Analysis
max time kernel: 143s
max time network: 147s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 08-06-2024 11:28

Behavioral task: behavioral1
Sample: 2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe
Resource: win7-20240508-en
General
Target: 2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 7be062e05b3c591d4d7fc80903c42aab
SHA1: 86bf3ee709ed2183bcf3433d656fe5b73ce15bd2
SHA256: 12b3dc830000aac20afd4832dd577be16bfef67e35c377823c14947f4b758d74
SHA512: f7cf3389c8f95756d4df326a534a6830924cee8ec302a3303032095089425cb3940900ead11b6b0d04b387f6838330e1acdf4344c8d7a80c18b50101fa9439d2
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:Q+856utgpPF8u/7m
Malware Config
Extracted
cobaltstrike
0
C2:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host (host, http-get URI):
ns7.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
ns8.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
ns9.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
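The two http_header values above are not HTTP headers as such but Beacon's Malleable C2 transform programs: a sequence of big-endian 32-bit opcodes, each optionally followed by a length-prefixed string, terminated by opcode 0. The decoder below is an added example written for this page, not the sandbox's extractor and not code from the sample; its opcode table is reconstructed from public Beacon config parsers (an assumption as far as this page goes), and the three constants are the page's own values with the trailing zero padding of each config slot trimmed. Decoding them recovers the client blocks of the widely circulated amazon.profile: the http-get request carries the base64 session metadata in a Cookie header behind session-token=, and the http-post request sends the session id as the sn parameter with the output base64-encoded in the body. That also settles which URI is which: the /s/ref=nb_sb_noss_1/... path on the C2 lines is the http-get URI, and the separate uri field /N4215/adj/amzn.us.sr.aps is the http-post URI. The field the sandbox labels state_machine is a base64 DER SubjectPublicKeyInfo (the MIGfMA0GCSqGSIb3DQEBAQUAA4GN prefix is the rsaEncryption header), i.e. the team server public key Beacon uses to encrypt its session metadata; the last function walks that structure to confirm the key type and size. The small integer fields (beacon_type 256, access_type 512, create_remote_thread 768, crypto_scheme 256) are shown as raw values and do not correspond to Beacon's documented enumerations (beacon_type 0 = HTTP, 8 = HTTPS), so the example does not interpret them.

```python
import base64
import struct

# Beacon transform-program opcodes (the http-get/http-post "client" steps encoded in
# http_header1/http_header2). Reconstructed from public Beacon config parsers, not
# from this page; opcode 0 ends the program. This sample uses 1-7, 9 and 10 only.
OPCODES = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
           6: "header", 7: "build", 8: "netbios", 9: "const_parameter", 10: "const_header",
           11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep", 15: "mask",
           16: "const_host_header"}
ONE_STRING = {1, 2, 5, 6, 9, 10, 16}                        # opcode, u32 length, bytes
TERMINALS = {"header", "parameter", "print", "uri_append"}  # last step of a build block
RSA_OID = bytes.fromhex("06092a864886f70d010101")           # id rsaEncryption

# Values from the extracted config above, with the zero padding that follows the
# program terminator (or the DER structure) in each config slot trimmed off.
HTTP_HEADER1 = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMA"
                "AAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0y"
                "NEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAA")
HTTP_HEADER2 = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0"
                "ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4"
                "NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAA"
                "ACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAA")
PUBLIC_KEY = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5Qw"   # "state_machine"
              "vI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XY"
              "kS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQAB")


def _b64decode(s):
    s = s.strip().rstrip("=")                    # tolerate the padded page values too
    return base64.b64decode(s + "=" * (-len(s) % 4))

def _u32(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError(f"transform program truncated at offset {pos}")
    return struct.unpack_from(">I", buf, pos)[0], pos + 4

def _lpstr(buf, pos):
    n, pos = _u32(buf, pos)
    if pos + n > len(buf):
        raise ValueError(f"string of {n} bytes overruns the blob at offset {pos}")
    return buf[pos:pos + n].decode("latin-1"), pos + n

def decode_transform(b64, post=False):
    """Decode a transform blob into [(op_name, arg), ...]; `post` names build targets
    the http-post way (0 = id, 1 = output) instead of 0 = metadata."""
    buf, pos, steps = _b64decode(b64), 0, []
    while True:
        op, pos = _u32(buf, pos)
        if op == 0:
            return steps
        if op not in OPCODES:
            raise ValueError(f"unknown opcode {op} at offset {pos - 4}")
        if op in ONE_STRING:
            arg, pos = _lpstr(buf, pos)
        elif op == 14:                               # strrep "old" "new"
            old, pos = _lpstr(buf, pos)
            new, pos = _lpstr(buf, pos)
            arg = (old, new)
        elif op == 7:                                # build <target>
            target, pos = _u32(buf, pos)
            arg = ({0: "id", 1: "output"} if post else {0: "metadata"}).get(target, str(target))
        else:
            arg = None
        steps.append((OPCODES[op], arg))

def render_client(steps):
    """Render decoded steps as the lines of a Malleable C2 client { } block."""
    lines, indent = [], ""
    for name, arg in steps:
        if name == "const_header":                   # stored as "Name: value"
            key, val = arg.split(": ", 1)
            lines.append(f'header "{key}" "{val}";')
        elif name == "const_parameter":              # stored as "key=value"
            key, val = arg.split("=", 1)
            lines.append(f'parameter "{key}" "{val}";')
        elif name == "build":
            lines.append(f"{arg} {{")
            indent = "    "
        else:
            args = () if arg is None else (arg if isinstance(arg, tuple) else (arg,))
            lines.append(indent + name + "".join(f' "{a}"' for a in args) + ";")
            if name in TERMINALS:                    # header/parameter/print close the block
                lines.append("}")
                indent = ""
    return lines

def _der_tlv(buf, pos):
    """Minimal DER reader: returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(b64):
    """Modulus size of a base64 DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, spki, _ = _der_tlv(_b64decode(b64), 0)      # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _der_tlv(spki, 0)                  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bits, _ = _der_tlv(spki, pos)                 # subjectPublicKey BIT STRING
    _, rsa, _ = _der_tlv(bits, 1)                    # skip unused-bits byte: RSAPublicKey
    _, modulus, _ = _der_tlv(rsa, 0)                 # INTEGER n
    return len(modulus.lstrip(b"\x00")) * 8

if __name__ == "__main__":
    print("http-get client:\n" + "\n".join(render_client(decode_transform(HTTP_HEADER1))))
    print("http-post client:\n" + "\n".join(render_client(decode_transform(HTTP_HEADER2, post=True))))
    print("team server public key: RSA", rsa_modulus_bits(PUBLIC_KEY), "bit")
```

Running the file prints the reconstructed http-get and http-post client blocks and the key size (1024 bit for this sample). The decoder refuses to return a partial program: a truncated blob, a string length that overruns the data, or an opcode outside the table raises ValueError, so a mis-extracted config fails loudly instead of producing a plausible-looking half profile.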
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Matches (yara_rule = cobalt_reflective_dll), one resource per line:
\Windows\system\MRDJPoS.exe
\Windows\system\YFnMeUJ.exe
\Windows\system\GrGafSY.exe
C:\Windows\system\LcIeYhC.exe
C:\Windows\system\xavoPdy.exe
C:\Windows\system\LoHaSld.exe
C:\Windows\system\jOklegk.exe
C:\Windows\system\essutVN.exe
C:\Windows\system\jYlRoWJ.exe
\Windows\system\dHJURQd.exe
C:\Windows\system\pLxvdGk.exe
C:\Windows\system\nEpFbEy.exe
C:\Windows\system\HuIrgKK.exe
C:\Windows\system\pZHICls.exe
C:\Windows\system\zZJDGBQ.exe
C:\Windows\system\saJaHgk.exe
C:\Windows\system\RGMCEbf.exe
C:\Windows\system\xlyWglb.exe
C:\Windows\system\VPuhNnv.exe
C:\Windows\system\XRcXfVW.exe
C:\Windows\system\MSteZfr.exe
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Detects Reflective DLL injection artifacts (21 IoCs)
Matches (yara_rule = INDICATOR_SUSPICIOUS_ReflectiveLoader), one resource per line:
\Windows\system\MRDJPoS.exe
\Windows\system\YFnMeUJ.exe
\Windows\system\GrGafSY.exe
C:\Windows\system\LcIeYhC.exe
C:\Windows\system\xavoPdy.exe
C:\Windows\system\LoHaSld.exe
C:\Windows\system\jOklegk.exe
C:\Windows\system\essutVN.exe
C:\Windows\system\jYlRoWJ.exe
\Windows\system\dHJURQd.exe
C:\Windows\system\pLxvdGk.exe
C:\Windows\system\nEpFbEy.exe
C:\Windows\system\HuIrgKK.exe
C:\Windows\system\pZHICls.exe
C:\Windows\system\zZJDGBQ.exe
C:\Windows\system\saJaHgk.exe
C:\Windows\system\RGMCEbf.exe
C:\Windows\system\xlyWglb.exe
C:\Windows\system\VPuhNnv.exe
C:\Windows\system\XRcXfVW.exe
C:\Windows\system\MSteZfr.exe
UPX dump on OEP (original entry point) (64 IoCs)
Matches (yara_rule = UPX), one resource per line:
behavioral1/memory/2196-1-0x000000013F8F0000-0x000000013FC44000-memory.dmp
\Windows\system\MRDJPoS.exe
behavioral1/memory/1740-8-0x000000013FF40000-0x0000000140294000-memory.dmp
\Windows\system\YFnMeUJ.exe
behavioral1/memory/2196-12-0x0000000002330000-0x0000000002684000-memory.dmp
behavioral1/memory/2204-14-0x000000013F970000-0x000000013FCC4000-memory.dmp
\Windows\system\GrGafSY.exe
behavioral1/memory/2628-23-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\LcIeYhC.exe
behavioral1/memory/2760-41-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\xavoPdy.exe
behavioral1/memory/2204-55-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\LoHaSld.exe
behavioral1/memory/2512-67-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/2640-73-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-79-0x000000013F110000-0x000000013F464000-memory.dmp
behavioral1/memory/2732-88-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2800-103-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\jOklegk.exe
C:\Windows\system\essutVN.exe
C:\Windows\system\jYlRoWJ.exe
\Windows\system\dHJURQd.exe
C:\Windows\system\pLxvdGk.exe
C:\Windows\system\nEpFbEy.exe
behavioral1/memory/2552-110-0x000000013FD60000-0x00000001400B4000-memory.dmp
C:\Windows\system\HuIrgKK.exe
behavioral1/memory/696-95-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/2652-94-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/1668-142-0x000000013FA50000-0x000000013FDA4000-memory.dmp
behavioral1/memory/2760-101-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\pZHICls.exe
C:\Windows\system\zZJDGBQ.exe
behavioral1/memory/1644-89-0x000000013FFF0000-0x0000000140344000-memory.dmp
C:\Windows\system\saJaHgk.exe
C:\Windows\system\RGMCEbf.exe
behavioral1/memory/2628-65-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\xlyWglb.exe
behavioral1/memory/2552-50-0x000000013FD60000-0x00000001400B4000-memory.dmp
behavioral1/memory/1740-49-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\VPuhNnv.exe
behavioral1/memory/1668-56-0x000000013FA50000-0x000000013FDA4000-memory.dmp
C:\Windows\system\XRcXfVW.exe
behavioral1/memory/2652-38-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/2196-36-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\MSteZfr.exe
behavioral1/memory/2732-33-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2640-145-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-147-0x000000013F110000-0x000000013F464000-memory.dmp
behavioral1/memory/696-149-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/2800-151-0x000000013FAF0000-0x000000013FE44000-memory.dmp
behavioral1/memory/1740-153-0x000000013FF40000-0x0000000140294000-memory.dmp
behavioral1/memory/2628-154-0x000000013F310000-0x000000013F664000-memory.dmp
behavioral1/memory/2652-156-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/2732-155-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2760-159-0x000000013F800000-0x000000013FB54000-memory.dmp
behavioral1/memory/2512-161-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/2552-160-0x000000013FD60000-0x00000001400B4000-memory.dmp
behavioral1/memory/2204-158-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/1668-157-0x000000013FA50000-0x000000013FDA4000-memory.dmp
behavioral1/memory/2640-162-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-163-0x000000013F110000-0x000000013F464000-memory.dmp
behavioral1/memory/1644-164-0x000000013FFF0000-0x0000000140344000-memory.dmp
behavioral1/memory/696-165-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/2800-166-0x000000013FAF0000-0x000000013FE44000-memory.dmp
XMRig Miner payload (64 IoCs)
Matches (yara_rule = xmrig), one resource per line:
behavioral1/memory/2196-1-0x000000013F8F0000-0x000000013FC44000-memory.dmp
\Windows\system\MRDJPoS.exe
behavioral1/memory/1740-8-0x000000013FF40000-0x0000000140294000-memory.dmp
\Windows\system\YFnMeUJ.exe
behavioral1/memory/2196-12-0x0000000002330000-0x0000000002684000-memory.dmp
behavioral1/memory/2204-14-0x000000013F970000-0x000000013FCC4000-memory.dmp
\Windows\system\GrGafSY.exe
behavioral1/memory/2628-23-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\LcIeYhC.exe
behavioral1/memory/2760-41-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\xavoPdy.exe
behavioral1/memory/2204-55-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\LoHaSld.exe
behavioral1/memory/2512-67-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/2640-73-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-79-0x000000013F110000-0x000000013F464000-memory.dmp
behavioral1/memory/2732-88-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2800-103-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\jOklegk.exe
C:\Windows\system\essutVN.exe
C:\Windows\system\jYlRoWJ.exe
\Windows\system\dHJURQd.exe
C:\Windows\system\pLxvdGk.exe
C:\Windows\system\nEpFbEy.exe
behavioral1/memory/2552-110-0x000000013FD60000-0x00000001400B4000-memory.dmp
C:\Windows\system\HuIrgKK.exe
behavioral1/memory/696-95-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/2652-94-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/1668-142-0x000000013FA50000-0x000000013FDA4000-memory.dmp
behavioral1/memory/2760-101-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\pZHICls.exe
C:\Windows\system\zZJDGBQ.exe
behavioral1/memory/2196-91-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/1644-89-0x000000013FFF0000-0x0000000140344000-memory.dmp
C:\Windows\system\saJaHgk.exe
C:\Windows\system\RGMCEbf.exe
behavioral1/memory/2196-143-0x0000000002330000-0x0000000002684000-memory.dmp
behavioral1/memory/2196-66-0x0000000002330000-0x0000000002684000-memory.dmp
behavioral1/memory/2628-65-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\xlyWglb.exe
behavioral1/memory/2552-50-0x000000013FD60000-0x00000001400B4000-memory.dmp
behavioral1/memory/1740-49-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\VPuhNnv.exe
behavioral1/memory/1668-56-0x000000013FA50000-0x000000013FDA4000-memory.dmp
C:\Windows\system\XRcXfVW.exe
behavioral1/memory/2652-38-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/2196-36-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\MSteZfr.exe
behavioral1/memory/2732-33-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2640-145-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-147-0x000000013F110000-0x000000013F464000-memory.dmp
behavioral1/memory/696-149-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/2800-151-0x000000013FAF0000-0x000000013FE44000-memory.dmp
behavioral1/memory/1740-153-0x000000013FF40000-0x0000000140294000-memory.dmp
behavioral1/memory/2628-154-0x000000013F310000-0x000000013F664000-memory.dmp
behavioral1/memory/2652-156-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/2732-155-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2760-159-0x000000013F800000-0x000000013FB54000-memory.dmp
behavioral1/memory/2512-161-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/2552-160-0x000000013FD60000-0x00000001400B4000-memory.dmp
behavioral1/memory/2204-158-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/1668-157-0x000000013FA50000-0x000000013FDA4000-memory.dmp
behavioral1/memory/2640-162-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-163-0x000000013F110000-0x000000013F464000-memory.dmp
Executes dropped EXE (21 IoCs)
pid   process
1740  MRDJPoS.exe
2204  YFnMeUJ.exe
2628  GrGafSY.exe
2732  XRcXfVW.exe
2652  MSteZfr.exe
2760  LcIeYhC.exe
2552  VPuhNnv.exe
1668  xavoPdy.exe
2512  LoHaSld.exe
2640  xlyWglb.exe
2156  RGMCEbf.exe
1644  saJaHgk.exe
696   zZJDGBQ.exe
2800  pZHICls.exe
2952  HuIrgKK.exe
1224  jOklegk.exe
1996  nEpFbEy.exe
1212  essutVN.exe
2256  pLxvdGk.exe
576   jYlRoWJ.exe
1392  dHJURQd.exe
Loads dropped DLL (21 IoCs)
pid   process
2196  2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe
(the same pid/process pair is recorded for all 21 entries)
Matches (yara_rule = upx), one resource per line:
behavioral1/memory/2196-1-0x000000013F8F0000-0x000000013FC44000-memory.dmp
\Windows\system\MRDJPoS.exe
behavioral1/memory/1740-8-0x000000013FF40000-0x0000000140294000-memory.dmp
\Windows\system\YFnMeUJ.exe
behavioral1/memory/2196-12-0x0000000002330000-0x0000000002684000-memory.dmp
behavioral1/memory/2204-14-0x000000013F970000-0x000000013FCC4000-memory.dmp
\Windows\system\GrGafSY.exe
behavioral1/memory/2628-23-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\LcIeYhC.exe
behavioral1/memory/2760-41-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\xavoPdy.exe
behavioral1/memory/2204-55-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\LoHaSld.exe
behavioral1/memory/2512-67-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/2640-73-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-79-0x000000013F110000-0x000000013F464000-memory.dmp
behavioral1/memory/2732-88-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2800-103-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\jOklegk.exe
C:\Windows\system\essutVN.exe
C:\Windows\system\jYlRoWJ.exe
\Windows\system\dHJURQd.exe
C:\Windows\system\pLxvdGk.exe
C:\Windows\system\nEpFbEy.exe
behavioral1/memory/2552-110-0x000000013FD60000-0x00000001400B4000-memory.dmp
C:\Windows\system\HuIrgKK.exe
behavioral1/memory/696-95-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/2652-94-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/1668-142-0x000000013FA50000-0x000000013FDA4000-memory.dmp
behavioral1/memory/2760-101-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\pZHICls.exe
C:\Windows\system\zZJDGBQ.exe
behavioral1/memory/1644-89-0x000000013FFF0000-0x0000000140344000-memory.dmp
C:\Windows\system\saJaHgk.exe
C:\Windows\system\RGMCEbf.exe
behavioral1/memory/2628-65-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\xlyWglb.exe
behavioral1/memory/2552-50-0x000000013FD60000-0x00000001400B4000-memory.dmp
behavioral1/memory/1740-49-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\VPuhNnv.exe
behavioral1/memory/1668-56-0x000000013FA50000-0x000000013FDA4000-memory.dmp
C:\Windows\system\XRcXfVW.exe
behavioral1/memory/2652-38-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/2196-36-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\MSteZfr.exe
behavioral1/memory/2732-33-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2640-145-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-147-0x000000013F110000-0x000000013F464000-memory.dmp
behavioral1/memory/696-149-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/2800-151-0x000000013FAF0000-0x000000013FE44000-memory.dmp
behavioral1/memory/1740-153-0x000000013FF40000-0x0000000140294000-memory.dmp
behavioral1/memory/2628-154-0x000000013F310000-0x000000013F664000-memory.dmp
behavioral1/memory/2652-156-0x000000013F680000-0x000000013F9D4000-memory.dmp
behavioral1/memory/2732-155-0x000000013FB70000-0x000000013FEC4000-memory.dmp
behavioral1/memory/2760-159-0x000000013F800000-0x000000013FB54000-memory.dmp
behavioral1/memory/2512-161-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/2552-160-0x000000013FD60000-0x00000001400B4000-memory.dmp
behavioral1/memory/2204-158-0x000000013F970000-0x000000013FCC4000-memory.dmp
behavioral1/memory/1668-157-0x000000013FA50000-0x000000013FDA4000-memory.dmp
behavioral1/memory/2640-162-0x000000013FE60000-0x00000001401B4000-memory.dmp
behavioral1/memory/2156-163-0x000000013F110000-0x000000013F464000-memory.dmp
behavioral1/memory/1644-164-0x000000013FFF0000-0x0000000140344000-memory.dmp
behavioral1/memory/696-165-0x000000013F4D0000-0x000000013F824000-memory.dmp
behavioral1/memory/2800-166-0x000000013FAF0000-0x000000013FE44000-memory.dmp
Drops file in Windows directory (21 IoCs)
All 21 entries are "File created" by 2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe:
C:\Windows\System\dHJURQd.exe
C:\Windows\System\YFnMeUJ.exe
C:\Windows\System\GrGafSY.exe
C:\Windows\System\LcIeYhC.exe
C:\Windows\System\VPuhNnv.exe
C:\Windows\System\nEpFbEy.exe
C:\Windows\System\MSteZfr.exe
C:\Windows\System\zZJDGBQ.exe
C:\Windows\System\HuIrgKK.exe
C:\Windows\System\pLxvdGk.exe
C:\Windows\System\essutVN.exe
C:\Windows\System\XRcXfVW.exe
C:\Windows\System\xavoPdy.exe
C:\Windows\System\RGMCEbf.exe
C:\Windows\System\pZHICls.exe
C:\Windows\System\jOklegk.exe
C:\Windows\System\MRDJPoS.exe
C:\Windows\System\LoHaSld.exe
C:\Windows\System\xlyWglb.exe
C:\Windows\System\saJaHgk.exe
C:\Windows\System\jYlRoWJ.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
token                  pid   process
SeLockMemoryPrivilege  2196  2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe
SeLockMemoryPrivilege  2196  2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe
SeLockMemoryPrivilege is the privilege required to allocate large pages; XMRig requests it to enable huge pages for its hashing scratchpad, which lines up with the xmrig YARA matches above.
Suspicious use of WriteProcessMemory (63 IoCs)
Source process: 2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe (PID 2196). Each target is recorded three times, giving 63 entries for 21 target processes.
source pid  target pid  target process  entries
2196        1740        MRDJPoS.exe     3
2196        2204        YFnMeUJ.exe     3
2196        2628        GrGafSY.exe     3
2196        2732        XRcXfVW.exe     3
2196        2760        LcIeYhC.exe     3
2196        2652        MSteZfr.exe     3
2196        2552        VPuhNnv.exe     3
2196        1668        xavoPdy.exe     3
2196        2512        LoHaSld.exe     3
2196        2640        xlyWglb.exe     3
2196        2156        RGMCEbf.exe     3
2196        1644        saJaHgk.exe     3
2196        696         zZJDGBQ.exe     3
2196        2800        pZHICls.exe     3
2196        2952        HuIrgKK.exe     3
2196        1224        jOklegk.exe     3
2196        1996        nEpFbEy.exe     3
2196        1212        essutVN.exe     3
2196        2256        pLxvdGk.exe     3
2196        576         jYlRoWJ.exe     3
2196        1392        dHJURQd.exe     3
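Taken together, the "Drops file in Windows directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" tables describe one behaviour: a single process writes 21 executables with seven-letter mixed-case names into C:\Windows\System\ and then starts each of them as a direct child. The detector below is an added example, not Triage output and not code from the page; it runs over a constructed Sysmon-like event stream (FileCreate and ProcessCreate records with pid, ppid, image and target fields, all assumed names) whose first eight records mirror the report's parent PID, file paths and child PIDs, plus two benign records added so the rule has something to ignore. The alert keys on the parent/child link between the file writer and the new process rather than on the file names, and reports the name pattern only as a secondary signal, since the names are the part an operator changes most easily.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style event stream (not sandbox output). The first eight
# records mirror this report's drop/execute tables; the last two are benign noise.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe")
EVENTS = [
    {"event": "FileCreate", "pid": 2196, "image": DROPPER, "target": r"C:\Windows\System\MRDJPoS.exe"},
    {"event": "FileCreate", "pid": 2196, "image": DROPPER, "target": r"C:\Windows\System\YFnMeUJ.exe"},
    {"event": "FileCreate", "pid": 2196, "image": DROPPER, "target": r"C:\Windows\System\GrGafSY.exe"},
    {"event": "FileCreate", "pid": 2196, "image": DROPPER, "target": r"C:\Windows\System\XRcXfVW.exe"},
    {"event": "ProcessCreate", "pid": 1740, "ppid": 2196, "image": r"C:\Windows\System\MRDJPoS.exe"},
    {"event": "ProcessCreate", "pid": 2204, "ppid": 2196, "image": r"C:\Windows\System\YFnMeUJ.exe"},
    {"event": "ProcessCreate", "pid": 2628, "ppid": 2196, "image": r"C:\Windows\System\GrGafSY.exe"},
    {"event": "ProcessCreate", "pid": 2732, "ppid": 2196, "image": r"C:\Windows\System\XRcXfVW.exe"},
    # Benign (assumed): an installer writes one DLL under the Windows tree but never
    # runs it, and explorer.exe starts notepad.exe, which nobody dropped.
    {"event": "FileCreate", "pid": 812, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\vendor_helper.dll"},
    {"event": "ProcessCreate", "pid": 3050, "ppid": 1400, "image": r"C:\Windows\System32\notepad.exe"},
]

WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)  # seven-letter names as in the report
MIN_DROPPED_EXECUTED = 3                                     # alert threshold; tunable


def find_drop_and_execute(events, threshold=MIN_DROPPED_EXECUTED):
    """Flag processes that create executables under C:\\Windows\\ and then start them
    as direct children. Events must be in time order: a file is only "dropped"
    once its FileCreate has been seen, so an earlier ProcessCreate does not count."""
    dropped = defaultdict(set)      # creator pid -> lower-cased paths it wrote
    creator_image = {}              # creator pid -> its image path
    executed = defaultdict(list)    # creator pid -> [(child pid, path)] of dropped files it ran
    for ev in events:
        if ev["event"] == "FileCreate" and WINDOWS_DIR.match(ev["target"]):
            dropped[ev["pid"]].add(ev["target"].lower())
            creator_image[ev["pid"]] = ev["image"]
        elif ev["event"] == "ProcessCreate" and ev["image"].lower() in dropped.get(ev["ppid"], ()):
            executed[ev["ppid"]].append((ev["pid"], ev["image"]))
    alerts = []
    for ppid, children in executed.items():
        if len(children) < threshold:
            continue
        names = [path.rsplit("\\", 1)[-1] for _, path in children]
        alerts.append({
            "parent_pid": ppid,
            "parent_image": creator_image[ppid],
            "dropped_and_executed": children,
            "all_random_names": all(RANDOM_NAME.match(n) for n in names),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_drop_and_execute(EVENTS):
        print(f"PID {alert['parent_pid']} ({alert['parent_image']}) dropped and executed "
              f"{len(alert['dropped_and_executed'])} files; all seven-letter names: "
              f"{alert['all_random_names']}")
        for pid, path in alert["dropped_and_executed"]:
            print(f"    -> PID {pid} {path}")
```

On the constructed stream this yields one alert for PID 2196 with four dropped-and-executed children; the msiexec.exe write is ignored because nothing executes the file, and notepad.exe is ignored because its parent never wrote it. The threshold is what keeps a legitimate installer that drops and runs a single helper below the line; on the real report the count would be 21.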
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe"
Tree depth: 1
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
-
C:\Windows\System\MRDJPoS.exe
Command line: C:\Windows\System\MRDJPoS.exe
Tree depth: 2
- Executes dropped EXE
PID:1740
-
C:\Windows\System\YFnMeUJ.exe
Command line: C:\Windows\System\YFnMeUJ.exe
Tree depth: 2
- Executes dropped EXE
PID:2204
-
C:\Windows\System\GrGafSY.exe
Command line: C:\Windows\System\GrGafSY.exe
Tree depth: 2
- Executes dropped EXE
PID:2628
-
C:\Windows\System\XRcXfVW.exe
Command line: C:\Windows\System\XRcXfVW.exe
Tree depth: 2
- Executes dropped EXE
PID:2732
-
C:\Windows\System\LcIeYhC.exe
Command line: C:\Windows\System\LcIeYhC.exe
Tree depth: 2
- Executes dropped EXE
PID:2760
-
C:\Windows\System\MSteZfr.exe
Command line: C:\Windows\System\MSteZfr.exe
Tree depth: 2
- Executes dropped EXE
PID:2652
-
C:\Windows\System\VPuhNnv.exe
Command line: C:\Windows\System\VPuhNnv.exe
Tree depth: 2
- Executes dropped EXE
PID:2552
-
C:\Windows\System\xavoPdy.exe
Command line: C:\Windows\System\xavoPdy.exe
Tree depth: 2
- Executes dropped EXE
PID:1668
-
C:\Windows\System\LoHaSld.exe
Command line: C:\Windows\System\LoHaSld.exe
Tree depth: 2
- Executes dropped EXE
PID:2512
-
C:\Windows\System\xlyWglb.exe
Command line: C:\Windows\System\xlyWglb.exe
Tree depth: 2
- Executes dropped EXE
PID:2640
-
C:\Windows\System\RGMCEbf.exe
Command line: C:\Windows\System\RGMCEbf.exe
Tree depth: 2
- Executes dropped EXE
PID:2156
-
C:\Windows\System\saJaHgk.exe
Command line: C:\Windows\System\saJaHgk.exe
Tree depth: 2
- Executes dropped EXE
PID:1644
-
C:\Windows\System\zZJDGBQ.exe
Command line: C:\Windows\System\zZJDGBQ.exe
Tree depth: 2
- Executes dropped EXE
PID:696
-
C:\Windows\System\pZHICls.exe
Command line: C:\Windows\System\pZHICls.exe
Tree depth: 2
- Executes dropped EXE
PID:2800
-
C:\Windows\System\HuIrgKK.exe
Command line: C:\Windows\System\HuIrgKK.exe
Tree depth: 2
- Executes dropped EXE
PID:2952
-
C:\Windows\System\jOklegk.exe
Command line: C:\Windows\System\jOklegk.exe
Tree depth: 2
- Executes dropped EXE
PID:1224
-
C:\Windows\System\nEpFbEy.exe
Command line: C:\Windows\System\nEpFbEy.exe
Tree depth: 2
- Executes dropped EXE
PID:1996
-
C:\Windows\System\essutVN.exe
Command line: C:\Windows\System\essutVN.exe
Tree depth: 2
- Executes dropped EXE
PID:1212
-
C:\Windows\System\pLxvdGk.exe
Command line: C:\Windows\System\pLxvdGk.exe
Tree depth: 2
- Executes dropped EXE
PID:2256
-
C:\Windows\System\jYlRoWJ.exe
Command line: C:\Windows\System\jYlRoWJ.exe
Tree depth: 2
- Executes dropped EXE
PID:576
-
C:\Windows\System\dHJURQd.exe
Command line: C:\Windows\System\dHJURQd.exe
Tree depth: 2
- Executes dropped EXE
PID:1392
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.9MB
MD5
4bca5221cf37d7cfb86fad8aeea0cd8b
SHA1
4f90cfb3a92151e33a8db0dab8ddd3f91ea64e59
SHA256
56f931fc7e31ec2720b75740701353b7d3393bb18cdf856a4f0e40b3946ca882
SHA512
efc814ea7fae6e9dd82a1e82bdd8b00c615b9783bdf2ea9e5aeb0683b566f5a9d6e1bbd81f8b79466ccda2a10e525b587b5ad87e26f2b6ade4692624b37d8fbb
-
Filesize
5.9MB
MD5
1e23ef7c144dda42d898b6e43b28c0f1
SHA1
6dc37894fd7edfd930a43d8fe77dcb30c99ffc62
SHA256
571ae1fa5a527d346df607875861bd4efbe264d63e43b7198478a684775f4f96
SHA512
f57e676dd5a7b091616f9aef0f53cdcb4fdb32518d9ef7d93e0a8ea10088c699cd70423b87cba118bfacdb4079fced461d2e534688cba2d9663298d9735d6028
-
Filesize
5.9MB
MD5
e0fc82cdd0e9e7b46741dfaa237b17fa
SHA1
0a022bdec6a30a58ff325ae8d26a06ca87039c11
SHA256
4feea3a28404144af4f3b7641295f09b96cfd5a0d8c56dee10b6846cf635fd93
SHA512
4450f751e3e6435387230bff24bfea38ba87c62a65d9ab31f61209134dd01f4690b32ad12d60873c5f0d07ea8c5735103df49609e1ebb75fecef7c74d58ebd8d
-
Filesize
5.9MB
MD5
9e3b142fec52847cd19a1d1a8d7f771e
SHA1
d2bb66aa63c102ad88eab77ef2e8d833478027d7
SHA256
e1365f0bf7a7ecd4c71d9f2b7cdc79725059005d6ca437bf2a36fa01b0f07567
SHA512
c2ba4216cfd94c33d3519d127f50bcf9b0a1c40a64c70e41c18e90a8ee7fcab192f786dbc9b78813c9c24c9e8d117e6cbe56785abf10840f0c8d6b7a3eb92705
-
Filesize
5.9MB
MD5
c5130c45fd6a72fefa8c87ffac0520c7
SHA1
d648b5b9a1b4fc1193f773298679887e94a068f1
SHA256
f986a3904732395deed6af3e9413d0dcc081312cb7bb4ac2529ac564522ef51f
SHA512
05a4c6a1b7c897f998ef3c287bfb93cd925f53240f3034a9737902804a2d4178725c6a220c47bf5e959f27ba49ab374386e037887c1c41eb4cc3ff4fd04d1e2d
-
Filesize
5.9MB
MD5
180bae2512e5272758ec4b140e59d08e
SHA1
478f08f611f1571b4253d6395d35e606286e0d49
SHA256
f101b31c2026d98a2f467ed8ae2d179b4efed4f40002dfa6569931167d94ce16
SHA512
a3fd7887ed89538f2d40787e09546b45db2217415ac799af78a9005aa12dc4744002652ea06d1139fd2df9c3be10c99b078f639be5e85c9ae2a5df9e37cec5b4
-
Filesize
5.9MB
MD5
b874d39af76a40ac8818ecca24eb120d
SHA1
ea7ea790cfba7c72556587394e3d6357c96c0c07
SHA256
9041d319dfe32d9ac2f4616fdbf85c47977992ff6663441661a03d49b97bd10c
SHA512
cdba7cedd378ff6a647449e7d9403ed3ff754e74ef4365392854bc0a7d3e54e999827fd52d028d36a292c3fe44446dffe7b4ce76bca725d1f9fd0098a0ebc1a0
-
Filesize
5.9MB
MD5
9631edf84329d7da54ce0335dad1c6b8
SHA1
9693e708161186e4f4fd0ad1da9b1619c10b8b4f
SHA256
19f75fd3914f6e4c29765e8094a016e44e338b2f0a25fb41c11e1daac79dc398
SHA512
cc970e5aef6194442a1b58ac9fc4fa8a9f9ab4f8e2f64b7460fa3fdd37501e6e3fa95ed06ede20e0bedad9684a7421770ee06cd55b11d33a2d631fdf8e9f79dc
-
Filesize
5.9MB
MD5
bc449aa88a154ad0712cedacf19561b7
SHA1
2967854e76154ca69b98c1555bf2e321e4bd9863
SHA256
a75d02486dd4c3680e47eb070fb26684f2f8fdbde3d8b50afb76384e056b6bba
SHA512
f70e0b7215607f149abae27bda965e48e0f3639781ed704f495cb363b4bd467d94790a3e292a4c9be0b9879bde7584ac73869cc64097904d63f4caa8d20278bd
-
Filesize
5.9MB
MD5
b891a1309030a3005b54813b3d3329dc
SHA1
9375368521a975e6429e78fe24e749f5fd42c697
SHA256
b2949df328561674e0276cba1b38b1d9e338275bfbd7be960da6fa8233e80c94
SHA512
5bf2bb12d63d5ba996a24f0c49622605890759a34d6d9a8e8b1423508599c3ca5f30d904a65a5133b45b4c133c118a0aad3b0921e8e9638cdda566c2b21aebda
-
Filesize
5.9MB
MD5
c98ab2ba7fc0cc590277ae74e729ac97
SHA1
406c8733b3d46b217a627ab5adaddbabf80640aa
SHA256
72d9c3164e5bc5a0056f0d61e5f933dca7843fbe5cb787c60cbaea6f3c4c5eb9
SHA512
83a7736e8e2f611d1275bdcaadddc4be6f0e926f5cea75d098251749b2a05fba571b4f21ce94ae321e82e0195eef199c13db434e58d415277f035333c48675f7
-
Filesize
5.9MB
MD5
ec0f6bd61b4d5a1d3cabf3ba241d3e21
SHA1
1eda5d8ae2e8a26e5beff639e1e6f416ed50469d
SHA256
95aba526d5249b74f0d67eadeca8354d1651db5a6c2b9429707f315e47fc7bad
SHA512
e6e2cc07e0fc015020d610aa23f07eb0d90671a09cbb1a5f1777fa376813c912b5a1e1bcbcd7c8d9c5df32d53a7ec0c97585eb87a81f4efac0e55c984f79894f
-
Filesize
5.9MB
MD5
f7f3b3dd553eb608ea449129c334de36
SHA1
7b7f2ee3f5ab2c3c2f5127c83b60ea183061a423
SHA256
d5581fc5c111d32f06992c082970eac7ce921f6ddcc9185ad59b540d7e162f28
SHA512
523e564ac62cf5a38102142feb278dc3de36d821f153bcb33a574c49444422f240af6c74448cd5d43b228997de2f2c02f5707f7bcc91bdbd91a209e3cb8544eb
-
Filesize
5.9MB
MD5
5ac4060bad10d6bc3ba12b2e873f9a7a
SHA1
c087dedba0ed092cd7dee31fc5faaa24428b7416
SHA256
d6ca176addd87ce541c671398b40ffbf8a0b02fe2c489f0f526eace5681a293e
SHA512
10085ab542c705ae5f9c2c386c35904579d35c83e04c8a488879b548ab4303cabea3f3dd2d96c85f695cec21b07613263fd833e0579112b3d45a69bb684f0fc7
-
Filesize
5.9MB
MD5
4eb849f56e03b664837b29168b6c1666
SHA1
abe50d6a591b17e4277bb1c0088f5ab4b283860b
SHA256
3d86268ce96eeb78bf03178e32e99bde553de14c92e2f6431a685d3832a026eb
SHA512
681d0fdbea8653685a47da7b2e3572aa422f8c7718b390eb6ff50ca28d3ce5b2b4f15e034220183f8627cb6368c7aa3747f68432696554348fb6a24854cd4bf9
-
Filesize
5.9MB
MD5
877605930e52169d74f1cd81dea5fade
SHA1
222cdc1738ba0063a1578b0f1c1504be546e8c07
SHA256
ac030bbf6391c0c92b24e081f814239eaab875d3f576bf43b42c2b66022a109e
SHA512
680ffcefcc03ee9171114af60998949ab8986cf4feee0e879e5de0c3c9b820a62d9aa996f56a42ec0e268ade49263fe9dea0b65ceb9c63ae55ac3250b4c485d4
-
Filesize
5.9MB
MD5
51b0736a5a843661d2a4f82b42382b8e
SHA1
5c5cf07176499ac6c6f9ed0e29f6d0b0dbca5339
SHA256
54551f3a229436bf826974c21bc8803b961df1f19f4fb689bd10bc7611d6508c
SHA512
1d6dda3165e5d580dac65c9cb6111b980de6930e76f8a52c672ae110916c90ae6e53a949b4887e5562cc1f52d4fade8bac38bed1be9cadb84563f1089ff080d2
-
Filesize
5.9MB
MD5
c65b0fb3ac45486fd1aab366aa7ad185
SHA1
07640c9687d1f352fe641ec80c220d0c8cb54865
SHA256
f854f8513cd5a034994cf93c949265dc1a7da0357887677a421a682c654a083d
SHA512
432bc876a6dc08413324e23a05289e3415d36082d97b682fe25fda05f27422271cc035c8b46dccb8002c663fa6b4aa54441f82df20f93667eef06715c770f0b6
-
Filesize
5.9MB
MD5
ab54dd351ee493a070ccbcc0d3e98a1e
SHA1
d0925027a076a54be92d56c1bd1ea7004ea9fcd5
SHA256
a31754e617e02b31173f36adc2e9fe706742097084b3b2006f0d8a5bf6e69051
SHA512
8419636abb931fa73a229583cd015f2a495ece8ba133804e856e5a306f045c7067ce3d50582635f4dc0b6c5e1f4793d72c9df135d98d4132609e62838597a940
-
Filesize
5.9MB
MD5
c8e646bf0ad158893b1b754cbe8743dd
SHA1
5d39f3430ca0bd5a48e27e1822978a4cca213a8f
SHA256
af6a35781ca6725806b64d2736e07f480b77ac600852ba8e908bc7a3d3d81c27
SHA512
9b40dd4e806a03495f4367fa8c5fcb7d12d846b3d651bee6d535f5e4cb90f27a9c24fb8dbdd6d427642f9e95185cfe359bf70a788f782a9f25b52ad0e4f9ac01
-
Filesize
5.9MB
MD5
4c6880f61b531914e3e1ab7410d6bc23
SHA1
ffe7944f2f9d1f684b03512c7aed96339945808d
SHA256
46957b40fb5cb87a693e8536ada88c3e6e4e8914fd90315899749bcff7bbe8b1
SHA512
2f1f42d4776baef4d41b03f3c442609c85afc87b521b30561c16abe2e2f635f52fe697942b4389e4090c830bf1902a3fc6fcab0e08831f60a12f7d6243e3a6e0
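The Processes section shows the sample writing twenty-one 5.9MB executables with seven-letter names that look randomly generated into C:\Windows\System and running each one once; the Downloads list above gives their hashes. Both are usable as indicators but have different shelf lives: the hashes match only these exact builds, while the location and naming pattern survive a rebuild (C:\Windows\System is a legacy directory that rarely holds executables on a stock install, so any seven-letter .exe there deserves a look). The following is an added example, not from the report or from any vendor's tooling: a Python hunt script that classifies a file by either indicator and can walk a directory hashing files. The SHA-256 set is copied from the Downloads list; DROP_DIR and the name regex generalise what the process tree shows; the reason strings and function names are my own.

```python
import hashlib
import ntpath
import re
import sys
from pathlib import Path
from typing import Optional

# SHA-256 of each of the 21 dropped payloads, copied from the report's Downloads list.
DROPPED_SHA256 = frozenset({
    "56f931fc7e31ec2720b75740701353b7d3393bb18cdf856a4f0e40b3946ca882",
    "571ae1fa5a527d346df607875861bd4efbe264d63e43b7198478a684775f4f96",
    "4feea3a28404144af4f3b7641295f09b96cfd5a0d8c56dee10b6846cf635fd93",
    "e1365f0bf7a7ecd4c71d9f2b7cdc79725059005d6ca437bf2a36fa01b0f07567",
    "f986a3904732395deed6af3e9413d0dcc081312cb7bb4ac2529ac564522ef51f",
    "f101b31c2026d98a2f467ed8ae2d179b4efed4f40002dfa6569931167d94ce16",
    "9041d319dfe32d9ac2f4616fdbf85c47977992ff6663441661a03d49b97bd10c",
    "19f75fd3914f6e4c29765e8094a016e44e338b2f0a25fb41c11e1daac79dc398",
    "a75d02486dd4c3680e47eb070fb26684f2f8fdbde3d8b50afb76384e056b6bba",
    "b2949df328561674e0276cba1b38b1d9e338275bfbd7be960da6fa8233e80c94",
    "72d9c3164e5bc5a0056f0d61e5f933dca7843fbe5cb787c60cbaea6f3c4c5eb9",
    "95aba526d5249b74f0d67eadeca8354d1651db5a6c2b9429707f315e47fc7bad",
    "d5581fc5c111d32f06992c082970eac7ce921f6ddcc9185ad59b540d7e162f28",
    "d6ca176addd87ce541c671398b40ffbf8a0b02fe2c489f0f526eace5681a293e",
    "3d86268ce96eeb78bf03178e32e99bde553de14c92e2f6431a685d3832a026eb",
    "ac030bbf6391c0c92b24e081f814239eaab875d3f576bf43b42c2b66022a109e",
    "54551f3a229436bf826974c21bc8803b961df1f19f4fb689bd10bc7611d6508c",
    "f854f8513cd5a034994cf93c949265dc1a7da0357887677a421a682c654a083d",
    "a31754e617e02b31173f36adc2e9fe706742097084b3b2006f0d8a5bf6e69051",
    "af6a35781ca6725806b64d2736e07f480b77ac600852ba8e908bc7a3d3d81c27",
    "46957b40fb5cb87a693e8536ada88c3e6e4e8914fd90315899749bcff7bbe8b1",
})

# Drop location and naming pattern generalised from the Processes section (assumption:
# seven ASCII letters of mixed case followed by .exe, directly under C:\Windows\System).
DROP_DIR = r"C:\Windows\System"
DROPPED_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$", re.IGNORECASE)

REASON_HASH = "SHA-256 matches a payload dropped by this sample"
REASON_NAME = "seven-letter .exe directly under C:\\Windows\\System"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so 5.9MB payloads (or larger) do not have to fit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path: str, sha256_hex: Optional[str]) -> list[str]:
    """Reasons a file matches this report's indicators, most specific first.
    Uses ntpath so Windows paths are handled the same way on any analysis host."""
    reasons = []
    if sha256_hex and sha256_hex.lower() in DROPPED_SHA256:
        reasons.append(REASON_HASH)
    directory, name = ntpath.split(path)
    if ntpath.normcase(directory) == ntpath.normcase(DROP_DIR) and DROPPED_NAME_RE.match(name):
        reasons.append(REASON_NAME)
    return reasons


def scan_directory(root: Path) -> list[tuple[str, list[str]]]:
    """Hash every file under root and return the ones that match either indicator.
    Hashing a whole volume is slow; narrow root to the drop directory on a live host."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file():
            reasons = classify(str(p), sha256_file(p))
            if reasons:
                findings.append((str(p), reasons))
    return findings


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(DROP_DIR)
    for found, why in scan_directory(root):
        print(found, "->", "; ".join(why))
```

The hash check is exact and brittle; the name-and-location check is loose and durable. Keep both: a hit on the hash set is confirmation, a hit on the name pattern alone is a lead that needs the file pulled and hashed against the Downloads list, and a file under C:\Windows\System that matches neither is still worth explaining.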