Analysis

max time kernel: 145s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 08-06-2024 11:46

Behavioral task: behavioral1
Sample: 2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe
Resource: win7-20240508-en

General

Target: 2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 36ba5fe81c4fe4653201f9b80c9ff6a3
SHA1: 12d6d5def54881798a3e15f06e6cd731fc889de7
SHA256: 4105b92740cadfe5fd32b5ec6a3e60657866dbdeb37e435b4e1131fe39e0ef77
SHA512: d9028059796c638b2b484c79bed53e29761793f947d94e0fb4e47038616df434003d6df3d62130e0308a5255073352e869877a35343752b819e98302eed0793a
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUF:Q+856utgpPF8u/7F
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Detects Reflective DLL injection artifacts 21 IoCs
UPX dump on OEP (original entry point) 58 IoCs
XMRig Miner payload 59 IoCs
Executes dropped EXE 21 IoCs
Loads dropped DLL 21 IoCs
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeLockMemoryPrivilege  PID 2952  2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege  PID 2952  2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\System\nEmgDWy.exeC:\Windows\System\nEmgDWy.exe2⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\System\YALPepz.exeC:\Windows\System\YALPepz.exe2⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\System\HKpZmvG.exeC:\Windows\System\HKpZmvG.exe2⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\System\ENKqZwX.exeC:\Windows\System\ENKqZwX.exe2⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\System\xYPvAcd.exeC:\Windows\System\xYPvAcd.exe2⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\System\fEJhSwf.exeC:\Windows\System\fEJhSwf.exe2⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\System\pTlqmPv.exeC:\Windows\System\pTlqmPv.exe2⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\System\kucIuBg.exeC:\Windows\System\kucIuBg.exe2⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\System\kmgJXkx.exe
C:\Windows\System\kmgJXkx.exe 2⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\System\QpnDeVx.exe
C:\Windows\System\QpnDeVx.exe 2⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\System\qguPOBv.exe
C:\Windows\System\qguPOBv.exe 2⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\System\YDPMtEU.exe
C:\Windows\System\YDPMtEU.exe 2⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\System\TEdRDLP.exe
C:\Windows\System\TEdRDLP.exe 2⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\System\HllWRzS.exe
C:\Windows\System\HllWRzS.exe 2⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\System\uTDnJmr.exe
C:\Windows\System\uTDnJmr.exe 2⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\System\QJYtFxs.exe
C:\Windows\System\QJYtFxs.exe 2⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\System\UyfBiBv.exe
C:\Windows\System\UyfBiBv.exe 2⤵
- Executes dropped EXE
PID:288 -
C:\Windows\System\EQkMxPM.exe
C:\Windows\System\EQkMxPM.exe 2⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\System\DdzpJxE.exe
C:\Windows\System\DdzpJxE.exe 2⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\System\XhbnuLS.exe
C:\Windows\System\XhbnuLS.exe 2⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\System\xlqrnOm.exe
C:\Windows\System\xlqrnOm.exe 2⤵
- Executes dropped EXE
PID:2840
Network
MITRE ATT&CK Matrix
Downloads