cobaltstrike | f9e48cb48338f50df428ef34201a88ef96072b78e972ba7dff4900c76de81e6c

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2023 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

ffe0086570cb0371fa39400197cca667
SHA1

090b870f91ad747919657346eb87b33a5c2ed93b
SHA256

f9e48cb48338f50df428ef34201a88ef96072b78e972ba7dff4900c76de81e6c
SHA512

11be8a644991ab2efc53a8e712033c91073b378a513d851c341180b2fb8e4d2dc204f482cf0a80c7c369d6dae5ca631ac6e5740c4a54ead7c038de9b0c090aea
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBibf56utgpPFotBER/mQ32lUn

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 43 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000022d86-6.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000022d86-4.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d93-10.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d93-12.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d95-11.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d95-18.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d95-17.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d96-22.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d96-23.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d98-29.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d98-30.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9a-35.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9a-37.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9b-42.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9c-49.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9d-54.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9d-55.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9f-65.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9e-67.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da0-74.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da1-77.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da1-80.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da2-82.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da3-94.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da4-98.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da5-109.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da5-104.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da4-93.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da3-90.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da0-89.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da2-84.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9f-70.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9e-64.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9c-47.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022d9b-41.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da6-116.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da6-115.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da7-125.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da8-132.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da9-136.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da8-133.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da9-138.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022da7-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1644-48-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp	xmrig
behavioral2/memory/3824-58-0x00007FF6992E0000-0x00007FF699631000-memory.dmp	xmrig
behavioral2/memory/3100-83-0x00007FF6E73D0000-0x00007FF6E7721000-memory.dmp	xmrig
behavioral2/memory/1292-97-0x00007FF6F8650000-0x00007FF6F89A1000-memory.dmp	xmrig
behavioral2/memory/856-100-0x00007FF688B20000-0x00007FF688E71000-memory.dmp	xmrig
behavioral2/memory/3212-103-0x00007FF7D4350000-0x00007FF7D46A1000-memory.dmp	xmrig
behavioral2/memory/652-105-0x00007FF683A90000-0x00007FF683DE1000-memory.dmp	xmrig
behavioral2/memory/1892-106-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp	xmrig
behavioral2/memory/2456-108-0x00007FF794B00000-0x00007FF794E51000-memory.dmp	xmrig
behavioral2/memory/860-61-0x00007FF69C5F0000-0x00007FF69C941000-memory.dmp	xmrig
behavioral2/memory/3436-57-0x00007FF794470000-0x00007FF7947C1000-memory.dmp	xmrig
behavioral2/memory/4912-122-0x00007FF7E04F0000-0x00007FF7E0841000-memory.dmp	xmrig
behavioral2/memory/1000-123-0x00007FF719730000-0x00007FF719A81000-memory.dmp	xmrig
behavioral2/memory/1564-137-0x00007FF729600000-0x00007FF729951000-memory.dmp	xmrig
behavioral2/memory/3452-140-0x00007FF6090E0000-0x00007FF609431000-memory.dmp	xmrig
behavioral2/memory/3936-142-0x00007FF63E1D0000-0x00007FF63E521000-memory.dmp	xmrig
behavioral2/memory/3352-143-0x00007FF6D4C90000-0x00007FF6D4FE1000-memory.dmp	xmrig
behavioral2/memory/2560-146-0x00007FF738DA0000-0x00007FF7390F1000-memory.dmp	xmrig
behavioral2/memory/4480-147-0x00007FF7A3640000-0x00007FF7A3991000-memory.dmp	xmrig
behavioral2/memory/396-148-0x00007FF7B1D20000-0x00007FF7B2071000-memory.dmp	xmrig
behavioral2/memory/1292-150-0x00007FF6F8650000-0x00007FF6F89A1000-memory.dmp	xmrig
behavioral2/memory/5008-153-0x00007FF768360000-0x00007FF7686B1000-memory.dmp	xmrig
behavioral2/memory/1644-154-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp	xmrig
behavioral2/memory/3240-162-0x00007FF777800000-0x00007FF777B51000-memory.dmp	xmrig
behavioral2/memory/1644-176-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp	xmrig
behavioral2/memory/3436-204-0x00007FF794470000-0x00007FF7947C1000-memory.dmp	xmrig
behavioral2/memory/3824-206-0x00007FF6992E0000-0x00007FF699631000-memory.dmp	xmrig
behavioral2/memory/3100-208-0x00007FF6E73D0000-0x00007FF6E7721000-memory.dmp	xmrig
behavioral2/memory/3212-212-0x00007FF7D4350000-0x00007FF7D46A1000-memory.dmp	xmrig
behavioral2/memory/2456-214-0x00007FF794B00000-0x00007FF794E51000-memory.dmp	xmrig
behavioral2/memory/4912-225-0x00007FF7E04F0000-0x00007FF7E0841000-memory.dmp	xmrig
behavioral2/memory/1564-230-0x00007FF729600000-0x00007FF729951000-memory.dmp	xmrig
behavioral2/memory/3352-234-0x00007FF6D4C90000-0x00007FF6D4FE1000-memory.dmp	xmrig
behavioral2/memory/860-235-0x00007FF69C5F0000-0x00007FF69C941000-memory.dmp	xmrig
behavioral2/memory/2560-239-0x00007FF738DA0000-0x00007FF7390F1000-memory.dmp	xmrig
behavioral2/memory/4480-238-0x00007FF7A3640000-0x00007FF7A3991000-memory.dmp	xmrig
behavioral2/memory/856-243-0x00007FF688B20000-0x00007FF688E71000-memory.dmp	xmrig
behavioral2/memory/396-250-0x00007FF7B1D20000-0x00007FF7B2071000-memory.dmp	xmrig
behavioral2/memory/1292-248-0x00007FF6F8650000-0x00007FF6F89A1000-memory.dmp	xmrig
behavioral2/memory/652-247-0x00007FF683A90000-0x00007FF683DE1000-memory.dmp	xmrig
behavioral2/memory/1892-251-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp	xmrig
behavioral2/memory/5008-253-0x00007FF768360000-0x00007FF7686B1000-memory.dmp	xmrig
behavioral2/memory/1000-257-0x00007FF719730000-0x00007FF719A81000-memory.dmp	xmrig
behavioral2/memory/3240-262-0x00007FF777800000-0x00007FF777B51000-memory.dmp	xmrig
behavioral2/memory/3452-264-0x00007FF6090E0000-0x00007FF609431000-memory.dmp	xmrig
behavioral2/memory/3936-266-0x00007FF63E1D0000-0x00007FF63E521000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3436	DSSjEhY.exe
3824	kalIdnI.exe
3100	FgxJnkV.exe
3212	DqccsFK.exe
2456	dJHzQOU.exe
4912	WQIMANB.exe
1564	Kqhhgyj.exe
3352	fpVGngY.exe
860	uQmmLfp.exe
2560	TOaPxJU.exe
4480	tZdoGIa.exe
396	IDfGQeo.exe
856	CKcyFoa.exe
1292	PQLwkdG.exe
652	lKnSSOe.exe
1892	XWvRTmy.exe
5008	wAjanoL.exe
1000	ugvkJuP.exe
3240	NnZJwiH.exe
3452	kjDmcPE.exe
3936	RqAzURV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1644-0-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp	upx
behavioral2/files/0x0008000000022d86-6.dat	upx
behavioral2/memory/3436-8-0x00007FF794470000-0x00007FF7947C1000-memory.dmp	upx
behavioral2/files/0x0008000000022d86-4.dat	upx
behavioral2/files/0x0006000000022d93-10.dat	upx
behavioral2/files/0x0006000000022d93-12.dat	upx
behavioral2/files/0x0006000000022d95-11.dat	upx
behavioral2/files/0x0006000000022d95-18.dat	upx
behavioral2/files/0x0006000000022d95-17.dat	upx
behavioral2/files/0x0006000000022d96-22.dat	upx
behavioral2/memory/3100-20-0x00007FF6E73D0000-0x00007FF6E7721000-memory.dmp	upx
behavioral2/memory/3212-24-0x00007FF7D4350000-0x00007FF7D46A1000-memory.dmp	upx
behavioral2/files/0x0006000000022d96-23.dat	upx
behavioral2/memory/3824-14-0x00007FF6992E0000-0x00007FF699631000-memory.dmp	upx
behavioral2/files/0x0006000000022d98-29.dat	upx
behavioral2/files/0x0006000000022d98-30.dat	upx
behavioral2/memory/2456-32-0x00007FF794B00000-0x00007FF794E51000-memory.dmp	upx
behavioral2/files/0x0006000000022d9a-35.dat	upx
behavioral2/files/0x0006000000022d9a-37.dat	upx
behavioral2/memory/4912-36-0x00007FF7E04F0000-0x00007FF7E0841000-memory.dmp	upx
behavioral2/memory/1564-44-0x00007FF729600000-0x00007FF729951000-memory.dmp	upx
behavioral2/files/0x0006000000022d9b-42.dat	upx
behavioral2/memory/1644-48-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp	upx
behavioral2/files/0x0006000000022d9c-49.dat	upx
behavioral2/memory/3352-50-0x00007FF6D4C90000-0x00007FF6D4FE1000-memory.dmp	upx
behavioral2/files/0x0006000000022d9d-54.dat	upx
behavioral2/files/0x0006000000022d9d-55.dat	upx
behavioral2/memory/3824-58-0x00007FF6992E0000-0x00007FF699631000-memory.dmp	upx
behavioral2/files/0x0006000000022d9f-65.dat	upx
behavioral2/memory/4480-66-0x00007FF7A3640000-0x00007FF7A3991000-memory.dmp	upx
behavioral2/files/0x0006000000022d9e-67.dat	upx
behavioral2/files/0x0006000000022da0-74.dat	upx
behavioral2/files/0x0006000000022da1-77.dat	upx
behavioral2/files/0x0006000000022da1-80.dat	upx
behavioral2/memory/3100-83-0x00007FF6E73D0000-0x00007FF6E7721000-memory.dmp	upx
behavioral2/files/0x0006000000022da2-82.dat	upx
behavioral2/memory/396-86-0x00007FF7B1D20000-0x00007FF7B2071000-memory.dmp	upx
behavioral2/files/0x0006000000022da3-94.dat	upx
behavioral2/memory/1292-97-0x00007FF6F8650000-0x00007FF6F89A1000-memory.dmp	upx
behavioral2/files/0x0006000000022da4-98.dat	upx
behavioral2/memory/856-100-0x00007FF688B20000-0x00007FF688E71000-memory.dmp	upx
behavioral2/memory/3212-103-0x00007FF7D4350000-0x00007FF7D46A1000-memory.dmp	upx
behavioral2/memory/652-105-0x00007FF683A90000-0x00007FF683DE1000-memory.dmp	upx
behavioral2/memory/1892-106-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp	upx
behavioral2/memory/2456-108-0x00007FF794B00000-0x00007FF794E51000-memory.dmp	upx
behavioral2/files/0x0006000000022da5-109.dat	upx
behavioral2/memory/5008-107-0x00007FF768360000-0x00007FF7686B1000-memory.dmp	upx
behavioral2/files/0x0006000000022da5-104.dat	upx
behavioral2/files/0x0006000000022da4-93.dat	upx
behavioral2/files/0x0006000000022da3-90.dat	upx
behavioral2/files/0x0006000000022da0-89.dat	upx
behavioral2/files/0x0006000000022da2-84.dat	upx
behavioral2/memory/2560-73-0x00007FF738DA0000-0x00007FF7390F1000-memory.dmp	upx
behavioral2/files/0x0006000000022d9f-70.dat	upx
behavioral2/files/0x0006000000022d9e-64.dat	upx
behavioral2/memory/860-61-0x00007FF69C5F0000-0x00007FF69C941000-memory.dmp	upx
behavioral2/memory/3436-57-0x00007FF794470000-0x00007FF7947C1000-memory.dmp	upx
behavioral2/files/0x0006000000022d9c-47.dat	upx
behavioral2/files/0x0006000000022d9b-41.dat	upx
behavioral2/files/0x0006000000022da6-116.dat	upx
behavioral2/files/0x0006000000022da6-115.dat	upx
behavioral2/memory/4912-122-0x00007FF7E04F0000-0x00007FF7E0841000-memory.dmp	upx
behavioral2/memory/1000-123-0x00007FF719730000-0x00007FF719A81000-memory.dmp	upx
behavioral2/files/0x0006000000022da7-125.dat	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lKnSSOe.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DSSjEhY.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dJHzQOU.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uQmmLfp.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CKcyFoa.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IDfGQeo.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wAjanoL.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NnZJwiH.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RqAzURV.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DqccsFK.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WQIMANB.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fpVGngY.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tZdoGIa.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Kqhhgyj.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PQLwkdG.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ugvkJuP.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kjDmcPE.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kalIdnI.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FgxJnkV.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TOaPxJU.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XWvRTmy.exe	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 3436	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	85
PID 1644 wrote to memory of 3436	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	85
PID 1644 wrote to memory of 3824	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	86
PID 1644 wrote to memory of 3824	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	86
PID 1644 wrote to memory of 3100	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	89
PID 1644 wrote to memory of 3100	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	89
PID 1644 wrote to memory of 3212	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	87
PID 1644 wrote to memory of 3212	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	87
PID 1644 wrote to memory of 2456	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	88
PID 1644 wrote to memory of 2456	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	88
PID 1644 wrote to memory of 4912	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	90
PID 1644 wrote to memory of 4912	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	90
PID 1644 wrote to memory of 1564	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	91
PID 1644 wrote to memory of 1564	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	91
PID 1644 wrote to memory of 3352	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	92
PID 1644 wrote to memory of 3352	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	92
PID 1644 wrote to memory of 860	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	93
PID 1644 wrote to memory of 860	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	93
PID 1644 wrote to memory of 2560	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	94
PID 1644 wrote to memory of 2560	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	94
PID 1644 wrote to memory of 4480	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	95
PID 1644 wrote to memory of 4480	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	95
PID 1644 wrote to memory of 396	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	101
PID 1644 wrote to memory of 396	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	101
PID 1644 wrote to memory of 856	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	100
PID 1644 wrote to memory of 856	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	100
PID 1644 wrote to memory of 1292	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	96
PID 1644 wrote to memory of 1292	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	96
PID 1644 wrote to memory of 652	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	99
PID 1644 wrote to memory of 652	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	99
PID 1644 wrote to memory of 1892	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	98
PID 1644 wrote to memory of 1892	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	98
PID 1644 wrote to memory of 5008	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	97
PID 1644 wrote to memory of 5008	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	97
PID 1644 wrote to memory of 1000	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	104
PID 1644 wrote to memory of 1000	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	104
PID 1644 wrote to memory of 3240	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	106
PID 1644 wrote to memory of 3240	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	106
PID 1644 wrote to memory of 3452	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	108
PID 1644 wrote to memory of 3452	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	108
PID 1644 wrote to memory of 3936	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	109
PID 1644 wrote to memory of 3936	1644	NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_ffe0086570cb0371fa39400197cca667_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\System\DSSjEhY.exe
  C:\Windows\System\DSSjEhY.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\kalIdnI.exe
  C:\Windows\System\kalIdnI.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\DqccsFK.exe
  C:\Windows\System\DqccsFK.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\dJHzQOU.exe
  C:\Windows\System\dJHzQOU.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\FgxJnkV.exe
  C:\Windows\System\FgxJnkV.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\WQIMANB.exe
  C:\Windows\System\WQIMANB.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\Kqhhgyj.exe
  C:\Windows\System\Kqhhgyj.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\fpVGngY.exe
  C:\Windows\System\fpVGngY.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\uQmmLfp.exe
  C:\Windows\System\uQmmLfp.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\TOaPxJU.exe
  C:\Windows\System\TOaPxJU.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\tZdoGIa.exe
  C:\Windows\System\tZdoGIa.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\PQLwkdG.exe
  C:\Windows\System\PQLwkdG.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\wAjanoL.exe
  C:\Windows\System\wAjanoL.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\XWvRTmy.exe
  C:\Windows\System\XWvRTmy.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\lKnSSOe.exe
  C:\Windows\System\lKnSSOe.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\CKcyFoa.exe
  C:\Windows\System\CKcyFoa.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\IDfGQeo.exe
  C:\Windows\System\IDfGQeo.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\ugvkJuP.exe
  C:\Windows\System\ugvkJuP.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\NnZJwiH.exe
  C:\Windows\System\NnZJwiH.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\kjDmcPE.exe
  C:\Windows\System\kjDmcPE.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\RqAzURV.exe
  C:\Windows\System\RqAzURV.exe
  2⤵
  - Executes dropped EXE
  PID:3936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CKcyFoa.exe

Filesize
5.2MB

MD5
30fce838c6977a15e8c2ea09d2c0e3e1

SHA1
d2b85f5c3fd1507785cc65f116d3575862cd68f0

SHA256
7c266129068a4db9b5f41d5295b44319b8ba32e3d3cfc4449a6eb0c3e447ffab

SHA512
c4132ce257336522083d6231f640d8a0b48b4502021274d832379a420e65276553a60c0c2ba1134d594cbe02447553b5b2d9fd20366a75766d796213db3308e2

Download Submit
C:\Windows\System\CKcyFoa.exe

Filesize
5.2MB

MD5
30fce838c6977a15e8c2ea09d2c0e3e1

SHA1
d2b85f5c3fd1507785cc65f116d3575862cd68f0

SHA256
7c266129068a4db9b5f41d5295b44319b8ba32e3d3cfc4449a6eb0c3e447ffab

SHA512
c4132ce257336522083d6231f640d8a0b48b4502021274d832379a420e65276553a60c0c2ba1134d594cbe02447553b5b2d9fd20366a75766d796213db3308e2

Download Submit
C:\Windows\System\DSSjEhY.exe

Filesize
5.2MB

MD5
2a379dc366d1dc6fd3baf6b95afb47fa

SHA1
cebeb6ac1f96556f0b977eefe9bdb576bbaba51f

SHA256
9d52256062473f79c4f62b826d7e590957c1504a6e645dc3fd94443cd5c7cbad

SHA512
bb6bc6ea1dce198b83911f37cbc7ff0a06550ff1b4706ba3f4c70314a81322d435911b4ea6492c6598287b91afecce916d8433181477c8e06fa9a390a64bdd36

Download Submit
C:\Windows\System\DSSjEhY.exe

Filesize
5.2MB

MD5
2a379dc366d1dc6fd3baf6b95afb47fa

SHA1
cebeb6ac1f96556f0b977eefe9bdb576bbaba51f

SHA256
9d52256062473f79c4f62b826d7e590957c1504a6e645dc3fd94443cd5c7cbad

SHA512
bb6bc6ea1dce198b83911f37cbc7ff0a06550ff1b4706ba3f4c70314a81322d435911b4ea6492c6598287b91afecce916d8433181477c8e06fa9a390a64bdd36

Download Submit
C:\Windows\System\DqccsFK.exe

Filesize
5.2MB

MD5
d671d6db1d59c73c408b01e8b2f1079c

SHA1
f3a7b47af4651e79df46acb3641023c87961aaa1

SHA256
b76c171fae1e539b38fdc3d72a72544d154f383d1898f850aea5216ba0b7e86e

SHA512
160daafb48f8d6e3cef7a60c625c828f2fa923940596c80f6865fb08c92afe66ecaaa8114d3e731fdfb53cabd4d531f7817e2ac04e6dfc56f088938e66176c60

Download Submit
C:\Windows\System\DqccsFK.exe

Filesize
5.2MB

MD5
d671d6db1d59c73c408b01e8b2f1079c

SHA1
f3a7b47af4651e79df46acb3641023c87961aaa1

SHA256
b76c171fae1e539b38fdc3d72a72544d154f383d1898f850aea5216ba0b7e86e

SHA512
160daafb48f8d6e3cef7a60c625c828f2fa923940596c80f6865fb08c92afe66ecaaa8114d3e731fdfb53cabd4d531f7817e2ac04e6dfc56f088938e66176c60

Download Submit
C:\Windows\System\FgxJnkV.exe

Filesize
5.2MB

MD5
fadf044eaee53c56c0b35d2dbfad2389

SHA1
d32311be7652786b5c0ffa7e42b287ca576ea185

SHA256
b4fdded3870aa4bbee44ba888703c88865cf7ecfda82fc94d1aa51a96c9d838c

SHA512
8b51cc1d0c8a797413cd64b04d3f14a7684de7bd20faa34bab55131c0b9ceef52e29195d1b2fcd44cf472dc4212b0237af4a5fce44b5bbcd9faac2bb027ad33b

Download Submit
C:\Windows\System\FgxJnkV.exe

Filesize
5.2MB

MD5
fadf044eaee53c56c0b35d2dbfad2389

SHA1
d32311be7652786b5c0ffa7e42b287ca576ea185

SHA256
b4fdded3870aa4bbee44ba888703c88865cf7ecfda82fc94d1aa51a96c9d838c

SHA512
8b51cc1d0c8a797413cd64b04d3f14a7684de7bd20faa34bab55131c0b9ceef52e29195d1b2fcd44cf472dc4212b0237af4a5fce44b5bbcd9faac2bb027ad33b

Download Submit
C:\Windows\System\FgxJnkV.exe

Filesize
5.2MB

MD5
fadf044eaee53c56c0b35d2dbfad2389

SHA1
d32311be7652786b5c0ffa7e42b287ca576ea185

SHA256
b4fdded3870aa4bbee44ba888703c88865cf7ecfda82fc94d1aa51a96c9d838c

SHA512
8b51cc1d0c8a797413cd64b04d3f14a7684de7bd20faa34bab55131c0b9ceef52e29195d1b2fcd44cf472dc4212b0237af4a5fce44b5bbcd9faac2bb027ad33b

Download Submit
C:\Windows\System\IDfGQeo.exe

Filesize
5.2MB

MD5
f198d1895635f0c24de48ae6dafabfdf

SHA1
3c251fe704751742a155f62e8f04031f11f2befe

SHA256
fcf6f6f08a9ab02789d7cbc32dfc5145bab160cc1d3730ce6bb750aef266d3f7

SHA512
53aa2bbb5f814e1966b1e3a4b87a6f582286a4b951b874f3960d2f7cdaaebd2e293d83d91e6ec8aa2de30bcf551587194f06fd34cb2b694b67833e45fa2e5616

Download Submit
C:\Windows\System\IDfGQeo.exe

Filesize
5.2MB

MD5
f198d1895635f0c24de48ae6dafabfdf

SHA1
3c251fe704751742a155f62e8f04031f11f2befe

SHA256
fcf6f6f08a9ab02789d7cbc32dfc5145bab160cc1d3730ce6bb750aef266d3f7

SHA512
53aa2bbb5f814e1966b1e3a4b87a6f582286a4b951b874f3960d2f7cdaaebd2e293d83d91e6ec8aa2de30bcf551587194f06fd34cb2b694b67833e45fa2e5616

Download Submit
C:\Windows\System\Kqhhgyj.exe

Filesize
5.2MB

MD5
378ebc915710a4990eabe03644b71836

SHA1
adcc25de7a3ee22bc3f17a8c96ef1b52b77bdbd4

SHA256
03753b16d303a94ea9164e0e7faaa19536df55f68189670d557dde242699fbd3

SHA512
17ae05c112c0fac3f5ea5a5c3788a5f3452f1320c0f201f94aae15327e6738e84fdd8e59e8ebe3fd5d2afc6dc7284e6c66ca85b6e8178d8740ebe9c8413355dc

Download Submit
C:\Windows\System\Kqhhgyj.exe

Filesize
5.2MB

MD5
378ebc915710a4990eabe03644b71836

SHA1
adcc25de7a3ee22bc3f17a8c96ef1b52b77bdbd4

SHA256
03753b16d303a94ea9164e0e7faaa19536df55f68189670d557dde242699fbd3

SHA512
17ae05c112c0fac3f5ea5a5c3788a5f3452f1320c0f201f94aae15327e6738e84fdd8e59e8ebe3fd5d2afc6dc7284e6c66ca85b6e8178d8740ebe9c8413355dc

Download Submit
C:\Windows\System\NnZJwiH.exe

Filesize
5.2MB

MD5
6e8016f89b1ef5973c587678f0f1ceee

SHA1
5b61e7d941bb1882296665e7a8550350ba24c50e

SHA256
4e2dd34f765e8988b6eaff5530818d1fdfecb9a2d9ef2eadecbb34c8a615a7fc

SHA512
f81fd4e356b977a8c06000dc9bbcfcf0bead5a62a23c5c6dcef95ee90fb11f1ed76af4e7a32cb8a10aa7ac0da6809097c6f68ccbe9f444d6ed5baf188e3886d3

Download Submit
C:\Windows\System\NnZJwiH.exe

Filesize
5.2MB

MD5
6e8016f89b1ef5973c587678f0f1ceee

SHA1
5b61e7d941bb1882296665e7a8550350ba24c50e

SHA256
4e2dd34f765e8988b6eaff5530818d1fdfecb9a2d9ef2eadecbb34c8a615a7fc

SHA512
f81fd4e356b977a8c06000dc9bbcfcf0bead5a62a23c5c6dcef95ee90fb11f1ed76af4e7a32cb8a10aa7ac0da6809097c6f68ccbe9f444d6ed5baf188e3886d3

Download Submit
C:\Windows\System\PQLwkdG.exe

Filesize
5.2MB

MD5
02631d4402abe925d085ce85b772f5fb

SHA1
85c87fb277651167d304c9d7f5065ec574c7a98c

SHA256
5d62078ab444ae10ff3987300f446eb777f532f779998a9dd81f28f3c98d6b67

SHA512
6153b2d48d0ba4e9c1d378729feb9baa26e4fbbfca3e1f59b8543481d41103239b7c0bc1e0425d0f48852176b7b8530181d45d566952806167da441267db8a0a

Download Submit
C:\Windows\System\PQLwkdG.exe

Filesize
5.2MB

MD5
02631d4402abe925d085ce85b772f5fb

SHA1
85c87fb277651167d304c9d7f5065ec574c7a98c

SHA256
5d62078ab444ae10ff3987300f446eb777f532f779998a9dd81f28f3c98d6b67

SHA512
6153b2d48d0ba4e9c1d378729feb9baa26e4fbbfca3e1f59b8543481d41103239b7c0bc1e0425d0f48852176b7b8530181d45d566952806167da441267db8a0a

Download Submit
C:\Windows\System\RqAzURV.exe

Filesize
5.2MB

MD5
004ce4a566ef3b1414b5b0fa102b4cb2

SHA1
26eeb66e03dc72967137bbc10cf843d9736ebf65

SHA256
6f8d6ccb40941739eec06b4e77dbca86dd234290ee84d456bc7f399f958ff2ba

SHA512
e5b03971a2b39603aacab45c42c267c26b6b33637ca92e9ae3968ec08785ca17bca998f832fc28d49b653effd290f2cd9a9043216b8ba8726235458179ab40f9

Download Submit
C:\Windows\System\RqAzURV.exe

Filesize
5.2MB

MD5
004ce4a566ef3b1414b5b0fa102b4cb2

SHA1
26eeb66e03dc72967137bbc10cf843d9736ebf65

SHA256
6f8d6ccb40941739eec06b4e77dbca86dd234290ee84d456bc7f399f958ff2ba

SHA512
e5b03971a2b39603aacab45c42c267c26b6b33637ca92e9ae3968ec08785ca17bca998f832fc28d49b653effd290f2cd9a9043216b8ba8726235458179ab40f9

Download Submit
C:\Windows\System\TOaPxJU.exe

Filesize
5.2MB

MD5
0eae8795c05d49d6b7b3febc5e5cc899

SHA1
b6d33c00c8f50e26e125631e88d3660129581608

SHA256
dd1575cb0f12a892473998cff4ceb4b3d4d27ffd1b8922a00a931e23eec0f25d

SHA512
db72fbf7a72548c47b113da350097aba4efc4397919ec7fbec939b07707ac8fb0939879de1887fdd722790b27bf0c4249d7488def6fa724482c4d867002a0da7

Download Submit
C:\Windows\System\TOaPxJU.exe

Filesize
5.2MB

MD5
0eae8795c05d49d6b7b3febc5e5cc899

SHA1
b6d33c00c8f50e26e125631e88d3660129581608

SHA256
dd1575cb0f12a892473998cff4ceb4b3d4d27ffd1b8922a00a931e23eec0f25d

SHA512
db72fbf7a72548c47b113da350097aba4efc4397919ec7fbec939b07707ac8fb0939879de1887fdd722790b27bf0c4249d7488def6fa724482c4d867002a0da7

Download Submit
C:\Windows\System\WQIMANB.exe

Filesize
5.2MB

MD5
0367c17fc523daf0c99db162ac7bc352

SHA1
115aef25de3d36a2d333fe6dbe797b707d096500

SHA256
eb78f4d5bea207651d0a8373726f3488b1940b344caa10af6c603a974cb264c6

SHA512
39c069832d5e47afbe0c07df20af1108c6507313a3a35f4ade0562326048f792aa06faca0e97a037aafffa08f3fed16912d320b80d14250a3397f231e14f5bad

Download Submit
C:\Windows\System\WQIMANB.exe

Filesize
5.2MB

MD5
0367c17fc523daf0c99db162ac7bc352

SHA1
115aef25de3d36a2d333fe6dbe797b707d096500

SHA256
eb78f4d5bea207651d0a8373726f3488b1940b344caa10af6c603a974cb264c6

SHA512
39c069832d5e47afbe0c07df20af1108c6507313a3a35f4ade0562326048f792aa06faca0e97a037aafffa08f3fed16912d320b80d14250a3397f231e14f5bad

Download Submit
C:\Windows\System\XWvRTmy.exe

Filesize
5.2MB

MD5
5e4589c4abffb2043f8c13f988e6beba

SHA1
0919e5ce8830642d90c29700816498160aae4399

SHA256
302801ecd38758024e0bc3efa5db4854fdd69e220e50cc17ada0c617313768f4

SHA512
f366f96af06374fcc15c6453a53989feff6cc1e8bc10c05ecc92f840cb0eafbd0749814dc185bc7d1a7529400852488618713e235f2f030efac8e208199e7e21

Download Submit
C:\Windows\System\XWvRTmy.exe

Filesize
5.2MB

MD5
5e4589c4abffb2043f8c13f988e6beba

SHA1
0919e5ce8830642d90c29700816498160aae4399

SHA256
302801ecd38758024e0bc3efa5db4854fdd69e220e50cc17ada0c617313768f4

SHA512
f366f96af06374fcc15c6453a53989feff6cc1e8bc10c05ecc92f840cb0eafbd0749814dc185bc7d1a7529400852488618713e235f2f030efac8e208199e7e21

Download Submit
C:\Windows\System\dJHzQOU.exe

Filesize
5.2MB

MD5
cec29496e9f3d78ffa343b2aaf6ec6c8

SHA1
2da8a35a2634e8421cb2e2f6e77aefef728d37cb

SHA256
1e0d7c74ac3a325730cf13edcbe7e2eea275f11edf4333f79c63e927730907ab

SHA512
2d2fda30c35d40b48a1f0d64c5458f4d37790c6504e155098f677af45649632bb25ad03b3681a4b89447c5e8571b2f19c50573dcaf30e54a12b8872293111197

Download Submit
C:\Windows\System\dJHzQOU.exe

Filesize
5.2MB

MD5
cec29496e9f3d78ffa343b2aaf6ec6c8

SHA1
2da8a35a2634e8421cb2e2f6e77aefef728d37cb

SHA256
1e0d7c74ac3a325730cf13edcbe7e2eea275f11edf4333f79c63e927730907ab

SHA512
2d2fda30c35d40b48a1f0d64c5458f4d37790c6504e155098f677af45649632bb25ad03b3681a4b89447c5e8571b2f19c50573dcaf30e54a12b8872293111197

Download Submit
C:\Windows\System\fpVGngY.exe

Filesize
5.2MB

MD5
4ad0646e5eded86e63eab9e9ba995af8

SHA1
0ec82521646f2f112a5d963436aa361f67b69105

SHA256
0c766b2df674d1375129559286b8d7169cd33608deb6f2f4629318f5ea7a9ebb

SHA512
10833259779170cc2b2353f04788fc09b648dadd1e314f5acc8baa9266d9bd0187f3dc6285e819bf494df524500e4da65921017a18eeff986bf8d099d301ba99

Download Submit
C:\Windows\System\fpVGngY.exe

Filesize
5.2MB

MD5
4ad0646e5eded86e63eab9e9ba995af8

SHA1
0ec82521646f2f112a5d963436aa361f67b69105

SHA256
0c766b2df674d1375129559286b8d7169cd33608deb6f2f4629318f5ea7a9ebb

SHA512
10833259779170cc2b2353f04788fc09b648dadd1e314f5acc8baa9266d9bd0187f3dc6285e819bf494df524500e4da65921017a18eeff986bf8d099d301ba99

Download Submit
C:\Windows\System\kalIdnI.exe

Filesize
5.2MB

MD5
3cc4288ccd5b05cf15df00f5c55c1013

SHA1
18d570481c43989c7247a3544f2ec45b7f3937e4

SHA256
de3d5562bc5a35a7168a050a7f39225c7db774e3c08f2ed1fafee1f12a4d9b52

SHA512
e090764e80822e23559b7a24eb8e22c1b114e5e6c43f4a76ba708462e76800f291ba95ac653421a811ab2576081ecc549d79fd00d68a3fa3cb37148c09caf561

Download Submit
C:\Windows\System\kalIdnI.exe

Filesize
5.2MB

MD5
3cc4288ccd5b05cf15df00f5c55c1013

SHA1
18d570481c43989c7247a3544f2ec45b7f3937e4

SHA256
de3d5562bc5a35a7168a050a7f39225c7db774e3c08f2ed1fafee1f12a4d9b52

SHA512
e090764e80822e23559b7a24eb8e22c1b114e5e6c43f4a76ba708462e76800f291ba95ac653421a811ab2576081ecc549d79fd00d68a3fa3cb37148c09caf561

Download Submit
C:\Windows\System\kjDmcPE.exe

Filesize
5.2MB

MD5
0850f206aca348d7547b8d023d657ec6

SHA1
13a0bb6be0c5743e749ae63064bf8f3137445d6d

SHA256
1e3aaa9a777b7c1b042da964ec6b9449f30f6d8a579b339ff33bd7a5b24fbf91

SHA512
e69d9a3624b5b47747aa8eeb844cf751a33f096b9475778c78258053dc94a8d47de27969bdf2bdaabb1e2c22270b9e927c253762a95237276d76d43d29c5234f

Download Submit
C:\Windows\System\kjDmcPE.exe

Filesize
5.2MB

MD5
0850f206aca348d7547b8d023d657ec6

SHA1
13a0bb6be0c5743e749ae63064bf8f3137445d6d

SHA256
1e3aaa9a777b7c1b042da964ec6b9449f30f6d8a579b339ff33bd7a5b24fbf91

SHA512
e69d9a3624b5b47747aa8eeb844cf751a33f096b9475778c78258053dc94a8d47de27969bdf2bdaabb1e2c22270b9e927c253762a95237276d76d43d29c5234f

Download Submit
C:\Windows\System\lKnSSOe.exe

Filesize
5.2MB

MD5
d48905b89b13f629660ecd26f8db2432

SHA1
4a1bfe9c0dee50b10be4450f0cc2268d73779bda

SHA256
d556efb8a16c16648ea5541ab5c675a895651118a7dd5354d8bf865a847a5103

SHA512
16c33543f1f43f57e20cbf836d50994f281443feca6edd80c4193c3e0d5079d866df2f417cd9b5a626c3de91119ee85c0b6c947de7b749ce369f41929203659f

Download Submit
C:\Windows\System\lKnSSOe.exe

Filesize
5.2MB

MD5
d48905b89b13f629660ecd26f8db2432

SHA1
4a1bfe9c0dee50b10be4450f0cc2268d73779bda

SHA256
d556efb8a16c16648ea5541ab5c675a895651118a7dd5354d8bf865a847a5103

SHA512
16c33543f1f43f57e20cbf836d50994f281443feca6edd80c4193c3e0d5079d866df2f417cd9b5a626c3de91119ee85c0b6c947de7b749ce369f41929203659f

Download Submit
C:\Windows\System\tZdoGIa.exe

Filesize
5.2MB

MD5
e9a887838920106b158ce8b5f3a5ac60

SHA1
88402fabf8c9a2edc5a672d107025ef5cb5f200d

SHA256
3bfd8f0384980de616d92611413b90c9c35a62a2cce8050dcfd15031d994bd79

SHA512
917e83d39128a986fa67a049fde1b364aa58446cebb9e307fb21e64df9a1ba88d10860f7ec0486faa0150514a70441b70d9a5786991e3f6578b51aabb4d6d047

Download Submit
C:\Windows\System\tZdoGIa.exe

Filesize
5.2MB

MD5
e9a887838920106b158ce8b5f3a5ac60

SHA1
88402fabf8c9a2edc5a672d107025ef5cb5f200d

SHA256
3bfd8f0384980de616d92611413b90c9c35a62a2cce8050dcfd15031d994bd79

SHA512
917e83d39128a986fa67a049fde1b364aa58446cebb9e307fb21e64df9a1ba88d10860f7ec0486faa0150514a70441b70d9a5786991e3f6578b51aabb4d6d047

Download Submit
C:\Windows\System\uQmmLfp.exe

Filesize
5.2MB

MD5
60c23222e4d7b4ce0f913d792b9cb41f

SHA1
191ef42a64df55a076d04b2d85e9d24ab9385e81

SHA256
57b7f2f3aaf11718f5d6a782f623fc64ccd8e919eb3a9feba2076aca4697c8fa

SHA512
007a5b25fcaead759de3c3de8411ae9eddda4da460512ea15c6edb071849048d8290d1ad2fb5cc17b1aac4296b6ca2d43791a3293964339a4779941f1b30aaf6

Download Submit
C:\Windows\System\uQmmLfp.exe

Filesize
5.2MB

MD5
60c23222e4d7b4ce0f913d792b9cb41f

SHA1
191ef42a64df55a076d04b2d85e9d24ab9385e81

SHA256
57b7f2f3aaf11718f5d6a782f623fc64ccd8e919eb3a9feba2076aca4697c8fa

SHA512
007a5b25fcaead759de3c3de8411ae9eddda4da460512ea15c6edb071849048d8290d1ad2fb5cc17b1aac4296b6ca2d43791a3293964339a4779941f1b30aaf6

Download Submit
C:\Windows\System\ugvkJuP.exe

Filesize
5.2MB

MD5
134355152a476a4fdd26725b6b45eeb3

SHA1
9745c18bdbdead9be3575bec33227fdd970e64d5

SHA256
5521e98f05ef8167031b6840ad07677f1de6707876cced553eab7002ca265c49

SHA512
f95b7b48d5be0d37dd5d7e72623b24c7ad8b82c60c173915e0a69538d35a5590bef353b0c0888c9003fff7bf9e2c66a0b63c9fa9ae878d54d4bde5dd49c93e77

Download Submit
C:\Windows\System\ugvkJuP.exe

Filesize
5.2MB

MD5
134355152a476a4fdd26725b6b45eeb3

SHA1
9745c18bdbdead9be3575bec33227fdd970e64d5

SHA256
5521e98f05ef8167031b6840ad07677f1de6707876cced553eab7002ca265c49

SHA512
f95b7b48d5be0d37dd5d7e72623b24c7ad8b82c60c173915e0a69538d35a5590bef353b0c0888c9003fff7bf9e2c66a0b63c9fa9ae878d54d4bde5dd49c93e77

Download Submit
C:\Windows\System\wAjanoL.exe

Filesize
5.2MB

MD5
d77f32667b721ebf217c274c7466f403

SHA1
ccec7b6e602591e8412f4738aefe4c9f613158dc

SHA256
142cab37fa7d69a1b09dc0713c1eeb45804e84666fc8d3a2ddeaeed200479f66

SHA512
b5b8cf046e4ae09b86d2616c7fd96e38b6a05ea6a3f36599a53d7fde6ece1fd4157e0192515bb0ee7e000bb6d1cfa0cc8e8d0a62c2be0b4a70f2d1198c4b1402

Download Submit
C:\Windows\System\wAjanoL.exe

Filesize
5.2MB

MD5
d77f32667b721ebf217c274c7466f403

SHA1
ccec7b6e602591e8412f4738aefe4c9f613158dc

SHA256
142cab37fa7d69a1b09dc0713c1eeb45804e84666fc8d3a2ddeaeed200479f66

SHA512
b5b8cf046e4ae09b86d2616c7fd96e38b6a05ea6a3f36599a53d7fde6ece1fd4157e0192515bb0ee7e000bb6d1cfa0cc8e8d0a62c2be0b4a70f2d1198c4b1402

Download Submit
memory/396-86-0x00007FF7B1D20000-0x00007FF7B2071000-memory.dmp

Filesize
3.3MB

Download
memory/396-148-0x00007FF7B1D20000-0x00007FF7B2071000-memory.dmp

Filesize
3.3MB

Download
memory/396-250-0x00007FF7B1D20000-0x00007FF7B2071000-memory.dmp

Filesize
3.3MB

Download
memory/652-105-0x00007FF683A90000-0x00007FF683DE1000-memory.dmp

Filesize
3.3MB

Download
memory/652-247-0x00007FF683A90000-0x00007FF683DE1000-memory.dmp

Filesize
3.3MB

Download
memory/856-243-0x00007FF688B20000-0x00007FF688E71000-memory.dmp

Filesize
3.3MB

Download
memory/856-100-0x00007FF688B20000-0x00007FF688E71000-memory.dmp

Filesize
3.3MB

Download
memory/860-235-0x00007FF69C5F0000-0x00007FF69C941000-memory.dmp

Filesize
3.3MB

Download
memory/860-61-0x00007FF69C5F0000-0x00007FF69C941000-memory.dmp

Filesize
3.3MB

Download
memory/1000-257-0x00007FF719730000-0x00007FF719A81000-memory.dmp

Filesize
3.3MB

Download
memory/1000-123-0x00007FF719730000-0x00007FF719A81000-memory.dmp

Filesize
3.3MB

Download
memory/1292-248-0x00007FF6F8650000-0x00007FF6F89A1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-150-0x00007FF6F8650000-0x00007FF6F89A1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-97-0x00007FF6F8650000-0x00007FF6F89A1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-230-0x00007FF729600000-0x00007FF729951000-memory.dmp

Filesize
3.3MB

Download
memory/1564-137-0x00007FF729600000-0x00007FF729951000-memory.dmp

Filesize
3.3MB

Download
memory/1564-44-0x00007FF729600000-0x00007FF729951000-memory.dmp

Filesize
3.3MB

Download
memory/1644-1-0x000001507D900000-0x000001507D910000-memory.dmp

Filesize
64KB

Download
memory/1644-0-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-154-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-48-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-176-0x00007FF7BF790000-0x00007FF7BFAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1892-106-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1892-251-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-32-0x00007FF794B00000-0x00007FF794E51000-memory.dmp

Filesize
3.3MB

Download
memory/2456-108-0x00007FF794B00000-0x00007FF794E51000-memory.dmp

Filesize
3.3MB

Download
memory/2456-214-0x00007FF794B00000-0x00007FF794E51000-memory.dmp

Filesize
3.3MB

Download
memory/2560-73-0x00007FF738DA0000-0x00007FF7390F1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-239-0x00007FF738DA0000-0x00007FF7390F1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-146-0x00007FF738DA0000-0x00007FF7390F1000-memory.dmp

Filesize
3.3MB

Download
memory/3100-20-0x00007FF6E73D0000-0x00007FF6E7721000-memory.dmp

Filesize
3.3MB

Download
memory/3100-208-0x00007FF6E73D0000-0x00007FF6E7721000-memory.dmp

Filesize
3.3MB

Download
memory/3100-83-0x00007FF6E73D0000-0x00007FF6E7721000-memory.dmp

Filesize
3.3MB

Download
memory/3212-24-0x00007FF7D4350000-0x00007FF7D46A1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-212-0x00007FF7D4350000-0x00007FF7D46A1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-103-0x00007FF7D4350000-0x00007FF7D46A1000-memory.dmp

Filesize
3.3MB

Download
memory/3240-131-0x00007FF777800000-0x00007FF777B51000-memory.dmp

Filesize
3.3MB

Download
memory/3240-262-0x00007FF777800000-0x00007FF777B51000-memory.dmp

Filesize
3.3MB

Download
memory/3240-162-0x00007FF777800000-0x00007FF777B51000-memory.dmp

Filesize
3.3MB

Download
memory/3352-50-0x00007FF6D4C90000-0x00007FF6D4FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3352-143-0x00007FF6D4C90000-0x00007FF6D4FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3352-234-0x00007FF6D4C90000-0x00007FF6D4FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-8-0x00007FF794470000-0x00007FF7947C1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-57-0x00007FF794470000-0x00007FF7947C1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-204-0x00007FF794470000-0x00007FF7947C1000-memory.dmp

Filesize
3.3MB

Download
memory/3452-264-0x00007FF6090E0000-0x00007FF609431000-memory.dmp

Filesize
3.3MB

Download
memory/3452-140-0x00007FF6090E0000-0x00007FF609431000-memory.dmp

Filesize
3.3MB

Download
memory/3824-206-0x00007FF6992E0000-0x00007FF699631000-memory.dmp

Filesize
3.3MB

Download
memory/3824-58-0x00007FF6992E0000-0x00007FF699631000-memory.dmp

Filesize
3.3MB

Download
memory/3824-14-0x00007FF6992E0000-0x00007FF699631000-memory.dmp

Filesize
3.3MB

Download
memory/3936-266-0x00007FF63E1D0000-0x00007FF63E521000-memory.dmp

Filesize
3.3MB

Download
memory/3936-142-0x00007FF63E1D0000-0x00007FF63E521000-memory.dmp

Filesize
3.3MB

Download
memory/4480-238-0x00007FF7A3640000-0x00007FF7A3991000-memory.dmp

Filesize
3.3MB

Download
memory/4480-66-0x00007FF7A3640000-0x00007FF7A3991000-memory.dmp

Filesize
3.3MB

Download
memory/4480-147-0x00007FF7A3640000-0x00007FF7A3991000-memory.dmp

Filesize
3.3MB

Download
memory/4912-36-0x00007FF7E04F0000-0x00007FF7E0841000-memory.dmp

Filesize
3.3MB

Download
memory/4912-225-0x00007FF7E04F0000-0x00007FF7E0841000-memory.dmp

Filesize
3.3MB

Download
memory/4912-122-0x00007FF7E04F0000-0x00007FF7E0841000-memory.dmp

Filesize
3.3MB

Download
memory/5008-107-0x00007FF768360000-0x00007FF7686B1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-253-0x00007FF768360000-0x00007FF7686B1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-153-0x00007FF768360000-0x00007FF7686B1000-memory.dmp

Filesize
3.3MB

Download