Analysis
max time kernel: 141s
max time network: 145s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 08-06-2024 07:04
Behavioral task
behavioral1
Sample
2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe
Resource
win7-20240508-en
General
Target: 2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 5df16383f9e943639b6bb34484e8005e
SHA1: 2469786d33777ac9f3e24125b932cba9177739b4
SHA256: afc79d2e838171062903255a34fce33f67f71ea7b99964184e1d728223dd8334
SHA512:
d6257c20baf1a592c65def6faec400cabe8a9ff85841e2fabf0bb88e08a644709a8e1d09d3c31863566b07a138afc0ed8993ce1557f8c994843bb89935390d8a
SSDEEP: 98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU2:T+856utgpPF8u/72
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
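The http_header1 and http_header2 fields are the Malleable C2 transform programs for the GET and POST channels, and state_machine is the team server's RSA public key as a DER SubjectPublicKeyInfo; all three are base64 with zero padding. The decoder below is an added example written for this page, not Triage's extractor or any project's code. The opcode table follows the public open-source beacon-config parsers, and the reading of BUILD 0 as metadata (GET) or id (POST) and BUILD 1 as output is taken from how the Malleable C2 profile language maps onto those opcodes; both are assumptions of the example. The input constants are copied from the fields above with their trailing zero padding trimmed.

```python
import base64
import struct

# Opcode table for Malleable C2 transform programs as used by the public
# open-source beacon-config parsers. The report shows only raw base64, so this
# table and the reading of BUILD below are assumptions of the example.
TRANSFORM_OPS = {
    1: "APPEND", 2: "PREPEND", 3: "BASE64", 4: "PRINT", 5: "PARAMETER",
    6: "HEADER", 7: "BUILD", 8: "NETBIOS", 9: "_PARAMETER", 10: "_HEADER",
    11: "NETBIOSU", 12: "URI_APPEND", 13: "BASE64URL", 14: "STRREP",
    15: "MASK", 16: "HOSTHEADER",
}
ONE_STRING_ARG = {1, 2, 5, 6, 9, 10, 16}

# Copied from the http_header1, http_header2 and state_machine fields of this
# report, with the long run of trailing zero padding trimmed.
HTTP_GET_TRANSFORM = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAAC"
    "AAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFC"
    "QjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAA"
)
HTTP_POST_TRANSFORM = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAA"
    "AAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QA"
    "AAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAw"
    "AAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3"
    "AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
)
BEACON_PUBLIC_KEY = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWe"
    "V68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a"
    "73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQAB"
)

def _b64(text):
    """Lenient base64: tolerate trimmed '=' padding and a stray trailing character."""
    text = text.strip().rstrip("=")
    if len(text) % 4 == 1:
        text = text[:-1]
    return base64.b64decode(text + "=" * (-len(text) % 4))

def _u32(buf, pos):
    return struct.unpack_from(">I", buf, pos)[0], pos + 4

def _string(buf, pos):
    length, pos = _u32(buf, pos)
    return buf[pos:pos + length].decode("latin-1"), pos + length

def decode_transform(b64, verb):
    """Return the transform program as a list of (step, *args) tuples.

    Layout: 4-byte big-endian opcode; string opcodes carry a 4-byte length plus
    the bytes, STRREP two such strings, BUILD a 4-byte selector; opcode 0 ends
    the program and everything after it is padding.
    """
    buf, pos, steps = _b64(b64), 0, []
    while pos + 4 <= len(buf):
        op, pos = _u32(buf, pos)
        if op == 0:
            break
        name = TRANSFORM_OPS.get(op, "UNKNOWN_%d" % op)
        if op in ONE_STRING_ARG:
            arg, pos = _string(buf, pos)
            steps.append((name, arg))
        elif op == 14:
            old, pos = _string(buf, pos)
            new, pos = _string(buf, pos)
            steps.append((name, old, new))
        elif op == 7:
            # Selector 0 wraps the session metadata on GET and the session id
            # on POST; selector 1 wraps task output.
            which, pos = _u32(buf, pos)
            what = ("metadata" if verb == "GET" else "id") if which == 0 else "output"
            steps.append((name, what))
        else:
            steps.append((name,))
    return steps

def parse_rsa_public_key(b64):
    """Walk the DER SubjectPublicKeyInfo in state_machine; return (modulus, exponent)."""
    der = _b64(b64)

    def tlv(pos):  # -> (tag, value_start, value_end)
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low bits give the byte count
            count = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + count], "big"), pos + count
        return tag, pos, pos + length

    _, pos, _ = tlv(0)          # SEQUENCE SubjectPublicKeyInfo
    _, _, pos = tlv(pos)        # AlgorithmIdentifier (rsaEncryption), skipped
    tag, pos, _ = tlv(pos)      # BIT STRING; its first byte is the unused-bit count
    if tag != 0x03 or der[pos] != 0:
        raise ValueError("not a SubjectPublicKeyInfo carrying an RSA key")
    _, pos, _ = tlv(pos + 1)    # SEQUENCE RSAPublicKey
    _, start, end = tlv(pos)    # INTEGER modulus
    modulus = int.from_bytes(der[start:end], "big")
    _, start, end = tlv(end)    # INTEGER public exponent
    return modulus, int.from_bytes(der[start:end], "big")

if __name__ == "__main__":
    for verb, blob in (("GET", HTTP_GET_TRANSFORM), ("POST", HTTP_POST_TRANSFORM)):
        print(verb)
        for step in decode_transform(blob, verb):
            print("   ", " ".join(step))
    n, e = parse_rsa_public_key(BEACON_PUBLIC_KEY)
    print("RSA-%d team server public key, e=%d" % (n.bit_length(), e))
```

Run stand-alone it prints both programs. The GET program says where the beacon's session metadata goes: base64-encoded, then wrapped as `skin=noskin;session-token=<metadata>csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996` in a Cookie header, sent with `Host: www.amazon.com` to what is really ns7/ns8/ns9.softline.top on port 443 over plain http. The POST program puts the session id in the `sn` parameter and base64 task output in the body. The fixed csm-hit string and the mismatch between the Host header and the actual destination are what to search proxy logs for; the RSA-1024 modulus is generated by the team server, so it links samples built from the same server.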
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Processes:
rule: cobalt_reflective_dll (21 resources)
\Windows\system\YflPxwS.exe
\Windows\system\QBqlNpH.exe
C:\Windows\system\mnxRrwM.exe
\Windows\system\fifFZTk.exe
\Windows\system\gdLYgPC.exe
C:\Windows\system\MzEsYAX.exe
C:\Windows\system\oEJbnIZ.exe
C:\Windows\system\lTnJpvt.exe
C:\Windows\system\LDqSqKR.exe
\Windows\system\bLoDaqM.exe
C:\Windows\system\tTGGBQj.exe
C:\Windows\system\xAhriFR.exe
C:\Windows\system\gXJDiBk.exe
C:\Windows\system\KhGXgXx.exe
C:\Windows\system\SdfFolr.exe
C:\Windows\system\jLdHOQH.exe
C:\Windows\system\YAfBwvR.exe
C:\Windows\system\GKfcYGd.exe
C:\Windows\system\PAzhpbR.exe
C:\Windows\system\uUcRBjZ.exe
C:\Windows\system\hTFpolD.exe
Cobaltstrike
Detected a malicious payload that is part of Cobalt Strike.
How to read this alongside the other hits: the cobaltstrike config above is a static extraction from the binary, nothing on this page shows a connection to ns7/ns8/ns9.softline.top during the run, and every one of the 21 dropped images matched by the two reflective-loader rules is also matched by the XMRig rule below. Treat the softline.top hosts and the /s/ref=nb_sb_noss_1/... and /N4215/adj/amzn.us.sr.aps URIs as indicators to hunt for, not as beaconing confirmed by this run.
-
Detects Reflective DLL injection artifacts 21 IoCs
Processes:
rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (21 resources)
\Windows\system\YflPxwS.exe
\Windows\system\QBqlNpH.exe
C:\Windows\system\mnxRrwM.exe
\Windows\system\fifFZTk.exe
\Windows\system\gdLYgPC.exe
C:\Windows\system\MzEsYAX.exe
C:\Windows\system\oEJbnIZ.exe
C:\Windows\system\lTnJpvt.exe
C:\Windows\system\LDqSqKR.exe
\Windows\system\bLoDaqM.exe
C:\Windows\system\tTGGBQj.exe
C:\Windows\system\xAhriFR.exe
C:\Windows\system\gXJDiBk.exe
C:\Windows\system\KhGXgXx.exe
C:\Windows\system\SdfFolr.exe
C:\Windows\system\jLdHOQH.exe
C:\Windows\system\YAfBwvR.exe
C:\Windows\system\GKfcYGd.exe
C:\Windows\system\PAzhpbR.exe
C:\Windows\system\uUcRBjZ.exe
C:\Windows\system\hTFpolD.exe
UPX dump on OEP (original entry point) 63 IoCs
Processes:
rule: UPX (63 resources: the 21 dropped executables and 42 memory dumps)
dropped executables:
\Windows\system\YflPxwS.exe
\Windows\system\QBqlNpH.exe
C:\Windows\system\mnxRrwM.exe
\Windows\system\fifFZTk.exe
\Windows\system\gdLYgPC.exe
C:\Windows\system\MzEsYAX.exe
C:\Windows\system\oEJbnIZ.exe
C:\Windows\system\lTnJpvt.exe
C:\Windows\system\LDqSqKR.exe
\Windows\system\bLoDaqM.exe
C:\Windows\system\tTGGBQj.exe
C:\Windows\system\xAhriFR.exe
C:\Windows\system\gXJDiBk.exe
C:\Windows\system\KhGXgXx.exe
C:\Windows\system\SdfFolr.exe
C:\Windows\system\jLdHOQH.exe
C:\Windows\system\YAfBwvR.exe
C:\Windows\system\GKfcYGd.exe
C:\Windows\system\PAzhpbR.exe
C:\Windows\system\uUcRBjZ.exe
C:\Windows\system\hTFpolD.exe
memory dumps (behavioral1/memory/<pid>-<n>-<range>-memory.dmp):
pid   dump index n    image range
1304  0, 58           0x000000013FD00000-0x0000000140054000
1124  8, 65, 149      0x000000013FEA0000-0x00000001401F4000
2800  14, 75, 150     0x000000013F250000-0x000000013F5A4000
2052  21, 151         0x000000013F0B0000-0x000000013F404000
2584  27, 89, 152     0x000000013FB00000-0x000000013FE54000
2688  36, 90, 153     0x000000013F660000-0x000000013F9B4000
2620  39, 97, 154     0x000000013FD20000-0x0000000140074000
2748  52, 137, 157    0x000000013F1E0000-0x000000013F534000
2652  54, 138, 156    0x000000013FDE0000-0x0000000140134000
2476  61, 162         0x000000013F6F0000-0x000000013FA44000
2600  66, 140, 155    0x000000013F1B0000-0x000000013F504000
2892  76, 142, 158    0x000000013F5C0000-0x000000013F914000
2548  83, 144, 159    0x000000013F9B0000-0x000000013FD04000
2868  92, 146, 161    0x000000013F4F0000-0x000000013F844000
1152  99, 148, 160    0x000000013F210000-0x000000013F564000
XMRig Miner payload 64 IoCs
Processes:
rule: xmrig (64 resources: the 21 dropped executables and 43 memory dumps)
dropped executables:
\Windows\system\YflPxwS.exe
\Windows\system\QBqlNpH.exe
C:\Windows\system\mnxRrwM.exe
\Windows\system\fifFZTk.exe
\Windows\system\gdLYgPC.exe
C:\Windows\system\MzEsYAX.exe
C:\Windows\system\oEJbnIZ.exe
C:\Windows\system\lTnJpvt.exe
C:\Windows\system\LDqSqKR.exe
\Windows\system\bLoDaqM.exe
C:\Windows\system\tTGGBQj.exe
C:\Windows\system\xAhriFR.exe
C:\Windows\system\gXJDiBk.exe
C:\Windows\system\KhGXgXx.exe
C:\Windows\system\SdfFolr.exe
C:\Windows\system\jLdHOQH.exe
C:\Windows\system\YAfBwvR.exe
C:\Windows\system\GKfcYGd.exe
C:\Windows\system\PAzhpbR.exe
C:\Windows\system\uUcRBjZ.exe
C:\Windows\system\hTFpolD.exe
memory dumps (behavioral1/memory/<pid>-<n>-<range>-memory.dmp):
pid   dump index n    image range
1304  0, 58           0x000000013FD00000-0x0000000140054000
1304  145             0x000000013F4F0000-0x000000013F844000 (as listed; this is the range otherwise recorded for PID 2868)
1304  147             0x000000013F210000-0x000000013F564000 (as listed; this is the range otherwise recorded for PID 1152)
1124  8, 65, 149      0x000000013FEA0000-0x00000001401F4000
2800  14, 75, 150     0x000000013F250000-0x000000013F5A4000
2052  21, 151         0x000000013F0B0000-0x000000013F404000
2584  27, 89, 152     0x000000013FB00000-0x000000013FE54000
2688  36, 90, 153     0x000000013F660000-0x000000013F9B4000
2620  39, 97, 154     0x000000013FD20000-0x0000000140074000
2748  52, 137, 157    0x000000013F1E0000-0x000000013F534000
2652  54, 138, 156    0x000000013FDE0000-0x0000000140134000
2476  61              0x000000013F6F0000-0x000000013FA44000
2600  66, 140, 155    0x000000013F1B0000-0x000000013F504000
2892  76, 142, 158    0x000000013F5C0000-0x000000013F914000
2548  83, 144, 159    0x000000013F9B0000-0x000000013FD04000
2868  92, 146, 161    0x000000013F4F0000-0x000000013F844000
1152  99, 148, 160    0x000000013F210000-0x000000013F564000
Executes dropped EXE 21 IoCs
Processes:
pid   process
1124  YflPxwS.exe
2800  QBqlNpH.exe
2052  mnxRrwM.exe
2584  fifFZTk.exe
2688  MzEsYAX.exe
2620  oEJbnIZ.exe
2748  gdLYgPC.exe
2652  hTFpolD.exe
2476  uUcRBjZ.exe
2600  PAzhpbR.exe
2892  GKfcYGd.exe
2548  YAfBwvR.exe
2868  jLdHOQH.exe
1152  lTnJpvt.exe
1668  KhGXgXx.exe
316   SdfFolr.exe
1072  gXJDiBk.exe
1964  LDqSqKR.exe
1996  xAhriFR.exe
2372  tTGGBQj.exe
1444  bLoDaqM.exe
Loads dropped DLL 21 IoCs
Processes:
pid   process
1304  2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe (21 identical entries)
Processes:
(signature title missing from the extracted page; YARA rule name upx)
rule: upx (63 resources, the same 21 dropped executables and 42 memory dumps listed under "UPX dump on OEP (original entry point)" above)
Drops file in Windows directory 21 IoCs
Processes:
process: 2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe
File created C:\Windows\System\jLdHOQH.exe
File created C:\Windows\System\SdfFolr.exe
File created C:\Windows\System\tTGGBQj.exe
File created C:\Windows\System\PAzhpbR.exe
File created C:\Windows\System\fifFZTk.exe
File created C:\Windows\System\hTFpolD.exe
File created C:\Windows\System\GKfcYGd.exe
File created C:\Windows\System\xAhriFR.exe
File created C:\Windows\System\YflPxwS.exe
File created C:\Windows\System\mnxRrwM.exe
File created C:\Windows\System\oEJbnIZ.exe
File created C:\Windows\System\uUcRBjZ.exe
File created C:\Windows\System\YAfBwvR.exe
File created C:\Windows\System\lTnJpvt.exe
File created C:\Windows\System\KhGXgXx.exe
File created C:\Windows\System\LDqSqKR.exe
File created C:\Windows\System\QBqlNpH.exe
File created C:\Windows\System\gdLYgPC.exe
File created C:\Windows\System\gXJDiBk.exe
File created C:\Windows\System\bLoDaqM.exe
File created C:\Windows\System\MzEsYAX.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
pid   process                                                                    token
1304  2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe  SeLockMemoryPrivilege (2 entries)
SeLockMemoryPrivilege is the privilege needed to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES); XMRig requests it to back its hashing scratchpads with huge pages, so this hit is consistent with the XMRig YARA matches above.
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
process: 2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe (PID 1304); three "wrote to memory of" entries per target, 63 in total
target pid  target process
1124  YflPxwS.exe
2800  QBqlNpH.exe
2052  mnxRrwM.exe
2584  fifFZTk.exe
2688  MzEsYAX.exe
2620  oEJbnIZ.exe
2748  gdLYgPC.exe
2652  hTFpolD.exe
2476  uUcRBjZ.exe
2600  PAzhpbR.exe
2892  GKfcYGd.exe
2548  YAfBwvR.exe
2868  jLdHOQH.exe
1152  lTnJpvt.exe
1668  KhGXgXx.exe
316   SdfFolr.exe
1072  gXJDiBk.exe
1964  LDqSqKR.exe
1996  xAhriFR.exe
2372  tTGGBQj.exe
1444  bLoDaqM.exe
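The "Drops file in Windows directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" signatures together record one pattern: a single parent writes 21 executables with seven-letter names into C:\Windows\System and launches every one of them as a direct child. A host-side check for that pattern, as an added example (not Triage's logic and not code from the sample) over constructed Sysmon-style records modelled on this report: the record field names, the file-name regex and the alert threshold are assumptions of the example, and the event list is built inline so it runs offline.

```python
import re
from collections import defaultdict

# Drop location and file-name shape taken from this report: seven letters,
# ".exe", directly under C:\Windows\System. The regex and the threshold are
# assumptions of this example, not values the report states.
DROP_PATTERN = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
THRESHOLD = 3

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe"

# Constructed Sysmon-style records (id 11 = FileCreate, id 1 = ProcessCreate)
# modelled on the first three drop/execute pairs in this report, plus noise.
EVENTS = [
    {"id": 11, "pid": 1304, "image": SAMPLE, "target": r"C:\Windows\System\YflPxwS.exe"},
    {"id": 1, "pid": 1124, "ppid": 1304, "image": r"C:\Windows\System\YflPxwS.exe"},
    {"id": 11, "pid": 1304, "image": SAMPLE, "target": r"C:\Windows\System\QBqlNpH.exe"},
    {"id": 1, "pid": 2800, "ppid": 1304, "image": r"C:\Windows\System\QBqlNpH.exe"},
    {"id": 11, "pid": 1304, "image": SAMPLE, "target": r"C:\Windows\System\mnxRrwM.exe"},
    {"id": 1, "pid": 2052, "ppid": 1304, "image": r"C:\Windows\System\mnxRrwM.exe"},
    # Noise: a service writing under System32 (wrong directory), and a dropper
    # whose file is later run by an unrelated parent (no drop-and-run link).
    {"id": 11, "pid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": 11, "pid": 999, "image": r"C:\Temp\other.exe", "target": r"C:\Windows\System\abcdefg.exe"},
    {"id": 1, "pid": 1000, "ppid": 1, "image": r"C:\Windows\System\abcdefg.exe"},
]


def detect_drop_and_run(events, threshold=THRESHOLD):
    """Return one alert per parent that writes >= threshold executables matching
    DROP_PATTERN and then starts them as its own direct children."""
    dropped = defaultdict(set)     # creator pid -> paths it wrote
    for ev in events:
        if ev["id"] == 11 and DROP_PATTERN.match(ev["target"]):
            dropped[ev["pid"]].add(ev["target"].lower())

    launched = defaultdict(set)    # parent pid -> dropped paths it executed
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower() in dropped.get(ev["ppid"], ()):
            launched[ev["ppid"]].add(ev["image"].lower())

    return [
        {"parent_pid": ppid, "count": len(paths), "images": sorted(paths)}
        for ppid, paths in sorted(launched.items())
        if len(paths) >= threshold
    ]


if __name__ == "__main__":
    for alert in detect_drop_and_run(EVENTS):
        print("drop-and-run by PID %(parent_pid)d: %(count)d binaries" % alert)
        for path in alert["images"]:
            print("   ", path)
```

The correlation key is the parent PID on both sides: a file written by one process and run by another, or a write into System32 rather than System, does not count, which is what keeps installers and servicing from tripping it. On real telemetry the regex should be loosened to whatever naming the sample family actually uses, and the threshold tuned against a baseline of the estate.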
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1304
    [2] C:\Windows\System\YflPxwS.exe
        Command line: C:\Windows\System\YflPxwS.exe
        - Executes dropped EXE
        PID: 1124
    [2] C:\Windows\System\QBqlNpH.exe
        Command line: C:\Windows\System\QBqlNpH.exe
        - Executes dropped EXE
        PID: 2800
    [2] C:\Windows\System\mnxRrwM.exe
        Command line: C:\Windows\System\mnxRrwM.exe
        - Executes dropped EXE
        PID: 2052
    [2] C:\Windows\System\fifFZTk.exe
        Command line: C:\Windows\System\fifFZTk.exe
        - Executes dropped EXE
        PID: 2584
    [2] C:\Windows\System\MzEsYAX.exe
        Command line: C:\Windows\System\MzEsYAX.exe
        - Executes dropped EXE
        PID: 2688
    [2] C:\Windows\System\oEJbnIZ.exe
        Command line: C:\Windows\System\oEJbnIZ.exe
        - Executes dropped EXE
        PID: 2620
    [2] C:\Windows\System\gdLYgPC.exe
        Command line: C:\Windows\System\gdLYgPC.exe
        - Executes dropped EXE
        PID: 2748
    [2] C:\Windows\System\hTFpolD.exe
        Command line: C:\Windows\System\hTFpolD.exe
        - Executes dropped EXE
        PID: 2652
    [2] C:\Windows\System\uUcRBjZ.exe
        Command line: C:\Windows\System\uUcRBjZ.exe
        - Executes dropped EXE
        PID: 2476
    [2] C:\Windows\System\PAzhpbR.exe
        Command line: C:\Windows\System\PAzhpbR.exe
        - Executes dropped EXE
        PID: 2600
    [2] C:\Windows\System\GKfcYGd.exe
        Command line: C:\Windows\System\GKfcYGd.exe
        - Executes dropped EXE
        PID: 2892
    [2] C:\Windows\System\YAfBwvR.exe
        Command line: C:\Windows\System\YAfBwvR.exe
        - Executes dropped EXE
        PID: 2548
    [2] C:\Windows\System\jLdHOQH.exe
        Command line: C:\Windows\System\jLdHOQH.exe
        - Executes dropped EXE
        PID: 2868
    [2] C:\Windows\System\lTnJpvt.exe
        Command line: C:\Windows\System\lTnJpvt.exe
        - Executes dropped EXE
        PID: 1152
    [2] C:\Windows\System\KhGXgXx.exe
        Command line: C:\Windows\System\KhGXgXx.exe
        - Executes dropped EXE
        PID: 1668
    [2] C:\Windows\System\SdfFolr.exe
        Command line: C:\Windows\System\SdfFolr.exe
        - Executes dropped EXE
        PID: 316
    [2] C:\Windows\System\gXJDiBk.exe
        Command line: C:\Windows\System\gXJDiBk.exe
        - Executes dropped EXE
        PID: 1072
    [2] C:\Windows\System\LDqSqKR.exe
        Command line: C:\Windows\System\LDqSqKR.exe
        - Executes dropped EXE
        PID: 1964
    [2] C:\Windows\System\xAhriFR.exe
        Command line: C:\Windows\System\xAhriFR.exe
        - Executes dropped EXE
        PID: 1996
    [2] C:\Windows\System\tTGGBQj.exe
        Command line: C:\Windows\System\tTGGBQj.exe
        - Executes dropped EXE
        PID: 2372
    [2] C:\Windows\System\bLoDaqM.exe
        Command line: C:\Windows\System\bLoDaqM.exe
        - Executes dropped EXE
        PID: 1444
Downloads