cobaltstrike | cdce79e68b7d47cda949e72c69a45d7e5bbe34fba232bb5bca34b9a119144fae

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

0d73b00d3b0f3341623a5a10f335a190
SHA1

5587f3f8dab926cab9a7bcfe39fff42534a0e9ca
SHA256

cdce79e68b7d47cda949e72c69a45d7e5bbe34fba232bb5bca34b9a119144fae
SHA512

9a2a4f49b69037069c59b33a6843d52bbf21ee191ca56457e9e920ba054faae2ea965f31d3c058c2a33a1fadd7850d01854925715be8847cd84b30e5cbc89447
SSDEEP

49152:ROdWCCi7/ray56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibh56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\bMDjchF.exe	cobalt_reflective_dll
C:\Windows\System\SfuDfUc.exe	cobalt_reflective_dll
C:\Windows\System\hdvgTTJ.exe	cobalt_reflective_dll
C:\Windows\System\KrexxDB.exe	cobalt_reflective_dll
C:\Windows\System\kIdBImk.exe	cobalt_reflective_dll
C:\Windows\System\XsKqkdh.exe	cobalt_reflective_dll
C:\Windows\System\LJdijDb.exe	cobalt_reflective_dll
C:\Windows\System\PngbmDP.exe	cobalt_reflective_dll
C:\Windows\System\YwFKzZD.exe	cobalt_reflective_dll
C:\Windows\System\GOLJreJ.exe	cobalt_reflective_dll
C:\Windows\System\aCKMgBA.exe	cobalt_reflective_dll
C:\Windows\System\AxjhljT.exe	cobalt_reflective_dll
C:\Windows\System\ZmMsJds.exe	cobalt_reflective_dll
C:\Windows\System\hOozsRB.exe	cobalt_reflective_dll
C:\Windows\System\OJWUtYI.exe	cobalt_reflective_dll
C:\Windows\System\tngvQAd.exe	cobalt_reflective_dll
C:\Windows\System\KuwjKTt.exe	cobalt_reflective_dll
C:\Windows\System\qRZnUnj.exe	cobalt_reflective_dll
C:\Windows\System\QgRwsCF.exe	cobalt_reflective_dll
C:\Windows\System\reLmZqi.exe	cobalt_reflective_dll
C:\Windows\System\cTRBRly.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\bMDjchF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SfuDfUc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hdvgTTJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KrexxDB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kIdBImk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XsKqkdh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LJdijDb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PngbmDP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YwFKzZD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GOLJreJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aCKMgBA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AxjhljT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZmMsJds.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hOozsRB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OJWUtYI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tngvQAd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KuwjKTt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qRZnUnj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QgRwsCF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\reLmZqi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cTRBRly.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4596-0-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	UPX
C:\Windows\System\bMDjchF.exe	UPX
behavioral2/memory/1916-8-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	UPX
C:\Windows\System\SfuDfUc.exe	UPX
C:\Windows\System\hdvgTTJ.exe	UPX
C:\Windows\System\KrexxDB.exe	UPX
C:\Windows\System\kIdBImk.exe	UPX
C:\Windows\System\XsKqkdh.exe	UPX
C:\Windows\System\LJdijDb.exe	UPX
C:\Windows\System\PngbmDP.exe	UPX
C:\Windows\System\YwFKzZD.exe	UPX
C:\Windows\System\GOLJreJ.exe	UPX
C:\Windows\System\aCKMgBA.exe	UPX
behavioral2/memory/3352-78-0x00007FF736550000-0x00007FF7368A1000-memory.dmp	UPX
behavioral2/memory/3952-82-0x00007FF67CF50000-0x00007FF67D2A1000-memory.dmp	UPX
C:\Windows\System\AxjhljT.exe	UPX
C:\Windows\System\ZmMsJds.exe	UPX
C:\Windows\System\hOozsRB.exe	UPX
C:\Windows\System\OJWUtYI.exe	UPX
C:\Windows\System\tngvQAd.exe	UPX
C:\Windows\System\KuwjKTt.exe	UPX
C:\Windows\System\qRZnUnj.exe	UPX
C:\Windows\System\QgRwsCF.exe	UPX
behavioral2/memory/1792-83-0x00007FF758510000-0x00007FF758861000-memory.dmp	UPX
C:\Windows\System\reLmZqi.exe	UPX
behavioral2/memory/1632-79-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp	UPX
behavioral2/memory/544-76-0x00007FF73A4D0000-0x00007FF73A821000-memory.dmp	UPX
behavioral2/memory/4712-75-0x00007FF6B0290000-0x00007FF6B05E1000-memory.dmp	UPX
behavioral2/memory/3700-64-0x00007FF6EE020000-0x00007FF6EE371000-memory.dmp	UPX
C:\Windows\System\cTRBRly.exe	UPX
behavioral2/memory/4336-46-0x00007FF6200F0000-0x00007FF620441000-memory.dmp	UPX
behavioral2/memory/4708-35-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp	UPX
behavioral2/memory/3904-27-0x00007FF798160000-0x00007FF7984B1000-memory.dmp	UPX
behavioral2/memory/3920-25-0x00007FF666940000-0x00007FF666C91000-memory.dmp	UPX
behavioral2/memory/4796-23-0x00007FF728340000-0x00007FF728691000-memory.dmp	UPX
behavioral2/memory/1200-14-0x00007FF7859C0000-0x00007FF785D11000-memory.dmp	UPX
behavioral2/memory/4596-121-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	UPX
behavioral2/memory/1152-124-0x00007FF7A2530000-0x00007FF7A2881000-memory.dmp	UPX
behavioral2/memory/1272-127-0x00007FF68ED10000-0x00007FF68F061000-memory.dmp	UPX
behavioral2/memory/3468-128-0x00007FF773120000-0x00007FF773471000-memory.dmp	UPX
behavioral2/memory/864-126-0x00007FF6FB400000-0x00007FF6FB751000-memory.dmp	UPX
behavioral2/memory/2716-125-0x00007FF706FA0000-0x00007FF7072F1000-memory.dmp	UPX
behavioral2/memory/2008-123-0x00007FF67F470000-0x00007FF67F7C1000-memory.dmp	UPX
behavioral2/memory/1428-122-0x00007FF650570000-0x00007FF6508C1000-memory.dmp	UPX
behavioral2/memory/4796-132-0x00007FF728340000-0x00007FF728691000-memory.dmp	UPX
behavioral2/memory/3904-134-0x00007FF798160000-0x00007FF7984B1000-memory.dmp	UPX
behavioral2/memory/1632-143-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp	UPX
behavioral2/memory/4708-135-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp	UPX
behavioral2/memory/3920-133-0x00007FF666940000-0x00007FF666C91000-memory.dmp	UPX
behavioral2/memory/4596-129-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	UPX
behavioral2/memory/4596-151-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	UPX
behavioral2/memory/1916-209-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	UPX
behavioral2/memory/1200-211-0x00007FF7859C0000-0x00007FF785D11000-memory.dmp	UPX
behavioral2/memory/4796-213-0x00007FF728340000-0x00007FF728691000-memory.dmp	UPX
behavioral2/memory/3920-215-0x00007FF666940000-0x00007FF666C91000-memory.dmp	UPX
behavioral2/memory/3904-218-0x00007FF798160000-0x00007FF7984B1000-memory.dmp	UPX
behavioral2/memory/4708-219-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp	UPX
behavioral2/memory/4336-221-0x00007FF6200F0000-0x00007FF620441000-memory.dmp	UPX
behavioral2/memory/3700-223-0x00007FF6EE020000-0x00007FF6EE371000-memory.dmp	UPX
behavioral2/memory/4712-225-0x00007FF6B0290000-0x00007FF6B05E1000-memory.dmp	UPX
behavioral2/memory/544-227-0x00007FF73A4D0000-0x00007FF73A821000-memory.dmp	UPX
behavioral2/memory/3952-231-0x00007FF67CF50000-0x00007FF67D2A1000-memory.dmp	UPX
behavioral2/memory/3352-229-0x00007FF736550000-0x00007FF7368A1000-memory.dmp	UPX
behavioral2/memory/1792-233-0x00007FF758510000-0x00007FF758861000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1916-8-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	xmrig
behavioral2/memory/3352-78-0x00007FF736550000-0x00007FF7368A1000-memory.dmp	xmrig
behavioral2/memory/3952-82-0x00007FF67CF50000-0x00007FF67D2A1000-memory.dmp	xmrig
behavioral2/memory/1792-83-0x00007FF758510000-0x00007FF758861000-memory.dmp	xmrig
behavioral2/memory/544-76-0x00007FF73A4D0000-0x00007FF73A821000-memory.dmp	xmrig
behavioral2/memory/4712-75-0x00007FF6B0290000-0x00007FF6B05E1000-memory.dmp	xmrig
behavioral2/memory/3700-64-0x00007FF6EE020000-0x00007FF6EE371000-memory.dmp	xmrig
behavioral2/memory/4336-46-0x00007FF6200F0000-0x00007FF620441000-memory.dmp	xmrig
behavioral2/memory/1200-14-0x00007FF7859C0000-0x00007FF785D11000-memory.dmp	xmrig
behavioral2/memory/4596-121-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	xmrig
behavioral2/memory/1152-124-0x00007FF7A2530000-0x00007FF7A2881000-memory.dmp	xmrig
behavioral2/memory/1272-127-0x00007FF68ED10000-0x00007FF68F061000-memory.dmp	xmrig
behavioral2/memory/3468-128-0x00007FF773120000-0x00007FF773471000-memory.dmp	xmrig
behavioral2/memory/864-126-0x00007FF6FB400000-0x00007FF6FB751000-memory.dmp	xmrig
behavioral2/memory/2716-125-0x00007FF706FA0000-0x00007FF7072F1000-memory.dmp	xmrig
behavioral2/memory/2008-123-0x00007FF67F470000-0x00007FF67F7C1000-memory.dmp	xmrig
behavioral2/memory/1428-122-0x00007FF650570000-0x00007FF6508C1000-memory.dmp	xmrig
behavioral2/memory/4796-132-0x00007FF728340000-0x00007FF728691000-memory.dmp	xmrig
behavioral2/memory/3904-134-0x00007FF798160000-0x00007FF7984B1000-memory.dmp	xmrig
behavioral2/memory/1632-143-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp	xmrig
behavioral2/memory/4708-135-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp	xmrig
behavioral2/memory/3920-133-0x00007FF666940000-0x00007FF666C91000-memory.dmp	xmrig
behavioral2/memory/4596-129-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	xmrig
behavioral2/memory/4596-151-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	xmrig
behavioral2/memory/1916-209-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	xmrig
behavioral2/memory/1200-211-0x00007FF7859C0000-0x00007FF785D11000-memory.dmp	xmrig
behavioral2/memory/4796-213-0x00007FF728340000-0x00007FF728691000-memory.dmp	xmrig
behavioral2/memory/3920-215-0x00007FF666940000-0x00007FF666C91000-memory.dmp	xmrig
behavioral2/memory/3904-218-0x00007FF798160000-0x00007FF7984B1000-memory.dmp	xmrig
behavioral2/memory/4708-219-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp	xmrig
behavioral2/memory/4336-221-0x00007FF6200F0000-0x00007FF620441000-memory.dmp	xmrig
behavioral2/memory/3700-223-0x00007FF6EE020000-0x00007FF6EE371000-memory.dmp	xmrig
behavioral2/memory/4712-225-0x00007FF6B0290000-0x00007FF6B05E1000-memory.dmp	xmrig
behavioral2/memory/544-227-0x00007FF73A4D0000-0x00007FF73A821000-memory.dmp	xmrig
behavioral2/memory/3952-231-0x00007FF67CF50000-0x00007FF67D2A1000-memory.dmp	xmrig
behavioral2/memory/3352-229-0x00007FF736550000-0x00007FF7368A1000-memory.dmp	xmrig
behavioral2/memory/1792-233-0x00007FF758510000-0x00007FF758861000-memory.dmp	xmrig
behavioral2/memory/1632-235-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp	xmrig
behavioral2/memory/1428-237-0x00007FF650570000-0x00007FF6508C1000-memory.dmp	xmrig
behavioral2/memory/2008-239-0x00007FF67F470000-0x00007FF67F7C1000-memory.dmp	xmrig
behavioral2/memory/1152-241-0x00007FF7A2530000-0x00007FF7A2881000-memory.dmp	xmrig
behavioral2/memory/2716-243-0x00007FF706FA0000-0x00007FF7072F1000-memory.dmp	xmrig
behavioral2/memory/864-245-0x00007FF6FB400000-0x00007FF6FB751000-memory.dmp	xmrig
behavioral2/memory/3468-249-0x00007FF773120000-0x00007FF773471000-memory.dmp	xmrig
behavioral2/memory/1272-248-0x00007FF68ED10000-0x00007FF68F061000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

bMDjchF.exehdvgTTJ.exeSfuDfUc.exeKrexxDB.exekIdBImk.exeXsKqkdh.exeLJdijDb.exePngbmDP.execTRBRly.exeYwFKzZD.exeGOLJreJ.exeaCKMgBA.exeQgRwsCF.exereLmZqi.exeAxjhljT.exeqRZnUnj.exeZmMsJds.exeKuwjKTt.exehOozsRB.exetngvQAd.exeOJWUtYI.exe

pid	process
1916	bMDjchF.exe
1200	hdvgTTJ.exe
4796	SfuDfUc.exe
3920	KrexxDB.exe
3904	kIdBImk.exe
4708	XsKqkdh.exe
4336	LJdijDb.exe
3700	PngbmDP.exe
4712	cTRBRly.exe
544	YwFKzZD.exe
3352	GOLJreJ.exe
3952	aCKMgBA.exe
1632	QgRwsCF.exe
1792	reLmZqi.exe
1428	AxjhljT.exe
2008	qRZnUnj.exe
1152	ZmMsJds.exe
2716	KuwjKTt.exe
864	hOozsRB.exe
1272	tngvQAd.exe
3468	OJWUtYI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4596-0-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	upx
C:\Windows\System\bMDjchF.exe	upx
behavioral2/memory/1916-8-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	upx
C:\Windows\System\SfuDfUc.exe	upx
C:\Windows\System\hdvgTTJ.exe	upx
C:\Windows\System\KrexxDB.exe	upx
C:\Windows\System\kIdBImk.exe	upx
C:\Windows\System\XsKqkdh.exe	upx
C:\Windows\System\LJdijDb.exe	upx
C:\Windows\System\PngbmDP.exe	upx
C:\Windows\System\YwFKzZD.exe	upx
C:\Windows\System\GOLJreJ.exe	upx
C:\Windows\System\aCKMgBA.exe	upx
behavioral2/memory/3352-78-0x00007FF736550000-0x00007FF7368A1000-memory.dmp	upx
behavioral2/memory/3952-82-0x00007FF67CF50000-0x00007FF67D2A1000-memory.dmp	upx
C:\Windows\System\AxjhljT.exe	upx
C:\Windows\System\ZmMsJds.exe	upx
C:\Windows\System\hOozsRB.exe	upx
C:\Windows\System\OJWUtYI.exe	upx
C:\Windows\System\tngvQAd.exe	upx
C:\Windows\System\KuwjKTt.exe	upx
C:\Windows\System\qRZnUnj.exe	upx
C:\Windows\System\QgRwsCF.exe	upx
behavioral2/memory/1792-83-0x00007FF758510000-0x00007FF758861000-memory.dmp	upx
C:\Windows\System\reLmZqi.exe	upx
behavioral2/memory/1632-79-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp	upx
behavioral2/memory/544-76-0x00007FF73A4D0000-0x00007FF73A821000-memory.dmp	upx
behavioral2/memory/4712-75-0x00007FF6B0290000-0x00007FF6B05E1000-memory.dmp	upx
behavioral2/memory/3700-64-0x00007FF6EE020000-0x00007FF6EE371000-memory.dmp	upx
C:\Windows\System\cTRBRly.exe	upx
behavioral2/memory/4336-46-0x00007FF6200F0000-0x00007FF620441000-memory.dmp	upx
behavioral2/memory/4708-35-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp	upx
behavioral2/memory/3904-27-0x00007FF798160000-0x00007FF7984B1000-memory.dmp	upx
behavioral2/memory/3920-25-0x00007FF666940000-0x00007FF666C91000-memory.dmp	upx
behavioral2/memory/4796-23-0x00007FF728340000-0x00007FF728691000-memory.dmp	upx
behavioral2/memory/1200-14-0x00007FF7859C0000-0x00007FF785D11000-memory.dmp	upx
behavioral2/memory/4596-121-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	upx
behavioral2/memory/1152-124-0x00007FF7A2530000-0x00007FF7A2881000-memory.dmp	upx
behavioral2/memory/1272-127-0x00007FF68ED10000-0x00007FF68F061000-memory.dmp	upx
behavioral2/memory/3468-128-0x00007FF773120000-0x00007FF773471000-memory.dmp	upx
behavioral2/memory/864-126-0x00007FF6FB400000-0x00007FF6FB751000-memory.dmp	upx
behavioral2/memory/2716-125-0x00007FF706FA0000-0x00007FF7072F1000-memory.dmp	upx
behavioral2/memory/2008-123-0x00007FF67F470000-0x00007FF67F7C1000-memory.dmp	upx
behavioral2/memory/1428-122-0x00007FF650570000-0x00007FF6508C1000-memory.dmp	upx
behavioral2/memory/4796-132-0x00007FF728340000-0x00007FF728691000-memory.dmp	upx
behavioral2/memory/3904-134-0x00007FF798160000-0x00007FF7984B1000-memory.dmp	upx
behavioral2/memory/1632-143-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp	upx
behavioral2/memory/4708-135-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp	upx
behavioral2/memory/3920-133-0x00007FF666940000-0x00007FF666C91000-memory.dmp	upx
behavioral2/memory/4596-129-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	upx
behavioral2/memory/4596-151-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp	upx
behavioral2/memory/1916-209-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	upx
behavioral2/memory/1200-211-0x00007FF7859C0000-0x00007FF785D11000-memory.dmp	upx
behavioral2/memory/4796-213-0x00007FF728340000-0x00007FF728691000-memory.dmp	upx
behavioral2/memory/3920-215-0x00007FF666940000-0x00007FF666C91000-memory.dmp	upx
behavioral2/memory/3904-218-0x00007FF798160000-0x00007FF7984B1000-memory.dmp	upx
behavioral2/memory/4708-219-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp	upx
behavioral2/memory/4336-221-0x00007FF6200F0000-0x00007FF620441000-memory.dmp	upx
behavioral2/memory/3700-223-0x00007FF6EE020000-0x00007FF6EE371000-memory.dmp	upx
behavioral2/memory/4712-225-0x00007FF6B0290000-0x00007FF6B05E1000-memory.dmp	upx
behavioral2/memory/544-227-0x00007FF73A4D0000-0x00007FF73A821000-memory.dmp	upx
behavioral2/memory/3952-231-0x00007FF67CF50000-0x00007FF67D2A1000-memory.dmp	upx
behavioral2/memory/3352-229-0x00007FF736550000-0x00007FF7368A1000-memory.dmp	upx
behavioral2/memory/1792-233-0x00007FF758510000-0x00007FF758861000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\kIdBImk.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PngbmDP.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cTRBRly.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KuwjKTt.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hOozsRB.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tngvQAd.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KrexxDB.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AxjhljT.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OJWUtYI.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aCKMgBA.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hdvgTTJ.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SfuDfUc.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GOLJreJ.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\reLmZqi.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QgRwsCF.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bMDjchF.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LJdijDb.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YwFKzZD.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qRZnUnj.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZmMsJds.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XsKqkdh.exe	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4596 wrote to memory of 1916	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	bMDjchF.exe
PID 4596 wrote to memory of 1916	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	bMDjchF.exe
PID 4596 wrote to memory of 1200	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	hdvgTTJ.exe
PID 4596 wrote to memory of 1200	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	hdvgTTJ.exe
PID 4596 wrote to memory of 4796	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	SfuDfUc.exe
PID 4596 wrote to memory of 4796	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	SfuDfUc.exe
PID 4596 wrote to memory of 3920	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	KrexxDB.exe
PID 4596 wrote to memory of 3920	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	KrexxDB.exe
PID 4596 wrote to memory of 3904	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	kIdBImk.exe
PID 4596 wrote to memory of 3904	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	kIdBImk.exe
PID 4596 wrote to memory of 4708	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	XsKqkdh.exe
PID 4596 wrote to memory of 4708	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	XsKqkdh.exe
PID 4596 wrote to memory of 4336	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	LJdijDb.exe
PID 4596 wrote to memory of 4336	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	LJdijDb.exe
PID 4596 wrote to memory of 3700	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	PngbmDP.exe
PID 4596 wrote to memory of 3700	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	PngbmDP.exe
PID 4596 wrote to memory of 4712	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	cTRBRly.exe
PID 4596 wrote to memory of 4712	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	cTRBRly.exe
PID 4596 wrote to memory of 544	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	YwFKzZD.exe
PID 4596 wrote to memory of 544	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	YwFKzZD.exe
PID 4596 wrote to memory of 3352	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	GOLJreJ.exe
PID 4596 wrote to memory of 3352	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	GOLJreJ.exe
PID 4596 wrote to memory of 3952	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	aCKMgBA.exe
PID 4596 wrote to memory of 3952	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	aCKMgBA.exe
PID 4596 wrote to memory of 1792	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	reLmZqi.exe
PID 4596 wrote to memory of 1792	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	reLmZqi.exe
PID 4596 wrote to memory of 1632	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	QgRwsCF.exe
PID 4596 wrote to memory of 1632	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	QgRwsCF.exe
PID 4596 wrote to memory of 1428	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	AxjhljT.exe
PID 4596 wrote to memory of 1428	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	AxjhljT.exe
PID 4596 wrote to memory of 2008	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	qRZnUnj.exe
PID 4596 wrote to memory of 2008	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	qRZnUnj.exe
PID 4596 wrote to memory of 1152	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	ZmMsJds.exe
PID 4596 wrote to memory of 1152	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	ZmMsJds.exe
PID 4596 wrote to memory of 2716	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	KuwjKTt.exe
PID 4596 wrote to memory of 2716	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	KuwjKTt.exe
PID 4596 wrote to memory of 864	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	hOozsRB.exe
PID 4596 wrote to memory of 864	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	hOozsRB.exe
PID 4596 wrote to memory of 1272	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	tngvQAd.exe
PID 4596 wrote to memory of 1272	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	tngvQAd.exe
PID 4596 wrote to memory of 3468	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	OJWUtYI.exe
PID 4596 wrote to memory of 3468	4596	2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe	OJWUtYI.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_0d73b00d3b0f3341623a5a10f335a190_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\System\bMDjchF.exe
C:\Windows\System\bMDjchF.exe
2⤵
- Executes dropped EXE
PID:1916

C:\Windows\System\hdvgTTJ.exe
C:\Windows\System\hdvgTTJ.exe
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\System\SfuDfUc.exe
C:\Windows\System\SfuDfUc.exe
2⤵
- Executes dropped EXE
PID:4796

C:\Windows\System\KrexxDB.exe
C:\Windows\System\KrexxDB.exe
2⤵
- Executes dropped EXE
PID:3920

C:\Windows\System\kIdBImk.exe
C:\Windows\System\kIdBImk.exe
2⤵
- Executes dropped EXE
PID:3904

C:\Windows\System\XsKqkdh.exe
C:\Windows\System\XsKqkdh.exe
2⤵
- Executes dropped EXE
PID:4708

C:\Windows\System\LJdijDb.exe
C:\Windows\System\LJdijDb.exe
2⤵
- Executes dropped EXE
PID:4336

C:\Windows\System\PngbmDP.exe
C:\Windows\System\PngbmDP.exe
2⤵
- Executes dropped EXE
PID:3700

C:\Windows\System\cTRBRly.exe
C:\Windows\System\cTRBRly.exe
2⤵
- Executes dropped EXE
PID:4712

C:\Windows\System\YwFKzZD.exe
C:\Windows\System\YwFKzZD.exe
2⤵
- Executes dropped EXE
PID:544

C:\Windows\System\GOLJreJ.exe
C:\Windows\System\GOLJreJ.exe
2⤵
- Executes dropped EXE
PID:3352

C:\Windows\System\aCKMgBA.exe
C:\Windows\System\aCKMgBA.exe
2⤵
- Executes dropped EXE
PID:3952

C:\Windows\System\reLmZqi.exe
C:\Windows\System\reLmZqi.exe
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\System\QgRwsCF.exe
C:\Windows\System\QgRwsCF.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\System\AxjhljT.exe
C:\Windows\System\AxjhljT.exe
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\System\qRZnUnj.exe
C:\Windows\System\qRZnUnj.exe
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\System\ZmMsJds.exe
C:\Windows\System\ZmMsJds.exe
2⤵
- Executes dropped EXE
PID:1152

C:\Windows\System\KuwjKTt.exe
C:\Windows\System\KuwjKTt.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\hOozsRB.exe
C:\Windows\System\hOozsRB.exe
2⤵
- Executes dropped EXE
PID:864

C:\Windows\System\tngvQAd.exe
C:\Windows\System\tngvQAd.exe
2⤵
- Executes dropped EXE
PID:1272

C:\Windows\System\OJWUtYI.exe
C:\Windows\System\OJWUtYI.exe
2⤵
- Executes dropped EXE
PID:3468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AxjhljT.exe
Filesize
5.2MB

MD5
2514e69f0c660c90b1034b39268face4

SHA1
3312e67a79b72f13aea4826421645be2e70f2ccb

SHA256
db74e579da8f503e3352b0d60bb96e9cd86c58e9d36e27b19f7bc078ead4bc78

SHA512
397ca083ce51e10c51cc37cc9934684396cf187519513d7a22b9f100b95aecf009d923397a1b9cf59ce2caa46e4e072421204956ae3b33d7bb180f6c79808f94

Download Submit
C:\Windows\System\GOLJreJ.exe
Filesize
5.2MB

MD5
4fded7e84a4c6f2187ec899aad66c36e

SHA1
263faa7e7bd72a743d0dcbd8e4a47554aa1db449

SHA256
ef2ab9a83d1f8b666d4e59f84bac78bfbf9dd4ad994853c6109971115023b191

SHA512
c8526c158115b67e549ce19057cf616b2a435b07fb4161af2b7a57a5fb114d8783b36d5527d0eff7f8ebec58cfba2895aacabdd193376135a80e92367e8ef045

Download Submit
C:\Windows\System\KrexxDB.exe
Filesize
5.2MB

MD5
4044462fa3f9a73afb0222fe18b79101

SHA1
06ee24083880d2a83eeeec4c0eb9cdb33ee9b6fc

SHA256
e08c0f4269ae6f62648c9e3693f63ed99710f95f25573b0d913dad7c9975288f

SHA512
d008bd99fb40a9b3f00ca93c7e31ce18af84d6c86a2d599fbd99b0360a15c9b69df9a580caf504af038a8095a34cfc4a98d321974da989b580184a361c0a597e

Download Submit
C:\Windows\System\KuwjKTt.exe
Filesize
5.2MB

MD5
8f6c2b96faaa20b8f3c1acccf15548d1

SHA1
36311352edd87afc6df8ec7c3d5310fb49beb5b6

SHA256
9eeff2e2fe2251794a3eaa632be7491a3ebcd8be44a0888a5f548037c9d92577

SHA512
02674d2bd234742c237f03e7f54a0f48f0eb9956d41a0d74091532d6b4a08d22280ca62a0a74b2d6017a5241f5dcc97a8afd9ff52b9efb0534773d4bc50d1e76

Download Submit
C:\Windows\System\LJdijDb.exe
Filesize
5.2MB

MD5
d30a1c7455f2786b5f6d44f2970abf4b

SHA1
e11b50312b5e6ed8472a04825d768acf5617d06d

SHA256
d2742a541ca18b68121df96dc38549e7dfa4ebe5edbf3d8139d9929cd2898ff7

SHA512
f029bfd9298812199cd6593b7959084a4f36ac0f334644570e7c494cbe82070d8f02804903ae7d80206ec5356849b16e6a55b97210d28d91372e9b54f6dc4803

Download Submit
C:\Windows\System\OJWUtYI.exe
Filesize
5.2MB

MD5
d58bb2ea795921cd7480689df909c687

SHA1
d7c244cb90358241e8340a5eace1a126213d5505

SHA256
bdfcc5ae9b69344db97a9cce851473c496a8e90ee61f5fc2f9a12044e5975f8b

SHA512
12a94a864c7453c31eb0810c2d0bf5ce069a7bfef741e57e17e4869cc3dd5476ffe06eb8a0dbc638df47be9ce1385825112c1c62dd6d367d7d83436d5ff0333e

Download Submit
C:\Windows\System\PngbmDP.exe
Filesize
5.2MB

MD5
c81e4adca2afd5702d01f4586b296559

SHA1
1c784227c9b39c12a094215766bf317bd5f46fbd

SHA256
9fb8ecad483de823b2e9adcdd92c6350a951b074bb7de3423a7cdb79f4cce9b4

SHA512
d94e30d364c54f98303f7e5e9c442acdb7946981e30370966506f031a08c13dd060f8d3c39524ce5f462646a8712cfb10e695941b8c0fe8efcb4ac933365c91c

Download Submit
C:\Windows\System\QgRwsCF.exe
Filesize
5.2MB

MD5
1a33c11a271a1dd0da3aad7f5e44ad52

SHA1
01de89fb9a077bddf8e9dd6fea342872d72964b0

SHA256
9c72331bede2d40b841007a517cc4b44b373c10eda13a438b20816c9c862e1c5

SHA512
f36b10abb7d05d8a04e735245db8f288a0eb6b19d35a36d222108b27916017f4b26273a414de22776b1be78c9110891c24900428cd78c9b8312ed872d3f75423

Download Submit
C:\Windows\System\SfuDfUc.exe
Filesize
5.2MB

MD5
111eebfce70fa775c54f73ebb20d9687

SHA1
6404306e2517ec1819a387807978673e519f9ea5

SHA256
89d18a978e75079ce081afd75186927c8f150d04536d102615b20ead78a802ae

SHA512
b9f8315e460fc122cfacda23d3bda79b1b562796f7b6e8e91948591c7daa0c203bcd2df9727478d26961de8a9bd3ca69e30d569eabf82f39db00ef30f63b6a1f

Download Submit
C:\Windows\System\XsKqkdh.exe
Filesize
5.2MB

MD5
170f69c597029632e4b7a5c18540cca6

SHA1
d3aa44e033be2542acad2f076c2aadeb32f19000

SHA256
6eed9281f8653a279f9a1b611da18654843aca8d880a472dadbcadc8df5933b9

SHA512
ceb952fa01800f515bcb5e4c965360820bda6bc1d2fa7353853b0a58e45e2fbeb3858663f04c835e32e1e8d59852cd3bcdce188f382006a8fca1508087bf7647

Download Submit
C:\Windows\System\YwFKzZD.exe
Filesize
5.2MB

MD5
130d0aef87d9d5f3a027f6c058c488a2

SHA1
de18cf6d6975086229cd70ac9cf23209793e8fdb

SHA256
f1786d7326244a515f701df1d583dedfd7b8c2aafc09c518286534d530ab66ef

SHA512
7d87460dd5b3d4d0d51ee24e47964c143a64f2cdd282cc0814afa81ae4f7b50491357a045af538321c096faeeb26114f2eb43608f871783aac0d805fc91ed9a9

Download Submit
C:\Windows\System\ZmMsJds.exe
Filesize
5.2MB

MD5
3fc60e6e162eca5b6e3b0cbaafa5ccc9

SHA1
5c86f8f973d8bc5b7fb13468fa8bafa460bc920c

SHA256
a7668453d97a9cc0fb5bfa40a98911f93c979633b372cf7942424ef869a5086b

SHA512
c3d1d13557f80d7dec49258198b853db51a4cd1b8299c94aeab788bbdd3f01b48edfe32e92cb0ddccaa30517e89bfa30048c8a3c0407681c40ec7ac281c11c18

Download Submit
C:\Windows\System\aCKMgBA.exe
Filesize
5.2MB

MD5
5d743aac55aefcf873952e50dcba2cff

SHA1
e460f4e5dc604684032d870bd0cd19167ad2d0ec

SHA256
70fbdd9e8a33c81b375378507d40a17732176b6800da13c2870b17b92a116683

SHA512
06108ac7a31d2db90f5bb957f8878d7e000fefbe2d62adef2dba8f97bc09298a7fc818199dd21164bd751d26aca8b44ba9632dce9e54f6a41f241658799592ee

Download Submit
C:\Windows\System\bMDjchF.exe
Filesize
5.2MB

MD5
34d530f6b932d79967ef2cf1fb44c9e5

SHA1
9e78f630a3d070f887dfcbca5f1fb01ec54c8122

SHA256
2cf76811784a5366fa77c17c9f0ced7f396778a50bd8d235a4590cd1ca61ecf5

SHA512
2b6e919cfad4d5ed5818053833be9fa5c65c46d6e0b83c8eaaaaa6c6f8be3a1016c6eab85172022d8fdddb38e97936b7039362e13120f21be5cb9ff68610ac1c

Download Submit
C:\Windows\System\cTRBRly.exe
Filesize
5.2MB

MD5
56f4a2ca339e0ee14183c2b685f270fc

SHA1
f339b701724a925b115109ef539ce0cbb460d559

SHA256
8d4b2f5cb269d119509204fc7e8d3fa21504a85164e647f95c7897b60603241f

SHA512
131bae2e468efba9dda2ed0cf05e5883d43da30523aca56c9bde71afae04c5945a9254916f4a2301e4b9f311507399535a813810a7a4e3b6142c8156b9c5aa79

Download Submit
C:\Windows\System\hOozsRB.exe
Filesize
5.2MB

MD5
b541698824218631a7c34a4b869f1df1

SHA1
891e585278d0d3a9656ebf74a68bf6c2f0ae9d1a

SHA256
374076e0fecba3587c3bb4f41961d1726514db5bff00c59d7d245706c816350f

SHA512
87d0f6eaa5205229bf258438ad820447e9341d7cd65935b406d86571082a9d3184e26141e30acf2a4167a1918c1eee1c757c94b7286c8758e6c467a4b9efbc5a

Download Submit
C:\Windows\System\hdvgTTJ.exe
Filesize
5.2MB

MD5
f66ef7f6c9176849a75ec364f225879d

SHA1
5f01615cb482f54c9f7b87c232c34a7b95b8c446

SHA256
7c0f21f4bb6c89a7693ea34b488dd86dede198a85bbe99c2c7f547dfe7967b2f

SHA512
173d31ff44b892c23a3b5e81a3b2c1dd8205de04a1871b4249db0f5c295ef1150ba7745b41223bc720da4117e7a5bb9fc4076181e4f7b45e7c94d61e20099959

Download Submit
C:\Windows\System\kIdBImk.exe
Filesize
5.2MB

MD5
9442b36bb1b8b7a7ac92c6082a913202

SHA1
28b7b4a0c7329e2b4b368f1e61b0d08baafbed2d

SHA256
5948da04f6251e6d3a0aecd3eb2e9c948e382205a4c99b4680551e0ba75a987e

SHA512
6e6202094b6efbc3ff482f89ebafd3037577e827555d1dbed9aa67d1cf84240dc90d8e790737f93ee439bdad4b58e4dbcae10f72b4820f0622d48f660ef348ae

Download Submit
C:\Windows\System\qRZnUnj.exe
Filesize
5.2MB

MD5
aac7cda02b4026c7a8c6c46615b38c03

SHA1
392bd51f6854b3ad58802813b6fcfabcc8b9ae39

SHA256
31f3a06b7695a166b62ca8756fd105e132bc20559935681decf359a7ed4d07b7

SHA512
6334afed48bc0877615f9d68bd389a86b5162336e8cae6efd59232abd2fd04132253cd3e9702235268fc70088162d5263065523cf912d3c1fd8bfcf11777db9b

Download Submit
C:\Windows\System\reLmZqi.exe
Filesize
5.2MB

MD5
5b5990436125ed78a31fae95f6da3012

SHA1
d2fd06031378e6ae8dff2741815be4c310afb527

SHA256
ab7faf719e64076b444d74296ea382bb1b20303b4533e4954e1c4933fcc1f822

SHA512
99d38bf04d21a10b6db71d09bf11852f8243894cf859185651c2a1e0826e609e8750e1cda3b376c7a516b020d20f176c353c4c1b22def08244e5b2c43c555ced

Download Submit
C:\Windows\System\tngvQAd.exe
Filesize
5.2MB

MD5
e48d50c95cd42b08e6d81b502fc58bb2

SHA1
a6173118f5c4d92965088e86ba39a276d5bbbb1f

SHA256
f365fc886b688329eee519942275fb8b77063ef17ee93fae7f3db9fdcee948c8

SHA512
305a55fd85198d890e802703d6618e80a7982622ab7906d19e4f524a283558eb2a8a93ea2ea3a5e064ac13da191e449405989e6f685c3b69cb327551c20ac49c

Download Submit
memory/544-76-0x00007FF73A4D0000-0x00007FF73A821000-memory.dmp

Filesize
3.3MB

Download
memory/544-227-0x00007FF73A4D0000-0x00007FF73A821000-memory.dmp

Filesize
3.3MB

Download
memory/864-126-0x00007FF6FB400000-0x00007FF6FB751000-memory.dmp

Filesize
3.3MB

Download
memory/864-245-0x00007FF6FB400000-0x00007FF6FB751000-memory.dmp

Filesize
3.3MB

Download
memory/1152-241-0x00007FF7A2530000-0x00007FF7A2881000-memory.dmp

Filesize
3.3MB

Download
memory/1152-124-0x00007FF7A2530000-0x00007FF7A2881000-memory.dmp

Filesize
3.3MB

Download
memory/1200-14-0x00007FF7859C0000-0x00007FF785D11000-memory.dmp

Filesize
3.3MB

Download
memory/1200-211-0x00007FF7859C0000-0x00007FF785D11000-memory.dmp

Filesize
3.3MB

Download
memory/1272-127-0x00007FF68ED10000-0x00007FF68F061000-memory.dmp

Filesize
3.3MB

Download
memory/1272-248-0x00007FF68ED10000-0x00007FF68F061000-memory.dmp

Filesize
3.3MB

Download
memory/1428-122-0x00007FF650570000-0x00007FF6508C1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-237-0x00007FF650570000-0x00007FF6508C1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-143-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-79-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-235-0x00007FF7E9AA0000-0x00007FF7E9DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-233-0x00007FF758510000-0x00007FF758861000-memory.dmp

Filesize
3.3MB

Download
memory/1792-83-0x00007FF758510000-0x00007FF758861000-memory.dmp

Filesize
3.3MB

Download
memory/1916-8-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp

Filesize
3.3MB

Download
memory/1916-209-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-123-0x00007FF67F470000-0x00007FF67F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-239-0x00007FF67F470000-0x00007FF67F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-125-0x00007FF706FA0000-0x00007FF7072F1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-243-0x00007FF706FA0000-0x00007FF7072F1000-memory.dmp

Filesize
3.3MB

Download
memory/3352-229-0x00007FF736550000-0x00007FF7368A1000-memory.dmp

Filesize
3.3MB

Download
memory/3352-78-0x00007FF736550000-0x00007FF7368A1000-memory.dmp

Filesize
3.3MB

Download
memory/3468-128-0x00007FF773120000-0x00007FF773471000-memory.dmp

Filesize
3.3MB

Download
memory/3468-249-0x00007FF773120000-0x00007FF773471000-memory.dmp

Filesize
3.3MB

Download
memory/3700-64-0x00007FF6EE020000-0x00007FF6EE371000-memory.dmp

Filesize
3.3MB

Download
memory/3700-223-0x00007FF6EE020000-0x00007FF6EE371000-memory.dmp

Filesize
3.3MB

Download
memory/3904-27-0x00007FF798160000-0x00007FF7984B1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-134-0x00007FF798160000-0x00007FF7984B1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-218-0x00007FF798160000-0x00007FF7984B1000-memory.dmp

Filesize
3.3MB

Download
memory/3920-215-0x00007FF666940000-0x00007FF666C91000-memory.dmp

Filesize
3.3MB

Download
memory/3920-133-0x00007FF666940000-0x00007FF666C91000-memory.dmp

Filesize
3.3MB

Download
memory/3920-25-0x00007FF666940000-0x00007FF666C91000-memory.dmp

Filesize
3.3MB

Download
memory/3952-82-0x00007FF67CF50000-0x00007FF67D2A1000-memory.dmp

Filesize
3.3MB

Download
memory/3952-231-0x00007FF67CF50000-0x00007FF67D2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-221-0x00007FF6200F0000-0x00007FF620441000-memory.dmp

Filesize
3.3MB

Download
memory/4336-46-0x00007FF6200F0000-0x00007FF620441000-memory.dmp

Filesize
3.3MB

Download
memory/4596-121-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp

Filesize
3.3MB

Download
memory/4596-1-0x000001D6D0E00000-0x000001D6D0E10000-memory.dmp

Filesize
64KB

Download
memory/4596-0-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp

Filesize
3.3MB

Download
memory/4596-129-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp

Filesize
3.3MB

Download
memory/4596-151-0x00007FF759FD0000-0x00007FF75A321000-memory.dmp

Filesize
3.3MB

Download
memory/4708-219-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp

Filesize
3.3MB

Download
memory/4708-35-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp

Filesize
3.3MB

Download
memory/4708-135-0x00007FF75B5E0000-0x00007FF75B931000-memory.dmp

Filesize
3.3MB

Download
memory/4712-75-0x00007FF6B0290000-0x00007FF6B05E1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-225-0x00007FF6B0290000-0x00007FF6B05E1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-23-0x00007FF728340000-0x00007FF728691000-memory.dmp

Filesize
3.3MB

Download
memory/4796-132-0x00007FF728340000-0x00007FF728691000-memory.dmp

Filesize
3.3MB

Download
memory/4796-213-0x00007FF728340000-0x00007FF728691000-memory.dmp

Filesize
3.3MB

Download