Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 08-06-2024 09:12
Behavioral task: behavioral1
- Sample: 2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240508-en
General
- Target: 2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: f5f50a7810a6c6323e6a27e535c84e13
- SHA1: 2d966e470d0f7a446647e0858f88c92e3c23f2bf
- SHA256: 05bb8ddd38fc4580e2e1d98a1c5b0a230a56d8d0268a81d71df2812d03d7efde
- SHA512: 54054df36932d19e83b19f81d61ae0b057378249d81e4626145bcce260798437bcfa372bc5030090fd4bc1af912bda06502fc7bf8ffbe91c13b12fcf54e8c021
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUk:Q+856utgpPF8u/7k
Malware Config
Extracted
Family: cobaltstrike
- 0:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes (resource; yara_rule is cobalt_reflective_dll for all 21 entries):
- C:\Windows\system\KURFxjF.exe
- \Windows\system\sDrUVJw.exe
- \Windows\system\GQfPcFO.exe
- \Windows\system\Vubgkse.exe
- C:\Windows\system\oWrxBEQ.exe
- C:\Windows\system\tmOxmdL.exe
- C:\Windows\system\QZKJtLD.exe
- \Windows\system\ogckRUe.exe
- \Windows\system\JuVoFLQ.exe
- C:\Windows\system\sGcLAKK.exe
- C:\Windows\system\ZpVCPkC.exe
- C:\Windows\system\RRkgbbw.exe
- C:\Windows\system\vKvNNrE.exe
- C:\Windows\system\raKbiva.exe
- \Windows\system\GeEOLsD.exe
- C:\Windows\system\HsVBAsH.exe
- \Windows\system\mWbNAvq.exe
- C:\Windows\system\TtkCXHl.exe
- C:\Windows\system\ogMxAas.exe
- C:\Windows\system\SUgQiZL.exe
- C:\Windows\system\rzxJxkZ.exe
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Detects Reflective DLL injection artifacts (21 IoCs)
Processes (resource; yara_rule is INDICATOR_SUSPICIOUS_ReflectiveLoader for all 21 entries):
- C:\Windows\system\KURFxjF.exe
- \Windows\system\sDrUVJw.exe
- \Windows\system\GQfPcFO.exe
- \Windows\system\Vubgkse.exe
- C:\Windows\system\oWrxBEQ.exe
- C:\Windows\system\tmOxmdL.exe
- C:\Windows\system\QZKJtLD.exe
- \Windows\system\ogckRUe.exe
- \Windows\system\JuVoFLQ.exe
- C:\Windows\system\sGcLAKK.exe
- C:\Windows\system\ZpVCPkC.exe
- C:\Windows\system\RRkgbbw.exe
- C:\Windows\system\vKvNNrE.exe
- C:\Windows\system\raKbiva.exe
- \Windows\system\GeEOLsD.exe
- C:\Windows\system\HsVBAsH.exe
- \Windows\system\mWbNAvq.exe
- C:\Windows\system\TtkCXHl.exe
- C:\Windows\system\ogMxAas.exe
- C:\Windows\system\SUgQiZL.exe
- C:\Windows\system\rzxJxkZ.exe
UPX dump on OEP (original entry point) (60 IoCs)
Processes (resource; yara_rule is UPX for all 60 entries):
- behavioral1/memory/1224-0-0x000000013FD50000-0x00000001400A4000-memory.dmp
- C:\Windows\system\KURFxjF.exe
- behavioral1/memory/2868-9-0x000000013F520000-0x000000013F874000-memory.dmp
- \Windows\system\sDrUVJw.exe
- \Windows\system\GQfPcFO.exe
- behavioral1/memory/2808-22-0x000000013FFB0000-0x0000000140304000-memory.dmp
- \Windows\system\Vubgkse.exe
- C:\Windows\system\oWrxBEQ.exe
- behavioral1/memory/2640-34-0x000000013FE80000-0x00000001401D4000-memory.dmp
- C:\Windows\system\tmOxmdL.exe
- behavioral1/memory/2808-76-0x000000013FFB0000-0x0000000140304000-memory.dmp
- behavioral1/memory/2672-80-0x000000013FD00000-0x0000000140054000-memory.dmp
- C:\Windows\system\QZKJtLD.exe
- \Windows\system\ogckRUe.exe
- \Windows\system\JuVoFLQ.exe
- C:\Windows\system\sGcLAKK.exe
- C:\Windows\system\ZpVCPkC.exe
- C:\Windows\system\RRkgbbw.exe
- behavioral1/memory/2984-135-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- behavioral1/memory/2656-134-0x000000013FA00000-0x000000013FD54000-memory.dmp
- C:\Windows\system\vKvNNrE.exe
- behavioral1/memory/2548-86-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- C:\Windows\system\raKbiva.exe
- behavioral1/memory/2688-79-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2636-69-0x000000013F510000-0x000000013F864000-memory.dmp
- \Windows\system\GeEOLsD.exe
- C:\Windows\system\HsVBAsH.exe
- behavioral1/memory/1224-57-0x000000013FD50000-0x00000001400A4000-memory.dmp
- behavioral1/memory/2984-55-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- \Windows\system\mWbNAvq.exe
- behavioral1/memory/2516-75-0x000000013FD10000-0x0000000140064000-memory.dmp
- C:\Windows\system\TtkCXHl.exe
- C:\Windows\system\ogMxAas.exe
- behavioral1/memory/2760-64-0x000000013F050000-0x000000013F3A4000-memory.dmp
- C:\Windows\system\SUgQiZL.exe
- behavioral1/memory/2656-45-0x000000013FA00000-0x000000013FD54000-memory.dmp
- C:\Windows\system\rzxJxkZ.exe
- behavioral1/memory/2720-39-0x000000013F0F0000-0x000000013F444000-memory.dmp
- behavioral1/memory/2588-28-0x000000013F8C0000-0x000000013FC14000-memory.dmp
- behavioral1/memory/1924-20-0x000000013F6F0000-0x000000013FA44000-memory.dmp
- behavioral1/memory/2636-138-0x000000013F510000-0x000000013F864000-memory.dmp
- behavioral1/memory/2760-137-0x000000013F050000-0x000000013F3A4000-memory.dmp
- behavioral1/memory/2516-141-0x000000013FD10000-0x0000000140064000-memory.dmp
- behavioral1/memory/2688-142-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2672-143-0x000000013FD00000-0x0000000140054000-memory.dmp
- behavioral1/memory/2548-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- behavioral1/memory/2868-146-0x000000013F520000-0x000000013F874000-memory.dmp
- behavioral1/memory/1924-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp
- behavioral1/memory/2516-153-0x000000013FD10000-0x0000000140064000-memory.dmp
- behavioral1/memory/2760-152-0x000000013F050000-0x000000013F3A4000-memory.dmp
- behavioral1/memory/2808-151-0x000000013FFB0000-0x0000000140304000-memory.dmp
- behavioral1/memory/2984-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- behavioral1/memory/2588-158-0x000000013F8C0000-0x000000013FC14000-memory.dmp
- behavioral1/memory/2720-157-0x000000013F0F0000-0x000000013F444000-memory.dmp
- behavioral1/memory/2688-155-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2548-154-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- behavioral1/memory/2636-150-0x000000013F510000-0x000000013F864000-memory.dmp
- behavioral1/memory/2656-149-0x000000013FA00000-0x000000013FD54000-memory.dmp
- behavioral1/memory/2640-148-0x000000013FE80000-0x00000001401D4000-memory.dmp
- behavioral1/memory/2672-159-0x000000013FD00000-0x0000000140054000-memory.dmp
XMRig Miner payload (62 IoCs)
Processes (resource; yara_rule is xmrig for all 62 entries):
- behavioral1/memory/1224-0-0x000000013FD50000-0x00000001400A4000-memory.dmp
- C:\Windows\system\KURFxjF.exe
- behavioral1/memory/2868-9-0x000000013F520000-0x000000013F874000-memory.dmp
- \Windows\system\sDrUVJw.exe
- \Windows\system\GQfPcFO.exe
- behavioral1/memory/2808-22-0x000000013FFB0000-0x0000000140304000-memory.dmp
- \Windows\system\Vubgkse.exe
- C:\Windows\system\oWrxBEQ.exe
- behavioral1/memory/2640-34-0x000000013FE80000-0x00000001401D4000-memory.dmp
- C:\Windows\system\tmOxmdL.exe
- behavioral1/memory/2808-76-0x000000013FFB0000-0x0000000140304000-memory.dmp
- behavioral1/memory/2672-80-0x000000013FD00000-0x0000000140054000-memory.dmp
- C:\Windows\system\QZKJtLD.exe
- \Windows\system\ogckRUe.exe
- \Windows\system\JuVoFLQ.exe
- C:\Windows\system\sGcLAKK.exe
- C:\Windows\system\ZpVCPkC.exe
- C:\Windows\system\RRkgbbw.exe
- behavioral1/memory/2984-135-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- behavioral1/memory/2656-134-0x000000013FA00000-0x000000013FD54000-memory.dmp
- C:\Windows\system\vKvNNrE.exe
- behavioral1/memory/2548-86-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- C:\Windows\system\raKbiva.exe
- behavioral1/memory/2688-79-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2636-69-0x000000013F510000-0x000000013F864000-memory.dmp
- \Windows\system\GeEOLsD.exe
- C:\Windows\system\HsVBAsH.exe
- behavioral1/memory/1224-57-0x000000013FD50000-0x00000001400A4000-memory.dmp
- behavioral1/memory/2984-55-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- \Windows\system\mWbNAvq.exe
- behavioral1/memory/2516-75-0x000000013FD10000-0x0000000140064000-memory.dmp
- C:\Windows\system\TtkCXHl.exe
- C:\Windows\system\ogMxAas.exe
- behavioral1/memory/1224-65-0x000000013F510000-0x000000013F864000-memory.dmp
- behavioral1/memory/2760-64-0x000000013F050000-0x000000013F3A4000-memory.dmp
- C:\Windows\system\SUgQiZL.exe
- behavioral1/memory/1224-62-0x000000013F050000-0x000000013F3A4000-memory.dmp
- behavioral1/memory/2656-45-0x000000013FA00000-0x000000013FD54000-memory.dmp
- C:\Windows\system\rzxJxkZ.exe
- behavioral1/memory/2720-39-0x000000013F0F0000-0x000000013F444000-memory.dmp
- behavioral1/memory/2588-28-0x000000013F8C0000-0x000000013FC14000-memory.dmp
- behavioral1/memory/1924-20-0x000000013F6F0000-0x000000013FA44000-memory.dmp
- behavioral1/memory/2636-138-0x000000013F510000-0x000000013F864000-memory.dmp
- behavioral1/memory/2760-137-0x000000013F050000-0x000000013F3A4000-memory.dmp
- behavioral1/memory/2516-141-0x000000013FD10000-0x0000000140064000-memory.dmp
- behavioral1/memory/2688-142-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2672-143-0x000000013FD00000-0x0000000140054000-memory.dmp
- behavioral1/memory/2548-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- behavioral1/memory/2868-146-0x000000013F520000-0x000000013F874000-memory.dmp
- behavioral1/memory/1924-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp
- behavioral1/memory/2516-153-0x000000013FD10000-0x0000000140064000-memory.dmp
- behavioral1/memory/2760-152-0x000000013F050000-0x000000013F3A4000-memory.dmp
- behavioral1/memory/2808-151-0x000000013FFB0000-0x0000000140304000-memory.dmp
- behavioral1/memory/2984-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- behavioral1/memory/2588-158-0x000000013F8C0000-0x000000013FC14000-memory.dmp
- behavioral1/memory/2720-157-0x000000013F0F0000-0x000000013F444000-memory.dmp
- behavioral1/memory/2688-155-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2548-154-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- behavioral1/memory/2636-150-0x000000013F510000-0x000000013F864000-memory.dmp
- behavioral1/memory/2656-149-0x000000013FA00000-0x000000013FD54000-memory.dmp
- behavioral1/memory/2640-148-0x000000013FE80000-0x00000001401D4000-memory.dmp
- behavioral1/memory/2672-159-0x000000013FD00000-0x0000000140054000-memory.dmp
Executes dropped EXE (21 IoCs)
Processes (pid, process):
- 2868 KURFxjF.exe
- 1924 sDrUVJw.exe
- 2808 GQfPcFO.exe
- 2588 Vubgkse.exe
- 2640 oWrxBEQ.exe
- 2720 tmOxmdL.exe
- 2656 rzxJxkZ.exe
- 2984 TtkCXHl.exe
- 2760 HsVBAsH.exe
- 2636 SUgQiZL.exe
- 2516 ogMxAas.exe
- 2688 mWbNAvq.exe
- 2672 GeEOLsD.exe
- 2548 raKbiva.exe
- 1948 QZKJtLD.exe
- 1288 vKvNNrE.exe
- 2232 RRkgbbw.exe
- 1284 sGcLAKK.exe
- 1768 ZpVCPkC.exe
- 480 ogckRUe.exe
- 588 JuVoFLQ.exe
Loads dropped DLL (21 IoCs)
Processes (pid, process): 21 identical entries, each
- 1224 2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe
Signature (title missing on the page; yara_rule is upx for all 60 entries)
Processes (resource):
- behavioral1/memory/1224-0-0x000000013FD50000-0x00000001400A4000-memory.dmp
- C:\Windows\system\KURFxjF.exe
- behavioral1/memory/2868-9-0x000000013F520000-0x000000013F874000-memory.dmp
- \Windows\system\sDrUVJw.exe
- \Windows\system\GQfPcFO.exe
- behavioral1/memory/2808-22-0x000000013FFB0000-0x0000000140304000-memory.dmp
- \Windows\system\Vubgkse.exe
- C:\Windows\system\oWrxBEQ.exe
- behavioral1/memory/2640-34-0x000000013FE80000-0x00000001401D4000-memory.dmp
- C:\Windows\system\tmOxmdL.exe
- behavioral1/memory/2808-76-0x000000013FFB0000-0x0000000140304000-memory.dmp
- behavioral1/memory/2672-80-0x000000013FD00000-0x0000000140054000-memory.dmp
- C:\Windows\system\QZKJtLD.exe
- \Windows\system\ogckRUe.exe
- \Windows\system\JuVoFLQ.exe
- C:\Windows\system\sGcLAKK.exe
- C:\Windows\system\ZpVCPkC.exe
- C:\Windows\system\RRkgbbw.exe
- behavioral1/memory/2984-135-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- behavioral1/memory/2656-134-0x000000013FA00000-0x000000013FD54000-memory.dmp
- C:\Windows\system\vKvNNrE.exe
- behavioral1/memory/2548-86-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- C:\Windows\system\raKbiva.exe
- behavioral1/memory/2688-79-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2636-69-0x000000013F510000-0x000000013F864000-memory.dmp
- \Windows\system\GeEOLsD.exe
- C:\Windows\system\HsVBAsH.exe
- behavioral1/memory/1224-57-0x000000013FD50000-0x00000001400A4000-memory.dmp
- behavioral1/memory/2984-55-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- \Windows\system\mWbNAvq.exe
- behavioral1/memory/2516-75-0x000000013FD10000-0x0000000140064000-memory.dmp
- C:\Windows\system\TtkCXHl.exe
- C:\Windows\system\ogMxAas.exe
- behavioral1/memory/2760-64-0x000000013F050000-0x000000013F3A4000-memory.dmp
- C:\Windows\system\SUgQiZL.exe
- behavioral1/memory/2656-45-0x000000013FA00000-0x000000013FD54000-memory.dmp
- C:\Windows\system\rzxJxkZ.exe
- behavioral1/memory/2720-39-0x000000013F0F0000-0x000000013F444000-memory.dmp
- behavioral1/memory/2588-28-0x000000013F8C0000-0x000000013FC14000-memory.dmp
- behavioral1/memory/1924-20-0x000000013F6F0000-0x000000013FA44000-memory.dmp
- behavioral1/memory/2636-138-0x000000013F510000-0x000000013F864000-memory.dmp
- behavioral1/memory/2760-137-0x000000013F050000-0x000000013F3A4000-memory.dmp
- behavioral1/memory/2516-141-0x000000013FD10000-0x0000000140064000-memory.dmp
- behavioral1/memory/2688-142-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2672-143-0x000000013FD00000-0x0000000140054000-memory.dmp
- behavioral1/memory/2548-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- behavioral1/memory/2868-146-0x000000013F520000-0x000000013F874000-memory.dmp
- behavioral1/memory/1924-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp
- behavioral1/memory/2516-153-0x000000013FD10000-0x0000000140064000-memory.dmp
- behavioral1/memory/2760-152-0x000000013F050000-0x000000013F3A4000-memory.dmp
- behavioral1/memory/2808-151-0x000000013FFB0000-0x0000000140304000-memory.dmp
- behavioral1/memory/2984-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp
- behavioral1/memory/2588-158-0x000000013F8C0000-0x000000013FC14000-memory.dmp
- behavioral1/memory/2720-157-0x000000013F0F0000-0x000000013F444000-memory.dmp
- behavioral1/memory/2688-155-0x000000013FE30000-0x0000000140184000-memory.dmp
- behavioral1/memory/2548-154-0x000000013F7D0000-0x000000013FB24000-memory.dmp
- behavioral1/memory/2636-150-0x000000013F510000-0x000000013F864000-memory.dmp
- behavioral1/memory/2656-149-0x000000013FA00000-0x000000013FD54000-memory.dmp
- behavioral1/memory/2640-148-0x000000013FE80000-0x00000001401D4000-memory.dmp
- behavioral1/memory/2672-159-0x000000013FD00000-0x0000000140054000-memory.dmp
Drops file in Windows directory (21 IoCs)
Processes (description: File created; ioc; process is 2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe for all 21 entries):
- C:\Windows\System\tmOxmdL.exe
- C:\Windows\System\RRkgbbw.exe
- C:\Windows\System\vKvNNrE.exe
- C:\Windows\System\GQfPcFO.exe
- C:\Windows\System\Vubgkse.exe
- C:\Windows\System\rzxJxkZ.exe
- C:\Windows\System\HsVBAsH.exe
- C:\Windows\System\raKbiva.exe
- C:\Windows\System\ogMxAas.exe
- C:\Windows\System\sGcLAKK.exe
- C:\Windows\System\ZpVCPkC.exe
- C:\Windows\System\KURFxjF.exe
- C:\Windows\System\oWrxBEQ.exe
- C:\Windows\System\TtkCXHl.exe
- C:\Windows\System\mWbNAvq.exe
- C:\Windows\System\SUgQiZL.exe
- C:\Windows\System\JuVoFLQ.exe
- C:\Windows\System\ogckRUe.exe
- C:\Windows\System\sDrUVJw.exe
- C:\Windows\System\GeEOLsD.exe
- C:\Windows\System\QZKJtLD.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process): 2 identical entries, each
- Token: SeLockMemoryPrivilege, 1224, 2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Processes (description, pid, process, target process). The source is PID 1224, 2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe, in every entry; each target below appears three times in the original table ("PID 1224 wrote to memory of <target pid>"), giving 21 targets x 3 = 63 entries:
- 2868 KURFxjF.exe
- 1924 sDrUVJw.exe
- 2808 GQfPcFO.exe
- 2588 Vubgkse.exe
- 2640 oWrxBEQ.exe
- 2720 tmOxmdL.exe
- 2656 rzxJxkZ.exe
- 2984 TtkCXHl.exe
- 2760 HsVBAsH.exe
- 2688 mWbNAvq.exe
- 2636 SUgQiZL.exe
- 2672 GeEOLsD.exe
- 2516 ogMxAas.exe
- 2548 raKbiva.exe
- 1948 QZKJtLD.exe
- 1288 vKvNNrE.exe
- 2232 RRkgbbw.exe
- 1284 sGcLAKK.exe
- 1768 ZpVCPkC.exe
- 588 JuVoFLQ.exe
- 480 ogckRUe.exe
Processes
Level 1:
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe (PID 1224)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 2 (children of PID 1224; for each, the command line is the bare path and the only flag is "Executes dropped EXE"):
- C:\Windows\System\KURFxjF.exe (PID 2868)
- C:\Windows\System\sDrUVJw.exe (PID 1924)
- C:\Windows\System\GQfPcFO.exe (PID 2808)
- C:\Windows\System\Vubgkse.exe (PID 2588)
- C:\Windows\System\oWrxBEQ.exe (PID 2640)
- C:\Windows\System\tmOxmdL.exe (PID 2720)
- C:\Windows\System\rzxJxkZ.exe (PID 2656)
- C:\Windows\System\TtkCXHl.exe (PID 2984)
- C:\Windows\System\HsVBAsH.exe (PID 2760)
- C:\Windows\System\mWbNAvq.exe (PID 2688)
- C:\Windows\System\SUgQiZL.exe (PID 2636)
- C:\Windows\System\GeEOLsD.exe (PID 2672)
- C:\Windows\System\ogMxAas.exe (PID 2516)
- C:\Windows\System\raKbiva.exe (PID 2548)
- C:\Windows\System\QZKJtLD.exe (PID 1948)
- C:\Windows\System\vKvNNrE.exe (PID 1288)
- C:\Windows\System\RRkgbbw.exe (PID 2232)
- C:\Windows\System\sGcLAKK.exe (PID 1284)
- C:\Windows\System\ZpVCPkC.exe (PID 1768)
- C:\Windows\System\JuVoFLQ.exe (PID 588)
- C:\Windows\System\ogckRUe.exe (PID 480)
Network
MITRE ATT&CK Matrix
Downloads