Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 10:02
Behavioral task: behavioral1
Sample: 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
Resource: win7-20240508-en
General
- Target: 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: 633ff58c2470ae6e49db3c439077d2cd
- SHA1: 1ef92e34c8950d55d8e803d06a7c5a06348cc606
- SHA256: 0f8c4b87434281a7cbbe5d8412c8bfa9808567abc4bee020dca65d8841c9e1a0
- SHA512: 76bf31c58bc0a319830941a36d0dcd24c6e4ea292ef7f976a18543edb95c3c98ae07ea58cf6bd2a9edf00458a71b1cd1eb4ca3a6e2ff2bae83af5cd4111153ff
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUg:Q+856utgpPF8u/7g
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
  Processes:
  resource | yara_rule
  \Windows\system\kpwmblG.exe | cobalt_reflective_dll
  \Windows\system\vnxbNmr.exe | cobalt_reflective_dll
  \Windows\system\mnFPKiT.exe | cobalt_reflective_dll
  C:\Windows\system\ezxingF.exe | cobalt_reflective_dll
  C:\Windows\system\ppRjPcf.exe | cobalt_reflective_dll
  C:\Windows\system\cJKKLHm.exe | cobalt_reflective_dll
  C:\Windows\system\iXJsqBS.exe | cobalt_reflective_dll
  C:\Windows\system\liSocVH.exe | cobalt_reflective_dll
  C:\Windows\system\eeXjzjd.exe | cobalt_reflective_dll
  C:\Windows\system\qkDyCSu.exe | cobalt_reflective_dll
  \Windows\system\KQlKddt.exe | cobalt_reflective_dll
  C:\Windows\system\SFXcBXP.exe | cobalt_reflective_dll
  C:\Windows\system\IdibMTM.exe | cobalt_reflective_dll
  C:\Windows\system\SAKTVMw.exe | cobalt_reflective_dll
  C:\Windows\system\aWPZtBg.exe | cobalt_reflective_dll
  C:\Windows\system\oTeJmnY.exe | cobalt_reflective_dll
  C:\Windows\system\EjVcuQS.exe | cobalt_reflective_dll
  C:\Windows\system\HsYtIPU.exe | cobalt_reflective_dll
  C:\Windows\system\fNjkSEg.exe | cobalt_reflective_dll
  C:\Windows\system\aBpFMbp.exe | cobalt_reflective_dll
  C:\Windows\system\cotNido.exe | cobalt_reflective_dll
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Detects Reflective DLL injection artifacts (21 IoCs)
  Processes:
  resource | yara_rule
  \Windows\system\kpwmblG.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\vnxbNmr.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\mnFPKiT.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\ezxingF.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\ppRjPcf.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\cJKKLHm.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\iXJsqBS.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\liSocVH.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\eeXjzjd.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\qkDyCSu.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  \Windows\system\KQlKddt.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\SFXcBXP.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\IdibMTM.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\SAKTVMw.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\aWPZtBg.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\oTeJmnY.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\EjVcuQS.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\HsYtIPU.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\fNjkSEg.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\aBpFMbp.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
  C:\Windows\system\cotNido.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
- UPX dump on OEP (original entry point) (61 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1304-0-0x000000013F070000-0x000000013F3C4000-memory.dmp | UPX
  \Windows\system\kpwmblG.exe | UPX
  behavioral1/memory/1124-8-0x000000013F6D0000-0x000000013FA24000-memory.dmp | UPX
  \Windows\system\vnxbNmr.exe | UPX
  behavioral1/memory/2800-13-0x000000013F430000-0x000000013F784000-memory.dmp | UPX
  \Windows\system\mnFPKiT.exe | UPX
  behavioral1/memory/2572-21-0x000000013FAA0000-0x000000013FDF4000-memory.dmp | UPX
  C:\Windows\system\ezxingF.exe | UPX
  behavioral1/memory/2584-28-0x000000013FC80000-0x000000013FFD4000-memory.dmp | UPX
  C:\Windows\system\ppRjPcf.exe | UPX
  C:\Windows\system\cJKKLHm.exe | UPX
  behavioral1/memory/2748-48-0x000000013F830000-0x000000013FB84000-memory.dmp | UPX
  behavioral1/memory/2612-41-0x000000013FC50000-0x000000013FFA4000-memory.dmp | UPX
  behavioral1/memory/2696-34-0x000000013F540000-0x000000013F894000-memory.dmp | UPX
  C:\Windows\system\iXJsqBS.exe | UPX
  C:\Windows\system\liSocVH.exe | UPX
  behavioral1/memory/2660-54-0x000000013F7F0000-0x000000013FB44000-memory.dmp | UPX
  behavioral1/memory/1304-53-0x000000013F070000-0x000000013F3C4000-memory.dmp | UPX
  behavioral1/memory/1124-67-0x000000013F6D0000-0x000000013FA24000-memory.dmp | UPX
  behavioral1/memory/2128-68-0x000000013F410000-0x000000013F764000-memory.dmp | UPX
  C:\Windows\system\eeXjzjd.exe | UPX
  behavioral1/memory/2904-89-0x000000013FF10000-0x0000000140264000-memory.dmp | UPX
  C:\Windows\system\qkDyCSu.exe | UPX
  \Windows\system\KQlKddt.exe | UPX
  C:\Windows\system\SFXcBXP.exe | UPX
  C:\Windows\system\IdibMTM.exe | UPX
  C:\Windows\system\SAKTVMw.exe | UPX
  behavioral1/memory/2696-102-0x000000013F540000-0x000000013F894000-memory.dmp | UPX
  C:\Windows\system\aWPZtBg.exe | UPX
  C:\Windows\system\oTeJmnY.exe | UPX
  behavioral1/memory/2612-134-0x000000013FC50000-0x000000013FFA4000-memory.dmp | UPX
  behavioral1/memory/2368-94-0x000000013F0B0000-0x000000013F404000-memory.dmp | UPX
  C:\Windows\system\EjVcuQS.exe | UPX
  C:\Windows\system\HsYtIPU.exe | UPX
  behavioral1/memory/2008-81-0x000000013F670000-0x000000013F9C4000-memory.dmp | UPX
  behavioral1/memory/2800-79-0x000000013F430000-0x000000013F784000-memory.dmp | UPX
  C:\Windows\system\fNjkSEg.exe | UPX
  behavioral1/memory/1676-74-0x000000013FDD0000-0x0000000140124000-memory.dmp | UPX
  C:\Windows\system\aBpFMbp.exe | UPX
  behavioral1/memory/2492-62-0x000000013FC30000-0x000000013FF84000-memory.dmp | UPX
  C:\Windows\system\cotNido.exe | UPX
  behavioral1/memory/2660-135-0x000000013F7F0000-0x000000013FB44000-memory.dmp | UPX
  behavioral1/memory/2128-137-0x000000013F410000-0x000000013F764000-memory.dmp | UPX
  behavioral1/memory/1676-138-0x000000013FDD0000-0x0000000140124000-memory.dmp | UPX
  behavioral1/memory/2008-140-0x000000013F670000-0x000000013F9C4000-memory.dmp | UPX
  behavioral1/memory/2904-142-0x000000013FF10000-0x0000000140264000-memory.dmp | UPX
  behavioral1/memory/2368-144-0x000000013F0B0000-0x000000013F404000-memory.dmp | UPX
  behavioral1/memory/1124-146-0x000000013F6D0000-0x000000013FA24000-memory.dmp | UPX
  behavioral1/memory/2572-147-0x000000013FAA0000-0x000000013FDF4000-memory.dmp | UPX
  behavioral1/memory/2800-148-0x000000013F430000-0x000000013F784000-memory.dmp | UPX
  behavioral1/memory/2584-149-0x000000013FC80000-0x000000013FFD4000-memory.dmp | UPX
  behavioral1/memory/2696-150-0x000000013F540000-0x000000013F894000-memory.dmp | UPX
  behavioral1/memory/2612-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp | UPX
  behavioral1/memory/2660-152-0x000000013F7F0000-0x000000013FB44000-memory.dmp | UPX
  behavioral1/memory/2492-153-0x000000013FC30000-0x000000013FF84000-memory.dmp | UPX
  behavioral1/memory/2128-154-0x000000013F410000-0x000000013F764000-memory.dmp | UPX
  behavioral1/memory/1676-155-0x000000013FDD0000-0x0000000140124000-memory.dmp | UPX
  behavioral1/memory/2008-156-0x000000013F670000-0x000000013F9C4000-memory.dmp | UPX
  behavioral1/memory/2368-157-0x000000013F0B0000-0x000000013F404000-memory.dmp | UPX
  behavioral1/memory/2904-158-0x000000013FF10000-0x0000000140264000-memory.dmp | UPX
  behavioral1/memory/2748-159-0x000000013F830000-0x000000013FB84000-memory.dmp | UPX
- XMRig Miner payload (63 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1304-0-0x000000013F070000-0x000000013F3C4000-memory.dmp | xmrig
  \Windows\system\kpwmblG.exe | xmrig
  behavioral1/memory/1124-8-0x000000013F6D0000-0x000000013FA24000-memory.dmp | xmrig
  \Windows\system\vnxbNmr.exe | xmrig
  behavioral1/memory/2800-13-0x000000013F430000-0x000000013F784000-memory.dmp | xmrig
  \Windows\system\mnFPKiT.exe | xmrig
  behavioral1/memory/2572-21-0x000000013FAA0000-0x000000013FDF4000-memory.dmp | xmrig
  C:\Windows\system\ezxingF.exe | xmrig
  behavioral1/memory/2584-28-0x000000013FC80000-0x000000013FFD4000-memory.dmp | xmrig
  C:\Windows\system\ppRjPcf.exe | xmrig
  C:\Windows\system\cJKKLHm.exe | xmrig
  behavioral1/memory/2748-48-0x000000013F830000-0x000000013FB84000-memory.dmp | xmrig
  behavioral1/memory/2612-41-0x000000013FC50000-0x000000013FFA4000-memory.dmp | xmrig
  behavioral1/memory/2696-34-0x000000013F540000-0x000000013F894000-memory.dmp | xmrig
  C:\Windows\system\iXJsqBS.exe | xmrig
  C:\Windows\system\liSocVH.exe | xmrig
  behavioral1/memory/2660-54-0x000000013F7F0000-0x000000013FB44000-memory.dmp | xmrig
  behavioral1/memory/1304-53-0x000000013F070000-0x000000013F3C4000-memory.dmp | xmrig
  behavioral1/memory/1124-67-0x000000013F6D0000-0x000000013FA24000-memory.dmp | xmrig
  behavioral1/memory/2128-68-0x000000013F410000-0x000000013F764000-memory.dmp | xmrig
  C:\Windows\system\eeXjzjd.exe | xmrig
  behavioral1/memory/1304-80-0x000000013F670000-0x000000013F9C4000-memory.dmp | xmrig
  behavioral1/memory/2904-89-0x000000013FF10000-0x0000000140264000-memory.dmp | xmrig
  C:\Windows\system\qkDyCSu.exe | xmrig
  \Windows\system\KQlKddt.exe | xmrig
  C:\Windows\system\SFXcBXP.exe | xmrig
  C:\Windows\system\IdibMTM.exe | xmrig
  C:\Windows\system\SAKTVMw.exe | xmrig
  behavioral1/memory/2696-102-0x000000013F540000-0x000000013F894000-memory.dmp | xmrig
  C:\Windows\system\aWPZtBg.exe | xmrig
  C:\Windows\system\oTeJmnY.exe | xmrig
  behavioral1/memory/2612-134-0x000000013FC50000-0x000000013FFA4000-memory.dmp | xmrig
  behavioral1/memory/2368-94-0x000000013F0B0000-0x000000013F404000-memory.dmp | xmrig
  C:\Windows\system\EjVcuQS.exe | xmrig
  C:\Windows\system\HsYtIPU.exe | xmrig
  behavioral1/memory/2008-81-0x000000013F670000-0x000000013F9C4000-memory.dmp | xmrig
  behavioral1/memory/2800-79-0x000000013F430000-0x000000013F784000-memory.dmp | xmrig
  C:\Windows\system\fNjkSEg.exe | xmrig
  behavioral1/memory/1676-74-0x000000013FDD0000-0x0000000140124000-memory.dmp | xmrig
  C:\Windows\system\aBpFMbp.exe | xmrig
  behavioral1/memory/2492-62-0x000000013FC30000-0x000000013FF84000-memory.dmp | xmrig
  C:\Windows\system\cotNido.exe | xmrig
  behavioral1/memory/2660-135-0x000000013F7F0000-0x000000013FB44000-memory.dmp | xmrig
  behavioral1/memory/2128-137-0x000000013F410000-0x000000013F764000-memory.dmp | xmrig
  behavioral1/memory/1676-138-0x000000013FDD0000-0x0000000140124000-memory.dmp | xmrig
  behavioral1/memory/1304-139-0x000000013F670000-0x000000013F9C4000-memory.dmp | xmrig
  behavioral1/memory/2008-140-0x000000013F670000-0x000000013F9C4000-memory.dmp | xmrig
  behavioral1/memory/2904-142-0x000000013FF10000-0x0000000140264000-memory.dmp | xmrig
  behavioral1/memory/2368-144-0x000000013F0B0000-0x000000013F404000-memory.dmp | xmrig
  behavioral1/memory/1124-146-0x000000013F6D0000-0x000000013FA24000-memory.dmp | xmrig
  behavioral1/memory/2572-147-0x000000013FAA0000-0x000000013FDF4000-memory.dmp | xmrig
  behavioral1/memory/2800-148-0x000000013F430000-0x000000013F784000-memory.dmp | xmrig
  behavioral1/memory/2584-149-0x000000013FC80000-0x000000013FFD4000-memory.dmp | xmrig
  behavioral1/memory/2696-150-0x000000013F540000-0x000000013F894000-memory.dmp | xmrig
  behavioral1/memory/2612-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp | xmrig
  behavioral1/memory/2660-152-0x000000013F7F0000-0x000000013FB44000-memory.dmp | xmrig
  behavioral1/memory/2492-153-0x000000013FC30000-0x000000013FF84000-memory.dmp | xmrig
  behavioral1/memory/2128-154-0x000000013F410000-0x000000013F764000-memory.dmp | xmrig
  behavioral1/memory/1676-155-0x000000013FDD0000-0x0000000140124000-memory.dmp | xmrig
  behavioral1/memory/2008-156-0x000000013F670000-0x000000013F9C4000-memory.dmp | xmrig
  behavioral1/memory/2368-157-0x000000013F0B0000-0x000000013F404000-memory.dmp | xmrig
  behavioral1/memory/2904-158-0x000000013FF10000-0x0000000140264000-memory.dmp | xmrig
  behavioral1/memory/2748-159-0x000000013F830000-0x000000013FB84000-memory.dmp | xmrig
- Executes dropped EXE (21 IoCs)
  Processes:
  pid | process
  1124 | kpwmblG.exe
  2800 | vnxbNmr.exe
  2572 | mnFPKiT.exe
  2584 | ezxingF.exe
  2696 | iXJsqBS.exe
  2612 | ppRjPcf.exe
  2748 | cJKKLHm.exe
  2660 | liSocVH.exe
  2492 | cotNido.exe
  2128 | aBpFMbp.exe
  1676 | eeXjzjd.exe
  2008 | fNjkSEg.exe
  2904 | HsYtIPU.exe
  2368 | EjVcuQS.exe
  352 | aWPZtBg.exe
  1788 | oTeJmnY.exe
  2000 | SAKTVMw.exe
  348 | IdibMTM.exe
  1780 | SFXcBXP.exe
  1968 | qkDyCSu.exe
  2468 | KQlKddt.exe
- Loads dropped DLL (21 IoCs)
  Processes:
  pid | process
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
Processes:
  resource | yara_rule
  behavioral1/memory/1304-0-0x000000013F070000-0x000000013F3C4000-memory.dmp | upx
  \Windows\system\kpwmblG.exe | upx
  behavioral1/memory/1124-8-0x000000013F6D0000-0x000000013FA24000-memory.dmp | upx
  \Windows\system\vnxbNmr.exe | upx
  behavioral1/memory/2800-13-0x000000013F430000-0x000000013F784000-memory.dmp | upx
  \Windows\system\mnFPKiT.exe | upx
  behavioral1/memory/2572-21-0x000000013FAA0000-0x000000013FDF4000-memory.dmp | upx
  C:\Windows\system\ezxingF.exe | upx
  behavioral1/memory/2584-28-0x000000013FC80000-0x000000013FFD4000-memory.dmp | upx
  C:\Windows\system\ppRjPcf.exe | upx
  C:\Windows\system\cJKKLHm.exe | upx
  behavioral1/memory/2748-48-0x000000013F830000-0x000000013FB84000-memory.dmp | upx
  behavioral1/memory/2612-41-0x000000013FC50000-0x000000013FFA4000-memory.dmp | upx
  behavioral1/memory/2696-34-0x000000013F540000-0x000000013F894000-memory.dmp | upx
  C:\Windows\system\iXJsqBS.exe | upx
  C:\Windows\system\liSocVH.exe | upx
  behavioral1/memory/2660-54-0x000000013F7F0000-0x000000013FB44000-memory.dmp | upx
  behavioral1/memory/1304-53-0x000000013F070000-0x000000013F3C4000-memory.dmp | upx
  behavioral1/memory/1124-67-0x000000013F6D0000-0x000000013FA24000-memory.dmp | upx
  behavioral1/memory/2128-68-0x000000013F410000-0x000000013F764000-memory.dmp | upx
  C:\Windows\system\eeXjzjd.exe | upx
  behavioral1/memory/2904-89-0x000000013FF10000-0x0000000140264000-memory.dmp | upx
  C:\Windows\system\qkDyCSu.exe | upx
  \Windows\system\KQlKddt.exe | upx
  C:\Windows\system\SFXcBXP.exe | upx
  C:\Windows\system\IdibMTM.exe | upx
  C:\Windows\system\SAKTVMw.exe | upx
  behavioral1/memory/2696-102-0x000000013F540000-0x000000013F894000-memory.dmp | upx
  C:\Windows\system\aWPZtBg.exe | upx
  C:\Windows\system\oTeJmnY.exe | upx
  behavioral1/memory/2612-134-0x000000013FC50000-0x000000013FFA4000-memory.dmp | upx
  behavioral1/memory/2368-94-0x000000013F0B0000-0x000000013F404000-memory.dmp | upx
  C:\Windows\system\EjVcuQS.exe | upx
  C:\Windows\system\HsYtIPU.exe | upx
  behavioral1/memory/2008-81-0x000000013F670000-0x000000013F9C4000-memory.dmp | upx
  behavioral1/memory/2800-79-0x000000013F430000-0x000000013F784000-memory.dmp | upx
  C:\Windows\system\fNjkSEg.exe | upx
  behavioral1/memory/1676-74-0x000000013FDD0000-0x0000000140124000-memory.dmp | upx
  C:\Windows\system\aBpFMbp.exe | upx
  behavioral1/memory/2492-62-0x000000013FC30000-0x000000013FF84000-memory.dmp | upx
  C:\Windows\system\cotNido.exe | upx
  behavioral1/memory/2660-135-0x000000013F7F0000-0x000000013FB44000-memory.dmp | upx
  behavioral1/memory/2128-137-0x000000013F410000-0x000000013F764000-memory.dmp | upx
  behavioral1/memory/1676-138-0x000000013FDD0000-0x0000000140124000-memory.dmp | upx
  behavioral1/memory/2008-140-0x000000013F670000-0x000000013F9C4000-memory.dmp | upx
  behavioral1/memory/2904-142-0x000000013FF10000-0x0000000140264000-memory.dmp | upx
  behavioral1/memory/2368-144-0x000000013F0B0000-0x000000013F404000-memory.dmp | upx
  behavioral1/memory/1124-146-0x000000013F6D0000-0x000000013FA24000-memory.dmp | upx
  behavioral1/memory/2572-147-0x000000013FAA0000-0x000000013FDF4000-memory.dmp | upx
  behavioral1/memory/2800-148-0x000000013F430000-0x000000013F784000-memory.dmp | upx
  behavioral1/memory/2584-149-0x000000013FC80000-0x000000013FFD4000-memory.dmp | upx
  behavioral1/memory/2696-150-0x000000013F540000-0x000000013F894000-memory.dmp | upx
  behavioral1/memory/2612-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp | upx
  behavioral1/memory/2660-152-0x000000013F7F0000-0x000000013FB44000-memory.dmp | upx
  behavioral1/memory/2492-153-0x000000013FC30000-0x000000013FF84000-memory.dmp | upx
  behavioral1/memory/2128-154-0x000000013F410000-0x000000013F764000-memory.dmp | upx
  behavioral1/memory/1676-155-0x000000013FDD0000-0x0000000140124000-memory.dmp | upx
  behavioral1/memory/2008-156-0x000000013F670000-0x000000013F9C4000-memory.dmp | upx
  behavioral1/memory/2368-157-0x000000013F0B0000-0x000000013F404000-memory.dmp | upx
  behavioral1/memory/2904-158-0x000000013FF10000-0x0000000140264000-memory.dmp | upx
  behavioral1/memory/2748-159-0x000000013F830000-0x000000013FB84000-memory.dmp | upx
- Drops file in Windows directory (21 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\System\EjVcuQS.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\aWPZtBg.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\oTeJmnY.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\qkDyCSu.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\iXJsqBS.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\liSocVH.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\SAKTVMw.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\SFXcBXP.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\KQlKddt.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\vnxbNmr.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\HsYtIPU.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\ppRjPcf.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\aBpFMbp.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\fNjkSEg.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\IdibMTM.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\kpwmblG.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\mnFPKiT.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\cotNido.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\eeXjzjd.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\ezxingF.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  File created | C:\Windows\System\cJKKLHm.exe | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeLockMemoryPrivilege | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
  Token: SeLockMemoryPrivilege | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
  Processes:
  description | pid | process | target process
  PID 1304 wrote to memory of 1124 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | kpwmblG.exe
  PID 1304 wrote to memory of 1124 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | kpwmblG.exe
  PID 1304 wrote to memory of 1124 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | kpwmblG.exe
  PID 1304 wrote to memory of 2800 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | vnxbNmr.exe
  PID 1304 wrote to memory of 2800 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | vnxbNmr.exe
  PID 1304 wrote to memory of 2800 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | vnxbNmr.exe
  PID 1304 wrote to memory of 2572 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | mnFPKiT.exe
  PID 1304 wrote to memory of 2572 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | mnFPKiT.exe
  PID 1304 wrote to memory of 2572 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | mnFPKiT.exe
  PID 1304 wrote to memory of 2584 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | ezxingF.exe
  PID 1304 wrote to memory of 2584 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | ezxingF.exe
  PID 1304 wrote to memory of 2584 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | ezxingF.exe
  PID 1304 wrote to memory of 2696 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | iXJsqBS.exe
  PID 1304 wrote to memory of 2696 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | iXJsqBS.exe
  PID 1304 wrote to memory of 2696 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | iXJsqBS.exe
  PID 1304 wrote to memory of 2612 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | ppRjPcf.exe
  PID 1304 wrote to memory of 2612 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | ppRjPcf.exe
  PID 1304 wrote to memory of 2612 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | ppRjPcf.exe
  PID 1304 wrote to memory of 2748 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | cJKKLHm.exe
  PID 1304 wrote to memory of 2748 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | cJKKLHm.exe
  PID 1304 wrote to memory of 2748 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | cJKKLHm.exe
  PID 1304 wrote to memory of 2660 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | liSocVH.exe
  PID 1304 wrote to memory of 2660 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | liSocVH.exe
  PID 1304 wrote to memory of 2660 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | liSocVH.exe
  PID 1304 wrote to memory of 2492 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | cotNido.exe
  PID 1304 wrote to memory of 2492 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | cotNido.exe
  PID 1304 wrote to memory of 2492 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | cotNido.exe
  PID 1304 wrote to memory of 2128 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | aBpFMbp.exe
  PID 1304 wrote to memory of 2128 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | aBpFMbp.exe
  PID 1304 wrote to memory of 2128 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | aBpFMbp.exe
  PID 1304 wrote to memory of 1676 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | eeXjzjd.exe
  PID 1304 wrote to memory of 1676 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | eeXjzjd.exe
  PID 1304 wrote to memory of 1676 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | eeXjzjd.exe
  PID 1304 wrote to memory of 2008 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | fNjkSEg.exe
  PID 1304 wrote to memory of 2008 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | fNjkSEg.exe
  PID 1304 wrote to memory of 2008 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | fNjkSEg.exe
  PID 1304 wrote to memory of 2904 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | HsYtIPU.exe
  PID 1304 wrote to memory of 2904 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | HsYtIPU.exe
  PID 1304 wrote to memory of 2904 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | HsYtIPU.exe
  PID 1304 wrote to memory of 2368 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | EjVcuQS.exe
  PID 1304 wrote to memory of 2368 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | EjVcuQS.exe
  PID 1304 wrote to memory of 2368 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | EjVcuQS.exe
  PID 1304 wrote to memory of 352 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | aWPZtBg.exe
  PID 1304 wrote to memory of 352 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | aWPZtBg.exe
  PID 1304 wrote to memory of 352 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | aWPZtBg.exe
  PID 1304 wrote to memory of 1788 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | oTeJmnY.exe
  PID 1304 wrote to memory of 1788 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | oTeJmnY.exe
  PID 1304 wrote to memory of 1788 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | oTeJmnY.exe
  PID 1304 wrote to memory of 2000 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | SAKTVMw.exe
  PID 1304 wrote to memory of 2000 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | SAKTVMw.exe
  PID 1304 wrote to memory of 2000 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | SAKTVMw.exe
  PID 1304 wrote to memory of 348 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | IdibMTM.exe
  PID 1304 wrote to memory of 348 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | IdibMTM.exe
  PID 1304 wrote to memory of 348 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | IdibMTM.exe
  PID 1304 wrote to memory of 1780 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | SFXcBXP.exe
  PID 1304 wrote to memory of 1780 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | SFXcBXP.exe
  PID 1304 wrote to memory of 1780 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | SFXcBXP.exe
  PID 1304 wrote to memory of 1968 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | qkDyCSu.exe
  PID 1304 wrote to memory of 1968 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | qkDyCSu.exe
  PID 1304 wrote to memory of 1968 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | qkDyCSu.exe
  PID 1304 wrote to memory of 2468 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | KQlKddt.exe
  PID 1304 wrote to memory of 2468 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | KQlKddt.exe
  PID 1304 wrote to memory of 2468 | 1304 | 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | KQlKddt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
  C:\Windows\System\kpwmblG.exe
  Command line: C:\Windows\System\kpwmblG.exe
  - Executes dropped EXE
  PID:1124
  C:\Windows\System\vnxbNmr.exe
  Command line: C:\Windows\System\vnxbNmr.exe
  - Executes dropped EXE
  PID:2800
  C:\Windows\System\mnFPKiT.exe
  Command line: C:\Windows\System\mnFPKiT.exe
  - Executes dropped EXE
  PID:2572
  C:\Windows\System\ezxingF.exe
  Command line: C:\Windows\System\ezxingF.exe
  - Executes dropped EXE
  PID:2584
  C:\Windows\System\iXJsqBS.exe
  Command line: C:\Windows\System\iXJsqBS.exe
  - Executes dropped EXE
  PID:2696
  C:\Windows\System\ppRjPcf.exe
  Command line: C:\Windows\System\ppRjPcf.exe
  - Executes dropped EXE
  PID:2612
  C:\Windows\System\cJKKLHm.exe
  Command line: C:\Windows\System\cJKKLHm.exe
  - Executes dropped EXE
  PID:2748
  C:\Windows\System\liSocVH.exe
  Command line: C:\Windows\System\liSocVH.exe
  - Executes dropped EXE
  PID:2660
  C:\Windows\System\cotNido.exe
  Command line: C:\Windows\System\cotNido.exe
  - Executes dropped EXE
  PID:2492
  C:\Windows\System\aBpFMbp.exe
  Command line: C:\Windows\System\aBpFMbp.exe
  - Executes dropped EXE
  PID:2128
  C:\Windows\System\eeXjzjd.exe
  Command line: C:\Windows\System\eeXjzjd.exe
  - Executes dropped EXE
  PID:1676
  C:\Windows\System\fNjkSEg.exe
  Command line: C:\Windows\System\fNjkSEg.exe
  - Executes dropped EXE
  PID:2008
  C:\Windows\System\HsYtIPU.exe
  Command line: C:\Windows\System\HsYtIPU.exe
  - Executes dropped EXE
  PID:2904
  C:\Windows\System\EjVcuQS.exe
  Command line: C:\Windows\System\EjVcuQS.exe
  - Executes dropped EXE
  PID:2368
  C:\Windows\System\aWPZtBg.exe
  Command line: C:\Windows\System\aWPZtBg.exe
  - Executes dropped EXE
  PID:352
  C:\Windows\System\oTeJmnY.exe
  Command line: C:\Windows\System\oTeJmnY.exe
  - Executes dropped EXE
  PID:1788
  C:\Windows\System\SAKTVMw.exe
  Command line: C:\Windows\System\SAKTVMw.exe
  - Executes dropped EXE
  PID:2000
  C:\Windows\System\IdibMTM.exe
  Command line: C:\Windows\System\IdibMTM.exe
  - Executes dropped EXE
  PID:348
  C:\Windows\System\SFXcBXP.exe
  Command line: C:\Windows\System\SFXcBXP.exe
  - Executes dropped EXE
  PID:1780
  C:\Windows\System\qkDyCSu.exe
  Command line: C:\Windows\System\qkDyCSu.exe
  - Executes dropped EXE
  PID:1968
  C:\Windows\System\KQlKddt.exe
  Command line: C:\Windows\System\KQlKddt.exe
  - Executes dropped EXE
  PID:2468
Downloads