in Windows directory (21 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System\cRdFGmZ.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\sMvJAEB.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\qyvxeCe.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\jAVkXTo.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\xWyegZN.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\zrunwUJ.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\PlYlAor.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\RmHMGhI.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\aLllZQN.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\jJUrdrX.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\FilBJTy.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\LRMfqjt.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ugcTiqG.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\cRUhzlR.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\klhIWmQ.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\YjfYnmD.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\GDEquYn.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\sDkIpOm.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\xjNjUuS.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\pKzjpAc.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\oNzSgFN.exe | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege | 1872 | 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"  (depth 1)
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1872
    C:\Windows\System\jJUrdrX.exe  (command line: C:\Windows\System\jJUrdrX.exe, depth 2)
    - Executes dropped EXE
    PID: 2948
    C:\Windows\System\FilBJTy.exe  (command line: C:\Windows\System\FilBJTy.exe, depth 2)
    - Executes dropped EXE
    PID: 2880
    C:\Windows\System\GDEquYn.exe  (command line: C:\Windows\System\GDEquYn.exe, depth 2)
    - Executes dropped EXE
    PID: 2272
    C:\Windows\System\qyvxeCe.exe  (command line: C:\Windows\System\qyvxeCe.exe, depth 2)
    - Executes dropped EXE
    PID: 2644
    C:\Windows\System\sDkIpOm.exe  (command line: C:\Windows\System\sDkIpOm.exe, depth 2)
    - Executes dropped EXE
    PID: 2632
    C:\Windows\System\pKzjpAc.exe  (command line: C:\Windows\System\pKzjpAc.exe, depth 2)
    - Executes dropped EXE
    PID: 2592
    C:\Windows\System\xWyegZN.exe  (command line: C:\Windows\System\xWyegZN.exe, depth 2)
    - Executes dropped EXE
    PID: 2520
    C:\Windows\System\jAVkXTo.exe  (command line: C:\Windows\System\jAVkXTo.exe, depth 2)
    - Executes dropped EXE
    PID: 2332
    C:\Windows\System\oNzSgFN.exe  (command line: C:\Windows\System\oNzSgFN.exe, depth 2)
    - Executes dropped EXE
    PID: 1628
    C:\Windows\System\cRdFGmZ.exe  (command line: C:\Windows\System\cRdFGmZ.exe, depth 2)
    - Executes dropped EXE
    PID: 2508
    C:\Windows\System\zrunwUJ.exe  (command line: C:\Windows\System\zrunwUJ.exe, depth 2)
    - Executes dropped EXE
    PID: 2276
    C:\Windows\System\xjNjUuS.exe  (command line: C:\Windows\System\xjNjUuS.exe, depth 2)
    - Executes dropped EXE
    PID: 840
    C:\Windows\System\LRMfqjt.exe  (command line: C:\Windows\System\LRMfqjt.exe, depth 2)
    - Executes dropped EXE
    PID: 836
    C:\Windows\System\PlYlAor.exe  (command line: C:\Windows\System\PlYlAor.exe, depth 2)
    - Executes dropped EXE
    PID: 2728
    C:\Windows\System\ugcTiqG.exe  (command line: C:\Windows\System\ugcTiqG.exe, depth 2)
    - Executes dropped EXE
    PID: 352
    C:\Windows\System\cRUhzlR.exe  (command line: C:\Windows\System\cRUhzlR.exe, depth 2)
    - Executes dropped EXE
    PID: 316
    C:\Windows\System\klhIWmQ.exe  (command line: C:\Windows\System\klhIWmQ.exe, depth 2)
    - Executes dropped EXE
    PID: 2368
    C:\Windows\System\RmHMGhI.exe  (command line: C:\Windows\System\RmHMGhI.exe, depth 2)
    - Executes dropped EXE
    PID: 1496
    C:\Windows\System\sMvJAEB.exe  (command line: C:\Windows\System\sMvJAEB.exe, depth 2)
    - Executes dropped EXE
    PID: 2792
    C:\Windows\System\aLllZQN.exe  (command line: C:\Windows\System\aLllZQN.exe, depth 2)
    - Executes dropped EXE
    PID: 2776
    C:\Windows\System\YjfYnmD.exe  (command line: C:\Windows\System\YjfYnmD.exe, depth 2)
    - Executes dropped EXE
    PID: 2012
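The tree above shows one parent (PID 1872, the submitted sample) dropping twenty-one seven-letter executables into C:\Windows\System, executing each one and then writing into their memory. The following is an added detection example, not code from the sandbox or from this report: it parses constructed event lines written in the report's own "wrote to memory" wording, joins them against a constructed PID-to-image table, and flags any source process that injects into several distinct children matching the drop pattern. The short name sample.exe, the services.exe/svchost.exe control entries and their PIDs are assumptions made for the example.

```python
"""Detection logic for the pattern in the process tree above: one parent that
spawns many randomly named executables from C:\\Windows\\System and then calls
WriteProcessMemory on each of them.  Added example; not the sandbox's code."""
import re
from collections import defaultdict

# Constructed sample events in the report's own "wrote to memory" wording.
# Repeated lines are intentional: the sandbox logs each WriteProcessMemory call.
# The services.exe -> svchost.exe line is a constructed benign control.
EVENTS = """\
PID 1872 wrote to memory of 2368 1872 sample.exe klhIWmQ.exe
PID 1872 wrote to memory of 2368 1872 sample.exe klhIWmQ.exe
PID 1872 wrote to memory of 1496 1872 sample.exe RmHMGhI.exe
PID 1872 wrote to memory of 2792 1872 sample.exe sMvJAEB.exe
PID 1872 wrote to memory of 2776 1872 sample.exe aLllZQN.exe
PID 1872 wrote to memory of 2012 1872 sample.exe YjfYnmD.exe
PID 600 wrote to memory of 644 600 services.exe svchost.exe
"""

# Constructed process table: PID -> image path.  sample.exe stands in for the
# long sample file name; the services/svchost PIDs are assumptions.
PROCESSES = {
    1872: r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
    2368: r"C:\Windows\System\klhIWmQ.exe",
    1496: r"C:\Windows\System\RmHMGhI.exe",
    2792: r"C:\Windows\System\sMvJAEB.exe",
    2776: r"C:\Windows\System\aLllZQN.exe",
    2012: r"C:\Windows\System\YjfYnmD.exe",
    600: r"C:\Windows\System32\services.exe",
    644: r"C:\Windows\System32\svchost.exe",
}

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# Seven ASCII letters followed by .exe, as in every dropped file above
# (matched against the lower-cased name).
RANDOM_NAME_RE = re.compile(r"^[a-z]{7}\.exe$")
# C:\Windows\System, the legacy 16-bit directory, not System32.
DROP_DIR = "c:\\windows\\system"


def parse_events(text):
    """Parse report lines into (src_pid, dst_pid, src_image, dst_image) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def is_random_drop(image_path):
    """True when the image sits directly in C:\\Windows\\System with a
    seven-letter name.  The directory check carries the weight: svchost is
    also seven letters, but it lives in System32."""
    directory, _, name = image_path.lower().rpartition("\\")
    return directory == DROP_DIR and RANDOM_NAME_RE.match(name) is not None


def find_injecting_droppers(events, processes, min_children=3):
    """Group WriteProcessMemory targets by source PID, keep only targets that
    look like dropped executables, and return {src_pid: [dst_pids]} for every
    source that wrote into at least min_children distinct such processes."""
    targets = defaultdict(set)
    for src, dst, _, _ in events:
        if is_random_drop(processes.get(dst, "")):
            targets[src].add(dst)
    return {src: sorted(p) for src, p in targets.items() if len(p) >= min_children}


if __name__ == "__main__":
    hits = find_injecting_droppers(parse_events(EVENTS), PROCESSES)
    for src, dsts in hits.items():
        print(f"PID {src} ({PROCESSES[src]}) wrote into {len(dsts)} dropped children: {dsts}")
```

The threshold on distinct children, rather than on raw event count, is what keeps the rule quiet: a single legitimate injection (a debugger, an AV hook) produces one target, whereas this sample produces one target per dropped file. The name heuristic alone is too weak to act on, since several Windows binaries also have seven-letter names; combining it with the unusual drop directory and the fan-out from one parent is what makes the pattern specific.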
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize 5.9MB
MD5 2dad0398158baa0e22be739ddce1079a
SHA1 abc86e17ed6b5f137a19471b3cfa3c6aad0f0e3e
SHA256 a49328b05d3926c812ba6e683be413154cd116f13abf4dba0b768492b736fa51
SHA512 d9ba1ad192069b0a47de00be3bda91a3fc68846ab8755e8966a738d6bfe3b49222c593355aa458cca1ef0dee95d801540d68994777cfae124482dd49d4d9793d
-
Filesize 5.9MB
MD5 04c07271dd2c1957e69f2330cc9a995d
SHA1 6997f073aa27a18c26984ecbdf54ce1fecc19da4
SHA256 0e3a57335afc2a5a90c1c5d168d0eee9ca0e33277d5faedf04d985dc4ed25921
SHA512 470b4046e5f3ad6ec576cb9335eaba44f6dcdacb39e98f22153be19f15d84326b5ac7dfb61910febe67825675698fa242430a243a82e1aad3183f6264a51fed4
-
Filesize 5.9MB
MD5 9388a431d776fb3384cc0f8d889c5fe8
SHA1 66f8b35e47221994ff4fc314a69a8a79a8ebc4c5
SHA256 482908ab4109d086faa1485dac315f1e3f5c0118e0b4482155d77041a8ca8982
SHA512 44c241d469e4f32c8e679838c423c74ce374e74ebaf7f80146110ef4bddf8db62923d8a3d8e3c7bff9abc70cc1269c950395bd1be36cd3f539a94529769021ab
-
Filesize 5.9MB
MD5 d41cc16989ea771640e6da397c21b7b2
SHA1 3b10f46dfc365cfc46a7404b9502b843b659311c
SHA256 86774ad5a2227e7c7e5c6c747e5575b09c320f7150c8ba3cf712fa2e2917de36
SHA512 cc0190cf600f7e4a966db9472d77820a210e3006063551481576a878b3bb18f8f4ab87dd60fbff21c43f2d3671fad53df15e849a9d1b17773832dd113b765ece
-
Filesize 5.9MB
MD5 7f9fd3dbb6e0886aae949d54855fbec7
SHA1 65490b2044fbd48eb4ca5bf2998070308e01bce7
SHA256 6edf88823a0cb723668b4e207f17d3b1a5e29d09cc9ec9a46776e19ff7d6dee9
SHA512 e18fc5c12357b1f7bbb47cd76a9fc972536aeb18c605747c937786ed9c7275e7528fa8dc3a3f7957f1b060bef6669249196aa835404f352dff81a25e0f7e9114
-
Filesize 5.9MB
MD5 e132bb7d49a49b7053a8befc7be53b1b
SHA1 3cbdf5211276355edb2fcf47dd7cf3433aa30cca
SHA256 e2d3e85e59b0d2552b88a4f98631ad8864a3272d836b13a5e181fe1915521c97
SHA512 b74de076196c5a663d3c576f91fac652595e818424fa42caf0b1423d27ef23aa0b33e729a7319ad282930f859e52b93f9960a9162853358250d4b800afa51def
-
Filesize 4.0MB
MD5 f505e9632fbd4a5d58adc9e4173d1271
SHA1 1bde162a3fb4ccb17e2151f596876ce0481e68a3
SHA256 470c9e84848117759613eb687b446759f7d07a7f41d04dc436b012f7f509e2e6
SHA512 e198372dce29bd351d9034837bc88bf336ab45518f945c233b0df8303eb7db6dfe81aa40e79300136ac6bc7ee0344b1f19f04eb515a02bbb33d814e047faaccf
-
Filesize 5.9MB
MD5 54836edc137c745b3f03f09a7f0fb5f6
SHA1 b0f93d5f7d3230afa75dc31ac73b031a20d5201d
SHA256 5918c183c31826de74c8f8d8a25161f0e17592b835f1b386ff1212529fad980d
SHA512 605366e8979c8129e79ab3ac7daeaaca112261af6e6e5a925ea538ad227ef72421272c25c8b973e7a1729e015a3c4013acf187a47eb5e02539005c2e88609c5a
-
Filesize 5.9MB
MD5 2505bf5838e2bbdc8ff6e2fe96dfb113
SHA1 b26f95298ea77c9c6c99b2df8c3c677ad7384e09
SHA256 8b0f2b01ceb0d2b5e67b98cfc1369075266e0772ac245aed6a76657aabdf5261
SHA512 b5b906a542ec6899dacc904418a78b80523573007e9a2079967fca3b72730ae96af3b494e9999cc8b10fd15d5cb061ff64b29c4301b9547ec06d60d11f8c4abb
-
Filesize 5.9MB
MD5 e7444d77cf14ef0e95c0a8cd435e9490
SHA1 0e0a708ed2619225be4adb14afb3fe5611522f74
SHA256 a706948e9037d7b1f0c228cc79efdad7fcc0c221c0a70b3a9041f4d21ae56912
SHA512 b21e1bcd3dcbf2a47b2f002cf783a704b2daab3434f069b3eca66f5bb43bb00aa8337eed8912de0de7b61acb6c16cda8162b233b4401f240eafe4ed90b625559
-
Filesize 5.9MB
MD5 d8ba5a3fa1340754bfde60b66563d88c
SHA1 647bd730c5e3d1262101a579b9e9c018f283907f
SHA256 ab437544d942699cf25e202bbaeb6be6dbd34bac6b98b4d370bc86ac592d3809
SHA512 2f6e66c09a42d919509d6d3d1d50a25fa5b59e1d6422aa26da276f70b1177c72161acfbb9793b9ffa6aa6524dc389966fd356eeb5a03187eff1341ef140c4f50
-
Filesize 5.9MB
MD5 cc1bd029f9fbde25af7836ab4529bee4
SHA1 4f07f573100ff6e1cf57b1e0e5999d63e34d3b4f
SHA256 d960febdb2edb56842ef38ca8acf84549536c4ed5cde47099c4d688247ab07c8
SHA512 4961e525242aac34acb05740d1bc743dc6dc338090cbda080367774bdb1f7fb572123d3494e3af1762882944c6c4b58b4766ce0e39a78d4a8517d182b23bd8bb
-
Filesize 5.9MB
MD5 13c43bd31a380a2ec41d43d72ae962f2
SHA1 267cec60b8644cad5446f7b1570a64740ef34c3e
SHA256 b0565691213e413b0c35efe6c47f809597e2eaa9b0db0a2b9ffdf9eaf85aadb1
SHA512 88581808fcbe2c5f1607aced4e8a05abfd7f1167467e70f13ae497ad22337858f2a21ce68504dfa175bc5e8208619bd72116da866db34e12d9ead44c2add019a
-
Filesize 5.9MB
MD5 c2c6b7154820ea527a4c0649645bba94
SHA1 3418a9f21e490de49e4e5ec657bd00241a9e14cf
SHA256 549cbc3b6501b943b446c9e4992708a35dff9eb214e75efce5fb3401b100b784
SHA512 c4e498120c25bb9bbc7d8a198170dcc7b8d95b2d7b215d0a617277bf1cc5324a51731eef4b8be25eacdb932af1223082bd31f3ff3b2c38ec81f81807e712da1b
-
Filesize 5.9MB
MD5 3cb624af897d52a81e426d4f5dd59d60
SHA1 38356b755815775283f59d16c133c5e3105415eb
SHA256 d50bb98d3205c0f9bd21e9333c1f911364f1253dd92fb5ea16f15d0712b195dc
SHA512 0a207149724ba627e0b96cff365833da977a591e9cb52cfa909d40a9c4fb54cb0d756289dfe50ad3611619abb8690f22fd860f7df291b44c412bac710e7a472b
-
Filesize 5.9MB
MD5 f0676dfd30283cd21514bb1d30ac9cec
SHA1 c75665b8fab12b8ae5e7627225e4700b988f4f77
SHA256 cb309ac32a2b5d5d945d7d9b882f76fe049935d9fe58c5ca985e33d41f93aa87
SHA512 6ee45480050e9eb6ab96c504edf5c1fbffd0694c470356de5f702b336c57887ed0812f95fa14abb155905fa80c3aa2b28ed2787d73f1e8dabaf41edb8f896764
-
Filesize 5.9MB
MD5 a6e11638de1c1049cced1684ca7cd041
SHA1 afac20e587821316792de96dadae8351ca4d69ed
SHA256 4caba453c6182f54be465df0480760a39d7b9b678164d04cddbeab2b748ddb63
SHA512 de1ce779a46bcc7122831312c111e13c8caf89aaa0b3fa5480a6ef3854a9433777b4000f4f982c8fe18d90ae43f81de84375fe5e5d1291663fa754796516c435
-
Filesize 5.9MB
MD5 4b33a158dbe7078072d056207cca5b88
SHA1 cd7026b204c8364f98fb9faec5df24e6feb232ee
SHA256 94213f11e41d98cf89b2316e919c373394f2012962a683e3eca873189ec97fcf
SHA512 a4e71d3e7162761b5e47192a4ba502cb311b93c9fd753b9c98f17142e93bd61e1c4a92f6c46c2f17e0fd0ce8be4e7e0dddc7808db1fd5ee552758ee7c7ea4644
-
Filesize 5.9MB
MD5 2b50b80d6af7d20a4af5533921126b4e
SHA1 b026c16c5d0cd71dbf5d87f8a105c551dd64a9d3
SHA256 16216fe5f0b6c982b3a842a642c998afbbade3eec0f3c47d254ef5920ff75f8c
SHA512 78ba8edcb20746f2e63d33c29a0d399f7a482fd036c1ed61eb6f3ce0f5ffe5620594f17da50fe22e1703d37f7b9a6895ed748d87a67e2869d5d960d726d3349e
-
Filesize 4.9MB
MD5 4b7216d89e20f49e9c16c0253cc47511
SHA1 2897390157f4ddd1aa5b6b0434e8fd2685151896
SHA256 04a2e3581379ca63394646169e2f7cb8764608261eb5b43957d0130fd0e5013f
SHA512 f54f6e029123d95222d09bc2138897f709e3650dbd2270183df96ad9e927ef303c0844f40a0b5cc26ee82536f2274eb38af1088d33729d685b4f9415ecb7be84
-
Filesize 5.8MB
MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b
-
Filesize 5.6MB
MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0
-
Filesize 5.9MB
MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3
-
Filesize 5.9MB
MD5 a367b6d521c108d0d655409af3987a51
SHA1 e089965a81cdd40f5255db7b387258b187714b1e
SHA256 74722ed8ea31a31c0a862af965b51a937e91d4b397659b64e4f01aaaa208cc8e
SHA512 a6202dfe8040e1510787086efe5d6dc9207f9edc13fe9e0dce31a25c6b6c2b674ab2aa70c652e4ede78be5a6cbd9d2974a7381c9ef5bafc47aab76b6c2ebb0ff
-
Filesize 5.9MB
MD5 a197e1c17fea896e5eb056890d185cd4
SHA1 d964bc11c4945b153ab99520e32dc2df28c26515
SHA256 3f335d39ade0dd77daa485e6e2d9134e9b251427e60ab59cd04f3027dfdf779d
SHA512 4326ed000a82257a6f9917c383e774c445ae6fd1b77d2a5b3ba9c1a0828b3376943e2317ee046e9231f97ab70ad3972e4464960a1d82735fb8bc4b6b846258ce