Analysis
max time kernel: 138s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-06-2024 12:36
Behavioral task: behavioral1
Sample: 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
Resource: win7-20240221-en
General
Target: 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 9e022ed75a8f2fa53f6c988e98fe6ad1
SHA1: 36d2f2c5cafadd145209f74f4f3a974318e12bed
SHA256: ac50e7ca93e199e177e6471425847e4ebc9a25214c96896985a726ec9493db22
SHA512: 5dab0916858f4f49a6d3d30170ba854a342ca15be521ff2b37c7897c54f45745699c151b86054352f8cfffd03f3b6f6a8fb1d9dc11d137e12d6f18317b7e2fd5
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUH:Q+856utgpPF8u/7H
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes:
resource | yara_rule
\Windows\system\vmyXzRf.exe | cobalt_reflective_dll
C:\Windows\system\OTEuVUz.exe | cobalt_reflective_dll
C:\Windows\system\PjnmIzj.exe | cobalt_reflective_dll
C:\Windows\system\vLkwPoc.exe | cobalt_reflective_dll
C:\Windows\system\feXqrgt.exe | cobalt_reflective_dll
C:\Windows\system\ockHrkR.exe | cobalt_reflective_dll
C:\Windows\system\GWQHzhT.exe | cobalt_reflective_dll
C:\Windows\system\INKZVkb.exe | cobalt_reflective_dll
C:\Windows\system\XrAyDHM.exe | cobalt_reflective_dll
\Windows\system\FprZOuL.exe | cobalt_reflective_dll
C:\Windows\system\kxMwVhj.exe | cobalt_reflective_dll
C:\Windows\system\uoqkODq.exe | cobalt_reflective_dll
C:\Windows\system\NsTndpb.exe | cobalt_reflective_dll
C:\Windows\system\nPMUIIh.exe | cobalt_reflective_dll
C:\Windows\system\TZNBWyH.exe | cobalt_reflective_dll
C:\Windows\system\xJrTfZK.exe | cobalt_reflective_dll
C:\Windows\system\ANHofLM.exe | cobalt_reflective_dll
C:\Windows\system\uiGiUxh.exe | cobalt_reflective_dll
C:\Windows\system\CYXzbAc.exe | cobalt_reflective_dll
C:\Windows\system\rZrJwOZ.exe | cobalt_reflective_dll
C:\Windows\system\LosdpiY.exe | cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Detects Reflective DLL injection artifacts (21 IoCs)
Processes:
resource | yara_rule
\Windows\system\vmyXzRf.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OTEuVUz.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PjnmIzj.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vLkwPoc.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\feXqrgt.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ockHrkR.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GWQHzhT.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\INKZVkb.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XrAyDHM.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FprZOuL.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kxMwVhj.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uoqkODq.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NsTndpb.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nPMUIIh.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TZNBWyH.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xJrTfZK.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ANHofLM.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uiGiUxh.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CYXzbAc.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rZrJwOZ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LosdpiY.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
UPX dump on OEP (original entry point) (58 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1984-0-0x000000013FBC0000-0x000000013FF14000-memory.dmp | UPX
\Windows\system\vmyXzRf.exe | UPX
C:\Windows\system\OTEuVUz.exe | UPX
C:\Windows\system\PjnmIzj.exe | UPX
C:\Windows\system\vLkwPoc.exe | UPX
behavioral1/memory/2620-36-0x000000013F340000-0x000000013F694000-memory.dmp | UPX
behavioral1/memory/2912-25-0x000000013F270000-0x000000013F5C4000-memory.dmp | UPX
C:\Windows\system\feXqrgt.exe | UPX
behavioral1/memory/2348-56-0x000000013F670000-0x000000013F9C4000-memory.dmp | UPX
C:\Windows\system\ockHrkR.exe | UPX
behavioral1/memory/2820-72-0x000000013F6F0000-0x000000013FA44000-memory.dmp | UPX
behavioral1/memory/640-79-0x000000013FA50000-0x000000013FDA4000-memory.dmp | UPX
behavioral1/memory/2516-98-0x000000013F1C0000-0x000000013F514000-memory.dmp | UPX
C:\Windows\system\GWQHzhT.exe | UPX
C:\Windows\system\INKZVkb.exe | UPX
C:\Windows\system\XrAyDHM.exe | UPX
\Windows\system\FprZOuL.exe | UPX
C:\Windows\system\kxMwVhj.exe | UPX
C:\Windows\system\uoqkODq.exe | UPX
C:\Windows\system\NsTndpb.exe | UPX
behavioral1/memory/2692-100-0x000000013F930000-0x000000013FC84000-memory.dmp | UPX
behavioral1/memory/2584-99-0x000000013FAC0000-0x000000013FE14000-memory.dmp | UPX
behavioral1/memory/2664-93-0x000000013F050000-0x000000013F3A4000-memory.dmp | UPX
C:\Windows\system\nPMUIIh.exe | UPX
C:\Windows\system\TZNBWyH.exe | UPX
behavioral1/memory/2912-77-0x000000013F270000-0x000000013F5C4000-memory.dmp | UPX
C:\Windows\system\xJrTfZK.exe | UPX
behavioral1/memory/1356-84-0x000000013FC40000-0x000000013FF94000-memory.dmp | UPX
C:\Windows\system\ANHofLM.exe | UPX
C:\Windows\system\uiGiUxh.exe | UPX
behavioral1/memory/2428-65-0x000000013F660000-0x000000013F9B4000-memory.dmp | UPX
behavioral1/memory/1984-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp | UPX
behavioral1/memory/2524-51-0x000000013F570000-0x000000013F8C4000-memory.dmp | UPX
C:\Windows\system\CYXzbAc.exe | UPX
behavioral1/memory/2584-42-0x000000013FAC0000-0x000000013FE14000-memory.dmp | UPX
behavioral1/memory/2516-41-0x000000013F1C0000-0x000000013F514000-memory.dmp | UPX
behavioral1/memory/2588-34-0x000000013FD50000-0x00000001400A4000-memory.dmp | UPX
C:\Windows\system\rZrJwOZ.exe | UPX
behavioral1/memory/3044-15-0x000000013F100000-0x000000013F454000-memory.dmp | UPX
behavioral1/memory/2348-138-0x000000013F670000-0x000000013F9C4000-memory.dmp | UPX
C:\Windows\system\LosdpiY.exe | UPX
behavioral1/memory/640-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp | UPX
behavioral1/memory/1356-142-0x000000013FC40000-0x000000013FF94000-memory.dmp | UPX
behavioral1/memory/2692-143-0x000000013F930000-0x000000013FC84000-memory.dmp | UPX
behavioral1/memory/3044-144-0x000000013F100000-0x000000013F454000-memory.dmp | UPX
behavioral1/memory/2588-145-0x000000013FD50000-0x00000001400A4000-memory.dmp | UPX
behavioral1/memory/2912-146-0x000000013F270000-0x000000013F5C4000-memory.dmp | UPX
behavioral1/memory/2620-147-0x000000013F340000-0x000000013F694000-memory.dmp | UPX
behavioral1/memory/2516-148-0x000000013F1C0000-0x000000013F514000-memory.dmp | UPX
behavioral1/memory/2584-149-0x000000013FAC0000-0x000000013FE14000-memory.dmp | UPX
behavioral1/memory/2524-150-0x000000013F570000-0x000000013F8C4000-memory.dmp | UPX
behavioral1/memory/2348-151-0x000000013F670000-0x000000013F9C4000-memory.dmp | UPX
behavioral1/memory/2428-152-0x000000013F660000-0x000000013F9B4000-memory.dmp | UPX
behavioral1/memory/2820-153-0x000000013F6F0000-0x000000013FA44000-memory.dmp | UPX
behavioral1/memory/640-155-0x000000013FA50000-0x000000013FDA4000-memory.dmp | UPX
behavioral1/memory/1356-154-0x000000013FC40000-0x000000013FF94000-memory.dmp | UPX
behavioral1/memory/2664-156-0x000000013F050000-0x000000013F3A4000-memory.dmp | UPX
behavioral1/memory/2692-157-0x000000013F930000-0x000000013FC84000-memory.dmp | UPX
XMRig Miner payload (59 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1984-0-0x000000013FBC0000-0x000000013FF14000-memory.dmp | xmrig
\Windows\system\vmyXzRf.exe | xmrig
C:\Windows\system\OTEuVUz.exe | xmrig
C:\Windows\system\PjnmIzj.exe | xmrig
C:\Windows\system\vLkwPoc.exe | xmrig
behavioral1/memory/2620-36-0x000000013F340000-0x000000013F694000-memory.dmp | xmrig
behavioral1/memory/2912-25-0x000000013F270000-0x000000013F5C4000-memory.dmp | xmrig
C:\Windows\system\feXqrgt.exe | xmrig
behavioral1/memory/2348-56-0x000000013F670000-0x000000013F9C4000-memory.dmp | xmrig
C:\Windows\system\ockHrkR.exe | xmrig
behavioral1/memory/2820-72-0x000000013F6F0000-0x000000013FA44000-memory.dmp | xmrig
behavioral1/memory/640-79-0x000000013FA50000-0x000000013FDA4000-memory.dmp | xmrig
behavioral1/memory/2516-98-0x000000013F1C0000-0x000000013F514000-memory.dmp | xmrig
C:\Windows\system\GWQHzhT.exe | xmrig
C:\Windows\system\INKZVkb.exe | xmrig
C:\Windows\system\XrAyDHM.exe | xmrig
\Windows\system\FprZOuL.exe | xmrig
C:\Windows\system\kxMwVhj.exe | xmrig
C:\Windows\system\uoqkODq.exe | xmrig
C:\Windows\system\NsTndpb.exe | xmrig
behavioral1/memory/2692-100-0x000000013F930000-0x000000013FC84000-memory.dmp | xmrig
behavioral1/memory/2584-99-0x000000013FAC0000-0x000000013FE14000-memory.dmp | xmrig
behavioral1/memory/2664-93-0x000000013F050000-0x000000013F3A4000-memory.dmp | xmrig
C:\Windows\system\nPMUIIh.exe | xmrig
C:\Windows\system\TZNBWyH.exe | xmrig
behavioral1/memory/2912-77-0x000000013F270000-0x000000013F5C4000-memory.dmp | xmrig
C:\Windows\system\xJrTfZK.exe | xmrig
behavioral1/memory/1356-84-0x000000013FC40000-0x000000013FF94000-memory.dmp | xmrig
C:\Windows\system\ANHofLM.exe | xmrig
C:\Windows\system\uiGiUxh.exe | xmrig
behavioral1/memory/2428-65-0x000000013F660000-0x000000013F9B4000-memory.dmp | xmrig
behavioral1/memory/1984-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp | xmrig
behavioral1/memory/2524-51-0x000000013F570000-0x000000013F8C4000-memory.dmp | xmrig
C:\Windows\system\CYXzbAc.exe | xmrig
behavioral1/memory/2584-42-0x000000013FAC0000-0x000000013FE14000-memory.dmp | xmrig
behavioral1/memory/2516-41-0x000000013F1C0000-0x000000013F514000-memory.dmp | xmrig
behavioral1/memory/2588-34-0x000000013FD50000-0x00000001400A4000-memory.dmp | xmrig
C:\Windows\system\rZrJwOZ.exe | xmrig
behavioral1/memory/1984-27-0x000000013F1C0000-0x000000013F514000-memory.dmp | xmrig
behavioral1/memory/3044-15-0x000000013F100000-0x000000013F454000-memory.dmp | xmrig
behavioral1/memory/2348-138-0x000000013F670000-0x000000013F9C4000-memory.dmp | xmrig
C:\Windows\system\LosdpiY.exe | xmrig
behavioral1/memory/640-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp | xmrig
behavioral1/memory/1356-142-0x000000013FC40000-0x000000013FF94000-memory.dmp | xmrig
behavioral1/memory/2692-143-0x000000013F930000-0x000000013FC84000-memory.dmp | xmrig
behavioral1/memory/3044-144-0x000000013F100000-0x000000013F454000-memory.dmp | xmrig
behavioral1/memory/2588-145-0x000000013FD50000-0x00000001400A4000-memory.dmp | xmrig
behavioral1/memory/2912-146-0x000000013F270000-0x000000013F5C4000-memory.dmp | xmrig
behavioral1/memory/2620-147-0x000000013F340000-0x000000013F694000-memory.dmp | xmrig
behavioral1/memory/2516-148-0x000000013F1C0000-0x000000013F514000-memory.dmp | xmrig
behavioral1/memory/2584-149-0x000000013FAC0000-0x000000013FE14000-memory.dmp | xmrig
behavioral1/memory/2524-150-0x000000013F570000-0x000000013F8C4000-memory.dmp | xmrig
behavioral1/memory/2348-151-0x000000013F670000-0x000000013F9C4000-memory.dmp | xmrig
behavioral1/memory/2428-152-0x000000013F660000-0x000000013F9B4000-memory.dmp | xmrig
behavioral1/memory/2820-153-0x000000013F6F0000-0x000000013FA44000-memory.dmp | xmrig
behavioral1/memory/640-155-0x000000013FA50000-0x000000013FDA4000-memory.dmp | xmrig
behavioral1/memory/1356-154-0x000000013FC40000-0x000000013FF94000-memory.dmp | xmrig
behavioral1/memory/2664-156-0x000000013F050000-0x000000013F3A4000-memory.dmp | xmrig
behavioral1/memory/2692-157-0x000000013F930000-0x000000013FC84000-memory.dmp | xmrig
Executes dropped EXE (21 IoCs)
Processes:
pid | process
3044 | LosdpiY.exe
2912 | vmyXzRf.exe
2588 | rZrJwOZ.exe
2620 | OTEuVUz.exe
2516 | PjnmIzj.exe
2584 | vLkwPoc.exe
2524 | feXqrgt.exe
2348 | CYXzbAc.exe
2428 | ockHrkR.exe
2820 | uiGiUxh.exe
640 | xJrTfZK.exe
1356 | ANHofLM.exe
2664 | nPMUIIh.exe
2692 | TZNBWyH.exe
1608 | GWQHzhT.exe
1748 | NsTndpb.exe
108 | uoqkODq.exe
2132 | kxMwVhj.exe
1588 | XrAyDHM.exe
2640 | INKZVkb.exe
2452 | FprZOuL.exe
Loads dropped DLL (21 IoCs)
Processes:
pid | process
1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe (this row is repeated 21 times in the report)
Processes:
resource | yara_rule
behavioral1/memory/1984-0-0x000000013FBC0000-0x000000013FF14000-memory.dmp | upx
\Windows\system\vmyXzRf.exe | upx
C:\Windows\system\OTEuVUz.exe | upx
C:\Windows\system\PjnmIzj.exe | upx
C:\Windows\system\vLkwPoc.exe | upx
behavioral1/memory/2620-36-0x000000013F340000-0x000000013F694000-memory.dmp | upx
behavioral1/memory/2912-25-0x000000013F270000-0x000000013F5C4000-memory.dmp | upx
C:\Windows\system\feXqrgt.exe | upx
behavioral1/memory/2348-56-0x000000013F670000-0x000000013F9C4000-memory.dmp | upx
C:\Windows\system\ockHrkR.exe | upx
behavioral1/memory/2820-72-0x000000013F6F0000-0x000000013FA44000-memory.dmp | upx
behavioral1/memory/640-79-0x000000013FA50000-0x000000013FDA4000-memory.dmp | upx
behavioral1/memory/2516-98-0x000000013F1C0000-0x000000013F514000-memory.dmp | upx
C:\Windows\system\GWQHzhT.exe | upx
C:\Windows\system\INKZVkb.exe | upx
C:\Windows\system\XrAyDHM.exe | upx
\Windows\system\FprZOuL.exe | upx
C:\Windows\system\kxMwVhj.exe | upx
C:\Windows\system\uoqkODq.exe | upx
C:\Windows\system\NsTndpb.exe | upx
behavioral1/memory/2692-100-0x000000013F930000-0x000000013FC84000-memory.dmp | upx
behavioral1/memory/2584-99-0x000000013FAC0000-0x000000013FE14000-memory.dmp | upx
behavioral1/memory/2664-93-0x000000013F050000-0x000000013F3A4000-memory.dmp | upx
C:\Windows\system\nPMUIIh.exe | upx
C:\Windows\system\TZNBWyH.exe | upx
behavioral1/memory/2912-77-0x000000013F270000-0x000000013F5C4000-memory.dmp | upx
C:\Windows\system\xJrTfZK.exe | upx
behavioral1/memory/1356-84-0x000000013FC40000-0x000000013FF94000-memory.dmp | upx
C:\Windows\system\ANHofLM.exe | upx
C:\Windows\system\uiGiUxh.exe | upx
behavioral1/memory/2428-65-0x000000013F660000-0x000000013F9B4000-memory.dmp | upx
behavioral1/memory/1984-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp | upx
behavioral1/memory/2524-51-0x000000013F570000-0x000000013F8C4000-memory.dmp | upx
C:\Windows\system\CYXzbAc.exe | upx
behavioral1/memory/2584-42-0x000000013FAC0000-0x000000013FE14000-memory.dmp | upx
behavioral1/memory/2516-41-0x000000013F1C0000-0x000000013F514000-memory.dmp | upx
behavioral1/memory/2588-34-0x000000013FD50000-0x00000001400A4000-memory.dmp | upx
C:\Windows\system\rZrJwOZ.exe | upx
behavioral1/memory/3044-15-0x000000013F100000-0x000000013F454000-memory.dmp | upx
behavioral1/memory/2348-138-0x000000013F670000-0x000000013F9C4000-memory.dmp | upx
C:\Windows\system\LosdpiY.exe | upx
behavioral1/memory/640-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp | upx
behavioral1/memory/1356-142-0x000000013FC40000-0x000000013FF94000-memory.dmp | upx
behavioral1/memory/2692-143-0x000000013F930000-0x000000013FC84000-memory.dmp | upx
behavioral1/memory/3044-144-0x000000013F100000-0x000000013F454000-memory.dmp | upx
behavioral1/memory/2588-145-0x000000013FD50000-0x00000001400A4000-memory.dmp | upx
behavioral1/memory/2912-146-0x000000013F270000-0x000000013F5C4000-memory.dmp | upx
behavioral1/memory/2620-147-0x000000013F340000-0x000000013F694000-memory.dmp | upx
behavioral1/memory/2516-148-0x000000013F1C0000-0x000000013F514000-memory.dmp | upx
behavioral1/memory/2584-149-0x000000013FAC0000-0x000000013FE14000-memory.dmp | upx
behavioral1/memory/2524-150-0x000000013F570000-0x000000013F8C4000-memory.dmp | upx
behavioral1/memory/2348-151-0x000000013F670000-0x000000013F9C4000-memory.dmp | upx
behavioral1/memory/2428-152-0x000000013F660000-0x000000013F9B4000-memory.dmp | upx
behavioral1/memory/2820-153-0x000000013F6F0000-0x000000013FA44000-memory.dmp | upx
behavioral1/memory/640-155-0x000000013FA50000-0x000000013FDA4000-memory.dmp | upx
behavioral1/memory/1356-154-0x000000013FC40000-0x000000013FF94000-memory.dmp | upx
behavioral1/memory/2664-156-0x000000013F050000-0x000000013F3A4000-memory.dmp | upx
behavioral1/memory/2692-157-0x000000013F930000-0x000000013FC84000-memory.dmp | upx
Drops file in Windows directory (21 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System\vmyXzRf.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\OTEuVUz.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\vLkwPoc.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\CYXzbAc.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\kxMwVhj.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\FprZOuL.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\GWQHzhT.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\XrAyDHM.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\NsTndpb.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\uoqkODq.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\LosdpiY.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\rZrJwOZ.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\PjnmIzj.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\feXqrgt.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ockHrkR.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ANHofLM.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\uiGiUxh.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\xJrTfZK.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\nPMUIIh.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\TZNBWyH.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\INKZVkb.exe | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Processes:
description | pid | process | target process
(each of the following rows appears three times in the report)
PID 1984 wrote to memory of 3044 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | LosdpiY.exe
PID 1984 wrote to memory of 2912 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | vmyXzRf.exe
PID 1984 wrote to memory of 2588 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | rZrJwOZ.exe
PID 1984 wrote to memory of 2620 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | OTEuVUz.exe
PID 1984 wrote to memory of 2516 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | PjnmIzj.exe
PID 1984 wrote to memory of 2584 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | vLkwPoc.exe
PID 1984 wrote to memory of 2524 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | feXqrgt.exe
PID 1984 wrote to memory of 2348 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | CYXzbAc.exe
PID 1984 wrote to memory of 2428 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | ockHrkR.exe
PID 1984 wrote to memory of 2820 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | uiGiUxh.exe
PID 1984 wrote to memory of 640 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | xJrTfZK.exe
PID 1984 wrote to memory of 1356 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | ANHofLM.exe
PID 1984 wrote to memory of 2664 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | nPMUIIh.exe
PID 1984 wrote to memory of 2692 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | TZNBWyH.exe
PID 1984 wrote to memory of 1608 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | GWQHzhT.exe
PID 1984 wrote to memory of 1748 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | NsTndpb.exe
PID 1984 wrote to memory of 108 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | uoqkODq.exe
PID 1984 wrote to memory of 2132 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | kxMwVhj.exe
PID 1984 wrote to memory of 1588 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | XrAyDHM.exe
PID 1984 wrote to memory of 2640 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | INKZVkb.exe
PID 1984 wrote to memory of 2452 | 1984 | 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe | FprZOuL.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
  C:\Windows\System\LosdpiY.exe
  Command line: C:\Windows\System\LosdpiY.exe
  - Executes dropped EXE
  PID:3044
  C:\Windows\System\vmyXzRf.exe
  Command line: C:\Windows\System\vmyXzRf.exe
  - Executes dropped EXE
  PID:2912
  C:\Windows\System\rZrJwOZ.exe
  Command line: C:\Windows\System\rZrJwOZ.exe
  - Executes dropped EXE
  PID:2588
  C:\Windows\System\OTEuVUz.exe
  Command line: C:\Windows\System\OTEuVUz.exe
  - Executes dropped EXE
  PID:2620
  C:\Windows\System\PjnmIzj.exe
  Command line: C:\Windows\System\PjnmIzj.exe
  - Executes dropped EXE
  PID:2516
  C:\Windows\System\vLkwPoc.exe
  Command line: C:\Windows\System\vLkwPoc.exe
  - Executes dropped EXE
  PID:2584
  C:\Windows\System\feXqrgt.exe
  Command line: C:\Windows\System\feXqrgt.exe
  - Executes dropped EXE
  PID:2524
  C:\Windows\System\CYXzbAc.exe
  Command line: C:\Windows\System\CYXzbAc.exe
  - Executes dropped EXE
  PID:2348
  C:\Windows\System\ockHrkR.exe
  Command line: C:\Windows\System\ockHrkR.exe
  - Executes dropped EXE
  PID:2428
  C:\Windows\System\uiGiUxh.exe
  Command line: C:\Windows\System\uiGiUxh.exe
  - Executes dropped EXE
  PID:2820
  C:\Windows\System\xJrTfZK.exe
  Command line: C:\Windows\System\xJrTfZK.exe
  - Executes dropped EXE
  PID:640
  C:\Windows\System\ANHofLM.exe
  Command line: C:\Windows\System\ANHofLM.exe
  - Executes dropped EXE
  PID:1356
  C:\Windows\System\nPMUIIh.exe
  Command line: C:\Windows\System\nPMUIIh.exe
  - Executes dropped EXE
  PID:2664
  C:\Windows\System\TZNBWyH.exe
  Command line: C:\Windows\System\TZNBWyH.exe
  - Executes dropped EXE
  PID:2692
  C:\Windows\System\GWQHzhT.exe
  Command line: C:\Windows\System\GWQHzhT.exe
  - Executes dropped EXE
  PID:1608
  C:\Windows\System\NsTndpb.exe
  Command line: C:\Windows\System\NsTndpb.exe
  - Executes dropped EXE
  PID:1748
  C:\Windows\System\uoqkODq.exe
  Command line: C:\Windows\System\uoqkODq.exe
  - Executes dropped EXE
  PID:108
  C:\Windows\System\kxMwVhj.exe
  Command line: C:\Windows\System\kxMwVhj.exe
  - Executes dropped EXE
  PID:2132
  C:\Windows\System\XrAyDHM.exe
  Command line: C:\Windows\System\XrAyDHM.exe
  - Executes dropped EXE
  PID:1588
  C:\Windows\System\INKZVkb.exe
  Command line: C:\Windows\System\INKZVkb.exe
  - Executes dropped EXE
  PID:2640
  C:\Windows\System\FprZOuL.exe
  Command line: C:\Windows\System\FprZOuL.exe
  - Executes dropped EXE
  PID:2452
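The process tree and the "wrote to memory" events describe one pattern: PID 1984 drops executables under C:\Windows\System (the Downloads section lists 21 files, each 5.9MB like the sample itself but with distinct hashes), executes each one, and then calls WriteProcessMemory on the child it just started. The script below correlates the two views of that behaviour. It is an added example, not part of the sandbox report or of any sandbox's own tooling; the event lines and the process table embedded in it are constructed from a short excerpt of the report's entries (the first event line deliberately lacks its "PID 1984" prefix, as the report's does), and the function names are the example's own.

```python
"""Correlate a sandbox report's WriteProcessMemory events with its process tree.

Added example; not part of the report or of any sandbox tooling. The event lines
and the process table are constructed from the report's own entries (an excerpt,
not the full run).
"""
import re
from collections import Counter

SAMPLE = "2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe"

# Constructed excerpt of the report's "wrote to memory" lines. The sandbox logs
# every WriteProcessMemory call separately (three per child in this run), and
# the first line here, like the report's first line, has lost its "PID 1984" prefix.
WRITE_EVENTS = "\n".join(
    ["wrote to memory of 1748 1984 %s NsTndpb.exe" % SAMPLE]
    + ["PID 1984 wrote to memory of 1748 1984 %s NsTndpb.exe" % SAMPLE] * 2
    + ["PID 1984 wrote to memory of 108 1984 %s uoqkODq.exe" % SAMPLE] * 3
    + ["PID 1984 wrote to memory of 2132 1984 %s kxMwVhj.exe" % SAMPLE] * 3
    + ["PID 1984 wrote to memory of 1588 1984 %s XrAyDHM.exe" % SAMPLE]
)

# Constructed from the report's Processes section: (pid, parent pid, image path).
PROCESSES = [
    (1984, None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE),
    (3044, 1984, "C:\\Windows\\System\\LosdpiY.exe"),  # executed; no write event in this excerpt
    (1748, 1984, "C:\\Windows\\System\\NsTndpb.exe"),
    (108, 1984, "C:\\Windows\\System\\uoqkODq.exe"),
    (2132, 1984, "C:\\Windows\\System\\kxMwVhj.exe"),
    (1588, 1984, "C:\\Windows\\System\\XrAyDHM.exe"),
]

# Line shape: "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
# The writer PID appears twice, so a line whose leading "PID n" was cut off
# (as happened to the report's first entry) can still be attributed.
EVENT_RE = re.compile(
    r"^(?:PID (?P<prefix>\d+) )?wrote to memory of (?P<target>\d+) (?P<writer>\d+) "
    r"(?P<writer_image>\S+) (?P<target_image>\S+)$"
)


def parse_write_events(text):
    """Parse event lines into dicts; malformed lines are skipped, never guessed at."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        if m["prefix"] is not None and m["prefix"] != m["writer"]:
            continue  # the two writer PIDs disagree: do not trust the record
        events.append({
            "writer": int(m["writer"]),
            "target": int(m["target"]),
            "writer_image": m["writer_image"],
            "target_image": m["target_image"],
        })
    return events


def correlate(events, processes):
    """One finding per (writer, target) pair, joined with the process table."""
    by_pid = {pid: (ppid, path) for pid, ppid, path in processes}
    counts = Counter((e["writer"], e["target"]) for e in events)
    findings = []
    for (writer, target), n in sorted(counts.items()):
        ppid, path = by_pid.get(target, (None, ""))
        findings.append({
            "writer": writer,
            "target": target,
            "target_path": path,
            "write_events": n,
            "target_is_child_of_writer": ppid == writer,
            "target_in_windows_system": path.lower().startswith("c:\\windows\\system\\"),
        })
    return findings


def flagged_targets(findings):
    """Targets matching this report's pattern: the writer spawned the target from
    an executable dropped under C:\\Windows\\System and then wrote into it."""
    return sorted(f["target"] for f in findings
                  if f["target_is_child_of_writer"] and f["target_in_windows_system"])


def spawned_without_write(findings, processes):
    """Children that were executed but have no write event in the parsed input
    (for the report, children whose events, if any, fall outside this excerpt)."""
    written = {f["target"] for f in findings}
    return sorted(pid for pid, ppid, _ in processes if ppid is not None and pid not in written)


if __name__ == "__main__":
    found = correlate(parse_write_events(WRITE_EVENTS), PROCESSES)
    for f in found:
        print("%(writer)d -> %(target)d  %(target_path)s  writes=%(write_events)d" % f)
    print("flagged:", flagged_targets(found))
    print("executed without write event:", spawned_without_write(found, PROCESSES))
```

The join on parent PID is what turns a noisy "Suspicious use of WriteProcessMemory" tag into a specific finding: the writer is also the parent, and the target image is one the writer dropped into the Windows directory a moment earlier. Children that appear in the tree but have no write event are reported separately rather than silently ignored, since in the report they are exactly the entries whose events sit outside the quoted excerpt.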
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 5.9MB
MD5: 764a81c5dc9a890dfbf1dca4dc603729
SHA1: 5022f5f67a089f6c0fd9ffd0816e3f412f71f80b
SHA256: 53d942ea337fef3d832c2cf10915323fee4ce5bdbb0e4ddfb93733a542294349
SHA512: 396fd14a6afb1fd4767238e6903abbd9e002abc45eb2c12d4b6345a24e86a19f6b263e86b9d446cb6bda55d88c5bbb2611242a44ae7d6768bbff4818f7d53a9c
-
Filesize: 5.9MB
MD5: dc0a94eaf1bca21ffb15febc1f15ef55
SHA1: fc4d6c637075d64e386489ce99c052f38e01eb59
SHA256: c3b609e2f24b547f24d9ceceeeb78d4b968180a9e5db097f669bbba4ea0b55af
SHA512: c4f5bb7817fcbb94484621de05cce06c972a530a45f2ea96f7f683cbd4cdc0468bc8ced9ca0b231b2d77d7b77b6b2f798aa4fd4f155da20919d91e20eae91d85
-
Filesize: 5.9MB
MD5: 83ebeb2c7ddee8c6b46597c6cd4df1fc
SHA1: 345e338dbcabcf31fd23d51abd81a838bd7a6a14
SHA256: d4dfe76cb67512257720bc257cef10d435fadd23bd6e0472084305d2675138b2
SHA512: 0a7e7ebc7334972725b5852b628414ea2c236e598fe59dcc2bda881a64195472153043483f36270bb6a58927865e28bc0994294855bd7151071b6b0e7fe9d6a7
-
Filesize: 5.9MB
MD5: 3081eb1f5fa8d417003a3d839bcf1f7f
SHA1: 7d46fd4e1296e1ad234e2bac225903b5fa2d4506
SHA256: 1de95474feb63fbc5cfaadf591307fd0eee9cde0ae673b693a3ea6f60bae9e71
SHA512: 7d84e6b9c49bfd09006089eb63bca84d9999dd8e91ac930afd3dbb955f0b19c461c02ef320b918a1180cbe5aa202b64666ec273a96ad563ed3392cc723ab9ea6
-
Filesize: 5.9MB
MD5: 4269671564194ae52627ee0884990d8b
SHA1: 56dde78423e7b6b41fc7eb8589341d1013ae006d
SHA256: 2cf747115782882e6e42a9bb97a714d04766c6b8b5a7b76a766c71ba588f2e27
SHA512: 33cf6bf4528bbfc4c5901b99fcf9fe5b0447c82bd856f592ea4fbeeefd7e75a5c13887dbb3ea69da5df3bf9a021d3293f4618f4416c2c91cdfa4b92e78a31d44
-
Filesize: 5.9MB
MD5: 6d36d68da44d9c2d3f0c5f716e8cd6f9
SHA1: 22f58ffc8fa540630ba4293ca27abbf4c6627198
SHA256: ccab98ca5391dd5318f3e67f1158c5eea07d8d1ea1a174e65607e142db4ac20d
SHA512: 0c72e698142cced620d312f2c95116f2f80f8c6b95f2064314869affd4f27cd24425dcd3861b82bcb7cca7ea24c20c60827139cfde5d07a100e4efff94dc0ea2
-
Filesize: 5.9MB
MD5: 93601547a84534600b3005f8985281a5
SHA1: 3acd3c8cf38e0614fd4c69579e1bcf8f4522b8db
SHA256: e6d879a078fb7608f948817667060f20c1d4c0155f343cd98ae6d02dd34acda4
SHA512: 75963bf81952a33478ef6f6fa39057e0f6da644c3a235bd426f8a16953381d0691ce5f27e09aa11c4fd86252a314c93d98b2b3a1f1365e7b714f28607d4ceadf
-
Filesize: 5.9MB
MD5: 32466adffb1861a1c881bdc9c4dccb24
SHA1: 634d0e69e9502ee2d60a1a0df2128780d5b4ec33
SHA256: ad6687e517016abff65051e8a000d39586de101c1860199a39a96c1a76b42406
SHA512: 48477f85b7583ce04d4a597caa8fd86ede4be2c98ccae431f5a943e154b270eb52a48fae8ad909237dd25e3303503b67ecfd09fbe54b5a65177101e2fbe3346e
-
Filesize: 5.9MB
MD5: eb090510d87cda9f5a1579175d8c80b9
SHA1: ea6ad65017d223b5e030d6ab8c777b997378f0ea
SHA256: 8f08027c2b7f6137a444fae9ae20ebd8088c086a67febeb9da30aeecaba0ddc3
SHA512: 860dc651e18c4a8b743f609b7414c562bf7cdcf2da5a986b37a3ea7176737b16065f345d7f0361668a6f89933927122840f9eb3f7fe167173e777c860745fcc0
-
Filesize: 5.9MB
MD5: 95aa19f6dbdf29e2f55f139ce18cdfca
SHA1: 2769ac0b4adaff43efdbcc2c6f53f034bbd0a2d1
SHA256: 6fc53f3a64bbe634348cf83d5b431e04c131ac10c86643b7c723fa442ed826c9
SHA512: a9debd3c32019da7f553bcfd600bff666ac7d24d42cf7ae419abec5514da45a669aa05ddde0743995c6632ace7fd0e885a41592abbbe4bf5c0a065ad1fbfe98b
-
Filesize: 5.9MB
MD5: 719013a90d2522d6ad78aa918b0531ba
SHA1: 0007555e2e199cc5ea75dfe08992979486a09400
SHA256: 6c9b05d1e12e2ebfc4cc81d6638100f4d0c15a5445cda3f637f0138b121c1917
SHA512: d4a4248f150481db28892ce64f90b92dfe548a6b2ec4e2f2b92c88701c3b9ed232ecf1dea06452c0244889474c9f702c844932e1c9cd4695063e74103ffc2555
-
Filesize: 5.9MB
MD5: a973bd1746a972b361368f4bde6b6dca
SHA1: f64a3847b02d53594f2a664e3b2e1d22663ff4d5
SHA256: d8c6b3116b1dfbabc790304ae2000eff1d74ec658b9f0c26338cd757768bb919
SHA512: a0713774bc5f6afe8cdb6749d796bb02d4043b27791e956cf61286c54145c427ac3a3ee284feee53ee86d02dfd1913459ea335d1fb99a082f8df42af93aedcb9
-
Filesize: 5.9MB
MD5: 6af5ce0049c5a0226b3d792cc6653354
SHA1: cfb0d8133dfd0f938aa7f16e860f467f989e81b0
SHA256: 5e82da46d4ba995c6a79111579d809400d0655e3c08f0286835564ce82487a17
SHA512: 14b29b6101bc9a6a3c4c1d36d45d3d799b43799fb35254bf10178d65c647ecc0ba39ef5c6aee3b6afba6d55b8f36a0ec803c5b315193c377e7d47bcf430b1999
-
Filesize: 5.9MB
MD5: e2b0d46ecc1b6526fa3897e098ff087e
SHA1: f95d71d3510b8115cc2fb1daf289e796d38582a3
SHA256: 21bc417b4d29781b0cb421595f360571bbc0b3964ec1343d98f9c36035b22001
SHA512: 6fe7448fe051cdffaec1ed37acede9de191b70b9da103ea23a31d33bc9bee0f07f5128b269e0aba036588e08a77766f615f70b83a9cf72c9e53062d0f7a5ee81
-
Filesize: 5.9MB
MD5: ff5e3f1f47ed732e045ec4845aa67984
SHA1: a87ef7421b17b26b50c98e1c1c14a35b1e03a127
SHA256: ba65667d5bb0c3c619c3cebf8fdda08e915513db94da09997aff91a2eb99fa7e
SHA512: e54cfc6286fb7b703e718113db05a7cc72a3749eca9f9026df1a4afbb1dac0c690dae1010fadf6e5ccc919e0c798a2073ecc94fd2ac0540d1aa6a9e2467d786b
-
Filesize: 5.9MB
MD5: 8c531b0dcd171ffc991f2e2312f51d2e
SHA1: 89f73bd4b3a19a155d825edec277aefa2de336ee
SHA256: ef37e14cdd80db96b4a4fdba3fc1b5d6b2697d2f625b3e0678a2cf62f389fd75
SHA512: b6d9fc197c4b38acd5751380f2452ce77bbfb9fa8e58fe34833ca9468195502658e48344ab19cc9d0d2e214185e9eeb5fb7886ee1f4a49798da87b1173ea37a8
-
Filesize: 5.9MB
MD5: cffff41f4fd9442c233323e29a5e38f3
SHA1: dc464c418e1ffed6e83d036651882852d417d046
SHA256: 3cb687c81d6a6af806fa887069a862f3ddb9637024beb35e4ebeb838881c45eb
SHA512: 313810560aa3da4e478ff53b25c46b81a79077d1ce89cb2f6a14041e600a6bd490b75cc0687e524551a59d6a450bf3f4351438bd1898afd3853e17cf8b4b8c76
-
Filesize: 5.9MB
MD5: 85c2fe618f37eb8c0cc26c9154dacc96
SHA1: f63dc625b904d4957620c3007544eb241889eca3
SHA256: eaa064bd4f46f781f706f72f4d027294c4eddb9cab80cf4e48203e6ca8992466
SHA512: a7a59831841d42c7627136a08c42b97776ae2e64b0479975cffde387132bc04b01ec108861c8a9ed2cde8507ba21d1fa4fd91b114443e350dec8accffd4cb111
-
Filesize: 5.9MB
MD5: dac460e7570b4e722974a9e9528580b0
SHA1: 13d9a0c59ef87874120d9591f7c1583390cbc807
SHA256: b79747208bd7d2ce13d244b83446b5f52bc76bc1fe2ec0ee80fa1c4307931c18
SHA512: 015f5a38666b8cd897aa3ec5157860e4d40a08618219b61a0796634ec48e4641b7dc642ff6340234973bbe438f3cf355b939bd86be84ddc318f7ea623fef0002
-
Filesize: 5.9MB
MD5: e0362e3daa9efbeea66ca6a3c8234186
SHA1: 42631daa95f24113db2b8a045857679e8b923397
SHA256: 8f0bbf8ef3dd57d070a103d18247374d09c75640fb06f2a30308a667c6fe3eaf
SHA512: a6ecf93b81a5da63060eaeab44d7a7af922cf009ea7408bb9b72a00cebdac4c8a5a1a29f50f03fd77c0868e8c66dde4513d21b765c659cdcab095517b6dd085b
-
Filesize: 5.9MB
MD5: 9c5d32c4afc1843e52b82ebb7e9649e1
SHA1: 47fcde724542a6c741ea1efcba5661220b6f0883
SHA256: eef194d431eb488b5ef87ae1228c290ad61b4a44b76ed0f98790cd14400014d6
SHA512: 1fb9d100536ff158fd560cb794f1fe1187acb61e3fb01baa2dcd723cee5ab0ef9b5f83b4897a8566350a5eb80ba13950905e42b825a91fe7b97e294420d091ce