Analysis

max time kernel: 142s
max time network: 145s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 08-06-2024 08:43
Behavioral task: behavioral1
Sample: 2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
Resource: win7-20240419-en
General

Target: 2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: d1e400c0201bbe03851c57d78c496d6d
SHA1: 0e8d2027218976d57e2a97f5bc88ad58acd9a8c6
SHA256: e6a9a78b4a8fa1f1902cc96b91650547fc41523c4e884912aa00f25d4673e683
SHA512: 4c05824fca9134f8afb33be0e6689e46291dede4458bc10b61522ed10d7364c9511c488f86d5618f6960883036ca941624b516bd6f35066cd233e48bc928136a
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUN:Q+856utgpPF8u/7N
Malware Config

Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes (resource, yara_rule):
\Windows\system\aHvKVhH.exe  cobalt_reflective_dll
\Windows\system\KWbdyEf.exe  cobalt_reflective_dll
\Windows\system\lTzmwYP.exe  cobalt_reflective_dll
C:\Windows\system\oAQZqht.exe  cobalt_reflective_dll
C:\Windows\system\JeUpuzH.exe  cobalt_reflective_dll
C:\Windows\system\SYDPzmd.exe  cobalt_reflective_dll
C:\Windows\system\atoHRbj.exe  cobalt_reflective_dll
\Windows\system\jUtUNdi.exe  cobalt_reflective_dll
C:\Windows\system\YZYADDR.exe  cobalt_reflective_dll
C:\Windows\system\lZXinBA.exe  cobalt_reflective_dll
\Windows\system\FSFGWdp.exe  cobalt_reflective_dll
C:\Windows\system\YEJVoNw.exe  cobalt_reflective_dll
C:\Windows\system\JUIFqUY.exe  cobalt_reflective_dll
C:\Windows\system\hoqOuZQ.exe  cobalt_reflective_dll
C:\Windows\system\hAGOBQA.exe  cobalt_reflective_dll
C:\Windows\system\KiLMsnW.exe  cobalt_reflective_dll
C:\Windows\system\BIZCqZZ.exe  cobalt_reflective_dll
C:\Windows\system\tFjfnxb.exe  cobalt_reflective_dll
C:\Windows\system\BdUCkMO.exe  cobalt_reflective_dll
C:\Windows\system\fbGisJh.exe  cobalt_reflective_dll
C:\Windows\system\vJyApuh.exe  cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Detects Reflective DLL injection artifacts (21 IoCs)
Processes (resource, yara_rule):
\Windows\system\aHvKVhH.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KWbdyEf.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\lTzmwYP.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oAQZqht.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JeUpuzH.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SYDPzmd.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\atoHRbj.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\jUtUNdi.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YZYADDR.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lZXinBA.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FSFGWdp.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YEJVoNw.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JUIFqUY.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hoqOuZQ.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hAGOBQA.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KiLMsnW.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BIZCqZZ.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tFjfnxb.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BdUCkMO.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fbGisJh.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vJyApuh.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
UPX dump on OEP (original entry point) (63 IoCs)
Processes (resource, yara_rule):
behavioral1/memory/1968-2-0x000000013F240000-0x000000013F594000-memory.dmp  UPX
\Windows\system\aHvKVhH.exe  UPX
behavioral1/memory/3008-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp  UPX
\Windows\system\KWbdyEf.exe  UPX
\Windows\system\lTzmwYP.exe  UPX
C:\Windows\system\oAQZqht.exe  UPX
behavioral1/memory/2736-29-0x000000013F720000-0x000000013FA74000-memory.dmp  UPX
behavioral1/memory/2664-26-0x000000013FDF0000-0x0000000140144000-memory.dmp  UPX
behavioral1/memory/2596-14-0x000000013F7B0000-0x000000013FB04000-memory.dmp  UPX
behavioral1/memory/2788-35-0x000000013FF20000-0x0000000140274000-memory.dmp  UPX
behavioral1/memory/2488-43-0x000000013FBC0000-0x000000013FF14000-memory.dmp  UPX
C:\Windows\system\JeUpuzH.exe  UPX
C:\Windows\system\SYDPzmd.exe  UPX
behavioral1/memory/2780-49-0x000000013F1B0000-0x000000013F504000-memory.dmp  UPX
behavioral1/memory/2532-56-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  UPX
C:\Windows\system\atoHRbj.exe  UPX
behavioral1/memory/2504-63-0x000000013F290000-0x000000013F5E4000-memory.dmp  UPX
behavioral1/memory/1596-69-0x000000013F050000-0x000000013F3A4000-memory.dmp  UPX
\Windows\system\jUtUNdi.exe  UPX
C:\Windows\system\YZYADDR.exe  UPX
behavioral1/memory/1588-99-0x000000013FC60000-0x000000013FFB4000-memory.dmp  UPX
C:\Windows\system\lZXinBA.exe  UPX
\Windows\system\FSFGWdp.exe  UPX
C:\Windows\system\YEJVoNw.exe  UPX
C:\Windows\system\JUIFqUY.exe  UPX
C:\Windows\system\hoqOuZQ.exe  UPX
C:\Windows\system\hAGOBQA.exe  UPX
C:\Windows\system\KiLMsnW.exe  UPX
behavioral1/memory/1584-92-0x000000013F680000-0x000000013F9D4000-memory.dmp  UPX
behavioral1/memory/2780-136-0x000000013F1B0000-0x000000013F504000-memory.dmp  UPX
C:\Windows\system\BIZCqZZ.exe  UPX
behavioral1/memory/2524-77-0x000000013FF10000-0x0000000140264000-memory.dmp  UPX
behavioral1/memory/2664-75-0x000000013FDF0000-0x0000000140144000-memory.dmp  UPX
behavioral1/memory/2596-74-0x000000013F7B0000-0x000000013FB04000-memory.dmp  UPX
behavioral1/memory/2788-97-0x000000013FF20000-0x0000000140274000-memory.dmp  UPX
behavioral1/memory/2632-85-0x000000013F9E0000-0x000000013FD34000-memory.dmp  UPX
C:\Windows\system\tFjfnxb.exe  UPX
behavioral1/memory/2532-137-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  UPX
behavioral1/memory/3008-62-0x000000013F8E0000-0x000000013FC34000-memory.dmp  UPX
C:\Windows\system\BdUCkMO.exe  UPX
C:\Windows\system\fbGisJh.exe  UPX
behavioral1/memory/1968-48-0x000000013F240000-0x000000013F594000-memory.dmp  UPX
C:\Windows\system\vJyApuh.exe  UPX
behavioral1/memory/2504-138-0x000000013F290000-0x000000013F5E4000-memory.dmp  UPX
behavioral1/memory/1596-140-0x000000013F050000-0x000000013F3A4000-memory.dmp  UPX
behavioral1/memory/2524-142-0x000000013FF10000-0x0000000140264000-memory.dmp  UPX
behavioral1/memory/2632-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp  UPX
behavioral1/memory/1584-145-0x000000013F680000-0x000000013F9D4000-memory.dmp  UPX
behavioral1/memory/1588-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp  UPX
behavioral1/memory/3008-149-0x000000013F8E0000-0x000000013FC34000-memory.dmp  UPX
behavioral1/memory/2596-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp  UPX
behavioral1/memory/2664-151-0x000000013FDF0000-0x0000000140144000-memory.dmp  UPX
behavioral1/memory/2736-152-0x000000013F720000-0x000000013FA74000-memory.dmp  UPX
behavioral1/memory/2788-153-0x000000013FF20000-0x0000000140274000-memory.dmp  UPX
behavioral1/memory/2488-154-0x000000013FBC0000-0x000000013FF14000-memory.dmp  UPX
behavioral1/memory/2780-155-0x000000013F1B0000-0x000000013F504000-memory.dmp  UPX
behavioral1/memory/2532-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  UPX
behavioral1/memory/2504-157-0x000000013F290000-0x000000013F5E4000-memory.dmp  UPX
behavioral1/memory/1596-158-0x000000013F050000-0x000000013F3A4000-memory.dmp  UPX
behavioral1/memory/2524-159-0x000000013FF10000-0x0000000140264000-memory.dmp  UPX
behavioral1/memory/2632-160-0x000000013F9E0000-0x000000013FD34000-memory.dmp  UPX
behavioral1/memory/1584-161-0x000000013F680000-0x000000013F9D4000-memory.dmp  UPX
behavioral1/memory/1588-162-0x000000013FC60000-0x000000013FFB4000-memory.dmp  UPX
XMRig Miner payload (64 IoCs)
Processes (resource, yara_rule):
behavioral1/memory/1968-2-0x000000013F240000-0x000000013F594000-memory.dmp  xmrig
\Windows\system\aHvKVhH.exe  xmrig
behavioral1/memory/3008-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp  xmrig
\Windows\system\KWbdyEf.exe  xmrig
\Windows\system\lTzmwYP.exe  xmrig
C:\Windows\system\oAQZqht.exe  xmrig
behavioral1/memory/2736-29-0x000000013F720000-0x000000013FA74000-memory.dmp  xmrig
behavioral1/memory/2664-26-0x000000013FDF0000-0x0000000140144000-memory.dmp  xmrig
behavioral1/memory/2596-14-0x000000013F7B0000-0x000000013FB04000-memory.dmp  xmrig
behavioral1/memory/2788-35-0x000000013FF20000-0x0000000140274000-memory.dmp  xmrig
behavioral1/memory/2488-43-0x000000013FBC0000-0x000000013FF14000-memory.dmp  xmrig
C:\Windows\system\JeUpuzH.exe  xmrig
C:\Windows\system\SYDPzmd.exe  xmrig
behavioral1/memory/2780-49-0x000000013F1B0000-0x000000013F504000-memory.dmp  xmrig
behavioral1/memory/2532-56-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  xmrig
C:\Windows\system\atoHRbj.exe  xmrig
behavioral1/memory/2504-63-0x000000013F290000-0x000000013F5E4000-memory.dmp  xmrig
behavioral1/memory/1596-69-0x000000013F050000-0x000000013F3A4000-memory.dmp  xmrig
\Windows\system\jUtUNdi.exe  xmrig
C:\Windows\system\YZYADDR.exe  xmrig
behavioral1/memory/1588-99-0x000000013FC60000-0x000000013FFB4000-memory.dmp  xmrig
C:\Windows\system\lZXinBA.exe  xmrig
\Windows\system\FSFGWdp.exe  xmrig
C:\Windows\system\YEJVoNw.exe  xmrig
C:\Windows\system\JUIFqUY.exe  xmrig
C:\Windows\system\hoqOuZQ.exe  xmrig
C:\Windows\system\hAGOBQA.exe  xmrig
C:\Windows\system\KiLMsnW.exe  xmrig
behavioral1/memory/1584-92-0x000000013F680000-0x000000013F9D4000-memory.dmp  xmrig
behavioral1/memory/2780-136-0x000000013F1B0000-0x000000013F504000-memory.dmp  xmrig
C:\Windows\system\BIZCqZZ.exe  xmrig
behavioral1/memory/2524-77-0x000000013FF10000-0x0000000140264000-memory.dmp  xmrig
behavioral1/memory/2664-75-0x000000013FDF0000-0x0000000140144000-memory.dmp  xmrig
behavioral1/memory/2596-74-0x000000013F7B0000-0x000000013FB04000-memory.dmp  xmrig
behavioral1/memory/2788-97-0x000000013FF20000-0x0000000140274000-memory.dmp  xmrig
behavioral1/memory/2632-85-0x000000013F9E0000-0x000000013FD34000-memory.dmp  xmrig
C:\Windows\system\tFjfnxb.exe  xmrig
behavioral1/memory/2532-137-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  xmrig
behavioral1/memory/3008-62-0x000000013F8E0000-0x000000013FC34000-memory.dmp  xmrig
C:\Windows\system\BdUCkMO.exe  xmrig
C:\Windows\system\fbGisJh.exe  xmrig
behavioral1/memory/1968-48-0x000000013F240000-0x000000013F594000-memory.dmp  xmrig
C:\Windows\system\vJyApuh.exe  xmrig
behavioral1/memory/2504-138-0x000000013F290000-0x000000013F5E4000-memory.dmp  xmrig
behavioral1/memory/1596-140-0x000000013F050000-0x000000013F3A4000-memory.dmp  xmrig
behavioral1/memory/1968-141-0x000000013FF10000-0x0000000140264000-memory.dmp  xmrig
behavioral1/memory/2524-142-0x000000013FF10000-0x0000000140264000-memory.dmp  xmrig
behavioral1/memory/2632-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp  xmrig
behavioral1/memory/1584-145-0x000000013F680000-0x000000013F9D4000-memory.dmp  xmrig
behavioral1/memory/1588-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp  xmrig
behavioral1/memory/3008-149-0x000000013F8E0000-0x000000013FC34000-memory.dmp  xmrig
behavioral1/memory/2596-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp  xmrig
behavioral1/memory/2664-151-0x000000013FDF0000-0x0000000140144000-memory.dmp  xmrig
behavioral1/memory/2736-152-0x000000013F720000-0x000000013FA74000-memory.dmp  xmrig
behavioral1/memory/2788-153-0x000000013FF20000-0x0000000140274000-memory.dmp  xmrig
behavioral1/memory/2488-154-0x000000013FBC0000-0x000000013FF14000-memory.dmp  xmrig
behavioral1/memory/2780-155-0x000000013F1B0000-0x000000013F504000-memory.dmp  xmrig
behavioral1/memory/2532-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  xmrig
behavioral1/memory/2504-157-0x000000013F290000-0x000000013F5E4000-memory.dmp  xmrig
behavioral1/memory/1596-158-0x000000013F050000-0x000000013F3A4000-memory.dmp  xmrig
behavioral1/memory/2524-159-0x000000013FF10000-0x0000000140264000-memory.dmp  xmrig
behavioral1/memory/2632-160-0x000000013F9E0000-0x000000013FD34000-memory.dmp  xmrig
behavioral1/memory/1584-161-0x000000013F680000-0x000000013F9D4000-memory.dmp  xmrig
behavioral1/memory/1588-162-0x000000013FC60000-0x000000013FFB4000-memory.dmp  xmrig
Executes dropped EXE (21 IoCs)
Processes (pid, process):
3008  aHvKVhH.exe
2596  KWbdyEf.exe
2664  lTzmwYP.exe
2736  oAQZqht.exe
2788  SYDPzmd.exe
2488  JeUpuzH.exe
2780  vJyApuh.exe
2532  fbGisJh.exe
2504  BdUCkMO.exe
1596  atoHRbj.exe
2524  jUtUNdi.exe
2632  tFjfnxb.exe
1584  BIZCqZZ.exe
1588  YZYADDR.exe
1780  hAGOBQA.exe
1436  KiLMsnW.exe
344  hoqOuZQ.exe
1604  lZXinBA.exe
836  JUIFqUY.exe
2796  YEJVoNw.exe
2832  FSFGWdp.exe
Loads dropped DLL (21 IoCs)
Processes (pid, process):
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
Processes (resource, yara_rule):
behavioral1/memory/1968-2-0x000000013F240000-0x000000013F594000-memory.dmp  upx
\Windows\system\aHvKVhH.exe  upx
behavioral1/memory/3008-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp  upx
\Windows\system\KWbdyEf.exe  upx
\Windows\system\lTzmwYP.exe  upx
C:\Windows\system\oAQZqht.exe  upx
behavioral1/memory/2736-29-0x000000013F720000-0x000000013FA74000-memory.dmp  upx
behavioral1/memory/2664-26-0x000000013FDF0000-0x0000000140144000-memory.dmp  upx
behavioral1/memory/2596-14-0x000000013F7B0000-0x000000013FB04000-memory.dmp  upx
behavioral1/memory/2788-35-0x000000013FF20000-0x0000000140274000-memory.dmp  upx
behavioral1/memory/2488-43-0x000000013FBC0000-0x000000013FF14000-memory.dmp  upx
C:\Windows\system\JeUpuzH.exe  upx
C:\Windows\system\SYDPzmd.exe  upx
behavioral1/memory/2780-49-0x000000013F1B0000-0x000000013F504000-memory.dmp  upx
behavioral1/memory/2532-56-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  upx
C:\Windows\system\atoHRbj.exe  upx
behavioral1/memory/2504-63-0x000000013F290000-0x000000013F5E4000-memory.dmp  upx
behavioral1/memory/1596-69-0x000000013F050000-0x000000013F3A4000-memory.dmp  upx
\Windows\system\jUtUNdi.exe  upx
C:\Windows\system\YZYADDR.exe  upx
behavioral1/memory/1588-99-0x000000013FC60000-0x000000013FFB4000-memory.dmp  upx
C:\Windows\system\lZXinBA.exe  upx
\Windows\system\FSFGWdp.exe  upx
C:\Windows\system\YEJVoNw.exe  upx
C:\Windows\system\JUIFqUY.exe  upx
C:\Windows\system\hoqOuZQ.exe  upx
C:\Windows\system\hAGOBQA.exe  upx
C:\Windows\system\KiLMsnW.exe  upx
behavioral1/memory/1584-92-0x000000013F680000-0x000000013F9D4000-memory.dmp  upx
behavioral1/memory/2780-136-0x000000013F1B0000-0x000000013F504000-memory.dmp  upx
C:\Windows\system\BIZCqZZ.exe  upx
behavioral1/memory/2524-77-0x000000013FF10000-0x0000000140264000-memory.dmp  upx
behavioral1/memory/2664-75-0x000000013FDF0000-0x0000000140144000-memory.dmp  upx
behavioral1/memory/2596-74-0x000000013F7B0000-0x000000013FB04000-memory.dmp  upx
behavioral1/memory/2788-97-0x000000013FF20000-0x0000000140274000-memory.dmp  upx
behavioral1/memory/2632-85-0x000000013F9E0000-0x000000013FD34000-memory.dmp  upx
C:\Windows\system\tFjfnxb.exe  upx
behavioral1/memory/2532-137-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  upx
behavioral1/memory/3008-62-0x000000013F8E0000-0x000000013FC34000-memory.dmp  upx
C:\Windows\system\BdUCkMO.exe  upx
C:\Windows\system\fbGisJh.exe  upx
behavioral1/memory/1968-48-0x000000013F240000-0x000000013F594000-memory.dmp  upx
C:\Windows\system\vJyApuh.exe  upx
behavioral1/memory/2504-138-0x000000013F290000-0x000000013F5E4000-memory.dmp  upx
behavioral1/memory/1596-140-0x000000013F050000-0x000000013F3A4000-memory.dmp  upx
behavioral1/memory/2524-142-0x000000013FF10000-0x0000000140264000-memory.dmp  upx
behavioral1/memory/2632-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp  upx
behavioral1/memory/1584-145-0x000000013F680000-0x000000013F9D4000-memory.dmp  upx
behavioral1/memory/1588-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp  upx
behavioral1/memory/3008-149-0x000000013F8E0000-0x000000013FC34000-memory.dmp  upx
behavioral1/memory/2596-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp  upx
behavioral1/memory/2664-151-0x000000013FDF0000-0x0000000140144000-memory.dmp  upx
behavioral1/memory/2736-152-0x000000013F720000-0x000000013FA74000-memory.dmp  upx
behavioral1/memory/2788-153-0x000000013FF20000-0x0000000140274000-memory.dmp  upx
behavioral1/memory/2488-154-0x000000013FBC0000-0x000000013FF14000-memory.dmp  upx
behavioral1/memory/2780-155-0x000000013F1B0000-0x000000013F504000-memory.dmp  upx
behavioral1/memory/2532-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp  upx
behavioral1/memory/2504-157-0x000000013F290000-0x000000013F5E4000-memory.dmp  upx
behavioral1/memory/1596-158-0x000000013F050000-0x000000013F3A4000-memory.dmp  upx
behavioral1/memory/2524-159-0x000000013FF10000-0x0000000140264000-memory.dmp  upx
behavioral1/memory/2632-160-0x000000013F9E0000-0x000000013FD34000-memory.dmp  upx
behavioral1/memory/1584-161-0x000000013F680000-0x000000013F9D4000-memory.dmp  upx
behavioral1/memory/1588-162-0x000000013FC60000-0x000000013FFB4000-memory.dmp  upx
Drops file in Windows directory (21 IoCs)
Processes (description, ioc, process); the process column is 2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe for every row:
File created  C:\Windows\System\jUtUNdi.exe
File created  C:\Windows\System\KiLMsnW.exe
File created  C:\Windows\System\hoqOuZQ.exe
File created  C:\Windows\System\lTzmwYP.exe
File created  C:\Windows\System\JeUpuzH.exe
File created  C:\Windows\System\vJyApuh.exe
File created  C:\Windows\System\fbGisJh.exe
File created  C:\Windows\System\YZYADDR.exe
File created  C:\Windows\System\hAGOBQA.exe
File created  C:\Windows\System\JUIFqUY.exe
File created  C:\Windows\System\FSFGWdp.exe
File created  C:\Windows\System\KWbdyEf.exe
File created  C:\Windows\System\oAQZqht.exe
File created  C:\Windows\System\SYDPzmd.exe
File created  C:\Windows\System\lZXinBA.exe
File created  C:\Windows\System\YEJVoNw.exe
File created  C:\Windows\System\aHvKVhH.exe
File created  C:\Windows\System\atoHRbj.exe
File created  C:\Windows\System\tFjfnxb.exe
File created  C:\Windows\System\BdUCkMO.exe
File created  C:\Windows\System\BIZCqZZ.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
Token: SeLockMemoryPrivilege  1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege  1968  2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Processes (description, target pid, target process); pid is 1968 and process is 2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe for every row:
PID 1968 wrote to memory of 3008  aHvKVhH.exe
PID 1968 wrote to memory of 3008  aHvKVhH.exe
PID 1968 wrote to memory of 3008  aHvKVhH.exe
PID 1968 wrote to memory of 2596  KWbdyEf.exe
PID 1968 wrote to memory of 2596  KWbdyEf.exe
PID 1968 wrote to memory of 2596  KWbdyEf.exe
PID 1968 wrote to memory of 2664  lTzmwYP.exe
PID 1968 wrote to memory of 2664  lTzmwYP.exe
PID 1968 wrote to memory of 2664  lTzmwYP.exe
PID 1968 wrote to memory of 2736  oAQZqht.exe
PID 1968 wrote to memory of 2736  oAQZqht.exe
PID 1968 wrote to memory of 2736  oAQZqht.exe
PID 1968 wrote to memory of 2788  SYDPzmd.exe
PID 1968 wrote to memory of 2788  SYDPzmd.exe
PID 1968 wrote to memory of 2788  SYDPzmd.exe
PID 1968 wrote to memory of 2488  JeUpuzH.exe
PID 1968 wrote to memory of 2488  JeUpuzH.exe
PID 1968 wrote to memory of 2488  JeUpuzH.exe
PID 1968 wrote to memory of 2780  vJyApuh.exe
PID 1968 wrote to memory of 2780  vJyApuh.exe
PID 1968 wrote to memory of 2780  vJyApuh.exe
PID 1968 wrote to memory of 2532  fbGisJh.exe
PID 1968 wrote to memory of 2532  fbGisJh.exe
PID 1968 wrote to memory of 2532  fbGisJh.exe
PID 1968 wrote to memory of 2504  BdUCkMO.exe
PID 1968 wrote to memory of 2504  BdUCkMO.exe
PID 1968 wrote to memory of 2504  BdUCkMO.exe
PID 1968 wrote to memory of 1596  atoHRbj.exe
PID 1968 wrote to memory of 1596  atoHRbj.exe
PID 1968 wrote to memory of 1596  atoHRbj.exe
PID 1968 wrote to memory of 2524  jUtUNdi.exe
PID 1968 wrote to memory of 2524  jUtUNdi.exe
PID 1968 wrote to memory of 2524  jUtUNdi.exe
PID 1968 wrote to memory of 2632  tFjfnxb.exe
PID 1968 wrote to memory of 2632  tFjfnxb.exe
PID 1968 wrote to memory of 2632  tFjfnxb.exe
PID 1968 wrote to memory of 1584  BIZCqZZ.exe
PID 1968 wrote to memory of 1584  BIZCqZZ.exe
PID 1968 wrote to memory of 1584  BIZCqZZ.exe
PID 1968 wrote to memory of 1588  YZYADDR.exe
PID 1968 wrote to memory of 1588  YZYADDR.exe
PID 1968 wrote to memory of 1588  YZYADDR.exe
PID 1968 wrote to memory of 1780  hAGOBQA.exe
PID 1968 wrote to memory of 1780  hAGOBQA.exe
PID 1968 wrote to memory of 1780  hAGOBQA.exe
PID 1968 wrote to memory of 1436  KiLMsnW.exe
PID 1968 wrote to memory of 1436  KiLMsnW.exe
PID 1968 wrote to memory of 1436  KiLMsnW.exe
PID 1968 wrote to memory of 344  hoqOuZQ.exe
PID 1968 wrote to memory of 344  hoqOuZQ.exe
PID 1968 wrote to memory of 344  hoqOuZQ.exe
PID 1968 wrote to memory of 1604  lZXinBA.exe
PID 1968 wrote to memory of 1604  lZXinBA.exe
PID 1968 wrote to memory of 1604  lZXinBA.exe
PID 1968 wrote to memory of 836  JUIFqUY.exe
PID 1968 wrote to memory of 836  JUIFqUY.exe
PID 1968 wrote to memory of 836  JUIFqUY.exe
PID 1968 wrote to memory of 2796  YEJVoNw.exe
PID 1968 wrote to memory of 2796  YEJVoNw.exe
PID 1968 wrote to memory of 2796  YEJVoNw.exe
PID 1968 wrote to memory of 2832  FSFGWdp.exe
PID 1968 wrote to memory of 2832  FSFGWdp.exe
PID 1968 wrote to memory of 2832  FSFGWdp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe", process tree level 1)
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
-
C:\Windows\System\aHvKVhH.exe (command line: C:\Windows\System\aHvKVhH.exe, process tree level 2)
- Executes dropped EXE
PID:3008
-
C:\Windows\System\KWbdyEf.exe (command line: C:\Windows\System\KWbdyEf.exe, process tree level 2)
- Executes dropped EXE
PID:2596
-
C:\Windows\System\lTzmwYP.exe (command line: C:\Windows\System\lTzmwYP.exe, process tree level 2)
- Executes dropped EXE
PID:2664
-
C:\Windows\System\oAQZqht.exe (command line: C:\Windows\System\oAQZqht.exe, process tree level 2)
- Executes dropped EXE
PID:2736
-
C:\Windows\System\SYDPzmd.exe (command line: C:\Windows\System\SYDPzmd.exe, process tree level 2)
- Executes dropped EXE
PID:2788
-
C:\Windows\System\JeUpuzH.exe (command line: C:\Windows\System\JeUpuzH.exe, process tree level 2)
- Executes dropped EXE
PID:2488
-
C:\Windows\System\vJyApuh.exe (command line: C:\Windows\System\vJyApuh.exe, process tree level 2)
- Executes dropped EXE
PID:2780
-
C:\Windows\System\fbGisJh.exe (command line: C:\Windows\System\fbGisJh.exe, process tree level 2)
- Executes dropped EXE
PID:2532
-
C:\Windows\System\BdUCkMO.exe (command line: C:\Windows\System\BdUCkMO.exe, process tree level 2)
- Executes dropped EXE
PID:2504
-
C:\Windows\System\atoHRbj.exe (command line: C:\Windows\System\atoHRbj.exe, process tree level 2)
- Executes dropped EXE
PID:1596
-
C:\Windows\System\jUtUNdi.exe (command line: C:\Windows\System\jUtUNdi.exe, process tree level 2)
- Executes dropped EXE
PID:2524
-
C:\Windows\System\tFjfnxb.exe (command line: C:\Windows\System\tFjfnxb.exe, process tree level 2)
- Executes dropped EXE
PID:2632
-
C:\Windows\System\BIZCqZZ.exe (command line: C:\Windows\System\BIZCqZZ.exe, process tree level 2)
- Executes dropped EXE
PID:1584
-
C:\Windows\System\YZYADDR.exe (command line: C:\Windows\System\YZYADDR.exe, process tree level 2)
- Executes dropped EXE
PID:1588
-
C:\Windows\System\hAGOBQA.exe (command line: C:\Windows\System\hAGOBQA.exe, process tree level 2)
- Executes dropped EXE
PID:1780
-
C:\Windows\System\KiLMsnW.exe (command line: C:\Windows\System\KiLMsnW.exe, process tree level 2)
- Executes dropped EXE
PID:1436
-
C:\Windows\System\hoqOuZQ.exe (command line: C:\Windows\System\hoqOuZQ.exe, process tree level 2)
- Executes dropped EXE
PID:344
-
C:\Windows\System\lZXinBA.exe (command line: C:\Windows\System\lZXinBA.exe, process tree level 2)
- Executes dropped EXE
PID:1604
-
C:\Windows\System\JUIFqUY.exe (command line: C:\Windows\System\JUIFqUY.exe, process tree level 2)
- Executes dropped EXE
PID:836
-
C:\Windows\System\YEJVoNw.exe (command line: C:\Windows\System\YEJVoNw.exe, process tree level 2)
- Executes dropped EXE
PID:2796
-
C:\Windows\System\FSFGWdp.exe (command line: C:\Windows\System\FSFGWdp.exe, process tree level 2)
- Executes dropped EXE
PID:2832
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.9MB
MD5 8336c4934bb1e5fe2e12d9bb5cdc4465
SHA1 3fb07cd23105b00cc838c7d41c43d9ad5fe9e4b5
SHA256 b201120b6454d9aa484f2b7546dc11729fa3b0df003eceddccf68b3610aaa275
SHA512 9e2657f9f762c04d0bbb187bdef1629b6ab4a2f1d2b39b5d44fbaa3fe1b5cec5099e8591646ea0d7543438915d5fb937ba12ae339867cd6178eb4a7a953d1d56
-
Filesize
5.9MB
MD5 9d242080a29101ea417121d269e439c1
SHA1 6f79fc31b3ba8276808c322445d11b1ea761cc03
SHA256 44153767998c3a1183345bc741fe0e21dfe013097c546771fd585bab9504c558
SHA512 cae98a1492089bc496495789912e4e7b1d34d637f549b5602ee6157b426d93d0dd62ff91ce4ef1ffb2b8969a92468ff7a0e73666fde7ba81852f4b8e0dbf406d
-
Filesize
5.9MB
MD5 775983015164f26ffb297f3b03d11bf0
SHA1 a67981ccd9d8482696fe14da51a958e0dae4f553
SHA256 8f0f1bbac317c77ab5c42455b152165dacdb7a13629edd28174df712995c5974
SHA512 01b25692bd4767fa80059e197666161ecc053e755ef7aca14d002f342a8cb7ba1ceac0a1ce47c33cd84fa31ce4714b319ceb87463ca3f26b81f5ce6171628760
-
Filesize
5.9MB
MD5 e962a30a22a6cba30f82d58139aa33ff
SHA1 e4c6b84f07301f32157680ee3160d5c71010f341
SHA256 f8122527d3cfc9c0f45c6568e4cee517e01115afe8def921bea10b701bfcd3af
SHA512 dd629fe2b66d31e4457fcaf281f9a95c79971eb8d187bcf3e6b2792cba774b5d1d0ca4a776b805a899bdb085c523731b82c08572257cc7ab058d6ee92a647646
-
Filesize
5.9MB
MD5 70268d965d3bd1193610da9a3bfa8cc3
SHA1 06bf23ae25c33d798cca2879258e821cb8dd0b1e
SHA256 a464504611dbd33f44a3a779a46aa49d36392e5dcf810b862987b5eacca1beba
SHA512 de33ab058cb52a66dbbe08d7c3d8dbe6687f79f943d9e45334c831d3311f7fb5c3575788069c7b36b7a1b876ea9c364beaf8ace02a071cc780581b32d7d5a0d3
-
Filesize
5.9MB
MD5 31d8d6bed97811a2c8183dd7d0723e30
SHA1 fe92dd6854990487d605c4d3835f29701e2c6903
SHA256 f95003cd4fbc9fb6f5a2389e1903c388fbf207916950034606e016e54c0dc249
SHA512 569211519f8da4b174ec58872e6431a022aa6a277e9d1fdc7a4fbceb717394a8fcfefa27f972a043f8d8527001fb4f7daba077ee4f3fd081fb2ab23a78901dd8
-
Filesize
5.9MB
MD5 62c6eba47634f877dc30bafbe07ae0b1
SHA1 3a769d5764e2ddca363ba936dff31a003da51ece
SHA256 13a806d9617141522060a3a10b62ef9561853d6137767be9c72f31bd6665ee8f
SHA512 2a783b53643b28b2872f2b80cf13da725f40d0cc1712a52bfaa7d75b4ed9360de13b6bf242a56770874540bf4f8d9a9aba2770b514631aa8176683c2610d3d7e
-
Filesize
5.9MB
MD5 85031710d40453d68c36f1c697d4aa93
SHA1 20a1ad6ad6947f3f06de1a4afb4a227c31d07eb9
SHA256 81a3c270179558414a6fc4c28fcc49457304b6ce9cdd5eda3b4235103f4e6ef0
SHA512 2294790c0a670a758183f25961dec0fccdb989edf82f040c62163d826ec3607376cd36ad5bd6c03310dfaa1d4447859ade98f67975452dbf9cec24feeac6db9c
-
Filesize
5.9MB
MD5 3c31f53fa79ccb3c2cca0949b6030d81
SHA1 4a03ad35d77e44e23f3b5610e2ea1d1a347b9847
SHA256 67ed21380a3469eb1475f6f43e8bdfb2782a4672220fa520c044e53a779bcb48
SHA512 1518917693336449ac711668ef043bf27fd40ab3866fabbaac88cbb7dbc345f47ea28b9fc81702bd84f809351bcc635c876805054c620a9b63387b2a058a57d9
-
Filesize
5.9MB
MD5 fee2b4540de28d4de1d225c97b5dee6b
SHA1 d8c558259b66e1d6345ab66fdd9cadae8f0aaac5
SHA256 c015f6c3ff440179f573e6c996c08b4048b52565aadf4bb46e96aee9f904b417
SHA512 87a6ef6c605f8a7ef9ae000f283ff61932f95592847ed05fe5a7e861990c62b40be94cd00295d7eb5ffe6dab71a1466175ab0684e7dcc440b41e0d349c78de94
-
Filesize
5.9MB
MD5 95922d25b21b1a1fdb3b7de9a092a552
SHA1 ff627df1bc295827fb238c66964885ab1437d70a
SHA256 81d00a0922847d8f307771cf9925415b4415d606fdd3fe12eae6b0b869cb1029
SHA512 9dc3027a138f85cc5b6f3e63ea2eaf1cf4785042b232713c243c86ec73485b5bfe33d03b7c2f13837ee043aa3a6c2fcdc0d841d438d11bdc0394283d37dba3d8
-
Filesize
5.9MB
MD5 c3cf9225e2ddd589b80bf81e9d12fa8a
SHA1 fd8eb7742ad44cafff6b1bfb21407e9f663c15b0
SHA256 76c353c7a099c64049191926eecddfd5c148e29f2b34ec2186c4c05b819e5e1a
SHA512 05329e6c946a2fe73865086885d9ee2cf55e80c11077b24049af9e6cf95d0e0111b7755d4cf17a0dd5e3d52e92a17f5f18f5e15de66c2c5c99907c6af4f58520
-
Filesize
5.9MB
MD5 ea3d70e2748e9830d552e5c4d5f85ea0
SHA1 4a380bdb4bfa866ae5e2e0a3afd0b50f149277cf
SHA256 71f74a6c2d529860a168585751e84f97ba0700399ffb23a9271c3683feb6bc29
SHA512 b999180c30a1db69a3610f79c54476d983af0fd28627f594f700912f40ae48fe949627f3aaa81b14aaeda9d0e0b2120bfac0f60bba36484ba6c7ac98b0c5fe90
-
Filesize
5.9MB
MD5 a47115b9ca02b0919f8dea9b64895c36
SHA1 eb8e6ba1a4bfe8f8b08bb92c4a48421653c1c444
SHA256 2d2bf25993575c5bff611aa019a9e7f8bcd82fb8b8d30e7600a9cc8e66065637
SHA512 f329b8afaf879699b8562e954e17c47904e0e92a96fb18722e4f72658b22cc0ea9a08d4005f32cae2678d42fff115cee0912287172bb2ba3e7e93b8f2f2baae7
-
Filesize
5.9MB
MD5 7c7f8f6479618853f012c8da98b9bffc
SHA1 46aa73d757dad3e3b8c91a1326c5a479b0ab2dda
SHA256 a86d9876b15c62bd397d0a1ac6b9b1b2af010158f2d99a5b26b169de454f7559
SHA512 e67281a2f76277b8345fd29178ecc8f2c307473a5533ef9e3b7a616e48e44b52b18d833983a48c1590b1d8d7056859da486a195c45465ebe7c58ae822a4c2d80
-
Filesize
5.9MB
MD5 165717a7c7d307a6143ad7cbf6835ea5
SHA1 b4f8617c191ee61946a8ea4cb3ef7ff1367b20b8
SHA256 82a95b066496a88e96baca069e7b712f0f6ad1f163d4f664140abfc559215c34
SHA512 255955ca0e116893cf47073538db874b7ff4b3e7f91c64c420865cc278cdff15af3d1ccb6c8fa3901733c39d049d8fb40c13f1ed6567f5ae1039bdbc07e9d35d
-
Filesize
5.9MB
MD5 c9248cbe49a2ca6c61cd67acc3833c83
SHA1 546576bf34dc353a9e8df92513fdd3b542171fa7
SHA256 11c28cb2773d5a3283610acab0c1b03cbf73180a6792491c6e44a2e60ecb1f49
SHA512 9f1a0a64336f9c3958e6a587839ee5727961686bfd2327d2dd78847814a9930730bd5a841e2958413f1d89b14f3b6de7f557ac9f552df229e4c4e242efe9ddeb
-
Filesize
5.9MB
MD5 04aa09ed29e3413a045d545793c211e7
SHA1 4bdbde3b5e5ca60ac450e32b548a8ac54d0a1ef7
SHA256 f058b7ddcf3e9286f013c727cbb7b3249187abb432cbe1507d98c44f64981919
SHA512 ae742a6ba6ef9ac3ac5705f888990bb5f623c096dd87a482a7a2d0dcf4cb74eaa2d10dd298f77511b07b5b8e07f31e895e8be1a5aab22ae13799bf469f5dd393
-
Filesize
5.9MB
MD5 c59688da11d39e62832ebdb9361b4976
SHA1 c7a9f0ff7da05e495d0a0aeec67df0ced7846a8c
SHA256 de3efa1f06808498d6bbc50355072b41295caee310aff197fa467f6b0f691268
SHA512 5a08fe3fd053e66b632441151bc12b644d5b4cc0e2f7ce00f8e488d63332e31b4d08a895236715873feffab66078bb700847b332281ec33a1401a4471bc5eea5
-
Filesize
5.9MB
MD5 86d114f7a1ac68e3dd9dae8af90507f8
SHA1 1017bce5f8d7990fccef767220361c1d27e58a8d
SHA256 8d11e4de38cc6b8eb4e71043702bd2478111134d5d8b7ba79a9146aa6fd95df3
SHA512 3e81b6f7c9c85f813b6d2ff4cd77a8931e6d0c407929b552535d3de10bc5f1fb9301797073182ee784de0b6159368bd218eb14ee0ba9b1a1168611ea2ece5e80
-
Filesize
5.9MB
MD5 f96716b4aa2b572162d91b0fc05dec4f
SHA1 4a10b73b22269fa78d587af3ea9e1cffbaee3f70
SHA256 d4083f7a6f2d41dbed0a1f76943be9149daa478f23260d304c341dfd5cf3e7e2
SHA512 3cd650b87bc6ad9f3602d50058e854b605c46b59a4c5fabffe136bbe171b9f0eeffc0367f65179f78ed036fb3ade7072934a58922153f3e9fb9ef305bf880f3d