Analysis

- max time kernel: 139s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 08-06-2024 12:26

Behavioral task: behavioral1
- Sample: 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240508-en
General

- Target: 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: 1967b789ec4e9e4ab9f670ffd1aa2969
- SHA1: 0d8f5c100032b0343adcee8329df07e45f6a49a2
- SHA256: a92b581c614e7c5ab32dcece872208efda7708e7b2357f182e5c3610c95c5c95
- SHA512: 3149b01f599ef8e042fab91e55d2f23b88d33909b4b888e37acf30256fa9317651e83a4b83a3c02292392430bbe9b028a9be15272707b023afb24b94b307df89
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUa:Q+856utgpPF8u/7a
Malware Config

Extracted: cobaltstrike
- 0 (C2 URLs):
  - http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1 (base64 of the http-get client transform chain): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2 (base64 of the http-post client transform chain): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine (the field holds a base64 DER-encoded 1024-bit RSA public key, zero-padded): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri (http-post): /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
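The two http_header fields above are Cobalt Strike Malleable C2 transform chains: each is a zero-padded field of 4-byte big-endian (opcode, length, data) records, base64-encoded by the extractor. The example below is added for this report (it is not sandbox code); it decodes both fields back into profile syntax. The opcode-to-keyword table follows the public beacon-config parsers, and the function names are the example's own. Decoded, the two chains reproduce the publicly available amazon.profile: the beacon contacts ns7/ns8/ns9.softline.top on port 443 while sending Host: www.amazon.com, the GET path paired with each host in the host field and the POST uri /N4215/adj/amzn.us.sr.aps are that profile's URIs, and the Cookie built from the metadata block is the profile's session-token/skin/csm-hit string.

```python
"""Decode Cobalt Strike Malleable C2 transform blobs (http_header1/http_header2 above).

Added example for this report, not sandbox code. Opcode names follow the public
beacon-config parsers; opcodes 8 and 11-15 come from those parsers for
completeness and are not exercised by this sample.
"""
import base64
import struct

# Values copied verbatim from the extracted configuration above.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="

OPCODES = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask",
}
WITH_DATA = {1, 2, 5, 6, 9, 10}                      # one length-prefixed string operand
CLIENT_LEVEL = {"const_header", "const_parameter"}   # fixed "Name: value" / "name=value"
TERMINATORS = {"header", "parameter", "print", "uri_append"}  # last step of a data block


def decode_field(b64: str) -> bytes:
    """base64 -> bytes; the extractor pads correctly, re-pad anyway to be safe."""
    s = "".join(b64.split()).rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_transform(b64: str) -> list:
    """Return the ordered (keyword, *operands) records; stops at the 0 terminator."""
    data = decode_field(b64)
    ops, pos = [], 0

    def u32() -> int:
        nonlocal pos
        (v,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return v

    def text() -> str:
        nonlocal pos
        n = u32()
        s = data[pos:pos + n].decode("latin-1")
        pos += n
        return s

    while pos + 4 <= len(data):
        op = u32()
        if op == 0:
            break                                   # terminator; remainder is zero padding
        if op == 7:
            ops.append(("build", u32()))            # operand: block index, not a string
        elif op == 14:
            ops.append(("strrep", text(), text()))  # two string operands
        elif op in WITH_DATA:
            ops.append((OPCODES[op], text()))
        elif op in OPCODES:
            ops.append((OPCODES[op],))
        else:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
    return ops


def render_profile(ops: list, post: bool = False) -> list:
    """Render records as Malleable C2 client-block statements.

    Constant headers/parameters are client-level; everything after 'build N'
    transforms that block's data until a terminating header/parameter/print.
    For http-get block 0 is metadata; for http-post block 0 is id, 1 is output.
    """
    blocks = {0: "id" if post else "metadata", 1: "output"}
    lines, open_block = [], False

    def close():
        nonlocal open_block
        if open_block:
            lines.append("}")
            open_block = False

    for kw, *args in ops:
        if kw == "build":
            close()
            lines.append(f"{blocks.get(args[0], f'block{args[0]}')} {{")
            open_block = True
        elif kw in CLIENT_LEVEL:
            close()
            sep = ": " if kw == "const_header" else "="
            name, _, value = args[0].partition(sep)
            lines.append(f'{kw[6:]} "{name}" "{value}";')   # strip the "const_" prefix
        else:
            indent = "    " if open_block else ""
            operands = "".join(f' "{a}"' for a in args)
            lines.append(f"{indent}{kw}{operands};")
            if kw in TERMINATORS:
                close()
    close()
    return lines


if __name__ == "__main__":
    for title, blob, post in (("http-get", HTTP_HEADER1, False), ("http-post", HTTP_HEADER2, True)):
        print(f"{title} client {{")
        for line in render_profile(parse_transform(blob), post=post):
            print("    " + line)
        print("}")
```

Running the block prints both client blocks; the http-get one ends with the metadata block (base64; prepend "session-token="; prepend "skin=noskin;"; append "csm-hit=..."; header "Cookie";), which is the string a network sensor sees in the Cookie header of every check-in.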
Signatures

- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
  YARA rule cobalt_reflective_dll matched each of the 21 dropped executables under C:\Windows\system\: iNCzGSC.exe, jZRFwEU.exe, tdQgUIX.exe, ifvuHeS.exe, rHnUquP.exe, tbJhpLU.exe, LCYQVfN.exe, IKzYbtG.exe, uCxxAos.exe, eeQkvkc.exe, QwfcrpB.exe, tSYCHQB.exe, ugZzhKb.exe, yQJFBVW.exe, dhdrFkn.exe, pelcpiD.exe, NAaZSnm.exe, jhPqurN.exe, aRNCLmh.exe, WzIlBQJ.exe, yFnvZBn.exe.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Detects Reflective DLL injection artifacts (21 IoCs)
  YARA rule INDICATOR_SUSPICIOUS_ReflectiveLoader matched the same 21 files under C:\Windows\system\: iNCzGSC.exe, jZRFwEU.exe, tdQgUIX.exe, ifvuHeS.exe, rHnUquP.exe, tbJhpLU.exe, LCYQVfN.exe, IKzYbtG.exe, uCxxAos.exe, eeQkvkc.exe, QwfcrpB.exe, tSYCHQB.exe, ugZzhKb.exe, yQJFBVW.exe, dhdrFkn.exe, pelcpiD.exe, NAaZSnm.exe, jhPqurN.exe, aRNCLmh.exe, WzIlBQJ.exe, yFnvZBn.exe.
- UPX dump on OEP (original entry point) (58 IoCs)
  YARA rule UPX matched 22 file entries and 36 memory dumps.
  Files: C:\Windows\system\iNCzGSC.exe, jZRFwEU.exe, tdQgUIX.exe, ifvuHeS.exe, rHnUquP.exe, tbJhpLU.exe, LCYQVfN.exe, IKzYbtG.exe, uCxxAos.exe, eeQkvkc.exe, QwfcrpB.exe, tSYCHQB.exe, ugZzhKb.exe, yQJFBVW.exe, dhdrFkn.exe, pelcpiD.exe, NAaZSnm.exe, jhPqurN.exe, aRNCLmh.exe, WzIlBQJ.exe, yFnvZBn.exe, plus a second drive-less entry for \Windows\system\LCYQVfN.exe.
  Memory dumps (behavioral1/memory/<pid>-<dump>-<range>-memory.dmp; every region is 0x354000 bytes, i.e. the same unpacked image at each process's base):
  PID 2972  0x000000013F800000-0x000000013FB54000  dumps 0, 129
  PID 2792  0x000000013FD50000-0x00000001400A4000  dumps 94, 137
  PID 1884  0x000000013FF40000-0x0000000140294000  dumps 95, 138
  PID 2612  0x000000013FF10000-0x0000000140264000  dumps 97, 142
  PID 2100  0x000000013FAA0000-0x000000013FDF4000  dumps 99, 139
  PID 2720  0x000000013F640000-0x000000013F994000  dumps 100, 140
  PID 2936  0x000000013F4E0000-0x000000013F834000  dumps 101, 141
  PID 2928  0x000000013FBF0000-0x000000013FF44000  dumps 103, 130, 146
  PID 2788  0x000000013F740000-0x000000013FA94000  dumps 104, 144
  PID 2768  0x000000013FEC0000-0x0000000140214000  dumps 106, 132, 147
  PID 2728  0x000000013F4E0000-0x000000013F834000  dumps 107, 143
  PID 2772  0x000000013F590000-0x000000013F8E4000  dumps 108, 133, 148
  PID 2632  0x000000013F0A0000-0x000000013F3F4000  dumps 110, 134, 145
  PID 2516  0x000000013F9D0000-0x000000013FD24000  dumps 111, 135, 150
  PID 2584  0x000000013FE70000-0x00000001401C4000  dumps 113, 136, 149
- XMRig Miner payload (63 IoCs)
  YARA rule xmrig matched 22 file entries and 41 memory dumps.
  Files: C:\Windows\system\iNCzGSC.exe, jZRFwEU.exe, tdQgUIX.exe, ifvuHeS.exe, rHnUquP.exe, tbJhpLU.exe, LCYQVfN.exe, IKzYbtG.exe, uCxxAos.exe, eeQkvkc.exe, QwfcrpB.exe, tSYCHQB.exe, ugZzhKb.exe, yQJFBVW.exe, dhdrFkn.exe, pelcpiD.exe, NAaZSnm.exe, jhPqurN.exe, aRNCLmh.exe, WzIlBQJ.exe, yFnvZBn.exe, plus a second drive-less entry for \Windows\system\LCYQVfN.exe.
  Memory dumps (behavioral1/memory/<pid>-<dump>-<range>-memory.dmp):
  PID 2972  0x000000013F800000-0x000000013FB54000  dumps 0, 129
  PID 2972  0x000000013FF10000-0x0000000140264000  dump 96
  PID 2972  0x000000013FBF0000-0x000000013FF44000  dump 102
  PID 2972  0x000000013FEC0000-0x0000000140214000  dump 105
  PID 2972  0x000000013F0A0000-0x000000013F3F4000  dump 109
  PID 2792  0x000000013FD50000-0x00000001400A4000  dumps 94, 137
  PID 1884  0x000000013FF40000-0x0000000140294000  dumps 95, 138
  PID 2612  0x000000013FF10000-0x0000000140264000  dumps 97, 142
  PID 2100  0x000000013FAA0000-0x000000013FDF4000  dumps 99, 139
  PID 2720  0x000000013F640000-0x000000013F994000  dumps 100, 140
  PID 2936  0x000000013F4E0000-0x000000013F834000  dumps 101, 141
  PID 2928  0x000000013FBF0000-0x000000013FF44000  dumps 103, 130, 146
  PID 2788  0x000000013F740000-0x000000013FA94000  dumps 104, 131, 144
  PID 2768  0x000000013FEC0000-0x0000000140214000  dumps 106, 132, 147
  PID 2728  0x000000013F4E0000-0x000000013F834000  dumps 107, 143
  PID 2772  0x000000013F590000-0x000000013F8E4000  dumps 108, 133, 148
  PID 2632  0x000000013F0A0000-0x000000013F3F4000  dumps 110, 134, 145
  PID 2516  0x000000013F9D0000-0x000000013FD24000  dumps 111, 135, 150
  PID 2584  0x000000013FE70000-0x00000001401C4000  dumps 113, 136, 149
- Executes dropped EXE (21 IoCs)
  PID   process
  2792  iNCzGSC.exe
  1884  yFnvZBn.exe
  2612  jZRFwEU.exe
  2100  tdQgUIX.exe
  2720  WzIlBQJ.exe
  2936  aRNCLmh.exe
  2928  jhPqurN.exe
  2788  ifvuHeS.exe
  2768  NAaZSnm.exe
  2728  pelcpiD.exe
  2772  rHnUquP.exe
  2632  dhdrFkn.exe
  2516  yQJFBVW.exe
  2584  ugZzhKb.exe
  468   tSYCHQB.exe
  1756  QwfcrpB.exe
  1264  tbJhpLU.exe
  2836  eeQkvkc.exe
  2876  uCxxAos.exe
  2996  IKzYbtG.exe
  3044  LCYQVfN.exe
- Loads dropped DLL (21 IoCs)
  All 21 events are attributed to PID 2972, 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe (one per dropped file).
- YARA rule upx (signature title not present on the page; 59 matches)
  Files: C:\Windows\system\iNCzGSC.exe, jZRFwEU.exe, tdQgUIX.exe, ifvuHeS.exe, rHnUquP.exe, tbJhpLU.exe, LCYQVfN.exe, IKzYbtG.exe, uCxxAos.exe, eeQkvkc.exe, QwfcrpB.exe, tSYCHQB.exe, ugZzhKb.exe, yQJFBVW.exe, dhdrFkn.exe, pelcpiD.exe, NAaZSnm.exe, jhPqurN.exe, aRNCLmh.exe, WzIlBQJ.exe, yFnvZBn.exe, plus a second drive-less entry for \Windows\system\LCYQVfN.exe.
  Memory dumps (behavioral1/memory/<pid>-<dump>-<range>-memory.dmp):
  PID 2972  0x000000013F800000-0x000000013FB54000  dumps 0, 129
  PID 2792  0x000000013FD50000-0x00000001400A4000  dumps 94, 137
  PID 1884  0x000000013FF40000-0x0000000140294000  dumps 95, 138
  PID 2612  0x000000013FF10000-0x0000000140264000  dumps 97, 142
  PID 2100  0x000000013FAA0000-0x000000013FDF4000  dumps 99, 139
  PID 2720  0x000000013F640000-0x000000013F994000  dumps 100, 140
  PID 2936  0x000000013F4E0000-0x000000013F834000  dumps 101, 141
  PID 2928  0x000000013FBF0000-0x000000013FF44000  dumps 103, 130, 146
  PID 2788  0x000000013F740000-0x000000013FA94000  dumps 104, 131, 144
  PID 2768  0x000000013FEC0000-0x0000000140214000  dumps 106, 132, 147
  PID 2728  0x000000013F4E0000-0x000000013F834000  dumps 107, 143
  PID 2772  0x000000013F590000-0x000000013F8E4000  dumps 108, 133, 148
  PID 2632  0x000000013F0A0000-0x000000013F3F4000  dumps 110, 134, 145
  PID 2516  0x000000013F9D0000-0x000000013FD24000  dumps 111, 135, 150
  PID 2584  0x000000013FE70000-0x00000001401C4000  dumps 113, 136, 149
- Drops file in Windows directory (21 IoCs)
  File created by 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe, all under C:\Windows\System\: jZRFwEU.exe, yQJFBVW.exe, QwfcrpB.exe, iNCzGSC.exe, yFnvZBn.exe, aRNCLmh.exe, rHnUquP.exe, tSYCHQB.exe, eeQkvkc.exe, uCxxAos.exe, LCYQVfN.exe, tdQgUIX.exe, pelcpiD.exe, dhdrFkn.exe, ugZzhKb.exe, tbJhpLU.exe, WzIlBQJ.exe, jhPqurN.exe, ifvuHeS.exe, NAaZSnm.exe, IKzYbtG.exe.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeLockMemoryPrivilege, enabled twice by PID 2972, 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe. SeLockMemoryPrivilege is the privilege needed for large-page allocations, which XMRig enables to back its memory with huge pages; this is consistent with the XMRig payload matches above.
- Suspicious use of WriteProcessMemory (63 IoCs)
  PID 2972 (2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe) wrote to the memory of each of its 21 children three times:
  target PID  target process
  2792        iNCzGSC.exe
  1884        yFnvZBn.exe
  2612        jZRFwEU.exe
  2100        tdQgUIX.exe
  2720        WzIlBQJ.exe
  2936        aRNCLmh.exe
  2928        jhPqurN.exe
  2788        ifvuHeS.exe
  2768        NAaZSnm.exe
  2728        pelcpiD.exe
  2772        rHnUquP.exe
  2632        dhdrFkn.exe
  2516        yQJFBVW.exe
  2584        ugZzhKb.exe
  468         tSYCHQB.exe
  1756        QwfcrpB.exe
  1264        tbJhpLU.exe
  2836        eeQkvkc.exe
  2876        uCxxAos.exe
  2996        IKzYbtG.exe
  3044        LCYQVfN.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2972
  [2] C:\Windows\System\iNCzGSC.exe
      Command line: C:\Windows\System\iNCzGSC.exe
      - Executes dropped EXE
      PID:2792
  [2] C:\Windows\System\yFnvZBn.exe
      Command line: C:\Windows\System\yFnvZBn.exe
      - Executes dropped EXE
      PID:1884
  [2] C:\Windows\System\jZRFwEU.exe
      Command line: C:\Windows\System\jZRFwEU.exe
      - Executes dropped EXE
      PID:2612
  [2] C:\Windows\System\tdQgUIX.exe
      Command line: C:\Windows\System\tdQgUIX.exe
      - Executes dropped EXE
      PID:2100
  [2] C:\Windows\System\WzIlBQJ.exe
      Command line: C:\Windows\System\WzIlBQJ.exe
      - Executes dropped EXE
      PID:2720
  [2] C:\Windows\System\aRNCLmh.exe
      Command line: C:\Windows\System\aRNCLmh.exe
      - Executes dropped EXE
      PID:2936
  [2] C:\Windows\System\jhPqurN.exe
      Command line: C:\Windows\System\jhPqurN.exe
      - Executes dropped EXE
      PID:2928
  [2] C:\Windows\System\ifvuHeS.exe
      Command line: C:\Windows\System\ifvuHeS.exe
      - Executes dropped EXE
      PID:2788
  [2] C:\Windows\System\NAaZSnm.exe
      Command line: C:\Windows\System\NAaZSnm.exe
      - Executes dropped EXE
      PID:2768
  [2] C:\Windows\System\pelcpiD.exe
      Command line: C:\Windows\System\pelcpiD.exe
      - Executes dropped EXE
      PID:2728
  [2] C:\Windows\System\rHnUquP.exe
      Command line: C:\Windows\System\rHnUquP.exe
      - Executes dropped EXE
      PID:2772
  [2] C:\Windows\System\dhdrFkn.exe
      Command line: C:\Windows\System\dhdrFkn.exe
      - Executes dropped EXE
      PID:2632
  [2] C:\Windows\System\yQJFBVW.exe
      Command line: C:\Windows\System\yQJFBVW.exe
      - Executes dropped EXE
      PID:2516
  [2] C:\Windows\System\ugZzhKb.exe
      Command line: C:\Windows\System\ugZzhKb.exe
      - Executes dropped EXE
      PID:2584
  [2] C:\Windows\System\tSYCHQB.exe
      Command line: C:\Windows\System\tSYCHQB.exe
      - Executes dropped EXE
      PID:468
  [2] C:\Windows\System\QwfcrpB.exe
      Command line: C:\Windows\System\QwfcrpB.exe
      - Executes dropped EXE
      PID:1756
  [2] C:\Windows\System\tbJhpLU.exe
      Command line: C:\Windows\System\tbJhpLU.exe
      - Executes dropped EXE
      PID:1264
  [2] C:\Windows\System\eeQkvkc.exe
      Command line: C:\Windows\System\eeQkvkc.exe
      - Executes dropped EXE
      PID:2836
  [2] C:\Windows\System\uCxxAos.exe
      Command line: C:\Windows\System\uCxxAos.exe
      - Executes dropped EXE
      PID:2876
  [2] C:\Windows\System\IKzYbtG.exe
      Command line: C:\Windows\System\IKzYbtG.exe
      - Executes dropped EXE
      PID:2996
  [2] C:\Windows\System\LCYQVfN.exe
      Command line: C:\Windows\System\LCYQVfN.exe
      - Executes dropped EXE
      PID:3044
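The process tree above shows the pattern a detection engineer would key on in this report: one parent (PID 2972) drops executables with random-looking seven-letter names into C:\Windows\System, launches each of them, and is flagged for WriteProcessMemory into those children. The script below is an added example, not part of the sandbox report or of any tool it uses. It parses event lines in the report's own "PID X wrote to memory of Y" format (the embedded lines are a subset copied from this report, and each child appears several times there, once per write), joins them to a PID-to-image map taken from the tree, and flags a source process that writes into several distinct children that live in C:\Windows\System under a random-looking name. The field layout assumed for the event lines, the seven-letter name regex and the threshold of five children are this example's own assumptions.

```python
import re
from collections import defaultdict

# Event lines copied from the report's "wrote to memory" list (a subset).
# Assumed layout: "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>".
WRITE_EVENTS = """\
PID 2972 wrote to memory of 1264 2972 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe tbJhpLU.exe
PID 2972 wrote to memory of 1264 2972 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe tbJhpLU.exe
PID 2972 wrote to memory of 1264 2972 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe tbJhpLU.exe
PID 2972 wrote to memory of 2836 2972 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe eeQkvkc.exe
PID 2972 wrote to memory of 2876 2972 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe uCxxAos.exe
PID 2972 wrote to memory of 2996 2972 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe IKzYbtG.exe
PID 2972 wrote to memory of 3044 2972 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe LCYQVfN.exe
"""

# PID -> image path, taken from the report's process tree (subset).
PROCESSES = {
    2972: r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe",
    1264: r"C:\Windows\System\tbJhpLU.exe",
    2836: r"C:\Windows\System\eeQkvkc.exe",
    2876: r"C:\Windows\System\uCxxAos.exe",
    2996: r"C:\Windows\System\IKzYbtG.exe",
    3044: r"C:\Windows\System\LCYQVfN.exe",
}

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# Heuristic chosen for this example: exactly seven letters, no digits, .exe extension.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")
SUSPECT_DIR = "c:\\windows\\system"


def parse_write_events(text):
    """Return {source_pid: {target_pid, ...}}; repeated writes to one child collapse to one entry."""
    targets = defaultdict(set)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # tolerate the truncated first line the report shows
        targets[int(m.group(1))].add(int(m.group(2)))
    return dict(targets)


def is_random_dropper_child(path):
    """True when the image sits directly in C:\\Windows\\System with a random-looking name."""
    directory, _, name = path.rpartition("\\")
    return directory.lower() == SUSPECT_DIR and bool(RANDOM_NAME_RE.match(name))


def find_fan_out_injectors(events_text, processes, min_children=5):
    """Flag every source PID that wrote into at least min_children distinct
    children matching is_random_dropper_child. Returns a list of findings."""
    findings = []
    for src, dsts in parse_write_events(events_text).items():
        suspicious = sorted(
            d for d in dsts if d in processes and is_random_dropper_child(processes[d])
        )
        if len(suspicious) >= min_children:
            findings.append({
                "source_pid": src,
                "source_image": processes.get(src, "?"),
                "children": suspicious,
            })
    return findings


if __name__ == "__main__":
    for f in find_fan_out_injectors(WRITE_EVENTS, PROCESSES):
        print(f"PID {f['source_pid']} ({f['source_image']}) wrote into "
              f"{len(f['children'])} random-named children in C:\\Windows\\System: {f['children']}")
```

On a real host the same logic applies to Sysmon Event ID 1 (process create) joined with Event ID 8 or 10 (remote thread / process access) rather than to sandbox text, and the threshold should be tuned against a baseline, since legitimate installers also spawn many children, though rarely from C:\Windows\System under names like these.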
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 5.9MB
MD5: 68feab46483015e28152696c66456b6d
SHA1: 6d26a93457378a77e89a0efd9e831e867aa98d23
SHA256: ab35a255a22ce36e9a21e0c6876cf779983f5b3f326f66228e7c464024bfd9ae
SHA512: 131bdea08da06f581d491b9b0d22891b31365a580841627bdd2b50d802f142fa8d90cdfa8dfd2094bf5166931b577183267187d5433b482fe4f004bacfc37388
-
Filesize: 5.9MB
MD5: 7f8a17e87204865cb8294f992f62a8b7
SHA1: 965d240fdcaff71315ed72fa19a6fb7bcd0cc41b
SHA256: d2f6d40eee8aa5eeee364047b92c58e82120eddca6fa2b326a9430322de1d86a
SHA512: e3007370624881b1cea1ef29a5575f7be06f05e38d2f7953b9be734b7627ef9829b6897833b5db61638ee69bd5e7c8c0e83d30482dc7ed493651dab40519ecb6
-
Filesize: 5.9MB
MD5: 60e0014f58b4f1b8f563b273d2275660
SHA1: ea56b85c58ad530b20aa8a599d51724437d905e4
SHA256: 7a4d89304b2e357e923da059f321e6fc27b507123592d53291ed0e94bdb7faf3
SHA512: f29536663b613bd367688f883738a167008d1d5ad181f351d03b4943b811e69d2f9575e6d9afa73a32f1a238ed7ea0073a0567ed1d7d2f84824b806315a32a7f
-
Filesize: 5.9MB
MD5: 4923a775c514f3ae0e09865704a76aa9
SHA1: fac0cec58bd3556095fbf0e402a5c2a46ed6f41c
SHA256: d06e71a7242ab6b20e7ec280322c9d2e8c0dd1445fbd1628a3c5c5cd66930c85
SHA512: b6e03ba2f19f231ad0fc573579b9f74d1b09ecf94301bee5cb10099639f08bf588d6844a53aa68ea446ca35de8bd4299766175b0aa4cc66d53e22afc7fdb9f5e
-
Filesize: 5.9MB
MD5: 39ae60141b97c03da8c9c1167cd0ec6c
SHA1: 60453bac515d089278de350bbafda296d9a53c43
SHA256: 1f8be7204df6b0c8e0e79816be05ebb3f3b08a30160d763c6f1abfbba20f1153
SHA512: 13716d490eba984f8e212fac2f68004c486c0a3b369cc4ac2d72d80e9942d46ba8443c76918e050a0722db5ff0e7dda30d516aa81d66b3fb089af1adee8a2a0c
-
Filesize: 5.9MB
MD5: 9866d867ab99dc887d727af1e531b2c0
SHA1: 0a6b886ed9c77abd3b2e4fc40cdd90ed1bd31ecc
SHA256: 8a3205dd0f60c2683f0da291ea45de167939215f0f96a6f039e7d5b9e828be04
SHA512: 417f6d96cc5331bedda96ba0524cbd3074861417e9213be3c66050d39690af78c8f3174ab43962bf193a653b6b507bf9b64fffa19ece2070a81fa36cfa065b6e
-
Filesize: 5.9MB
MD5: 787eb7e69ad35aabdeb5368e6da76f1a
SHA1: cb322befd7f9c168958d53bc2f49dca2cdbe84bc
SHA256: 0bf2ae8409c5346b5c7add6eb6f765af178d7d736962e27ffea40ddaccbb2cee
SHA512: afbec0b4ded7fea46eaa8d902bdf97979f8c4ae6f8d4d1b0faa7cc2bf31c53eb5c13ef7bd105b1c1a5f390acb69261c5d317c7908e7b5003836d4ecea1fd5ab3
-
Filesize: 5.9MB
MD5: d2038aace393c2b9f8bcbdafb94cbd87
SHA1: fd600884a88cebac326a7e7913d0e0f9f6a83ebe
SHA256: 9dcf7c6b26bcba96c9bd3a062979c43efe3a50e5409c7256faae119945ca2440
SHA512: 218ee4173d477d590b4d35eeb444cb47f199e5fb4fd2114a46b5d4a9acaae5df749050a64ed46b09bc6e62aa2d527dabbd8dc4c5dcfe68e37ebedfdccd88cf40
-
Filesize: 5.9MB
MD5: 90e69951485f0bb3c1bf4f949de6106d
SHA1: db95e5a117cd7d818575604fa811ad9a36829a02
SHA256: 27a201766ece763dde900c442af719ff131fea401bd6f0bd364c80033a0bad37
SHA512: 4b68af358ae57fa592f8ff1a28c6f536177e3e76310a1917fe308330a638357f6c48ea1b1a65b33d535c85b015085a85232976d3ef1bcfd5d7881fb1dc9e42be
-
Filesize: 5.9MB
MD5: 9273ab9b4d9e65d031e05dc4c6270794
SHA1: 0b83e1bd74b0e20f90ebe4b7a3e4a267e13df0a4
SHA256: 7b9f92de44c4ee1d5e9231ba8e4bc15b396a4379e0b162e3ea1e4465b3bbccd5
SHA512: 8415761f36ef7c438406b28669e0069e5f567e2c97f81780ac0bcd579d522ceb3dbdb4675ee569a8c5a782e5bf1860ae591066302d44f520ed8ca5836d2f2d6a
-
Filesize: 5.9MB
MD5: 4ae083a6b4718985abd5dfdf40f7aad6
SHA1: 01997fabf7115bbc5b1245b8b8e0fbb956efac0e
SHA256: d6400e5de4ec2c02d4b0645de28c87dc890eb3de96fb5f83cc250a4a28b52fbb
SHA512: a74f8f37205374a5748fe478c6fda5bd514713c9ebdbc75cd1cfe2457a4c147b06ec62da4009bb80f7c0e31326c2e61bef6c0b9b3ac08295f339ed3de2a35bd1
-
Filesize: 5.9MB
MD5: b1280a310a974f5ae27fbd448d80fbbf
SHA1: 6dfd05afd5a95953942dbb825b503209427225bf
SHA256: 97a3d604858127b62202356c2348b3b15e5b74a0deebc433005358b59228794d
SHA512: 0d9827e0d17fd0a75fe1b9b5890967b518cb03736cfd13326b6e1bfd5cbacd988b2c3db9e2751519a69c5b18ef4e5dc48b40417d082c339aecc546724530ae6f
-
Filesize: 5.9MB
MD5: db6851f18e18c9d331f14a4ab2784110
SHA1: 343a598202ed2f17e2de3198d7447fa9d2ec39d8
SHA256: ef2f3df8740a17ce7647e34f1fe24e22393b91262174963e835e0a0d0bc0b86d
SHA512: 05ec16504a167f3e7f39f35393e5ccf8ed0b2d70289f4ff042de697edc939f30414b06ce7ccd589c8fb3148bb42125e014347b22d4007793a3589025c7cb302b
-
Filesize: 5.9MB
MD5: 813990620918b10b69fc589ff6ce7cef
SHA1: 7d6aa4cfb858fdd4873481186ecf7c22b33faa2c
SHA256: 020d44a835754f30b493a4811c09d0fb498a8837f3101d8112013caa9f5d2d9e
SHA512: 5ec283567e6debe9d99ec84804e8b48291a962af369fd07b2876625bcbe671ddb723abc09082804dc5d5b863dc6379a15d4107c352f68816717ab6344fa3a20c
-
Filesize: 5.9MB
MD5: 5c1ace3cb22fd62e009f274f93254bac
SHA1: f4e15bd75d5dfd9ce8919650512849d4e0ed41e7
SHA256: 2c70f77d3aeba4be2b64d1342a5ad9d822e4f70743ba03893d2cfeeac9496f23
SHA512: fec1f3bd0a3d1bb0ec1cbbb093c90ddc13afd3701d9693353edf4b5bc3e14c187849db896783e9378e3d8f4031062afb6b0b07cf171178100f19c1fea57c8213
-
Filesize: 5.9MB
MD5: def8ecb7e32d64885cfd985f0e95653e
SHA1: e627f417e194af756b56f020e83ffd9dc2078e8d
SHA256: 34da9da346c303c75e21d39408fd1c112c27ed96452e43b64733b7a3d23301e4
SHA512: fec4d27994864d6410d1dfa7b40d65517f3e62cb8210784a84b9a0b497f5ea5cd38dc6fe57b5c51a88fb8bb240f97116c155eb58eadaf577946d76f1b7282a9a
-
Filesize: 5.9MB
MD5: c2f2cc5c541cfdbbb7775fab47ee3ec8
SHA1: 8a5bb7c9db9b3378ec0192708be582b7c73ca8c4
SHA256: 587028af1a24d1af37cdff6f53f5928f8c993d80e7c30d1b7b59a7d3fa34b15e
SHA512: 38740ca3a786b57be4b93e55050906776eaa4b2950bf2c4978fab185a5fd3b9f2ede8e216ee94f595cfabdb1e40f7f6fd427642ec8b24e85851059a8bf9745c6
-
Filesize: 5.9MB
MD5: 4c89a570703394d57f179e9d3b5b4259
SHA1: df94796a3dc473d9a617fbd524ff794ed2d00a11
SHA256: 12580a187336f0462bdbd08521ad01c5d3fa7a21a526bbe475e250d01fae0f90
SHA512: 9e12ef4a3effe39ab5098d65ef4cf25b71a461ec1e68c81263db12863061e797dd563f01cd9035a4c75309c54b8396949ee5a7ebca8c39d3d1ca447c9e7a8134
-
Filesize: 5.9MB
MD5: 2fcd1ca99b353281ccdb294a4aa1fd61
SHA1: c557cd70f6a1a1d99755ddaa4525f6d471ac7aa3
SHA256: 2a2e633cbfc7a98b13520c5f43884d9826b4d1517852a2ce4f7e4da9e3635a50
SHA512: 55b05c37dce0b50fbd70ef67374cc1f6d65d1ee5b2189a2c4ab505d843a0f5d56c3f0f41804d6dd8209330baed10f02a15ea3149dc1b14618bce60849a22adb3
-
Filesize: 5.9MB
MD5: 486a613836a4be0e0605adf2faecdb5b
SHA1: 9f984e08e12c8eb76363d99bb260c8bae38a3942
SHA256: 6534b8b59a89db9de36215b6284699238b047c6e4ee0ae9a1a9c542a649eb4f3
SHA512: cfa80b1180e16b74ab0dde3d33c30e502c1a2181a3995dec56ea5b62fee89625aa2e38574a0d3a6a688035bcfa57b1dd85336b590135eb1ec4ffe95bcf65d288
-
Filesize: 5.9MB
MD5: 3a46674e5968382f9f4318ac3b0c5c5f
SHA1: bc36760ae81497f271790a3adca6cae18cb4163e
SHA256: 200ad4e4b0adca70a8425d706a1b1efd0c812206cb8a53cda104270cf914f877
SHA512: 5655642287582fc2a330ab6abdaee31103aeca0e8c7b2de44ba0366a56af25dfd13dd50decdcbe87970c46879291d3fef2cb0f73e1c67a8b3a4bead13dabfc7e
-
Filesize: 5.5MB
MD5: 992e15ebc2245cf970acce9948576d6c
SHA1: 3322f50d4aebf915abc8a5277cd07a23adf5f127
SHA256: 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5
SHA512: 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7