Analysis
max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
06-06-2024 14:32
Behavioral task
behavioral1
Sample
2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
Resource
win7-20240220-en
General
Target
2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
Size
5.9MB
MD5
a0ee1c10495cb52bf410da9d5444d96a
SHA1
e16fe6e2f115349fb47ce62a7f8f9890dc1532f7
SHA256
3aad0af3bf85b006f9b859e3ccdfb7ff233b3fbfd95fb1227d8eeb46cb57df99
SHA512
4ca49c9e0e8fd996df0ac4a340f98e6cda00758c194d3ea2597f088b8b1ef12b31f0d396b9f2824598d439a1d436c771d83ab02904c00647f466376a5c538f90
SSDEEP
98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUG:Q+856utgpPF8u/7G
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Processes:
resource  yara_rule
\Windows\system\AQxHoYR.exe  cobalt_reflective_dll
\Windows\system\rMAFwHQ.exe  cobalt_reflective_dll
\Windows\system\fQQJFtm.exe  cobalt_reflective_dll
C:\Windows\system\riZTMEp.exe  cobalt_reflective_dll
\Windows\system\WBoUYvR.exe  cobalt_reflective_dll
C:\Windows\system\tHTeaqT.exe  cobalt_reflective_dll
\Windows\system\YcwrfBK.exe  cobalt_reflective_dll
C:\Windows\system\euEXSVI.exe  cobalt_reflective_dll
C:\Windows\system\ZQSWJWM.exe  cobalt_reflective_dll
C:\Windows\system\THsfzmp.exe  cobalt_reflective_dll
C:\Windows\system\qcbliwa.exe  cobalt_reflective_dll
\Windows\system\KwhzLOi.exe  cobalt_reflective_dll
C:\Windows\system\gqlyPNC.exe  cobalt_reflective_dll
C:\Windows\system\GohwhZx.exe  cobalt_reflective_dll
C:\Windows\system\tCuEaLa.exe  cobalt_reflective_dll
C:\Windows\system\eWlKuUw.exe  cobalt_reflective_dll
C:\Windows\system\ULnIwZq.exe  cobalt_reflective_dll
C:\Windows\system\LnnKxkw.exe  cobalt_reflective_dll
C:\Windows\system\qETdfOk.exe  cobalt_reflective_dll
C:\Windows\system\bjywSbF.exe  cobalt_reflective_dll
C:\Windows\system\lHeMGvb.exe  cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Detects Reflective DLL injection artifacts 21 IoCs
Processes:
resource  yara_rule
\Windows\system\AQxHoYR.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\rMAFwHQ.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\fQQJFtm.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\riZTMEp.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\WBoUYvR.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tHTeaqT.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YcwrfBK.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\euEXSVI.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZQSWJWM.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\THsfzmp.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qcbliwa.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KwhzLOi.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gqlyPNC.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GohwhZx.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tCuEaLa.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eWlKuUw.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ULnIwZq.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LnnKxkw.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qETdfOk.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bjywSbF.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lHeMGvb.exe  INDICATOR_SUSPICIOUS_ReflectiveLoader
UPX dump on OEP (original entry point) 60 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2192-1-0x000000013F150000-0x000000013F4A4000-memory.dmp  UPX
\Windows\system\AQxHoYR.exe  UPX
behavioral1/memory/1788-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp  UPX
\Windows\system\rMAFwHQ.exe  UPX
\Windows\system\fQQJFtm.exe  UPX
behavioral1/memory/2984-18-0x000000013FC50000-0x000000013FFA4000-memory.dmp  UPX
behavioral1/memory/2476-20-0x000000013FB50000-0x000000013FEA4000-memory.dmp  UPX
C:\Windows\system\riZTMEp.exe  UPX
behavioral1/memory/2600-28-0x000000013F5B0000-0x000000013F904000-memory.dmp  UPX
\Windows\system\WBoUYvR.exe  UPX
C:\Windows\system\tHTeaqT.exe  UPX
behavioral1/memory/2192-39-0x000000013F150000-0x000000013F4A4000-memory.dmp  UPX
behavioral1/memory/2660-40-0x000000013FFD0000-0x0000000140324000-memory.dmp  UPX
behavioral1/memory/2512-35-0x000000013F0B0000-0x000000013F404000-memory.dmp  UPX
\Windows\system\YcwrfBK.exe  UPX
C:\Windows\system\euEXSVI.exe  UPX
behavioral1/memory/2448-47-0x000000013F1D0000-0x000000013F524000-memory.dmp  UPX
behavioral1/memory/2404-56-0x000000013FA10000-0x000000013FD64000-memory.dmp  UPX
behavioral1/memory/2864-70-0x000000013FEA0000-0x00000001401F4000-memory.dmp  UPX
C:\Windows\system\ZQSWJWM.exe  UPX
behavioral1/memory/2640-86-0x000000013FED0000-0x0000000140224000-memory.dmp  UPX
C:\Windows\system\THsfzmp.exe  UPX
C:\Windows\system\qcbliwa.exe  UPX
\Windows\system\KwhzLOi.exe  UPX
C:\Windows\system\gqlyPNC.exe  UPX
C:\Windows\system\GohwhZx.exe  UPX
C:\Windows\system\tCuEaLa.exe  UPX
C:\Windows\system\eWlKuUw.exe  UPX
C:\Windows\system\ULnIwZq.exe  UPX
behavioral1/memory/2844-99-0x000000013F250000-0x000000013F5A4000-memory.dmp  UPX
behavioral1/memory/2820-93-0x000000013FF00000-0x0000000140254000-memory.dmp  UPX
behavioral1/memory/2600-91-0x000000013F5B0000-0x000000013F904000-memory.dmp  UPX
C:\Windows\system\LnnKxkw.exe  UPX
behavioral1/memory/2476-84-0x000000013FB50000-0x000000013FEA4000-memory.dmp  UPX
behavioral1/memory/2044-77-0x000000013F0B0000-0x000000013F404000-memory.dmp  UPX
behavioral1/memory/2984-75-0x000000013FC50000-0x000000013FFA4000-memory.dmp  UPX
C:\Windows\system\qETdfOk.exe  UPX
behavioral1/memory/2660-136-0x000000013FFD0000-0x0000000140324000-memory.dmp  UPX
C:\Windows\system\bjywSbF.exe  UPX
behavioral1/memory/2856-62-0x000000013FF30000-0x0000000140284000-memory.dmp  UPX
C:\Windows\system\lHeMGvb.exe  UPX
behavioral1/memory/2448-137-0x000000013F1D0000-0x000000013F524000-memory.dmp  UPX
behavioral1/memory/2856-139-0x000000013FF30000-0x0000000140284000-memory.dmp  UPX
behavioral1/memory/2044-141-0x000000013F0B0000-0x000000013F404000-memory.dmp  UPX
behavioral1/memory/2820-144-0x000000013FF00000-0x0000000140254000-memory.dmp  UPX
behavioral1/memory/2844-145-0x000000013F250000-0x000000013F5A4000-memory.dmp  UPX
behavioral1/memory/1788-146-0x000000013FC50000-0x000000013FFA4000-memory.dmp  UPX
behavioral1/memory/2984-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp  UPX
behavioral1/memory/2476-148-0x000000013FB50000-0x000000013FEA4000-memory.dmp  UPX
behavioral1/memory/2600-149-0x000000013F5B0000-0x000000013F904000-memory.dmp  UPX
behavioral1/memory/2512-150-0x000000013F0B0000-0x000000013F404000-memory.dmp  UPX
behavioral1/memory/2660-151-0x000000013FFD0000-0x0000000140324000-memory.dmp  UPX
behavioral1/memory/2404-152-0x000000013FA10000-0x000000013FD64000-memory.dmp  UPX
behavioral1/memory/2448-153-0x000000013F1D0000-0x000000013F524000-memory.dmp  UPX
behavioral1/memory/2856-154-0x000000013FF30000-0x0000000140284000-memory.dmp  UPX
behavioral1/memory/2864-155-0x000000013FEA0000-0x00000001401F4000-memory.dmp  UPX
behavioral1/memory/2044-156-0x000000013F0B0000-0x000000013F404000-memory.dmp  UPX
behavioral1/memory/2640-157-0x000000013FED0000-0x0000000140224000-memory.dmp  UPX
behavioral1/memory/2820-158-0x000000013FF00000-0x0000000140254000-memory.dmp  UPX
behavioral1/memory/2844-159-0x000000013F250000-0x000000013F5A4000-memory.dmp  UPX
XMRig Miner payload 62 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2192-1-0x000000013F150000-0x000000013F4A4000-memory.dmp  xmrig
\Windows\system\AQxHoYR.exe  xmrig
behavioral1/memory/1788-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp  xmrig
\Windows\system\rMAFwHQ.exe  xmrig
\Windows\system\fQQJFtm.exe  xmrig
behavioral1/memory/2984-18-0x000000013FC50000-0x000000013FFA4000-memory.dmp  xmrig
behavioral1/memory/2476-20-0x000000013FB50000-0x000000013FEA4000-memory.dmp  xmrig
C:\Windows\system\riZTMEp.exe  xmrig
behavioral1/memory/2600-28-0x000000013F5B0000-0x000000013F904000-memory.dmp  xmrig
\Windows\system\WBoUYvR.exe  xmrig
C:\Windows\system\tHTeaqT.exe  xmrig
behavioral1/memory/2192-39-0x000000013F150000-0x000000013F4A4000-memory.dmp  xmrig
behavioral1/memory/2192-37-0x000000013FFD0000-0x0000000140324000-memory.dmp  xmrig
behavioral1/memory/2660-40-0x000000013FFD0000-0x0000000140324000-memory.dmp  xmrig
behavioral1/memory/2512-35-0x000000013F0B0000-0x000000013F404000-memory.dmp  xmrig
\Windows\system\YcwrfBK.exe  xmrig
C:\Windows\system\euEXSVI.exe  xmrig
behavioral1/memory/2448-47-0x000000013F1D0000-0x000000013F524000-memory.dmp  xmrig
behavioral1/memory/2404-56-0x000000013FA10000-0x000000013FD64000-memory.dmp  xmrig
behavioral1/memory/2864-70-0x000000013FEA0000-0x00000001401F4000-memory.dmp  xmrig
C:\Windows\system\ZQSWJWM.exe  xmrig
behavioral1/memory/2640-86-0x000000013FED0000-0x0000000140224000-memory.dmp  xmrig
C:\Windows\system\THsfzmp.exe  xmrig
C:\Windows\system\qcbliwa.exe  xmrig
\Windows\system\KwhzLOi.exe  xmrig
C:\Windows\system\gqlyPNC.exe  xmrig
C:\Windows\system\GohwhZx.exe  xmrig
C:\Windows\system\tCuEaLa.exe  xmrig
C:\Windows\system\eWlKuUw.exe  xmrig
C:\Windows\system\ULnIwZq.exe  xmrig
behavioral1/memory/2844-99-0x000000013F250000-0x000000013F5A4000-memory.dmp  xmrig
behavioral1/memory/2820-93-0x000000013FF00000-0x0000000140254000-memory.dmp  xmrig
behavioral1/memory/2600-91-0x000000013F5B0000-0x000000013F904000-memory.dmp  xmrig
C:\Windows\system\LnnKxkw.exe  xmrig
behavioral1/memory/2476-84-0x000000013FB50000-0x000000013FEA4000-memory.dmp  xmrig
behavioral1/memory/2044-77-0x000000013F0B0000-0x000000013F404000-memory.dmp  xmrig
behavioral1/memory/2192-76-0x0000000002460000-0x00000000027B4000-memory.dmp  xmrig
behavioral1/memory/2984-75-0x000000013FC50000-0x000000013FFA4000-memory.dmp  xmrig
C:\Windows\system\qETdfOk.exe  xmrig
behavioral1/memory/2660-136-0x000000013FFD0000-0x0000000140324000-memory.dmp  xmrig
C:\Windows\system\bjywSbF.exe  xmrig
behavioral1/memory/2856-62-0x000000013FF30000-0x0000000140284000-memory.dmp  xmrig
C:\Windows\system\lHeMGvb.exe  xmrig
behavioral1/memory/2448-137-0x000000013F1D0000-0x000000013F524000-memory.dmp  xmrig
behavioral1/memory/2856-139-0x000000013FF30000-0x0000000140284000-memory.dmp  xmrig
behavioral1/memory/2044-141-0x000000013F0B0000-0x000000013F404000-memory.dmp  xmrig
behavioral1/memory/2820-144-0x000000013FF00000-0x0000000140254000-memory.dmp  xmrig
behavioral1/memory/2844-145-0x000000013F250000-0x000000013F5A4000-memory.dmp  xmrig
behavioral1/memory/1788-146-0x000000013FC50000-0x000000013FFA4000-memory.dmp  xmrig
behavioral1/memory/2984-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp  xmrig
behavioral1/memory/2476-148-0x000000013FB50000-0x000000013FEA4000-memory.dmp  xmrig
behavioral1/memory/2600-149-0x000000013F5B0000-0x000000013F904000-memory.dmp  xmrig
behavioral1/memory/2512-150-0x000000013F0B0000-0x000000013F404000-memory.dmp  xmrig
behavioral1/memory/2660-151-0x000000013FFD0000-0x0000000140324000-memory.dmp  xmrig
behavioral1/memory/2404-152-0x000000013FA10000-0x000000013FD64000-memory.dmp  xmrig
behavioral1/memory/2448-153-0x000000013F1D0000-0x000000013F524000-memory.dmp  xmrig
behavioral1/memory/2856-154-0x000000013FF30000-0x0000000140284000-memory.dmp  xmrig
behavioral1/memory/2864-155-0x000000013FEA0000-0x00000001401F4000-memory.dmp  xmrig
behavioral1/memory/2044-156-0x000000013F0B0000-0x000000013F404000-memory.dmp  xmrig
behavioral1/memory/2640-157-0x000000013FED0000-0x0000000140224000-memory.dmp  xmrig
behavioral1/memory/2820-158-0x000000013FF00000-0x0000000140254000-memory.dmp  xmrig
behavioral1/memory/2844-159-0x000000013F250000-0x000000013F5A4000-memory.dmp  xmrig
Executes dropped EXE 21 IoCs
Processes:
pid  process
1788  AQxHoYR.exe
2984  fQQJFtm.exe
2476  rMAFwHQ.exe
2600  riZTMEp.exe
2512  tHTeaqT.exe
2660  WBoUYvR.exe
2448  YcwrfBK.exe
2404  euEXSVI.exe
2856  lHeMGvb.exe
2864  bjywSbF.exe
2044  qETdfOk.exe
2640  ZQSWJWM.exe
2820  LnnKxkw.exe
2844  THsfzmp.exe
928  ULnIwZq.exe
1568  eWlKuUw.exe
2116  tCuEaLa.exe
2180  GohwhZx.exe
860  gqlyPNC.exe
2160  qcbliwa.exe
2028  KwhzLOi.exe
Loads dropped DLL 21 IoCs
Processes:
pid  process
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
Processes:
resource  yara_rule
behavioral1/memory/2192-1-0x000000013F150000-0x000000013F4A4000-memory.dmp  upx
\Windows\system\AQxHoYR.exe  upx
behavioral1/memory/1788-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp  upx
\Windows\system\rMAFwHQ.exe  upx
\Windows\system\fQQJFtm.exe  upx
behavioral1/memory/2984-18-0x000000013FC50000-0x000000013FFA4000-memory.dmp  upx
behavioral1/memory/2476-20-0x000000013FB50000-0x000000013FEA4000-memory.dmp  upx
C:\Windows\system\riZTMEp.exe  upx
behavioral1/memory/2600-28-0x000000013F5B0000-0x000000013F904000-memory.dmp  upx
\Windows\system\WBoUYvR.exe  upx
C:\Windows\system\tHTeaqT.exe  upx
behavioral1/memory/2192-39-0x000000013F150000-0x000000013F4A4000-memory.dmp  upx
behavioral1/memory/2660-40-0x000000013FFD0000-0x0000000140324000-memory.dmp  upx
behavioral1/memory/2512-35-0x000000013F0B0000-0x000000013F404000-memory.dmp  upx
\Windows\system\YcwrfBK.exe  upx
C:\Windows\system\euEXSVI.exe  upx
behavioral1/memory/2448-47-0x000000013F1D0000-0x000000013F524000-memory.dmp  upx
behavioral1/memory/2404-56-0x000000013FA10000-0x000000013FD64000-memory.dmp  upx
behavioral1/memory/2864-70-0x000000013FEA0000-0x00000001401F4000-memory.dmp  upx
C:\Windows\system\ZQSWJWM.exe  upx
behavioral1/memory/2640-86-0x000000013FED0000-0x0000000140224000-memory.dmp  upx
C:\Windows\system\THsfzmp.exe  upx
C:\Windows\system\qcbliwa.exe  upx
\Windows\system\KwhzLOi.exe  upx
C:\Windows\system\gqlyPNC.exe  upx
C:\Windows\system\GohwhZx.exe  upx
C:\Windows\system\tCuEaLa.exe  upx
C:\Windows\system\eWlKuUw.exe  upx
C:\Windows\system\ULnIwZq.exe  upx
behavioral1/memory/2844-99-0x000000013F250000-0x000000013F5A4000-memory.dmp  upx
behavioral1/memory/2820-93-0x000000013FF00000-0x0000000140254000-memory.dmp  upx
behavioral1/memory/2600-91-0x000000013F5B0000-0x000000013F904000-memory.dmp  upx
C:\Windows\system\LnnKxkw.exe  upx
behavioral1/memory/2476-84-0x000000013FB50000-0x000000013FEA4000-memory.dmp  upx
behavioral1/memory/2044-77-0x000000013F0B0000-0x000000013F404000-memory.dmp  upx
behavioral1/memory/2984-75-0x000000013FC50000-0x000000013FFA4000-memory.dmp  upx
C:\Windows\system\qETdfOk.exe  upx
behavioral1/memory/2660-136-0x000000013FFD0000-0x0000000140324000-memory.dmp  upx
C:\Windows\system\bjywSbF.exe  upx
behavioral1/memory/2856-62-0x000000013FF30000-0x0000000140284000-memory.dmp  upx
C:\Windows\system\lHeMGvb.exe  upx
behavioral1/memory/2448-137-0x000000013F1D0000-0x000000013F524000-memory.dmp  upx
behavioral1/memory/2856-139-0x000000013FF30000-0x0000000140284000-memory.dmp  upx
behavioral1/memory/2044-141-0x000000013F0B0000-0x000000013F404000-memory.dmp  upx
behavioral1/memory/2820-144-0x000000013FF00000-0x0000000140254000-memory.dmp  upx
behavioral1/memory/2844-145-0x000000013F250000-0x000000013F5A4000-memory.dmp  upx
behavioral1/memory/1788-146-0x000000013FC50000-0x000000013FFA4000-memory.dmp  upx
behavioral1/memory/2984-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp  upx
behavioral1/memory/2476-148-0x000000013FB50000-0x000000013FEA4000-memory.dmp  upx
behavioral1/memory/2600-149-0x000000013F5B0000-0x000000013F904000-memory.dmp  upx
behavioral1/memory/2512-150-0x000000013F0B0000-0x000000013F404000-memory.dmp  upx
behavioral1/memory/2660-151-0x000000013FFD0000-0x0000000140324000-memory.dmp  upx
behavioral1/memory/2404-152-0x000000013FA10000-0x000000013FD64000-memory.dmp  upx
behavioral1/memory/2448-153-0x000000013F1D0000-0x000000013F524000-memory.dmp  upx
behavioral1/memory/2856-154-0x000000013FF30000-0x0000000140284000-memory.dmp  upx
behavioral1/memory/2864-155-0x000000013FEA0000-0x00000001401F4000-memory.dmp  upx
behavioral1/memory/2044-156-0x000000013F0B0000-0x000000013F404000-memory.dmp  upx
behavioral1/memory/2640-157-0x000000013FED0000-0x0000000140224000-memory.dmp  upx
behavioral1/memory/2820-158-0x000000013FF00000-0x0000000140254000-memory.dmp  upx
behavioral1/memory/2844-159-0x000000013F250000-0x000000013F5A4000-memory.dmp  upx
Drops file in Windows directory 21 IoCs
Processes:
description  ioc  process
File created  C:\Windows\System\THsfzmp.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\ULnIwZq.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\eWlKuUw.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\tCuEaLa.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\euEXSVI.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\riZTMEp.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\bjywSbF.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\ZQSWJWM.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\gqlyPNC.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\KwhzLOi.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\fQQJFtm.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\YcwrfBK.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\lHeMGvb.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\qETdfOk.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\LnnKxkw.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\GohwhZx.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\qcbliwa.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\tHTeaqT.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\rMAFwHQ.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\WBoUYvR.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
File created  C:\Windows\System\AQxHoYR.exe  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeLockMemoryPrivilege  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
description  pid  process  target process
PID 2192 wrote to memory of 1788  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  AQxHoYR.exe
PID 2192 wrote to memory of 1788  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  AQxHoYR.exe
PID 2192 wrote to memory of 1788  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  AQxHoYR.exe
PID 2192 wrote to memory of 2476  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  rMAFwHQ.exe
PID 2192 wrote to memory of 2476  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  rMAFwHQ.exe
PID 2192 wrote to memory of 2476  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  rMAFwHQ.exe
PID 2192 wrote to memory of 2984  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  fQQJFtm.exe
PID 2192 wrote to memory of 2984  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  fQQJFtm.exe
PID 2192 wrote to memory of 2984  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  fQQJFtm.exe
PID 2192 wrote to memory of 2600  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  riZTMEp.exe
PID 2192 wrote to memory of 2600  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  riZTMEp.exe
PID 2192 wrote to memory of 2600  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  riZTMEp.exe
PID 2192 wrote to memory of 2512  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  tHTeaqT.exe
PID 2192 wrote to memory of 2512  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  tHTeaqT.exe
PID 2192 wrote to memory of 2512  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  tHTeaqT.exe
PID 2192 wrote to memory of 2660  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  WBoUYvR.exe
PID 2192 wrote to memory of 2660  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  WBoUYvR.exe
PID 2192 wrote to memory of 2660  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  WBoUYvR.exe
PID 2192 wrote to memory of 2448  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  YcwrfBK.exe
PID 2192 wrote to memory of 2448  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  YcwrfBK.exe
PID 2192 wrote to memory of 2448  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  YcwrfBK.exe
PID 2192 wrote to memory of 2404  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  euEXSVI.exe
PID 2192 wrote to memory of 2404  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  euEXSVI.exe
PID 2192 wrote to memory of 2404  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  euEXSVI.exe
PID 2192 wrote to memory of 2856  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  lHeMGvb.exe
PID 2192 wrote to memory of 2856  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  lHeMGvb.exe
PID 2192 wrote to memory of 2856  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  lHeMGvb.exe
PID 2192 wrote to memory of 2864  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  bjywSbF.exe
PID 2192 wrote to memory of 2864  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  bjywSbF.exe
PID 2192 wrote to memory of 2864  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  bjywSbF.exe
PID 2192 wrote to memory of 2044  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  qETdfOk.exe
PID 2192 wrote to memory of 2044  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  qETdfOk.exe
PID 2192 wrote to memory of 2044  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  qETdfOk.exe
PID 2192 wrote to memory of 2640  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  ZQSWJWM.exe
PID 2192 wrote to memory of 2640  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  ZQSWJWM.exe
PID 2192 wrote to memory of 2640  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  ZQSWJWM.exe
PID 2192 wrote to memory of 2820  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  LnnKxkw.exe
PID 2192 wrote to memory of 2820  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  LnnKxkw.exe
PID 2192 wrote to memory of 2820  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  LnnKxkw.exe
PID 2192 wrote to memory of 2844  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  THsfzmp.exe
PID 2192 wrote to memory of 2844  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  THsfzmp.exe
PID 2192 wrote to memory of 2844  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  THsfzmp.exe
PID 2192 wrote to memory of 928  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  ULnIwZq.exe
PID 2192 wrote to memory of 928  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  ULnIwZq.exe
PID 2192 wrote to memory of 928  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  ULnIwZq.exe
PID 2192 wrote to memory of 1568  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  eWlKuUw.exe
PID 2192 wrote to memory of 1568  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  eWlKuUw.exe
PID 2192 wrote to memory of 1568  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  eWlKuUw.exe
PID 2192 wrote to memory of 2116  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  tCuEaLa.exe
PID 2192 wrote to memory of 2116  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  tCuEaLa.exe
PID 2192 wrote to memory of 2116  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  tCuEaLa.exe
PID 2192 wrote to memory of 2180  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  GohwhZx.exe
PID 2192 wrote to memory of 2180  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  GohwhZx.exe
PID 2192 wrote to memory of 2180  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  GohwhZx.exe
PID 2192 wrote to memory of 860  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  gqlyPNC.exe
PID 2192 wrote to memory of 860  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  gqlyPNC.exe
PID 2192 wrote to memory of 860  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  gqlyPNC.exe
PID 2192 wrote to memory of 2160  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  qcbliwa.exe
PID 2192 wrote to memory of 2160  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  qcbliwa.exe
PID 2192 wrote to memory of 2160  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  qcbliwa.exe
PID 2192 wrote to memory of 2028  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  KwhzLOi.exe
PID 2192 wrote to memory of 2028  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  KwhzLOi.exe
PID 2192 wrote to memory of 2028  2192  2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe  KwhzLOi.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
    C:\Windows\System\AQxHoYR.exe
      Command line: C:\Windows\System\AQxHoYR.exe
      - Executes dropped EXE
      PID:1788
    C:\Windows\System\rMAFwHQ.exe
      Command line: C:\Windows\System\rMAFwHQ.exe
      - Executes dropped EXE
      PID:2476
    C:\Windows\System\fQQJFtm.exe
      Command line: C:\Windows\System\fQQJFtm.exe
      - Executes dropped EXE
      PID:2984
    C:\Windows\System\riZTMEp.exe
      Command line: C:\Windows\System\riZTMEp.exe
      - Executes dropped EXE
      PID:2600
    C:\Windows\System\tHTeaqT.exe
      Command line: C:\Windows\System\tHTeaqT.exe
      - Executes dropped EXE
      PID:2512
    C:\Windows\System\WBoUYvR.exe
      Command line: C:\Windows\System\WBoUYvR.exe
      - Executes dropped EXE
      PID:2660
    C:\Windows\System\YcwrfBK.exe
      Command line: C:\Windows\System\YcwrfBK.exe
      - Executes dropped EXE
      PID:2448
    C:\Windows\System\euEXSVI.exe
      Command line: C:\Windows\System\euEXSVI.exe
      - Executes dropped EXE
      PID:2404
    C:\Windows\System\lHeMGvb.exe
      Command line: C:\Windows\System\lHeMGvb.exe
      - Executes dropped EXE
      PID:2856
    C:\Windows\System\bjywSbF.exe
      Command line: C:\Windows\System\bjywSbF.exe
      - Executes dropped EXE
      PID:2864
    C:\Windows\System\qETdfOk.exe
      Command line: C:\Windows\System\qETdfOk.exe
      - Executes dropped EXE
      PID:2044
    C:\Windows\System\ZQSWJWM.exe
      Command line: C:\Windows\System\ZQSWJWM.exe
      - Executes dropped EXE
      PID:2640
    C:\Windows\System\LnnKxkw.exe
      Command line: C:\Windows\System\LnnKxkw.exe
      - Executes dropped EXE
      PID:2820
    C:\Windows\System\THsfzmp.exe
      Command line: C:\Windows\System\THsfzmp.exe
      - Executes dropped EXE
      PID:2844
    C:\Windows\System\ULnIwZq.exe
      Command line: C:\Windows\System\ULnIwZq.exe
      - Executes dropped EXE
      PID:928
    C:\Windows\System\eWlKuUw.exe
      Command line: C:\Windows\System\eWlKuUw.exe
      - Executes dropped EXE
      PID:1568
    C:\Windows\System\tCuEaLa.exe
      Command line: C:\Windows\System\tCuEaLa.exe
      - Executes dropped EXE
      PID:2116
    C:\Windows\System\GohwhZx.exe
      Command line: C:\Windows\System\GohwhZx.exe
      - Executes dropped EXE
      PID:2180
    C:\Windows\System\gqlyPNC.exe
      Command line: C:\Windows\System\gqlyPNC.exe
      - Executes dropped EXE
      PID:860
    C:\Windows\System\qcbliwa.exe
      Command line: C:\Windows\System\qcbliwa.exe
      - Executes dropped EXE
      PID:2160
    C:\Windows\System\KwhzLOi.exe
      Command line: C:\Windows\System\KwhzLOi.exe
      - Executes dropped EXE
      PID:2028
Network
MITRE ATT&CK Matrix
Downloads