cobaltstrike | dfbbabbd265577e338b6d54438bcd7f63b0cc9645bccef2f40b8a4d2820ae7d0

Analysis

max time kernel
140s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

6f713228f63c1b6a5ca7cb7dabcab1e0
SHA1

75f0ab9ca658fef8019622585c2ad05d6beb3580
SHA256

dfbbabbd265577e338b6d54438bcd7f63b0cc9645bccef2f40b8a4d2820ae7d0
SHA512

aa25d15120f712ed41c62d0f3fae607c1286ea6718177283be54837e021fd5bf5f481ba59942e346510c10ee62fc50dd67ed95e16e94efdd0aed66769dcf6175
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibf56utgpPFotBER/mQ32lUa

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\XwJNMIw.exe	cobalt_reflective_dll
C:\Windows\System\oAtlXEO.exe	cobalt_reflective_dll
C:\Windows\System\Bnsylzl.exe	cobalt_reflective_dll
C:\Windows\System\jtalXYj.exe	cobalt_reflective_dll
C:\Windows\System\IloshUm.exe	cobalt_reflective_dll
C:\Windows\System\tLZyWyg.exe	cobalt_reflective_dll
C:\Windows\System\PBCXYqR.exe	cobalt_reflective_dll
C:\Windows\System\VFBNNPf.exe	cobalt_reflective_dll
C:\Windows\System\rcVzNUc.exe	cobalt_reflective_dll
C:\Windows\System\tjXIiYe.exe	cobalt_reflective_dll
C:\Windows\System\QuECSHP.exe	cobalt_reflective_dll
C:\Windows\System\KJwZSpc.exe	cobalt_reflective_dll
C:\Windows\System\ehWQCsR.exe	cobalt_reflective_dll
C:\Windows\System\dDybWja.exe	cobalt_reflective_dll
C:\Windows\System\pBhmSGd.exe	cobalt_reflective_dll
C:\Windows\System\rURDDEG.exe	cobalt_reflective_dll
C:\Windows\System\yTqNygY.exe	cobalt_reflective_dll
C:\Windows\System\TDzKKQd.exe	cobalt_reflective_dll
C:\Windows\System\sEYGlde.exe	cobalt_reflective_dll
C:\Windows\System\mkUwXoe.exe	cobalt_reflective_dll
C:\Windows\System\LnRYaOZ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\XwJNMIw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oAtlXEO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Bnsylzl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jtalXYj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IloshUm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tLZyWyg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PBCXYqR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VFBNNPf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rcVzNUc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tjXIiYe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QuECSHP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KJwZSpc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ehWQCsR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dDybWja.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pBhmSGd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rURDDEG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yTqNygY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TDzKKQd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sEYGlde.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mkUwXoe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LnRYaOZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4488-0-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	UPX
C:\Windows\System\XwJNMIw.exe	UPX
behavioral2/memory/4880-8-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	UPX
C:\Windows\System\oAtlXEO.exe	UPX
C:\Windows\System\Bnsylzl.exe	UPX
behavioral2/memory/2932-16-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	UPX
behavioral2/memory/4148-21-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp	UPX
C:\Windows\System\jtalXYj.exe	UPX
behavioral2/memory/316-38-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	UPX
behavioral2/memory/4680-44-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp	UPX
C:\Windows\System\IloshUm.exe	UPX
C:\Windows\System\tLZyWyg.exe	UPX
behavioral2/memory/212-57-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp	UPX
C:\Windows\System\PBCXYqR.exe	UPX
behavioral2/memory/2356-61-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp	UPX
C:\Windows\System\VFBNNPf.exe	UPX
C:\Windows\System\rcVzNUc.exe	UPX
behavioral2/memory/4904-53-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp	UPX
C:\Windows\System\tjXIiYe.exe	UPX
behavioral2/memory/1920-30-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp	UPX
behavioral2/memory/4732-27-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	UPX
C:\Windows\System\QuECSHP.exe	UPX
C:\Windows\System\KJwZSpc.exe	UPX
behavioral2/memory/3576-65-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp	UPX
behavioral2/memory/4488-77-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	UPX
C:\Windows\System\ehWQCsR.exe	UPX
behavioral2/memory/4880-95-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	UPX
C:\Windows\System\dDybWja.exe	UPX
C:\Windows\System\pBhmSGd.exe	UPX
C:\Windows\System\rURDDEG.exe	UPX
behavioral2/memory/1048-123-0x00007FF6C33B0000-0x00007FF6C3701000-memory.dmp	UPX
behavioral2/memory/4844-125-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp	UPX
behavioral2/memory/4148-129-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp	UPX
behavioral2/memory/4732-131-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	UPX
behavioral2/memory/4348-132-0x00007FF6946F0000-0x00007FF694A41000-memory.dmp	UPX
behavioral2/memory/4824-130-0x00007FF78FBA0000-0x00007FF78FEF1000-memory.dmp	UPX
behavioral2/memory/1072-128-0x00007FF60F4F0000-0x00007FF60F841000-memory.dmp	UPX
behavioral2/memory/5096-127-0x00007FF6A97D0000-0x00007FF6A9B21000-memory.dmp	UPX
behavioral2/memory/1392-120-0x00007FF69B570000-0x00007FF69B8C1000-memory.dmp	UPX
C:\Windows\System\yTqNygY.exe	UPX
behavioral2/memory/2608-116-0x00007FF7663D0000-0x00007FF766721000-memory.dmp	UPX
behavioral2/memory/2932-113-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	UPX
C:\Windows\System\TDzKKQd.exe	UPX
C:\Windows\System\sEYGlde.exe	UPX
C:\Windows\System\mkUwXoe.exe	UPX
C:\Windows\System\LnRYaOZ.exe	UPX
behavioral2/memory/4264-79-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp	UPX
behavioral2/memory/3016-75-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp	UPX
behavioral2/memory/1920-133-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp	UPX
behavioral2/memory/4488-134-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	UPX
behavioral2/memory/316-140-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	UPX
behavioral2/memory/212-142-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp	UPX
behavioral2/memory/4680-141-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp	UPX
behavioral2/memory/4904-143-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp	UPX
behavioral2/memory/2356-144-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp	UPX
behavioral2/memory/3576-145-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp	UPX
behavioral2/memory/4264-147-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp	UPX
behavioral2/memory/3016-146-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp	UPX
behavioral2/memory/4488-156-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	UPX
behavioral2/memory/4880-201-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	UPX
behavioral2/memory/2932-203-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	UPX
behavioral2/memory/4732-210-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	UPX
behavioral2/memory/4148-214-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp	UPX
behavioral2/memory/1920-218-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp	UPX

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4880-8-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	xmrig
behavioral2/memory/2932-16-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	xmrig
behavioral2/memory/4732-27-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	xmrig
behavioral2/memory/4488-77-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	xmrig
behavioral2/memory/4880-95-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	xmrig
behavioral2/memory/1048-123-0x00007FF6C33B0000-0x00007FF6C3701000-memory.dmp	xmrig
behavioral2/memory/4844-125-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp	xmrig
behavioral2/memory/4148-129-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp	xmrig
behavioral2/memory/4732-131-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	xmrig
behavioral2/memory/4348-132-0x00007FF6946F0000-0x00007FF694A41000-memory.dmp	xmrig
behavioral2/memory/4824-130-0x00007FF78FBA0000-0x00007FF78FEF1000-memory.dmp	xmrig
behavioral2/memory/1072-128-0x00007FF60F4F0000-0x00007FF60F841000-memory.dmp	xmrig
behavioral2/memory/5096-127-0x00007FF6A97D0000-0x00007FF6A9B21000-memory.dmp	xmrig
behavioral2/memory/1392-120-0x00007FF69B570000-0x00007FF69B8C1000-memory.dmp	xmrig
behavioral2/memory/2608-116-0x00007FF7663D0000-0x00007FF766721000-memory.dmp	xmrig
behavioral2/memory/2932-113-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	xmrig
behavioral2/memory/1920-133-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp	xmrig
behavioral2/memory/4488-134-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	xmrig
behavioral2/memory/316-140-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	xmrig
behavioral2/memory/212-142-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp	xmrig
behavioral2/memory/4680-141-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp	xmrig
behavioral2/memory/4904-143-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp	xmrig
behavioral2/memory/2356-144-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp	xmrig
behavioral2/memory/3576-145-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp	xmrig
behavioral2/memory/4264-147-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp	xmrig
behavioral2/memory/3016-146-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp	xmrig
behavioral2/memory/4488-156-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	xmrig
behavioral2/memory/4880-201-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	xmrig
behavioral2/memory/2932-203-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	xmrig
behavioral2/memory/4732-210-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	xmrig
behavioral2/memory/4148-214-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp	xmrig
behavioral2/memory/1920-218-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp	xmrig
behavioral2/memory/316-222-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	xmrig
behavioral2/memory/4680-227-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp	xmrig
behavioral2/memory/212-233-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp	xmrig
behavioral2/memory/2356-237-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp	xmrig
behavioral2/memory/4904-240-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp	xmrig
behavioral2/memory/3576-241-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp	xmrig
behavioral2/memory/2608-246-0x00007FF7663D0000-0x00007FF766721000-memory.dmp	xmrig
behavioral2/memory/3016-251-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp	xmrig
behavioral2/memory/1072-254-0x00007FF60F4F0000-0x00007FF60F841000-memory.dmp	xmrig
behavioral2/memory/1048-250-0x00007FF6C33B0000-0x00007FF6C3701000-memory.dmp	xmrig
behavioral2/memory/4264-247-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp	xmrig
behavioral2/memory/1392-245-0x00007FF69B570000-0x00007FF69B8C1000-memory.dmp	xmrig
behavioral2/memory/4844-255-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp	xmrig
behavioral2/memory/4824-261-0x00007FF78FBA0000-0x00007FF78FEF1000-memory.dmp	xmrig
behavioral2/memory/5096-260-0x00007FF6A97D0000-0x00007FF6A9B21000-memory.dmp	xmrig
behavioral2/memory/4348-259-0x00007FF6946F0000-0x00007FF694A41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

XwJNMIw.exeoAtlXEO.exeBnsylzl.exeQuECSHP.exejtalXYj.exetjXIiYe.exeIloshUm.exercVzNUc.exeVFBNNPf.exetLZyWyg.exePBCXYqR.exeKJwZSpc.exeLnRYaOZ.exeehWQCsR.exemkUwXoe.exesEYGlde.exeTDzKKQd.exedDybWja.exeyTqNygY.exepBhmSGd.exerURDDEG.exe

pid	process
4880	XwJNMIw.exe
2932	oAtlXEO.exe
4732	Bnsylzl.exe
4148	QuECSHP.exe
1920	jtalXYj.exe
316	tjXIiYe.exe
4680	IloshUm.exe
212	rcVzNUc.exe
4904	VFBNNPf.exe
2356	tLZyWyg.exe
3576	PBCXYqR.exe
3016	KJwZSpc.exe
4264	LnRYaOZ.exe
2608	ehWQCsR.exe
1392	mkUwXoe.exe
1048	sEYGlde.exe
1072	TDzKKQd.exe
4844	dDybWja.exe
4824	yTqNygY.exe
5096	pBhmSGd.exe
4348	rURDDEG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4488-0-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	upx
C:\Windows\System\XwJNMIw.exe	upx
behavioral2/memory/4880-8-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	upx
C:\Windows\System\oAtlXEO.exe	upx
C:\Windows\System\Bnsylzl.exe	upx
behavioral2/memory/2932-16-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	upx
behavioral2/memory/4148-21-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp	upx
C:\Windows\System\jtalXYj.exe	upx
behavioral2/memory/316-38-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	upx
behavioral2/memory/4680-44-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp	upx
C:\Windows\System\IloshUm.exe	upx
C:\Windows\System\tLZyWyg.exe	upx
behavioral2/memory/212-57-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp	upx
C:\Windows\System\PBCXYqR.exe	upx
behavioral2/memory/2356-61-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp	upx
C:\Windows\System\VFBNNPf.exe	upx
C:\Windows\System\rcVzNUc.exe	upx
behavioral2/memory/4904-53-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp	upx
C:\Windows\System\tjXIiYe.exe	upx
behavioral2/memory/1920-30-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp	upx
behavioral2/memory/4732-27-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	upx
C:\Windows\System\QuECSHP.exe	upx
C:\Windows\System\KJwZSpc.exe	upx
behavioral2/memory/3576-65-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp	upx
behavioral2/memory/4488-77-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	upx
C:\Windows\System\ehWQCsR.exe	upx
behavioral2/memory/4880-95-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	upx
C:\Windows\System\dDybWja.exe	upx
C:\Windows\System\pBhmSGd.exe	upx
C:\Windows\System\rURDDEG.exe	upx
behavioral2/memory/1048-123-0x00007FF6C33B0000-0x00007FF6C3701000-memory.dmp	upx
behavioral2/memory/4844-125-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp	upx
behavioral2/memory/4148-129-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp	upx
behavioral2/memory/4732-131-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	upx
behavioral2/memory/4348-132-0x00007FF6946F0000-0x00007FF694A41000-memory.dmp	upx
behavioral2/memory/4824-130-0x00007FF78FBA0000-0x00007FF78FEF1000-memory.dmp	upx
behavioral2/memory/1072-128-0x00007FF60F4F0000-0x00007FF60F841000-memory.dmp	upx
behavioral2/memory/5096-127-0x00007FF6A97D0000-0x00007FF6A9B21000-memory.dmp	upx
behavioral2/memory/1392-120-0x00007FF69B570000-0x00007FF69B8C1000-memory.dmp	upx
C:\Windows\System\yTqNygY.exe	upx
behavioral2/memory/2608-116-0x00007FF7663D0000-0x00007FF766721000-memory.dmp	upx
behavioral2/memory/2932-113-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	upx
C:\Windows\System\TDzKKQd.exe	upx
C:\Windows\System\sEYGlde.exe	upx
C:\Windows\System\mkUwXoe.exe	upx
C:\Windows\System\LnRYaOZ.exe	upx
behavioral2/memory/4264-79-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp	upx
behavioral2/memory/3016-75-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp	upx
behavioral2/memory/1920-133-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp	upx
behavioral2/memory/4488-134-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	upx
behavioral2/memory/316-140-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	upx
behavioral2/memory/212-142-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp	upx
behavioral2/memory/4680-141-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp	upx
behavioral2/memory/4904-143-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp	upx
behavioral2/memory/2356-144-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp	upx
behavioral2/memory/3576-145-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp	upx
behavioral2/memory/4264-147-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp	upx
behavioral2/memory/3016-146-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp	upx
behavioral2/memory/4488-156-0x00007FF635B40000-0x00007FF635E91000-memory.dmp	upx
behavioral2/memory/4880-201-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp	upx
behavioral2/memory/2932-203-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp	upx
behavioral2/memory/4732-210-0x00007FF651CD0000-0x00007FF652021000-memory.dmp	upx
behavioral2/memory/4148-214-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp	upx
behavioral2/memory/1920-218-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\LnRYaOZ.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yTqNygY.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pBhmSGd.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tLZyWyg.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VFBNNPf.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ehWQCsR.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mkUwXoe.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TDzKKQd.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rcVzNUc.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Bnsylzl.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QuECSHP.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jtalXYj.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dDybWja.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rURDDEG.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XwJNMIw.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tjXIiYe.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IloshUm.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PBCXYqR.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KJwZSpc.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sEYGlde.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oAtlXEO.exe	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4488 wrote to memory of 4880	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	XwJNMIw.exe
PID 4488 wrote to memory of 4880	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	XwJNMIw.exe
PID 4488 wrote to memory of 2932	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	oAtlXEO.exe
PID 4488 wrote to memory of 2932	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	oAtlXEO.exe
PID 4488 wrote to memory of 4732	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	Bnsylzl.exe
PID 4488 wrote to memory of 4732	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	Bnsylzl.exe
PID 4488 wrote to memory of 4148	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	QuECSHP.exe
PID 4488 wrote to memory of 4148	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	QuECSHP.exe
PID 4488 wrote to memory of 1920	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	jtalXYj.exe
PID 4488 wrote to memory of 1920	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	jtalXYj.exe
PID 4488 wrote to memory of 316	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	tjXIiYe.exe
PID 4488 wrote to memory of 316	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	tjXIiYe.exe
PID 4488 wrote to memory of 4680	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	IloshUm.exe
PID 4488 wrote to memory of 4680	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	IloshUm.exe
PID 4488 wrote to memory of 212	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	rcVzNUc.exe
PID 4488 wrote to memory of 212	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	rcVzNUc.exe
PID 4488 wrote to memory of 4904	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	VFBNNPf.exe
PID 4488 wrote to memory of 4904	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	VFBNNPf.exe
PID 4488 wrote to memory of 2356	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	tLZyWyg.exe
PID 4488 wrote to memory of 2356	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	tLZyWyg.exe
PID 4488 wrote to memory of 3576	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	PBCXYqR.exe
PID 4488 wrote to memory of 3576	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	PBCXYqR.exe
PID 4488 wrote to memory of 3016	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	KJwZSpc.exe
PID 4488 wrote to memory of 3016	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	KJwZSpc.exe
PID 4488 wrote to memory of 4264	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	LnRYaOZ.exe
PID 4488 wrote to memory of 4264	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	LnRYaOZ.exe
PID 4488 wrote to memory of 2608	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	ehWQCsR.exe
PID 4488 wrote to memory of 2608	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	ehWQCsR.exe
PID 4488 wrote to memory of 1392	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	mkUwXoe.exe
PID 4488 wrote to memory of 1392	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	mkUwXoe.exe
PID 4488 wrote to memory of 1048	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	sEYGlde.exe
PID 4488 wrote to memory of 1048	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	sEYGlde.exe
PID 4488 wrote to memory of 1072	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	TDzKKQd.exe
PID 4488 wrote to memory of 1072	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	TDzKKQd.exe
PID 4488 wrote to memory of 4844	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	dDybWja.exe
PID 4488 wrote to memory of 4844	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	dDybWja.exe
PID 4488 wrote to memory of 4824	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	yTqNygY.exe
PID 4488 wrote to memory of 4824	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	yTqNygY.exe
PID 4488 wrote to memory of 5096	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	pBhmSGd.exe
PID 4488 wrote to memory of 5096	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	pBhmSGd.exe
PID 4488 wrote to memory of 4348	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	rURDDEG.exe
PID 4488 wrote to memory of 4348	4488	2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe	rURDDEG.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_6f713228f63c1b6a5ca7cb7dabcab1e0_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\System\XwJNMIw.exe
C:\Windows\System\XwJNMIw.exe
2⤵
- Executes dropped EXE
PID:4880

C:\Windows\System\oAtlXEO.exe
C:\Windows\System\oAtlXEO.exe
2⤵
- Executes dropped EXE
PID:2932

C:\Windows\System\Bnsylzl.exe
C:\Windows\System\Bnsylzl.exe
2⤵
- Executes dropped EXE
PID:4732

C:\Windows\System\QuECSHP.exe
C:\Windows\System\QuECSHP.exe
2⤵
- Executes dropped EXE
PID:4148

C:\Windows\System\jtalXYj.exe
C:\Windows\System\jtalXYj.exe
2⤵
- Executes dropped EXE
PID:1920

C:\Windows\System\tjXIiYe.exe
C:\Windows\System\tjXIiYe.exe
2⤵
- Executes dropped EXE
PID:316

C:\Windows\System\IloshUm.exe
C:\Windows\System\IloshUm.exe
2⤵
- Executes dropped EXE
PID:4680

C:\Windows\System\rcVzNUc.exe
C:\Windows\System\rcVzNUc.exe
2⤵
- Executes dropped EXE
PID:212

C:\Windows\System\VFBNNPf.exe
C:\Windows\System\VFBNNPf.exe
2⤵
- Executes dropped EXE
PID:4904

C:\Windows\System\tLZyWyg.exe
C:\Windows\System\tLZyWyg.exe
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\System\PBCXYqR.exe
C:\Windows\System\PBCXYqR.exe
2⤵
- Executes dropped EXE
PID:3576

C:\Windows\System\KJwZSpc.exe
C:\Windows\System\KJwZSpc.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\LnRYaOZ.exe
C:\Windows\System\LnRYaOZ.exe
2⤵
- Executes dropped EXE
PID:4264

C:\Windows\System\ehWQCsR.exe
C:\Windows\System\ehWQCsR.exe
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\System\mkUwXoe.exe
C:\Windows\System\mkUwXoe.exe
2⤵
- Executes dropped EXE
PID:1392

C:\Windows\System\sEYGlde.exe
C:\Windows\System\sEYGlde.exe
2⤵
- Executes dropped EXE
PID:1048

C:\Windows\System\TDzKKQd.exe
C:\Windows\System\TDzKKQd.exe
2⤵
- Executes dropped EXE
PID:1072

C:\Windows\System\dDybWja.exe
C:\Windows\System\dDybWja.exe
2⤵
- Executes dropped EXE
PID:4844

C:\Windows\System\yTqNygY.exe
C:\Windows\System\yTqNygY.exe
2⤵
- Executes dropped EXE
PID:4824

C:\Windows\System\pBhmSGd.exe
C:\Windows\System\pBhmSGd.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\System\rURDDEG.exe
C:\Windows\System\rURDDEG.exe
2⤵
- Executes dropped EXE
PID:4348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\Bnsylzl.exe
Filesize
5.2MB

MD5
cbfeca02b86fba68ab830ae209847f6b

SHA1
f837aab8370072832146828a2e9e201fb2deea2e

SHA256
f88ca97adc0b9eb92f567cc2eddffafdab1d05ec27ac328801271bad0120eec4

SHA512
fcba1cdfcfa6ba17db12e9c234c4e806739dd94f06bac866fad3f004265a9f2790d6977e5005fa1ab98af8a05b4499f00b03a50ebb0d9c6648fccc5b2491c83d

Download Submit
C:\Windows\System\IloshUm.exe
Filesize
5.2MB

MD5
f35726659269c019da7a54a842b99ade

SHA1
a5f3f1b72fed9cea597349ada59b77a127e90a78

SHA256
3b3036f1fd91974debb45fa5479665612b8d8f3ca8c18a18bd8ec183e402ef10

SHA512
6bb2319f722ffdce2d8d99339bdeae3afe53f47ceeeb5d7b18ff21d79038757a23df0adec9b2cf086bdc5453bc53c77ca5ed417d8eabf2d405304ceee8ba1041

Download Submit
C:\Windows\System\KJwZSpc.exe
Filesize
5.2MB

MD5
c34f3556b7d4cdfe0f0863bd5c087b97

SHA1
d7c133970ae08920a856f3361a8c9e6d3f258464

SHA256
c5991460d34a8196282a7c59bc8cbe63f7ac69b0333bedc12e54c04d419905d2

SHA512
0236b1b2891778bb3c2946fbc4cbcc8eecad808d3f70b60cd434cd12aa3f54d2d762c9cf9b01d1b18c0a13e68e3e59255449bcbeaacb9a6a4766edd24625fce7

Download Submit
C:\Windows\System\LnRYaOZ.exe
Filesize
5.2MB

MD5
2cc254564daa5e6a77a7eea153ed22f9

SHA1
7b0aecd12081e4906581e2368abf09cc7d63238c

SHA256
f22db81240795f5f64f89dfd263a59a2ddbd648cb488160222569e6563427d9d

SHA512
5405f2ada720d45a56460fa7ba12138d7fbb16b79e314ffbc733b86bbb56d962f0a1572aec8517f2029e2a2f732f22bbd2a6dd80977a9292910052638cb85eb1

Download Submit
C:\Windows\System\PBCXYqR.exe
Filesize
5.2MB

MD5
290e984d3cedc7436c9f0196f29b7beb

SHA1
17212c91115e029104c20077c685a8720ebbeb69

SHA256
4c3505f2f121dc8b6a170ae0e793829f65f0b69640deeed6f251d40855a80a07

SHA512
819195d44e950af70b22b29f12466e440b3c3bcbeba3e62b258477e05a02a6ff0614a169e527451a0f2a74d7c3eb87ef3e12a263ecd81252b594ec514c3ea304

Download Submit
C:\Windows\System\QuECSHP.exe
Filesize
5.2MB

MD5
8d0bf29866732bd7f3ce7d957c4e0cf7

SHA1
b9faba78abea0b19c44d9b88adb1649673311ea4

SHA256
8cce8e62064bb28da68b9cf2dbe1de083d59587730f1b8e7f3b3288505acca4c

SHA512
474bacb38748a85203059eeac8f209ccb216547057041b92f86976fde001293a0a0c6f1f538ee345764b2c65a54c965ff50ef2616d9ee54705a74f87479b839c

Download Submit
C:\Windows\System\TDzKKQd.exe
Filesize
5.2MB

MD5
bcdb24bec50959f59ac0ca3725cf4266

SHA1
0e9650cc2d680b1658c4ec0d3c3c9ed7df667841

SHA256
c48cac080ebf53f230a10dca0c01be8c6f823da6c15b2badc0d0f055f3807aeb

SHA512
d301dfe34ceb99b246591322c8fc47aa6b2110b022d01a8ecfb831920e8db2f49403667fbe166bc654ddf0cb3d9689fa19fdda0a4cfc9e418fa055281efe701c

Download Submit
C:\Windows\System\VFBNNPf.exe
Filesize
5.2MB

MD5
290b3742c055d9aa1729a7772f9d9d7d

SHA1
93b25e8bf30720bd5ac1a7fc150c45f0516e6fc6

SHA256
f181e1a2acdd841899ef5cf30567a5a3452aeaa01b602a80b13fc1c018ef7afa

SHA512
3363e37b2b1ebec03a2a91bfd7ee8fc351b1fa8edb6b859ace170b20ad8eba7ac632f2663a89c687f9e09d550b0e07b6a8deeefbf316ede2d2e110e96621377a

Download Submit
C:\Windows\System\XwJNMIw.exe
Filesize
5.2MB

MD5
be0e8dd1cab32fd742cb9598593ce682

SHA1
0b5ebcd5d5bcb63ce8c66fb2facc06216a1b3c85

SHA256
19692b1658bbb731a2312029bc4b059517c46c861d5b9b7838362732ce7cb2bf

SHA512
b345318b58d11e3ffc2f45a2a212019159b30352e1ae417d72de71b6b00006dbc782e66ca4108f5c8166489c0772b016311f72d458f9c99ac7fa150940547157

Download Submit
C:\Windows\System\dDybWja.exe
Filesize
5.2MB

MD5
ef1a8b7bea6bccb6856e6f782a459305

SHA1
29a7330505939f55d7974826f9cfe686015274aa

SHA256
429620365f92781e5bc10355ce4db0781586af77e1f84a64dba6cc693a564399

SHA512
b08ba634893f32a5f8427d4cc48c46659b1b3eb541a2cdb9ca2c0f957dc24258effe347abd6f28f75e120254518654b2b798da43b16231e808e26eab4b778836

Download Submit
C:\Windows\System\ehWQCsR.exe
Filesize
5.2MB

MD5
cdf95e6a0d92b7d50c10d7e141f79e48

SHA1
d20d3eb055ac4e153f989fcc64883d26799ca396

SHA256
beee19fd4d9265d725596a5155345c3ca845c4a484a531807704eb3398004f09

SHA512
f3cd0e6f3828d4efe8b4d73b9cf4a19d264cfb192d99cebd663923f58c1fd07026cefb3793f57bff911bc9ae0f59626927b6940247e79cc4ca9c2213448296f8

Download Submit
C:\Windows\System\jtalXYj.exe
Filesize
5.2MB

MD5
9f32d4333505fd29eb89592df462396f

SHA1
69781b22985abd8238e39e531cde140c96bf00a9

SHA256
1de788893194b7368cb27ec6b58f7828335860412e5b56c0d6bc84494b04f3f4

SHA512
ba392c2b8b6a35264cda57778be4fa16412fc3263104fc6408924e554bf252e47870b1c0254498c93b762e38a82021c61b22d7aca17981b1d4beb4ec8b26913b

Download Submit
C:\Windows\System\mkUwXoe.exe
Filesize
5.2MB

MD5
fec19e3afd9f45c253fd24853bf83342

SHA1
95bceb8e07d14b3bcf4d9030bc15d1675d6f79fd

SHA256
27e9ef4ea8fef909e65395af095f00d56945325ffefc7ae72d3d4b6674bed42f

SHA512
9c22da6a2ceb39eeac345808a106f92943502e7f8c2e0580b74817f4859395f15f16f849fd74ecdfd4f54688b37269f4d7134400e501ba60b90f3953abf007c9

Download Submit
C:\Windows\System\oAtlXEO.exe
Filesize
5.2MB

MD5
6dfd665f13933d59e60351c5c99efd1c

SHA1
9dbe940a146e3bfa23fce3a8d15afe72ddcd201c

SHA256
0944e8461b7e627a4f0a13ae9a0a6d1df412335027cf291d3365ebb7cf238319

SHA512
0a541b02b9857c3d5f755101327737435fe0f3140c5c456c35f60c75cfe5656444d19d7856631b1630576b1eae9e5e640eba732cf9df73dfddd8a685841a37d4

Download Submit
C:\Windows\System\pBhmSGd.exe
Filesize
5.2MB

MD5
b581f5eecb6092867be5d8525996917c

SHA1
9a7dfa83588bf14a5018f06098d13db1a2870b9c

SHA256
b5d87d6875080d569194a94312a15a6f90af8d9dbc88327a69690a1923d59732

SHA512
8739fb58c1b9cc26dffd5c8be50dccd06948825484aa716d4203afab5082cc07d54a1a921cefa1445c413db0c6a495db9c41459dbf1c4d68db3251a1d0190816

Download Submit
C:\Windows\System\rURDDEG.exe
Filesize
5.2MB

MD5
a99efbf42ac8abcffb7ae770ce5a346b

SHA1
865ad5c92c0fb0d0d451e416c60c671b8b1721fb

SHA256
0183897f8451a418e4e966de11bef2ccf16752980c4f4d1a0998e2acf5e07562

SHA512
d439a265f9fd13b66a7c7fb895f49d65367c13e0f8128fbb3466980e9121af598f6cfa296c79f8298357d26a072634f2b61158bd2356e1e42e4ac8e260bf9c5a

Download Submit
C:\Windows\System\rcVzNUc.exe
Filesize
5.2MB

MD5
170bdd7fab4f5a9407f93592cdfe2449

SHA1
fbb97adee5bf622ebd91713be2c7b3035e814b74

SHA256
5dd499eef068c48e3d84b14212e753ebd3d8dfe9b47041e72922c0e0643f3f0b

SHA512
041f9c81c146516f54c054dc99819ca1a19279ba83c5044951dfd0cec5382a760592b6bfd83b830d7ac32216a7935a08c7d7b1c24e16dfc5092f04c877259676

Download Submit
C:\Windows\System\sEYGlde.exe
Filesize
5.2MB

MD5
1c497986586af7a402ffe6613109c356

SHA1
523320c3dcaf3ec932b74e34305191f393ac7613

SHA256
c49a675e409f65847a430b89298c36b646e29678494db30e55fe171eef281404

SHA512
f50d00511d982a38f01d3c08f397584846ee3033e2bae1ab3bc5f3a51b1d20dc7c7f4dbbb51bc30c40a96eb1e9d62e29c334fea18a610858296161361df451b8

Download Submit
C:\Windows\System\tLZyWyg.exe
Filesize
5.2MB

MD5
0ce38874e520162667eb7ddb774c6dcd

SHA1
d6bbf8a2e97dee714150a54367f92a898bab6303

SHA256
c5ff7445527ea77baa0d64fca3406c029c5537957a724cff3b8af6ab372f1503

SHA512
eec6a72ebf50c878e14f2155328e32b37b5797a4b22af75fafe94b1ccd801ac5d631c82c5395349898ecde647048025d9045fc454572be6b2aa598c5244f52a2

Download Submit
C:\Windows\System\tjXIiYe.exe
Filesize
5.2MB

MD5
74a4791c52cffbf99e9f1e0b3a5c15b4

SHA1
984b48e06df727c1a214093b3f1ea9308ab5b48d

SHA256
c3cc38007c04d1a696f0d4950fa81d19dc21b113c1902355937dbe40687409ea

SHA512
dff5600b5404162ca5f4da4d8552e6b4f8220695b72f0f5485b3abbcd7d62643ad14364f1111c1d03a73772b3d10f2c4bf341b4e68331ffe629b7e223783789e

Download Submit
C:\Windows\System\yTqNygY.exe
Filesize
5.2MB

MD5
29be3f93763aab6f958234c96967a3e2

SHA1
152c44ec94db095caa7a954e3f274c51194ee585

SHA256
47dd7a506bb00ff9d2ea56c31be63805b43e7fa600741384a90923a998217f94

SHA512
90a1430b5dc3ffc73126450be89691401b4ed42cbbced6e8e7caef616bcd30d9ed7a2e951582d5dd653672c4919b856b722626a8b7929282c6722baea0982695

Download Submit
memory/212-233-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp

Filesize
3.3MB

Download
memory/212-142-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp

Filesize
3.3MB

Download
memory/212-57-0x00007FF7CF020000-0x00007FF7CF371000-memory.dmp

Filesize
3.3MB

Download
memory/316-140-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp

Filesize
3.3MB

Download
memory/316-38-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp

Filesize
3.3MB

Download
memory/316-222-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1048-250-0x00007FF6C33B0000-0x00007FF6C3701000-memory.dmp

Filesize
3.3MB

Download
memory/1048-123-0x00007FF6C33B0000-0x00007FF6C3701000-memory.dmp

Filesize
3.3MB

Download
memory/1072-128-0x00007FF60F4F0000-0x00007FF60F841000-memory.dmp

Filesize
3.3MB

Download
memory/1072-254-0x00007FF60F4F0000-0x00007FF60F841000-memory.dmp

Filesize
3.3MB

Download
memory/1392-245-0x00007FF69B570000-0x00007FF69B8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1392-120-0x00007FF69B570000-0x00007FF69B8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-30-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp

Filesize
3.3MB

Download
memory/1920-133-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp

Filesize
3.3MB

Download
memory/1920-218-0x00007FF6F6530000-0x00007FF6F6881000-memory.dmp

Filesize
3.3MB

Download
memory/2356-237-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp

Filesize
3.3MB

Download
memory/2356-144-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp

Filesize
3.3MB

Download
memory/2356-61-0x00007FF6DD620000-0x00007FF6DD971000-memory.dmp

Filesize
3.3MB

Download
memory/2608-246-0x00007FF7663D0000-0x00007FF766721000-memory.dmp

Filesize
3.3MB

Download
memory/2608-116-0x00007FF7663D0000-0x00007FF766721000-memory.dmp

Filesize
3.3MB

Download
memory/2932-113-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-203-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-16-0x00007FF6F6E60000-0x00007FF6F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-251-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-146-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-75-0x00007FF62ED70000-0x00007FF62F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-241-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-145-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-65-0x00007FF771D80000-0x00007FF7720D1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-21-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-214-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-129-0x00007FF6C8D60000-0x00007FF6C90B1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-247-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-79-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-147-0x00007FF7C02A0000-0x00007FF7C05F1000-memory.dmp

Filesize
3.3MB

Download
memory/4348-259-0x00007FF6946F0000-0x00007FF694A41000-memory.dmp

Filesize
3.3MB

Download
memory/4348-132-0x00007FF6946F0000-0x00007FF694A41000-memory.dmp

Filesize
3.3MB

Download
memory/4488-0-0x00007FF635B40000-0x00007FF635E91000-memory.dmp

Filesize
3.3MB

Download
memory/4488-1-0x000001F75B3B0000-0x000001F75B3C0000-memory.dmp

Filesize
64KB

Download
memory/4488-156-0x00007FF635B40000-0x00007FF635E91000-memory.dmp

Filesize
3.3MB

Download
memory/4488-77-0x00007FF635B40000-0x00007FF635E91000-memory.dmp

Filesize
3.3MB

Download
memory/4488-134-0x00007FF635B40000-0x00007FF635E91000-memory.dmp

Filesize
3.3MB

Download
memory/4680-227-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4680-141-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4680-44-0x00007FF63A060000-0x00007FF63A3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-27-0x00007FF651CD0000-0x00007FF652021000-memory.dmp

Filesize
3.3MB

Download
memory/4732-131-0x00007FF651CD0000-0x00007FF652021000-memory.dmp

Filesize
3.3MB

Download
memory/4732-210-0x00007FF651CD0000-0x00007FF652021000-memory.dmp

Filesize
3.3MB

Download
memory/4824-261-0x00007FF78FBA0000-0x00007FF78FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-130-0x00007FF78FBA0000-0x00007FF78FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-125-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp

Filesize
3.3MB

Download
memory/4844-255-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp

Filesize
3.3MB

Download
memory/4880-95-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-8-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-201-0x00007FF757C80000-0x00007FF757FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-53-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-240-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-143-0x00007FF729D70000-0x00007FF72A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-127-0x00007FF6A97D0000-0x00007FF6A9B21000-memory.dmp

Filesize
3.3MB

Download
memory/5096-260-0x00007FF6A97D0000-0x00007FF6A9B21000-memory.dmp

Filesize
3.3MB

Download