Analysis
- max time kernel: 134s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 08-06-2024 08:42
Behavioral task: behavioral1
- Sample: 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240508-en
General
- Target: 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: ca3f78d97e2a532f29a7ae8189e9f192
- SHA1: 1c2605f1893d50fb6a458432183fc7e6c49f2aa6
- SHA256: d609a3537c2943a264101bac876c2bd5bf03a1fa3ad6dd77e8c68d37310af66c
- SHA512: b1901203b1c1b4e8fe480a730b5cb4eabefb8d923758eef8c3feac8e99aba0293eddbb006e4d2c25660808da7fafccc4011ab35c0b768714bed25464722557d0
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUS:Q+856utgpPF8u/7S
Malware Config
Extracted
cobaltstrike
0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes:
resource | yara_rule
C:\Windows\system\MSKmQzY.exe | cobalt_reflective_dll
C:\Windows\system\XEqHYQO.exe | cobalt_reflective_dll
C:\Windows\system\VVMWImK.exe | cobalt_reflective_dll
C:\Windows\system\WqIhaAk.exe | cobalt_reflective_dll
C:\Windows\system\twWzNmP.exe | cobalt_reflective_dll
C:\Windows\system\QIzrlXQ.exe | cobalt_reflective_dll
C:\Windows\system\brXADCH.exe | cobalt_reflective_dll
C:\Windows\system\pvSdPJE.exe | cobalt_reflective_dll
C:\Windows\system\zmTswFt.exe | cobalt_reflective_dll
C:\Windows\system\slKiUth.exe | cobalt_reflective_dll
C:\Windows\system\MWMlbOX.exe | cobalt_reflective_dll
C:\Windows\system\eyKmVLe.exe | cobalt_reflective_dll
C:\Windows\system\PZKLRHZ.exe | cobalt_reflective_dll
C:\Windows\system\CJcmDht.exe | cobalt_reflective_dll
C:\Windows\system\qRqcURA.exe | cobalt_reflective_dll
C:\Windows\system\eDHAkqi.exe | cobalt_reflective_dll
C:\Windows\system\ezIkzur.exe | cobalt_reflective_dll
C:\Windows\system\XTJYLHE.exe | cobalt_reflective_dll
C:\Windows\system\RiGpszq.exe | cobalt_reflective_dll
C:\Windows\system\CWRkqjz.exe | cobalt_reflective_dll
C:\Windows\system\oDlwaGS.exe | cobalt_reflective_dll
- Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
- Detects Reflective DLL injection artifacts (21 IoCs)
Processes:
resource | yara_rule
C:\Windows\system\MSKmQzY.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XEqHYQO.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VVMWImK.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WqIhaAk.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\twWzNmP.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QIzrlXQ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\brXADCH.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pvSdPJE.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zmTswFt.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\slKiUth.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MWMlbOX.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eyKmVLe.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PZKLRHZ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CJcmDht.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qRqcURA.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eDHAkqi.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ezIkzur.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XTJYLHE.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RiGpszq.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CWRkqjz.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oDlwaGS.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
- UPX dump on OEP (original entry point) (59 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1928-0-0x000000013F450000-0x000000013F7A4000-memory.dmp | UPX
C:\Windows\system\MSKmQzY.exe | UPX
C:\Windows\system\XEqHYQO.exe | UPX
C:\Windows\system\VVMWImK.exe | UPX
C:\Windows\system\WqIhaAk.exe | UPX
C:\Windows\system\twWzNmP.exe | UPX
C:\Windows\system\QIzrlXQ.exe | UPX
C:\Windows\system\brXADCH.exe | UPX
C:\Windows\system\pvSdPJE.exe | UPX
C:\Windows\system\zmTswFt.exe | UPX
C:\Windows\system\slKiUth.exe | UPX
C:\Windows\system\MWMlbOX.exe | UPX
C:\Windows\system\eyKmVLe.exe | UPX
C:\Windows\system\PZKLRHZ.exe | UPX
C:\Windows\system\CJcmDht.exe | UPX
behavioral1/memory/1676-116-0x000000013F200000-0x000000013F554000-memory.dmp | UPX
behavioral1/memory/2504-118-0x000000013FB10000-0x000000013FE64000-memory.dmp | UPX
behavioral1/memory/2796-115-0x000000013F120000-0x000000013F474000-memory.dmp | UPX
behavioral1/memory/2728-114-0x000000013FEE0000-0x0000000140234000-memory.dmp | UPX
behavioral1/memory/2812-112-0x000000013FA50000-0x000000013FDA4000-memory.dmp | UPX
behavioral1/memory/2928-110-0x000000013F3A0000-0x000000013F6F4000-memory.dmp | UPX
behavioral1/memory/2628-109-0x000000013FE90000-0x00000001401E4000-memory.dmp | UPX
behavioral1/memory/2944-107-0x000000013F430000-0x000000013F784000-memory.dmp | UPX
behavioral1/memory/2704-106-0x000000013F4F0000-0x000000013F844000-memory.dmp | UPX
behavioral1/memory/2640-104-0x000000013FE10000-0x0000000140164000-memory.dmp | UPX
behavioral1/memory/2368-102-0x000000013FA70000-0x000000013FDC4000-memory.dmp | UPX
behavioral1/memory/2136-100-0x000000013FF00000-0x0000000140254000-memory.dmp | UPX
behavioral1/memory/1932-89-0x000000013F300000-0x000000013F654000-memory.dmp | UPX
behavioral1/memory/2448-88-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | UPX
C:\Windows\system\qRqcURA.exe | UPX
C:\Windows\system\eDHAkqi.exe | UPX
C:\Windows\system\ezIkzur.exe | UPX
C:\Windows\system\XTJYLHE.exe | UPX
C:\Windows\system\RiGpszq.exe | UPX
C:\Windows\system\CWRkqjz.exe | UPX
C:\Windows\system\oDlwaGS.exe | UPX
behavioral1/memory/1928-130-0x000000013F450000-0x000000013F7A4000-memory.dmp | UPX
behavioral1/memory/2448-131-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | UPX
behavioral1/memory/1932-132-0x000000013F300000-0x000000013F654000-memory.dmp | UPX
behavioral1/memory/2368-135-0x000000013FA70000-0x000000013FDC4000-memory.dmp | UPX
behavioral1/memory/2704-136-0x000000013F4F0000-0x000000013F844000-memory.dmp | UPX
behavioral1/memory/2628-137-0x000000013FE90000-0x00000001401E4000-memory.dmp | UPX
behavioral1/memory/2504-140-0x000000013FB10000-0x000000013FE64000-memory.dmp | UPX
behavioral1/memory/2796-139-0x000000013F120000-0x000000013F474000-memory.dmp | UPX
behavioral1/memory/2812-138-0x000000013FA50000-0x000000013FDA4000-memory.dmp | UPX
behavioral1/memory/2448-141-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | UPX
behavioral1/memory/2136-142-0x000000013FF00000-0x0000000140254000-memory.dmp | UPX
behavioral1/memory/2640-146-0x000000013FE10000-0x0000000140164000-memory.dmp | UPX
behavioral1/memory/1676-147-0x000000013F200000-0x000000013F554000-memory.dmp | UPX
behavioral1/memory/2944-145-0x000000013F430000-0x000000013F784000-memory.dmp | UPX
behavioral1/memory/2728-144-0x000000013FEE0000-0x0000000140234000-memory.dmp | UPX
behavioral1/memory/2928-143-0x000000013F3A0000-0x000000013F6F4000-memory.dmp | UPX
behavioral1/memory/2704-152-0x000000013F4F0000-0x000000013F844000-memory.dmp | UPX
behavioral1/memory/1932-154-0x000000013F300000-0x000000013F654000-memory.dmp | UPX
behavioral1/memory/2368-153-0x000000013FA70000-0x000000013FDC4000-memory.dmp | UPX
behavioral1/memory/2628-151-0x000000013FE90000-0x00000001401E4000-memory.dmp | UPX
behavioral1/memory/2812-150-0x000000013FA50000-0x000000013FDA4000-memory.dmp | UPX
behavioral1/memory/2504-149-0x000000013FB10000-0x000000013FE64000-memory.dmp | UPX
behavioral1/memory/2796-148-0x000000013F120000-0x000000013F474000-memory.dmp | UPX
- XMRig Miner payload (62 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1928-0-0x000000013F450000-0x000000013F7A4000-memory.dmp | xmrig
C:\Windows\system\MSKmQzY.exe | xmrig
C:\Windows\system\XEqHYQO.exe | xmrig
C:\Windows\system\VVMWImK.exe | xmrig
C:\Windows\system\WqIhaAk.exe | xmrig
C:\Windows\system\twWzNmP.exe | xmrig
C:\Windows\system\QIzrlXQ.exe | xmrig
C:\Windows\system\brXADCH.exe | xmrig
C:\Windows\system\pvSdPJE.exe | xmrig
C:\Windows\system\zmTswFt.exe | xmrig
C:\Windows\system\slKiUth.exe | xmrig
C:\Windows\system\MWMlbOX.exe | xmrig
C:\Windows\system\eyKmVLe.exe | xmrig
C:\Windows\system\PZKLRHZ.exe | xmrig
C:\Windows\system\CJcmDht.exe | xmrig
behavioral1/memory/1928-101-0x000000013FA70000-0x000000013FDC4000-memory.dmp | xmrig
behavioral1/memory/1676-116-0x000000013F200000-0x000000013F554000-memory.dmp | xmrig
behavioral1/memory/1928-119-0x000000013FCE0000-0x0000000140034000-memory.dmp | xmrig
behavioral1/memory/2504-118-0x000000013FB10000-0x000000013FE64000-memory.dmp | xmrig
behavioral1/memory/1928-117-0x000000013FB10000-0x000000013FE64000-memory.dmp | xmrig
behavioral1/memory/2796-115-0x000000013F120000-0x000000013F474000-memory.dmp | xmrig
behavioral1/memory/2728-114-0x000000013FEE0000-0x0000000140234000-memory.dmp | xmrig
behavioral1/memory/2812-112-0x000000013FA50000-0x000000013FDA4000-memory.dmp | xmrig
behavioral1/memory/2928-110-0x000000013F3A0000-0x000000013F6F4000-memory.dmp | xmrig
behavioral1/memory/2628-109-0x000000013FE90000-0x00000001401E4000-memory.dmp | xmrig
behavioral1/memory/2944-107-0x000000013F430000-0x000000013F784000-memory.dmp | xmrig
behavioral1/memory/2704-106-0x000000013F4F0000-0x000000013F844000-memory.dmp | xmrig
behavioral1/memory/2640-104-0x000000013FE10000-0x0000000140164000-memory.dmp | xmrig
behavioral1/memory/2368-102-0x000000013FA70000-0x000000013FDC4000-memory.dmp | xmrig
behavioral1/memory/2136-100-0x000000013FF00000-0x0000000140254000-memory.dmp | xmrig
behavioral1/memory/1932-89-0x000000013F300000-0x000000013F654000-memory.dmp | xmrig
behavioral1/memory/2448-88-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | xmrig
C:\Windows\system\qRqcURA.exe | xmrig
C:\Windows\system\eDHAkqi.exe | xmrig
C:\Windows\system\ezIkzur.exe | xmrig
C:\Windows\system\XTJYLHE.exe | xmrig
C:\Windows\system\RiGpszq.exe | xmrig
C:\Windows\system\CWRkqjz.exe | xmrig
C:\Windows\system\oDlwaGS.exe | xmrig
behavioral1/memory/1928-130-0x000000013F450000-0x000000013F7A4000-memory.dmp | xmrig
behavioral1/memory/2448-131-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | xmrig
behavioral1/memory/1932-132-0x000000013F300000-0x000000013F654000-memory.dmp | xmrig
behavioral1/memory/2368-135-0x000000013FA70000-0x000000013FDC4000-memory.dmp | xmrig
behavioral1/memory/2704-136-0x000000013F4F0000-0x000000013F844000-memory.dmp | xmrig
behavioral1/memory/2628-137-0x000000013FE90000-0x00000001401E4000-memory.dmp | xmrig
behavioral1/memory/2504-140-0x000000013FB10000-0x000000013FE64000-memory.dmp | xmrig
behavioral1/memory/2796-139-0x000000013F120000-0x000000013F474000-memory.dmp | xmrig
behavioral1/memory/2812-138-0x000000013FA50000-0x000000013FDA4000-memory.dmp | xmrig
behavioral1/memory/2448-141-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | xmrig
behavioral1/memory/2136-142-0x000000013FF00000-0x0000000140254000-memory.dmp | xmrig
behavioral1/memory/2640-146-0x000000013FE10000-0x0000000140164000-memory.dmp | xmrig
behavioral1/memory/1676-147-0x000000013F200000-0x000000013F554000-memory.dmp | xmrig
behavioral1/memory/2944-145-0x000000013F430000-0x000000013F784000-memory.dmp | xmrig
behavioral1/memory/2728-144-0x000000013FEE0000-0x0000000140234000-memory.dmp | xmrig
behavioral1/memory/2928-143-0x000000013F3A0000-0x000000013F6F4000-memory.dmp | xmrig
behavioral1/memory/2704-152-0x000000013F4F0000-0x000000013F844000-memory.dmp | xmrig
behavioral1/memory/1932-154-0x000000013F300000-0x000000013F654000-memory.dmp | xmrig
behavioral1/memory/2368-153-0x000000013FA70000-0x000000013FDC4000-memory.dmp | xmrig
behavioral1/memory/2628-151-0x000000013FE90000-0x00000001401E4000-memory.dmp | xmrig
behavioral1/memory/2812-150-0x000000013FA50000-0x000000013FDA4000-memory.dmp | xmrig
behavioral1/memory/2504-149-0x000000013FB10000-0x000000013FE64000-memory.dmp | xmrig
behavioral1/memory/2796-148-0x000000013F120000-0x000000013F474000-memory.dmp | xmrig
- Executes dropped EXE (21 IoCs)
Processes:
pid | process
2448 | MSKmQzY.exe
1932 | XEqHYQO.exe
2136 | VVMWImK.exe
2368 | WqIhaAk.exe
2640 | twWzNmP.exe
2704 | QIzrlXQ.exe
2944 | oDlwaGS.exe
2628 | CWRkqjz.exe
2928 | brXADCH.exe
2812 | pvSdPJE.exe
2728 | zmTswFt.exe
2796 | RiGpszq.exe
1676 | slKiUth.exe
2504 | XTJYLHE.exe
2544 | ezIkzur.exe
2664 | MWMlbOX.exe
2032 | eDHAkqi.exe
1920 | qRqcURA.exe
2780 | CJcmDht.exe
2840 | eyKmVLe.exe
2860 | PZKLRHZ.exe
- Loads dropped DLL (21 IoCs)
Processes:
pid | process
1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe (this row is recorded 21 times, once per loaded DLL)
Processes:
resource | yara_rule
behavioral1/memory/1928-0-0x000000013F450000-0x000000013F7A4000-memory.dmp | upx
C:\Windows\system\MSKmQzY.exe | upx
C:\Windows\system\XEqHYQO.exe | upx
C:\Windows\system\VVMWImK.exe | upx
C:\Windows\system\WqIhaAk.exe | upx
C:\Windows\system\twWzNmP.exe | upx
C:\Windows\system\QIzrlXQ.exe | upx
C:\Windows\system\brXADCH.exe | upx
C:\Windows\system\pvSdPJE.exe | upx
C:\Windows\system\zmTswFt.exe | upx
C:\Windows\system\slKiUth.exe | upx
C:\Windows\system\MWMlbOX.exe | upx
C:\Windows\system\eyKmVLe.exe | upx
C:\Windows\system\PZKLRHZ.exe | upx
C:\Windows\system\CJcmDht.exe | upx
behavioral1/memory/1676-116-0x000000013F200000-0x000000013F554000-memory.dmp | upx
behavioral1/memory/2504-118-0x000000013FB10000-0x000000013FE64000-memory.dmp | upx
behavioral1/memory/2796-115-0x000000013F120000-0x000000013F474000-memory.dmp | upx
behavioral1/memory/2728-114-0x000000013FEE0000-0x0000000140234000-memory.dmp | upx
behavioral1/memory/2812-112-0x000000013FA50000-0x000000013FDA4000-memory.dmp | upx
behavioral1/memory/2928-110-0x000000013F3A0000-0x000000013F6F4000-memory.dmp | upx
behavioral1/memory/2628-109-0x000000013FE90000-0x00000001401E4000-memory.dmp | upx
behavioral1/memory/2944-107-0x000000013F430000-0x000000013F784000-memory.dmp | upx
behavioral1/memory/2704-106-0x000000013F4F0000-0x000000013F844000-memory.dmp | upx
behavioral1/memory/2640-104-0x000000013FE10000-0x0000000140164000-memory.dmp | upx
behavioral1/memory/2368-102-0x000000013FA70000-0x000000013FDC4000-memory.dmp | upx
behavioral1/memory/2136-100-0x000000013FF00000-0x0000000140254000-memory.dmp | upx
behavioral1/memory/1932-89-0x000000013F300000-0x000000013F654000-memory.dmp | upx
behavioral1/memory/2448-88-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | upx
C:\Windows\system\qRqcURA.exe | upx
C:\Windows\system\eDHAkqi.exe | upx
C:\Windows\system\ezIkzur.exe | upx
C:\Windows\system\XTJYLHE.exe | upx
C:\Windows\system\RiGpszq.exe | upx
C:\Windows\system\CWRkqjz.exe | upx
C:\Windows\system\oDlwaGS.exe | upx
behavioral1/memory/1928-130-0x000000013F450000-0x000000013F7A4000-memory.dmp | upx
behavioral1/memory/2448-131-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | upx
behavioral1/memory/1932-132-0x000000013F300000-0x000000013F654000-memory.dmp | upx
behavioral1/memory/2368-135-0x000000013FA70000-0x000000013FDC4000-memory.dmp | upx
behavioral1/memory/2704-136-0x000000013F4F0000-0x000000013F844000-memory.dmp | upx
behavioral1/memory/2628-137-0x000000013FE90000-0x00000001401E4000-memory.dmp | upx
behavioral1/memory/2504-140-0x000000013FB10000-0x000000013FE64000-memory.dmp | upx
behavioral1/memory/2796-139-0x000000013F120000-0x000000013F474000-memory.dmp | upx
behavioral1/memory/2812-138-0x000000013FA50000-0x000000013FDA4000-memory.dmp | upx
behavioral1/memory/2448-141-0x000000013F6A0000-0x000000013F9F4000-memory.dmp | upx
behavioral1/memory/2136-142-0x000000013FF00000-0x0000000140254000-memory.dmp | upx
behavioral1/memory/2640-146-0x000000013FE10000-0x0000000140164000-memory.dmp | upx
behavioral1/memory/1676-147-0x000000013F200000-0x000000013F554000-memory.dmp | upx
behavioral1/memory/2944-145-0x000000013F430000-0x000000013F784000-memory.dmp | upx
behavioral1/memory/2728-144-0x000000013FEE0000-0x0000000140234000-memory.dmp | upx
behavioral1/memory/2928-143-0x000000013F3A0000-0x000000013F6F4000-memory.dmp | upx
behavioral1/memory/2704-152-0x000000013F4F0000-0x000000013F844000-memory.dmp | upx
behavioral1/memory/1932-154-0x000000013F300000-0x000000013F654000-memory.dmp | upx
behavioral1/memory/2368-153-0x000000013FA70000-0x000000013FDC4000-memory.dmp | upx
behavioral1/memory/2628-151-0x000000013FE90000-0x00000001401E4000-memory.dmp | upx
behavioral1/memory/2812-150-0x000000013FA50000-0x000000013FDA4000-memory.dmp | upx
behavioral1/memory/2504-149-0x000000013FB10000-0x000000013FE64000-memory.dmp | upx
behavioral1/memory/2796-148-0x000000013F120000-0x000000013F474000-memory.dmp | upx
- Drops file in Windows directory (21 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System\zmTswFt.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\MWMlbOX.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\pvSdPJE.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ezIkzur.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\qRqcURA.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\PZKLRHZ.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\XTJYLHE.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\VVMWImK.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\twWzNmP.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\QIzrlXQ.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\oDlwaGS.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\eyKmVLe.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\XEqHYQO.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\WqIhaAk.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\CWRkqjz.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\brXADCH.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\RiGpszq.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\slKiUth.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\eDHAkqi.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\CJcmDht.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\MSKmQzY.exe | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
Processes:
description | pid | process | target process
Each of the following rows is recorded three times in the report (21 distinct targets, 63 IoCs in total); the process column is 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe in every row.
PID 1928 wrote to memory of 2448 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | MSKmQzY.exe
PID 1928 wrote to memory of 1932 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | XEqHYQO.exe
PID 1928 wrote to memory of 2136 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | VVMWImK.exe
PID 1928 wrote to memory of 2368 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | WqIhaAk.exe
PID 1928 wrote to memory of 2640 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | twWzNmP.exe
PID 1928 wrote to memory of 2704 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | QIzrlXQ.exe
PID 1928 wrote to memory of 2944 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | oDlwaGS.exe
PID 1928 wrote to memory of 2628 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | CWRkqjz.exe
PID 1928 wrote to memory of 2928 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | brXADCH.exe
PID 1928 wrote to memory of 2812 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | pvSdPJE.exe
PID 1928 wrote to memory of 2728 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | zmTswFt.exe
PID 1928 wrote to memory of 2796 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | RiGpszq.exe
PID 1928 wrote to memory of 1676 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | slKiUth.exe
PID 1928 wrote to memory of 2504 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | XTJYLHE.exe
PID 1928 wrote to memory of 2544 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | ezIkzur.exe
PID 1928 wrote to memory of 2664 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | MWMlbOX.exe
PID 1928 wrote to memory of 2032 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | eDHAkqi.exe
PID 1928 wrote to memory of 1920 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | qRqcURA.exe
PID 1928 wrote to memory of 2780 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | CJcmDht.exe
PID 1928 wrote to memory of 2840 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | eyKmVLe.exe
PID 1928 wrote to memory of 2860 | 1928 | 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | PZKLRHZ.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
  C:\Windows\System\MSKmQzY.exe (depth 2)
  Command line: C:\Windows\System\MSKmQzY.exe
  - Executes dropped EXE
  PID:2448
  C:\Windows\System\XEqHYQO.exe (depth 2)
  Command line: C:\Windows\System\XEqHYQO.exe
  - Executes dropped EXE
  PID:1932
  C:\Windows\System\VVMWImK.exe (depth 2)
  Command line: C:\Windows\System\VVMWImK.exe
  - Executes dropped EXE
  PID:2136
  C:\Windows\System\WqIhaAk.exe (depth 2)
  Command line: C:\Windows\System\WqIhaAk.exe
  - Executes dropped EXE
  PID:2368
  C:\Windows\System\twWzNmP.exe (depth 2)
  Command line: C:\Windows\System\twWzNmP.exe
  - Executes dropped EXE
  PID:2640
  C:\Windows\System\QIzrlXQ.exe (depth 2)
  Command line: C:\Windows\System\QIzrlXQ.exe
  - Executes dropped EXE
  PID:2704
  C:\Windows\System\oDlwaGS.exe (depth 2)
  Command line: C:\Windows\System\oDlwaGS.exe
  - Executes dropped EXE
  PID:2944
  C:\Windows\System\CWRkqjz.exe (depth 2)
  Command line: C:\Windows\System\CWRkqjz.exe
  - Executes dropped EXE
  PID:2628
  C:\Windows\System\brXADCH.exe (depth 2)
  Command line: C:\Windows\System\brXADCH.exe
  - Executes dropped EXE
  PID:2928
  C:\Windows\System\pvSdPJE.exe (depth 2)
  Command line: C:\Windows\System\pvSdPJE.exe
  - Executes dropped EXE
  PID:2812
  C:\Windows\System\zmTswFt.exe (depth 2)
  Command line: C:\Windows\System\zmTswFt.exe
  - Executes dropped EXE
  PID:2728
  C:\Windows\System\RiGpszq.exe (depth 2)
  Command line: C:\Windows\System\RiGpszq.exe
  - Executes dropped EXE
  PID:2796
  C:\Windows\System\slKiUth.exe (depth 2)
  Command line: C:\Windows\System\slKiUth.exe
  - Executes dropped EXE
  PID:1676
  C:\Windows\System\XTJYLHE.exe (depth 2)
  Command line: C:\Windows\System\XTJYLHE.exe
  - Executes dropped EXE
  PID:2504
  C:\Windows\System\ezIkzur.exe (depth 2)
  Command line: C:\Windows\System\ezIkzur.exe
  - Executes dropped EXE
  PID:2544
  C:\Windows\System\MWMlbOX.exe (depth 2)
  Command line: C:\Windows\System\MWMlbOX.exe
  - Executes dropped EXE
  PID:2664
  C:\Windows\System\eDHAkqi.exe (depth 2)
  Command line: C:\Windows\System\eDHAkqi.exe
  - Executes dropped EXE
  PID:2032
  C:\Windows\System\qRqcURA.exe (depth 2)
  Command line: C:\Windows\System\qRqcURA.exe
  - Executes dropped EXE
  PID:1920
  C:\Windows\System\CJcmDht.exe (depth 2)
  Command line: C:\Windows\System\CJcmDht.exe
  - Executes dropped EXE
  PID:2780
  C:\Windows\System\eyKmVLe.exe (depth 2)
  Command line: C:\Windows\System\eyKmVLe.exe
  - Executes dropped EXE
  PID:2840
  C:\Windows\System\PZKLRHZ.exe (depth 2)
  Command line: C:\Windows\System\PZKLRHZ.exe
  - Executes dropped EXE
  PID:2860
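The WriteProcessMemory events and the process list above show a single parent (PID 1928, running from the user's Temp directory) writing into the memory of, and sitting above, twenty-one executables dropped under C:\Windows\System with seven-letter names. The Python below is an added triage example, not part of the sandbox report or of any tool it uses. It parses event lines in the report's own "PID ... wrote to memory of ..." wording, discards the repeated entries (the report records each write three times), maps target PIDs to image paths taken from the process list, and flags any writer that wrote into three or more random-named executables under that directory. The three-or-more threshold, the seven-letter name pattern, and the explorer.exe/notepad.exe control pair (PIDs 1000 and 1001) are assumptions constructed for the demonstration; nothing else is added.

```python
"""Triage the sandbox's cross-process write events against its process tree."""
import re
from collections import defaultdict
from typing import NamedTuple


class WriteEvent(NamedTuple):
    writer_pid: int
    target_pid: int
    writer_image: str
    target_image: str


# The report's own wording:
# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
EVENT_RE = re.compile(
    r"^PID (?P<w>\d+) wrote to memory of (?P<t>\d+) (?P<w2>\d+) (?P<wi>\S+) (?P<ti>\S+)$"
)

# Event lines copied from the report above (each write appears three times),
# followed by one constructed benign pair that is NOT from the report.
PARENT = "2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe"
EVENTS = "\n".join(
    [f"PID 1928 wrote to memory of {pid} 1928 {PARENT} {child}"
     for pid, child in [(2032, "eDHAkqi.exe"), (1920, "qRqcURA.exe"), (2780, "CJcmDht.exe"),
                        (2840, "eyKmVLe.exe"), (2860, "PZKLRHZ.exe")]
     for _ in range(3)]
    + ["PID 1000 wrote to memory of 1001 1000 explorer.exe notepad.exe"]  # constructed
)

# PID -> image path from the process list above; 1000/1001 are constructed.
IMAGE_PATHS = {
    1928: r"C:\Users\Admin\AppData\Local\Temp\\" + PARENT,
    2032: r"C:\Windows\System\eDHAkqi.exe",
    1920: r"C:\Windows\System\qRqcURA.exe",
    2780: r"C:\Windows\System\CJcmDht.exe",
    2840: r"C:\Windows\System\eyKmVLe.exe",
    2860: r"C:\Windows\System\PZKLRHZ.exe",
    1000: r"C:\Windows\explorer.exe",           # constructed control
    1001: r"C:\Windows\System32\notepad.exe",   # constructed control
}

DROP_DIR = "c:\\windows\\system\\"              # where this sample writes its copies
RANDOM_EXE = re.compile(r"^[A-Za-z]{7}\.exe$")  # seven letters, as in the tree above (assumption)


def parse_events(text: str) -> list[WriteEvent]:
    """Parse event lines; skip malformed lines and exact duplicates."""
    seen: set[WriteEvent] = set()
    events: list[WriteEvent] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["w"] != m["w2"]:      # writer PID is repeated; mismatch means a mangled line
            continue
        ev = WriteEvent(int(m["w"]), int(m["t"]), m["wi"], m["ti"])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def is_random_drop(path: str) -> bool:
    """True for a seven-letter .exe directly under C:\\Windows\\System."""
    name = path.rsplit("\\", 1)[-1]
    return path.lower().startswith(DROP_DIR) and bool(RANDOM_EXE.match(name))


def triage(events, image_paths, min_children: int = 3) -> list[dict]:
    """Return writers that wrote into >= min_children distinct random-named drops."""
    targets_by_writer = defaultdict(set)
    for ev in events:
        targets_by_writer[ev.writer_pid].add(ev.target_pid)
    findings = []
    for writer, targets in targets_by_writer.items():
        drops = sorted(t for t in targets if is_random_drop(image_paths.get(t, "")))
        if len(drops) >= min_children:
            findings.append({"writer": writer, "image": image_paths.get(writer, "?"), "children": drops})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(EVENTS), IMAGE_PATHS):
        print(f"PID {f['writer']} ({f['image']}) wrote into {len(f['children'])} drops: {f['children']}")
```

Running it reports PID 1928 with five children and nothing for the control pair, because notepad.exe lives under System32, not System, and explorer.exe only touched one process. The same parser works on the full event list from the report; only the five fully formed entries are embedded here because the first entry on the page is truncated.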
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.9MB
MD5
49d71db7c33aa71a2f3e0d62d560d27c
SHA1
a18674c130f88ce54162fe3ec7f9fc804f1341dc
SHA256
98e24c0800c3f48e1e7df3ba5fedd149de5cd4627edd9de185eb4e9ad3207336
SHA512
c861d9861255acb4b340b6a940854eea18e0c8f66b4c95779846f843b53f40c1999d2d2047c42982e4a3450c1af675dc9c4f2da34944507e500aa67be6a78b34
-
Filesize
5.9MB
MD5
9af547ea86fce9ae45be91d58d9c73e4
SHA1
b0fde15662ac124c033d8500aefcf69d002a058a
SHA256
a532efb9b17cf023309cfbe300da85d4a9946a11694e6650cfdbc0e1d7460fed
SHA512
9d714a5a9e460c492271cd86920e886941708cfd1eb49e3fa3d7eb300e042766ef60caf9b16009dce6534e91e3b8779c19e7f3ae8d0de47617cd1716b8159e2b
-
Filesize
5.9MB
MD5
813db0636b55b65f9534cce08204f1a0
SHA1
ac5e95cd4dd8304bb6e66a7ab65f704a504d90fb
SHA256
b1de3770d65a1b3a8a9828c588847d188471b19bb35c7795eb565ba8f61893cb
SHA512
19cba23caf0dcfaa65f54d194801743a50db08f7948e6896089e768fa2e8e0e39391a9a765e54003624424e6700fa2e10a6183e50700acf26ccb64687bb3f4c5
-
Filesize
5.9MB
MD5
4a1b6742e04ffb5df78ce94045588aab
SHA1
2c52b587f7fb290304f10fdc851daad7d3c597dd
SHA256
828d3010dd9350338a77ce444a7dbb7bf7489a75868fa5dcd960f9d743f1ca16
SHA512
d32cc411d3fd7fb0f95365c8769bc7b9c79b3eb9adbfc2bd1f2310e5742a3f56b06bdcb3304be6c55196932ea7be702963dea7df7e5058feacc2e35c3897ad83
-
Filesize
5.9MB
MD5
d7ac8a087588d77cc7575da7ae0f8c2f
SHA1
98f758cd3b4fcc7e23df2aaa0e3b5c51f65ed721
SHA256
e520d24af7187b527a8e5b17ae914b510211cea720f5f23de19d627afa2f6529
SHA512
afddf6c28c2caa7bdc3ed2dcb4e43d090569140253d500e869421f185db7e6e59ab6d38ff88aacd571b9bd0acfd568743b4075a76f146185fc80ab9c4b050813
-
Filesize
5.9MB
MD5
fd9feaef287132abb26daa0339f7f075
SHA1
44acf66a0777db69a123ef6976c6faac8cc704ef
SHA256
9825a8aadc31f3841d79dc0ef5b536ad6b4e823234b27ebf43bfd990f72521bc
SHA512
7bc1b7882b55efd905bde9643b754cb3092cb93ce074624744fda3cce3b1e628cd5bf6b362679f3bca70fb6f18dc622b5a01d50de2908f369f79034ca1308ccd
-
Filesize
5.9MB
MD5
cc9caade7f00dda13bfa4d87beba10b3
SHA1
20f7be4fbdfc72d9da7a9296efea4e3d306d08d3
SHA256
32c8dc7a0b31a44d36bcce3d154da4485d19b39a115c6acdd96ebfbf3735916e
SHA512
40c3472c60e81229bd5005e72c2774ea3712088c22d022e342c121645374b43db8ed22dfb3970bc99442d18532fc3851b31a5c140c52418227fd92b0228651de
-
Filesize
5.9MB
MD5
630a84e4f8c4804888c4da288bd5d5f8
SHA1
a9cd2f5fe1da15eab70f2883b466e0a50a122c18
SHA256
dc600c4a9a3a41fdcb2d143cdd51b84ae5b3a93ddd40ab7a67f75630d298b22e
SHA512
0219ff4290431090513575c48f6ec5534e84b52716c7b96e57e02c77668b5b05082d9dfe0fbc2b9ead5392a31e766f52fc44e364537355c8cd79b94442cb9b5f
-
Filesize
5.9MB
MD5
979483e23332b5438f1102f573e90a10
SHA1
8aaab4c47f39c8d1f0ae65a8e70f4cfb7a4902a4
SHA256
54df7acc83028f86e95461b2ce6d1c6bcc9fbc22a7110709fd19af8e899fc961
SHA512
7fee476fd5d784246d39bbac68d155dd1b687dcc7b80679277c209c340143dd54e283607b5766a819bbdfbc1eb91b494661701bfa5cd67f90d157cf8bcdf8166
-
Filesize
5.9MB
MD5
e16ce437529fb445cc1641f16fc3d14f
SHA1
c53c14c23e04afb0d333c825f2ba8ad3192545e7
SHA256
ba71989e6eee2872239a2c20d312bc95694ee358aab82e7a780328ec40ace43e
SHA512
1fedcf8790ca1036e8eb3c3e23f9ce7f1ddf37575cac0fa22a63c4069313eec3ec4262ae7c5ccf0dea00a4d03148ff274129e7c830849e3cd1591a8acccc2600
-
Filesize
5.9MB
MD5
1f8015258bc338144e41576ef80bf472
SHA1
9495e48f41c626cd506653adb98d2ae602f87570
SHA256
e072610f0df1b615f7916ac055cb93601f7895aefb849e769267e295572bbc13
SHA512
65c6d7dfb60aee413bbb7023b19ef1e0826ca411fdd8a1babb92bc6ac399292a6bf39a6bcc143011c1464ec4644bbb73edc8eaa311def6aef05c91d583911155
-
Filesize
5.9MB
MD5
ab4a34568a7a37cee983f19d8329f3d0
SHA1
62ae1c729a796f84e77a346e13e6f9392b89a192
SHA256
6052c94ee71069bf24e574a3d1d67a02341f169a4a6ce9acb10a75726bcb4ad2
SHA512
f97a4e2805ad0c3e1b07dda6e25f061ec1abd419d0d35870ae0d3c3571ab26ec2dcee3e901b158785a0936c81284d301903b4e8bcba7c8946470961b252e5ad2
-
Filesize
5.9MB
MD5
ad684815dbb5d8aff65fdcf10bf27f31
SHA1
3a8e33ee12811968dba7cc8668e3bb368e6e8654
SHA256
d4e20123d34f6337134cdb972365f517c9e47fc7d1246067f8141839113105b0
SHA512
03945388566498d765f969bcc42a5dad46d3421efc6a49e9b21001a2226e796e9b872ff5a20d5facf9419c056c3794777b39081c0e8af77598ea7d699dfec2d9
-
Filesize
5.9MB
MD5
f3bafa34cc89c846a2b9ae9e13a35b9b
SHA1
a7c7f80599ba2ea6d2512f23c5f59ffa83615eef
SHA256
65a6fc2c77086d856192ccb820a9e043df0349213d52c92c4254ab4f71e638c2
SHA512
0974dd291991b7c5bec615ae4bc13d0204a58933ada32b50a4270dc0a294e06c423222a7166ce041ba0e8660b48597997aa0bef73871cc70e4934d092f51f448
-
Filesize
5.9MB
MD5
44c489af4b283cae0458bf1763db0c44
SHA1
58b9b60f48200944ad19f6543bf8c5879b66701c
SHA256
7149455bd339045cec68ad462e4df2299fac817dba47a1279d1d8449eb6d029c
SHA512
6c2ba9a520e468a139f865ff76b25c06241b5c20bda0230e090a4f77aea5fc98a4b771e4299f7369b3b927ae643ac9e15bbdf2122f084704bba4a403c0463d50
-
Filesize
5.9MB
MD5
bd82ede5f165e54e725af8d2a7d80158
SHA1
a7deb30ba68b1f074044322a13a4162b37d9197b
SHA256
2cebf6b639de4988390d68d7374a0038da8073e88220c6a9e877efc5b9d98c13
SHA512
b0f494e2adfba615d984f33788bdce5e5e55a4780c37ac8164a29fd74c0cd42e17f407a8a0fb5018f115c2d58ce55450ae84dede8cf152c4cc08d13a09edffc9
-
Filesize
5.9MB
MD5
319c01507a2f5df3e5433669b09e8cff
SHA1
10ed191dbb879151aa41ae09f6b29993b1eaa1dd
SHA256
1498d33f0f975665cfe6630045e1a1dd13cfaa12659ee8dc8a2076731e9609b4
SHA512
defce5463769f1537509bd17d0b5288e866eba5870f13dc6e8ebc61213b63daf549c0331dc2970dd5c92a227b325f04341045fa09c635da39fcf878dbe806cfb
-
Filesize
5.9MB
MD5
42e71bd3200c86af41a262047cd9f484
SHA1
18994c9df71a02927da1526c8434aaff15f6b19b
SHA256
2dc1f2678840dcf88c0d704820ea3c8c14e281e863dec620b90cc9130561cea0
SHA512
5fdbeda40f646b8dbd172591ae3609ab077826916aeb50500e44f2e26e6e215ca046f3733a79280dcb398170be2ff421498abc884278889612e5f95f82500299
-
Filesize
5.9MB
MD5
c18e81921a22304cc2d5ada4a1a84e79
SHA1
ad7f5fe000437630dba611086e37ea6f32186899
SHA256
ce72817ea842acd012c485621c29471223b0cb3b6f5284c8f7548366583897af
SHA512
17ff99b51203518030a178c5111f9fe5199b1f310b26da4f80cdc249c9f205e5b8a3dc1186ba2242b48879cd35c4954248d23aa19632f7cae6f2deaaa9c340b2
-
Filesize
5.9MB
MD5
da575eda49ae68b463c1d841fe50fb66
SHA1
4360a9dd636a4f925e0aaabe01cce858094cef6d
SHA256
bc15aeb42278d22019c843ef7782bba8f6901e332c813643748c73167f33c9b2
SHA512
0f9404e1a32ed9021a90d37be4db1e6f92e9d8ac8b6b22852b56024a6d1320e4638e0effa50ef3931b21d4313f2da7cdd8f161be0dab196104f723b11201320e
-
Filesize
5.9MB
MD5
d10d916c1a8560ab5365e12822d991c5
SHA1
d34ddf06cd6be67a49da78c736dcfb47b65c31e9
SHA256
c02cd89a8cf30cd45549e85d5f6c2b3be7e735fef0c636a6f62fe5a21d90098d
SHA512
dfff429a3de0bd5f55bd7803c1e16ab9c46b70aa20c1ceaa04cee89897fd0e0cde954c053c784027af3c7a174af2e9c3ef9c72ff4794c822703537fc2059897f
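Every one of the twenty-one dropped files above is 5.9MB, yet each carries a different hash, so a hash-only indicator set matches only those exact copies and a sweep for this sample should combine hashes with the size and the drop location. The Python below is an added example, not part of the report or of any tool it was produced with. It turns a subset of the SHA256 values listed above into a validated indicator set, walks a directory tree hashing regular files in fixed-size chunks behind an optional size prefilter, and returns the matches. The planted file name and contents are constructed for the demonstration, and the 5.5 to 6.5 million byte prefilter range is an assumption derived from the rounded "5.9MB" the report shows.

```python
"""Sweep a directory tree for files whose SHA-256 is in a dropped-file indicator set."""
import hashlib
import os
import tempfile
from pathlib import Path

# Subset of the SHA256 values from the Downloads list above.
REPORT_SHA256 = {
    "98e24c0800c3f48e1e7df3ba5fedd149de5cd4627edd9de185eb4e9ad3207336",
    "a532efb9b17cf023309cfbe300da85d4a9946a11694e6650cfdbc0e1d7460fed",
    "b1de3770d65a1b3a8a9828c588847d188471b19bb35c7795eb565ba8f61893cb",
}

# Assumption: the report rounds each drop to "5.9MB"; this range brackets it.
DROP_SIZE_RANGE = (5_500_000, 6_500_000)


def normalize_iocs(hashes) -> set[str]:
    """Lower-case each digest and reject anything that is not 64 hex characters,
    so a typo in an indicator list fails loudly instead of silently never matching."""
    wanted = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        wanted.add(h)
    return wanted


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so multi-megabyte drops are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, iocs, size_range=None) -> list[tuple[str, str]]:
    """Return sorted (path, sha256) pairs under root whose digest is in iocs.
    Symlinks are skipped; unreadable files are ignored rather than aborting the sweep."""
    wanted = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file():
                    continue
                if size_range is not None:
                    lo, hi = size_range
                    if not lo <= path.stat().st_size <= hi:
                        continue          # cheap prefilter before hashing
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((str(path), digest))
    return sorted(hits)


def demo_scan():
    """Plant one constructed file, add its digest to the report's set, and run the
    sweep with and without the size prefilter. Returns (hits, planted_digest, filtered)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        planted = root / "sub" / "zqWvnKp.exe"             # constructed, not from the report
        planted.write_bytes(b"constructed drop body\n" * 4096)
        (root / "benign.txt").write_text("nothing to see here\n")
        planted_digest = sha256_file(planted)
        iocs = REPORT_SHA256 | {planted_digest}
        hits = scan(root, iocs)
        filtered = scan(root, iocs, size_range=DROP_SIZE_RANGE)   # planted file is far below 5.5 MB
    return hits, planted_digest, filtered


if __name__ == "__main__":
    for path, digest in scan(r"C:\Windows\System", REPORT_SHA256, size_range=DROP_SIZE_RANGE):
        print(f"{digest}  {path}")
```

On a host the sweep would be pointed at C:\Windows\System with the full list of twenty-one SHA256 values; the size prefilter skips the many small files there so only candidates of the right size are hashed.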