cobaltstrike | 53aa2abccd9967aa645323fdef3cf9e516f513a6b3669b8cb2606338ec6e6f8a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

27536a56667a94b53b1765999d630c0d
SHA1

2c0d946167b0034847a4a369af451dfddf872bc3
SHA256

53aa2abccd9967aa645323fdef3cf9e516f513a6b3669b8cb2606338ec6e6f8a
SHA512

f46e06ef4e2dfff091c72933aa775257feaf701108b618102f2b3b7466ed16a92fc1d5e21afa5dab36258a2ec9dd65eaf10b02d0c604029fe61c62f3796c8581
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUj:Q+u56utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\emeXVxL.exe	cobalt_reflective_dll
C:\Windows\System\XLzVWjv.exe	cobalt_reflective_dll
C:\Windows\System\vqzxDrz.exe	cobalt_reflective_dll
C:\Windows\System\buWdjCW.exe	cobalt_reflective_dll
C:\Windows\System\cfqOdZk.exe	cobalt_reflective_dll
C:\Windows\System\ydqVMLX.exe	cobalt_reflective_dll
C:\Windows\System\QxfvPPi.exe	cobalt_reflective_dll
C:\Windows\System\aaZJEEp.exe	cobalt_reflective_dll
C:\Windows\System\vpVdBGT.exe	cobalt_reflective_dll
C:\Windows\System\SmksLtK.exe	cobalt_reflective_dll
C:\Windows\System\jjRVBBv.exe	cobalt_reflective_dll
C:\Windows\System\mdKcAEl.exe	cobalt_reflective_dll
C:\Windows\System\OHCgklp.exe	cobalt_reflective_dll
C:\Windows\System\VgPciEp.exe	cobalt_reflective_dll
C:\Windows\System\bfTjydH.exe	cobalt_reflective_dll
C:\Windows\System\CEWGhdc.exe	cobalt_reflective_dll
C:\Windows\System\ppNCGZn.exe	cobalt_reflective_dll
C:\Windows\System\XvJKtzM.exe	cobalt_reflective_dll
C:\Windows\System\pZZZkyM.exe	cobalt_reflective_dll
C:\Windows\System\QUBWBNJ.exe	cobalt_reflective_dll
C:\Windows\System\ZdHAjdg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\emeXVxL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XLzVWjv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vqzxDrz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\buWdjCW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cfqOdZk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ydqVMLX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QxfvPPi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aaZJEEp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vpVdBGT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SmksLtK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jjRVBBv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mdKcAEl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OHCgklp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VgPciEp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bfTjydH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CEWGhdc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ppNCGZn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XvJKtzM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pZZZkyM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QUBWBNJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZdHAjdg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4876-0-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp	UPX
C:\Windows\System\emeXVxL.exe	UPX
behavioral2/memory/1876-8-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	UPX
C:\Windows\System\XLzVWjv.exe	UPX
C:\Windows\System\vqzxDrz.exe	UPX
C:\Windows\System\buWdjCW.exe	UPX
C:\Windows\System\cfqOdZk.exe	UPX
behavioral2/memory/1596-40-0x00007FF7851E0000-0x00007FF785534000-memory.dmp	UPX
C:\Windows\System\ydqVMLX.exe	UPX
behavioral2/memory/4744-48-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	UPX
behavioral2/memory/2420-53-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	UPX
C:\Windows\System\QxfvPPi.exe	UPX
C:\Windows\System\aaZJEEp.exe	UPX
behavioral2/memory/3640-68-0x00007FF798D00000-0x00007FF799054000-memory.dmp	UPX
behavioral2/memory/1964-70-0x00007FF701DF0000-0x00007FF702144000-memory.dmp	UPX
C:\Windows\System\vpVdBGT.exe	UPX
behavioral2/memory/2920-69-0x00007FF772D20000-0x00007FF773074000-memory.dmp	UPX
behavioral2/memory/2636-66-0x00007FF620B90000-0x00007FF620EE4000-memory.dmp	UPX
C:\Windows\System\SmksLtK.exe	UPX
behavioral2/memory/3432-41-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	UPX
C:\Windows\System\jjRVBBv.exe	UPX
behavioral2/memory/4036-38-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp	UPX
C:\Windows\System\mdKcAEl.exe	UPX
behavioral2/memory/4388-22-0x00007FF647980000-0x00007FF647CD4000-memory.dmp	UPX
behavioral2/memory/2020-21-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp	UPX
C:\Windows\System\OHCgklp.exe	UPX
behavioral2/memory/4876-78-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp	UPX
C:\Windows\System\VgPciEp.exe	UPX
behavioral2/memory/4224-84-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp	UPX
behavioral2/memory/1956-81-0x00007FF791FC0000-0x00007FF792314000-memory.dmp	UPX
behavioral2/memory/1876-91-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	UPX
C:\Windows\System\bfTjydH.exe	UPX
behavioral2/memory/2908-100-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp	UPX
C:\Windows\System\CEWGhdc.exe	UPX
behavioral2/memory/2364-97-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp	UPX
C:\Windows\System\ppNCGZn.exe	UPX
C:\Windows\System\XvJKtzM.exe	UPX
C:\Windows\System\pZZZkyM.exe	UPX
behavioral2/memory/4744-127-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	UPX
behavioral2/memory/4372-128-0x00007FF7F40D0000-0x00007FF7F4424000-memory.dmp	UPX
behavioral2/memory/1236-130-0x00007FF69CD10000-0x00007FF69D064000-memory.dmp	UPX
behavioral2/memory/1672-126-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	UPX
behavioral2/memory/536-116-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp	UPX
C:\Windows\System\QUBWBNJ.exe	UPX
behavioral2/memory/1748-115-0x00007FF786EC0000-0x00007FF787214000-memory.dmp	UPX
C:\Windows\System\ZdHAjdg.exe	UPX
behavioral2/memory/2420-131-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	UPX
behavioral2/memory/3640-132-0x00007FF798D00000-0x00007FF799054000-memory.dmp	UPX
behavioral2/memory/1964-133-0x00007FF701DF0000-0x00007FF702144000-memory.dmp	UPX
behavioral2/memory/1956-134-0x00007FF791FC0000-0x00007FF792314000-memory.dmp	UPX
behavioral2/memory/4224-135-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp	UPX
behavioral2/memory/2364-136-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp	UPX
behavioral2/memory/2908-137-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp	UPX
behavioral2/memory/1672-139-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	UPX
behavioral2/memory/1748-138-0x00007FF786EC0000-0x00007FF787214000-memory.dmp	UPX
behavioral2/memory/536-140-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp	UPX
behavioral2/memory/1876-141-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	UPX
behavioral2/memory/2020-142-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp	UPX
behavioral2/memory/4388-143-0x00007FF647980000-0x00007FF647CD4000-memory.dmp	UPX
behavioral2/memory/4036-144-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp	UPX
behavioral2/memory/1596-145-0x00007FF7851E0000-0x00007FF785534000-memory.dmp	UPX
behavioral2/memory/3432-146-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	UPX
behavioral2/memory/4744-147-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	UPX
behavioral2/memory/2420-148-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4876-0-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp	xmrig
C:\Windows\System\emeXVxL.exe	xmrig
behavioral2/memory/1876-8-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	xmrig
C:\Windows\System\XLzVWjv.exe	xmrig
C:\Windows\System\vqzxDrz.exe	xmrig
C:\Windows\System\buWdjCW.exe	xmrig
C:\Windows\System\cfqOdZk.exe	xmrig
behavioral2/memory/1596-40-0x00007FF7851E0000-0x00007FF785534000-memory.dmp	xmrig
C:\Windows\System\ydqVMLX.exe	xmrig
behavioral2/memory/4744-48-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	xmrig
behavioral2/memory/2420-53-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	xmrig
C:\Windows\System\QxfvPPi.exe	xmrig
C:\Windows\System\aaZJEEp.exe	xmrig
behavioral2/memory/3640-68-0x00007FF798D00000-0x00007FF799054000-memory.dmp	xmrig
behavioral2/memory/1964-70-0x00007FF701DF0000-0x00007FF702144000-memory.dmp	xmrig
C:\Windows\System\vpVdBGT.exe	xmrig
behavioral2/memory/2920-69-0x00007FF772D20000-0x00007FF773074000-memory.dmp	xmrig
behavioral2/memory/2636-66-0x00007FF620B90000-0x00007FF620EE4000-memory.dmp	xmrig
C:\Windows\System\SmksLtK.exe	xmrig
behavioral2/memory/3432-41-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	xmrig
C:\Windows\System\jjRVBBv.exe	xmrig
behavioral2/memory/4036-38-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp	xmrig
C:\Windows\System\mdKcAEl.exe	xmrig
behavioral2/memory/4388-22-0x00007FF647980000-0x00007FF647CD4000-memory.dmp	xmrig
behavioral2/memory/2020-21-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp	xmrig
C:\Windows\System\OHCgklp.exe	xmrig
behavioral2/memory/4876-78-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp	xmrig
C:\Windows\System\VgPciEp.exe	xmrig
behavioral2/memory/4224-84-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp	xmrig
behavioral2/memory/1956-81-0x00007FF791FC0000-0x00007FF792314000-memory.dmp	xmrig
behavioral2/memory/1876-91-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	xmrig
C:\Windows\System\bfTjydH.exe	xmrig
behavioral2/memory/2908-100-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp	xmrig
C:\Windows\System\CEWGhdc.exe	xmrig
behavioral2/memory/2364-97-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp	xmrig
C:\Windows\System\ppNCGZn.exe	xmrig
C:\Windows\System\XvJKtzM.exe	xmrig
C:\Windows\System\pZZZkyM.exe	xmrig
behavioral2/memory/4744-127-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	xmrig
behavioral2/memory/4372-128-0x00007FF7F40D0000-0x00007FF7F4424000-memory.dmp	xmrig
behavioral2/memory/1236-130-0x00007FF69CD10000-0x00007FF69D064000-memory.dmp	xmrig
behavioral2/memory/1672-126-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	xmrig
behavioral2/memory/536-116-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp	xmrig
C:\Windows\System\QUBWBNJ.exe	xmrig
behavioral2/memory/1748-115-0x00007FF786EC0000-0x00007FF787214000-memory.dmp	xmrig
C:\Windows\System\ZdHAjdg.exe	xmrig
behavioral2/memory/2420-131-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	xmrig
behavioral2/memory/3640-132-0x00007FF798D00000-0x00007FF799054000-memory.dmp	xmrig
behavioral2/memory/1964-133-0x00007FF701DF0000-0x00007FF702144000-memory.dmp	xmrig
behavioral2/memory/1956-134-0x00007FF791FC0000-0x00007FF792314000-memory.dmp	xmrig
behavioral2/memory/4224-135-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp	xmrig
behavioral2/memory/2364-136-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp	xmrig
behavioral2/memory/2908-137-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp	xmrig
behavioral2/memory/1672-139-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	xmrig
behavioral2/memory/1748-138-0x00007FF786EC0000-0x00007FF787214000-memory.dmp	xmrig
behavioral2/memory/536-140-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp	xmrig
behavioral2/memory/1876-141-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	xmrig
behavioral2/memory/2020-142-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp	xmrig
behavioral2/memory/4388-143-0x00007FF647980000-0x00007FF647CD4000-memory.dmp	xmrig
behavioral2/memory/4036-144-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp	xmrig
behavioral2/memory/1596-145-0x00007FF7851E0000-0x00007FF785534000-memory.dmp	xmrig
behavioral2/memory/3432-146-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	xmrig
behavioral2/memory/4744-147-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	xmrig
behavioral2/memory/2420-148-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

emeXVxL.exevqzxDrz.exeXLzVWjv.execfqOdZk.exebuWdjCW.exemdKcAEl.exejjRVBBv.exeydqVMLX.exeSmksLtK.exeQxfvPPi.exeaaZJEEp.exevpVdBGT.exeOHCgklp.exeVgPciEp.exebfTjydH.exeCEWGhdc.exeZdHAjdg.exeQUBWBNJ.exepZZZkyM.exeppNCGZn.exeXvJKtzM.exe

pid	process
1876	emeXVxL.exe
2020	vqzxDrz.exe
4388	XLzVWjv.exe
4036	cfqOdZk.exe
1596	buWdjCW.exe
3432	mdKcAEl.exe
4744	jjRVBBv.exe
2420	ydqVMLX.exe
2636	SmksLtK.exe
2920	QxfvPPi.exe
3640	aaZJEEp.exe
1964	vpVdBGT.exe
1956	OHCgklp.exe
4224	VgPciEp.exe
2364	bfTjydH.exe
2908	CEWGhdc.exe
1748	ZdHAjdg.exe
4372	QUBWBNJ.exe
536	pZZZkyM.exe
1672	ppNCGZn.exe
1236	XvJKtzM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4876-0-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp	upx
C:\Windows\System\emeXVxL.exe	upx
behavioral2/memory/1876-8-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	upx
C:\Windows\System\XLzVWjv.exe	upx
C:\Windows\System\vqzxDrz.exe	upx
C:\Windows\System\buWdjCW.exe	upx
C:\Windows\System\cfqOdZk.exe	upx
behavioral2/memory/1596-40-0x00007FF7851E0000-0x00007FF785534000-memory.dmp	upx
C:\Windows\System\ydqVMLX.exe	upx
behavioral2/memory/4744-48-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	upx
behavioral2/memory/2420-53-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	upx
C:\Windows\System\QxfvPPi.exe	upx
C:\Windows\System\aaZJEEp.exe	upx
behavioral2/memory/3640-68-0x00007FF798D00000-0x00007FF799054000-memory.dmp	upx
behavioral2/memory/1964-70-0x00007FF701DF0000-0x00007FF702144000-memory.dmp	upx
C:\Windows\System\vpVdBGT.exe	upx
behavioral2/memory/2920-69-0x00007FF772D20000-0x00007FF773074000-memory.dmp	upx
behavioral2/memory/2636-66-0x00007FF620B90000-0x00007FF620EE4000-memory.dmp	upx
C:\Windows\System\SmksLtK.exe	upx
behavioral2/memory/3432-41-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	upx
C:\Windows\System\jjRVBBv.exe	upx
behavioral2/memory/4036-38-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp	upx
C:\Windows\System\mdKcAEl.exe	upx
behavioral2/memory/4388-22-0x00007FF647980000-0x00007FF647CD4000-memory.dmp	upx
behavioral2/memory/2020-21-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp	upx
C:\Windows\System\OHCgklp.exe	upx
behavioral2/memory/4876-78-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp	upx
C:\Windows\System\VgPciEp.exe	upx
behavioral2/memory/4224-84-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp	upx
behavioral2/memory/1956-81-0x00007FF791FC0000-0x00007FF792314000-memory.dmp	upx
behavioral2/memory/1876-91-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	upx
C:\Windows\System\bfTjydH.exe	upx
behavioral2/memory/2908-100-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp	upx
C:\Windows\System\CEWGhdc.exe	upx
behavioral2/memory/2364-97-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp	upx
C:\Windows\System\ppNCGZn.exe	upx
C:\Windows\System\XvJKtzM.exe	upx
C:\Windows\System\pZZZkyM.exe	upx
behavioral2/memory/4744-127-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	upx
behavioral2/memory/4372-128-0x00007FF7F40D0000-0x00007FF7F4424000-memory.dmp	upx
behavioral2/memory/1236-130-0x00007FF69CD10000-0x00007FF69D064000-memory.dmp	upx
behavioral2/memory/1672-126-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	upx
behavioral2/memory/536-116-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp	upx
C:\Windows\System\QUBWBNJ.exe	upx
behavioral2/memory/1748-115-0x00007FF786EC0000-0x00007FF787214000-memory.dmp	upx
C:\Windows\System\ZdHAjdg.exe	upx
behavioral2/memory/2420-131-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	upx
behavioral2/memory/3640-132-0x00007FF798D00000-0x00007FF799054000-memory.dmp	upx
behavioral2/memory/1964-133-0x00007FF701DF0000-0x00007FF702144000-memory.dmp	upx
behavioral2/memory/1956-134-0x00007FF791FC0000-0x00007FF792314000-memory.dmp	upx
behavioral2/memory/4224-135-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp	upx
behavioral2/memory/2364-136-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp	upx
behavioral2/memory/2908-137-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp	upx
behavioral2/memory/1672-139-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	upx
behavioral2/memory/1748-138-0x00007FF786EC0000-0x00007FF787214000-memory.dmp	upx
behavioral2/memory/536-140-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp	upx
behavioral2/memory/1876-141-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp	upx
behavioral2/memory/2020-142-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp	upx
behavioral2/memory/4388-143-0x00007FF647980000-0x00007FF647CD4000-memory.dmp	upx
behavioral2/memory/4036-144-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp	upx
behavioral2/memory/1596-145-0x00007FF7851E0000-0x00007FF785534000-memory.dmp	upx
behavioral2/memory/3432-146-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	upx
behavioral2/memory/4744-147-0x00007FF69F130000-0x00007FF69F484000-memory.dmp	upx
behavioral2/memory/2420-148-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\QUBWBNJ.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\emeXVxL.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cfqOdZk.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mdKcAEl.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QxfvPPi.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OHCgklp.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ppNCGZn.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vqzxDrz.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ydqVMLX.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aaZJEEp.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CEWGhdc.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pZZZkyM.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZdHAjdg.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XLzVWjv.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\buWdjCW.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vpVdBGT.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VgPciEp.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bfTjydH.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jjRVBBv.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SmksLtK.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XvJKtzM.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4876 wrote to memory of 1876	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	emeXVxL.exe
PID 4876 wrote to memory of 1876	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	emeXVxL.exe
PID 4876 wrote to memory of 2020	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	vqzxDrz.exe
PID 4876 wrote to memory of 2020	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	vqzxDrz.exe
PID 4876 wrote to memory of 4388	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	XLzVWjv.exe
PID 4876 wrote to memory of 4388	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	XLzVWjv.exe
PID 4876 wrote to memory of 4036	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	cfqOdZk.exe
PID 4876 wrote to memory of 4036	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	cfqOdZk.exe
PID 4876 wrote to memory of 1596	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	buWdjCW.exe
PID 4876 wrote to memory of 1596	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	buWdjCW.exe
PID 4876 wrote to memory of 3432	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	mdKcAEl.exe
PID 4876 wrote to memory of 3432	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	mdKcAEl.exe
PID 4876 wrote to memory of 4744	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	jjRVBBv.exe
PID 4876 wrote to memory of 4744	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	jjRVBBv.exe
PID 4876 wrote to memory of 2420	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ydqVMLX.exe
PID 4876 wrote to memory of 2420	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ydqVMLX.exe
PID 4876 wrote to memory of 2636	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	SmksLtK.exe
PID 4876 wrote to memory of 2636	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	SmksLtK.exe
PID 4876 wrote to memory of 2920	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	QxfvPPi.exe
PID 4876 wrote to memory of 2920	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	QxfvPPi.exe
PID 4876 wrote to memory of 3640	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	aaZJEEp.exe
PID 4876 wrote to memory of 3640	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	aaZJEEp.exe
PID 4876 wrote to memory of 1964	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	vpVdBGT.exe
PID 4876 wrote to memory of 1964	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	vpVdBGT.exe
PID 4876 wrote to memory of 1956	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	OHCgklp.exe
PID 4876 wrote to memory of 1956	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	OHCgklp.exe
PID 4876 wrote to memory of 4224	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	VgPciEp.exe
PID 4876 wrote to memory of 4224	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	VgPciEp.exe
PID 4876 wrote to memory of 2364	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	bfTjydH.exe
PID 4876 wrote to memory of 2364	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	bfTjydH.exe
PID 4876 wrote to memory of 2908	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	CEWGhdc.exe
PID 4876 wrote to memory of 2908	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	CEWGhdc.exe
PID 4876 wrote to memory of 1748	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ZdHAjdg.exe
PID 4876 wrote to memory of 1748	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ZdHAjdg.exe
PID 4876 wrote to memory of 4372	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	QUBWBNJ.exe
PID 4876 wrote to memory of 4372	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	QUBWBNJ.exe
PID 4876 wrote to memory of 536	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	pZZZkyM.exe
PID 4876 wrote to memory of 536	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	pZZZkyM.exe
PID 4876 wrote to memory of 1672	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ppNCGZn.exe
PID 4876 wrote to memory of 1672	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ppNCGZn.exe
PID 4876 wrote to memory of 1236	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	XvJKtzM.exe
PID 4876 wrote to memory of 1236	4876	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	XvJKtzM.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\System\emeXVxL.exe
C:\Windows\System\emeXVxL.exe
2⤵
- Executes dropped EXE
PID:1876

C:\Windows\System\vqzxDrz.exe
C:\Windows\System\vqzxDrz.exe
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\System\XLzVWjv.exe
C:\Windows\System\XLzVWjv.exe
2⤵
- Executes dropped EXE
PID:4388

C:\Windows\System\cfqOdZk.exe
C:\Windows\System\cfqOdZk.exe
2⤵
- Executes dropped EXE
PID:4036

C:\Windows\System\buWdjCW.exe
C:\Windows\System\buWdjCW.exe
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\System\mdKcAEl.exe
C:\Windows\System\mdKcAEl.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\System\jjRVBBv.exe
C:\Windows\System\jjRVBBv.exe
2⤵
- Executes dropped EXE
PID:4744

C:\Windows\System\ydqVMLX.exe
C:\Windows\System\ydqVMLX.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\System\SmksLtK.exe
C:\Windows\System\SmksLtK.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\QxfvPPi.exe
C:\Windows\System\QxfvPPi.exe
2⤵
- Executes dropped EXE
PID:2920

C:\Windows\System\aaZJEEp.exe
C:\Windows\System\aaZJEEp.exe
2⤵
- Executes dropped EXE
PID:3640

C:\Windows\System\vpVdBGT.exe
C:\Windows\System\vpVdBGT.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\OHCgklp.exe
C:\Windows\System\OHCgklp.exe
2⤵
- Executes dropped EXE
PID:1956

C:\Windows\System\VgPciEp.exe
C:\Windows\System\VgPciEp.exe
2⤵
- Executes dropped EXE
PID:4224

C:\Windows\System\bfTjydH.exe
C:\Windows\System\bfTjydH.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\CEWGhdc.exe
C:\Windows\System\CEWGhdc.exe
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\System\ZdHAjdg.exe
C:\Windows\System\ZdHAjdg.exe
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\System\QUBWBNJ.exe
C:\Windows\System\QUBWBNJ.exe
2⤵
- Executes dropped EXE
PID:4372

C:\Windows\System\pZZZkyM.exe
C:\Windows\System\pZZZkyM.exe
2⤵
- Executes dropped EXE
PID:536

C:\Windows\System\ppNCGZn.exe
C:\Windows\System\ppNCGZn.exe
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\System\XvJKtzM.exe
C:\Windows\System\XvJKtzM.exe
2⤵
- Executes dropped EXE
PID:1236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CEWGhdc.exe
Filesize
5.9MB

MD5
d86ebc6d39894943a08c48cee0838592

SHA1
ae3c957e2049e17eacfe423494c3a4d6062c0274

SHA256
6fc5645dd522c375eb24ec555c817a8fd5e152238396a395b293e2281c9e3b35

SHA512
256a201cbab1f89ccac5faa66b388e903c5a5ad3da201be5061f6edb9e93aa7f034fbd59774ac7aa3b73a42761c1c93ac856ab7f4ec631daa1a2ff60f5e8c7bf

Download Submit
C:\Windows\System\OHCgklp.exe
Filesize
5.9MB

MD5
b0de1cd1aec4091a9cc837ad0dac0079

SHA1
339be024641417633bf9fdc06690aad954b60a87

SHA256
871e384267f5c12538257a15847203ed0de5d5970e568325cec81d817be91694

SHA512
61d8ab1b8cf1cf2fcaf9e737c60830b2047e939bee8134acae841b83245f5d397600e3f51052cbcb5d1815fb4ba65c74e0a87f97bbcc93a55523d1439ec7741a

Download Submit
C:\Windows\System\QUBWBNJ.exe
Filesize
5.9MB

MD5
ec864204a1d8d0b20fa07c5e353c7214

SHA1
40f414b7277471be1f2c194877e62ae448289f97

SHA256
c1f6a580bedfba428d32774ca939779c8df2ba0cc279543b42dfb432cb9a79a3

SHA512
fe37236a2e589a00a0459acba4f6bcf2f5fb5ad984f5c2cfe62353e02408b69b6f1682ed776676b500d973a53a46fa1885972b7d0c833e0d223c8c50103fbc99

Download Submit
C:\Windows\System\QxfvPPi.exe
Filesize
5.9MB

MD5
0fcc4c67ddb30be2bb984a16beaad938

SHA1
a3a1aaea05f53b5c696f2d8b04ce7e7f3bcd94d9

SHA256
53cf744357e58f6df2b98f724ab6883205e60d357b8e6523e8a7b79f47c0ad6c

SHA512
3e72a7ec12bbc8dbfbfd4460625e21899430fa7d9472f28b25a0010e2f85b0f5c339910c5d794d08217b4007c8cbed17ed25e7a28774708eb7d1a414cacfa32b

Download Submit
C:\Windows\System\SmksLtK.exe
Filesize
5.9MB

MD5
a92b6f0cb537f052a918a11539138e11

SHA1
d39f088610795b306b883ecf78ed95e828512fd3

SHA256
5d2f8f720af14a887a0de98922aa334c184af4eb27978f3934adac3175aff201

SHA512
b9fdb60a7a36ba3651635478291adc7edae506b6d86d4365864cf8f18048abcea54491fdc78c71b5e9f7d369e58c973e6aaa6dc593f6dda4d17f4772dfbc2131

Download Submit
C:\Windows\System\VgPciEp.exe
Filesize
5.9MB

MD5
4ea5bf8b9925bcb047217b12b0f3a82d

SHA1
923ce9df3f3f74643414e52e98202b0c3d8dc55d

SHA256
7345e8f482756da246da2217d6ce40c1cba8ec6c1ca5f06fbf62a03795d28343

SHA512
cd7d600c7d364873bec7709048aca7c68288401b6e28ad745796b83ded5d73bfb3664c86a041a170ce2688ebae415cf7cb0ff7115d910177da5c6546ec010b3b

Download Submit
C:\Windows\System\XLzVWjv.exe
Filesize
5.9MB

MD5
b5b6a323245caa23ecfbb24d7e1100a3

SHA1
8c44d6e70caec7993313782d2f8243bf55cfd908

SHA256
f6df7f28dcc6e4290331efb79f9f82d9b5caf9e4f71dac3fc0ebad6cc4dfdf80

SHA512
b71d6ed2781cf8754c11f6191b3f99b5c95d2665ab37cb69b6a4cb23ebb9e906b9ce743f0ca0bc9f422222d180816f4fa1539471ce6c19d1ace7c0567582e97c

Download Submit
C:\Windows\System\XvJKtzM.exe
Filesize
5.9MB

MD5
b58de23e85c3e82ea0ac11128704cfa0

SHA1
2741e9f59475ecd91243620b0d8df0995cce2c65

SHA256
a40fcf98f6c0224fcd7191001ff43cd3dc5ef7b8ce5421313cde757dca4c2de5

SHA512
63312f92c22e395a38e5c7d42e8b8e74fc51d20c97c11017cd726c98e70d12f20a95e3644dc0106aa629499377372d4efa29d21074ddddb2bf55912d561f85ba

Download Submit
C:\Windows\System\ZdHAjdg.exe
Filesize
5.9MB

MD5
3852fb02bb07ad00fca23c5bc7cd78d2

SHA1
088ce8097b80534d1fd64dcda767c7eac74fb7dc

SHA256
75c8dfd1c69f8ca69ca0a6aa7a0ff36d70b333bcf0b1269dedfbd6d70aad09cc

SHA512
1b4e743c8f01cc91af8640070fcd2f4f840da659627dcb12e98b692b7265eb7075f71d5c29c003483d0b5a1ca26095731f6149e67f64e2f4352137be1847655d

Download Submit
C:\Windows\System\aaZJEEp.exe
Filesize
5.9MB

MD5
06a6f4b881cfc4020efddd53773494a0

SHA1
c36405f390408b546beef1561fb528a69f69ee3c

SHA256
9a27cba09715dcc8f3b4e32c93dab8d19067824d44f97c9979aa8c8f6997170a

SHA512
ff144940f0566d18dd58568952d29736b5152b4a6c5ecbb9f080025802997d87b761ccd36e63717878a08edf15dc1bfed1a536df9e822224b2014fd10ec4a463

Download Submit
C:\Windows\System\bfTjydH.exe
Filesize
5.9MB

MD5
9922d581de76ba0ef0d61aecca81374f

SHA1
8f284fbc45560740af49af3b5429bc5ceee00a15

SHA256
7e8ddcba4615f85b6489be4ca5685eecf847d5a3497863a42ddbff8f6df4589d

SHA512
f5e1d488c7bc03746ad8c0a6dab3f6f8e339e51fd5bc705d91f0b71e6910d411dd4450aa152e73c00899c9afaf5e8468615d56f99381c70002835e0025317c23

Download Submit
C:\Windows\System\buWdjCW.exe
Filesize
5.9MB

MD5
1e72da1ae48cef11bd3ee9600b86febf

SHA1
e2e6fb3e475fad74b9a2a4950637e2c5ad3e9462

SHA256
d58cf0e90633b7d6580446884966f9602c77eab1b37b22188270819f1648b695

SHA512
189fce4f6cb9e5eaa481b20c490067a31b0dfd5e0c549f20de643ae9fb12671fc92b524273c4b75c626cc35c6c24191a54fd0f703cd1fc2873519b7e4202a462

Download Submit
C:\Windows\System\cfqOdZk.exe
Filesize
5.9MB

MD5
365e0845446d134c2e6ad9ea4d343664

SHA1
9ef155d64f8de80d6f25ae3ac3216a3d880b6809

SHA256
89e5df68ea4d80f94aa10b5099ce6b62dd115e1b229041ae78f94e5c0b142487

SHA512
ec38331274e393c35362cd16b0819dbd235b90fba40c01b1b5ad97d63163e35790a589c2966a141f6277ad2570a3d3c1aa87f8efe6301345753a3e08dc4829f5

Download Submit
C:\Windows\System\emeXVxL.exe
Filesize
5.9MB

MD5
535fac48e40a7116af7a43378934657f

SHA1
2d83e7a819eee7a16bba69b90596a54b61c5090c

SHA256
a9c289fc967d4e93e44e8fe90a8a6eae6f787b2ef90f7f064dea18bba9e54c35

SHA512
f196aeda2b81e6c30a5bffec495ea440124b06093a7d615c80a5c60fdf584c10f4937ea6d3654d52580e0bf4cec01b2731ede3805ac9fe3602f8717ecc235f17

Download Submit
C:\Windows\System\jjRVBBv.exe
Filesize
5.9MB

MD5
a05b32c1a39b9170cea04e6e2de8790e

SHA1
ff5bad39c1e997b5831a6cb294bbc5b7bcd61c1a

SHA256
8fdbc6f799ef83e9275c3830233a90504288006beb6e74e48f3770f4c35a4eac

SHA512
29e4ee2c1314e9e765c8c64757866e0cb358472d2809201b081ee1200d3d7eb719c1871d38116f49fa27e8c74deeb94e0c17a3884a0a20450faa2c5d226ae21e

Download Submit
C:\Windows\System\mdKcAEl.exe
Filesize
5.9MB

MD5
6a3074ad81a30b32c89879fa4fbad5fe

SHA1
2cc14077271d98a55c7e1176a6c9bdc6a7ead2f8

SHA256
4168c0c6dfbfbee1f244fef294e19620a823ab826d727a77a6b3c36f3fb905c7

SHA512
f37ab4923a5435f2ee6f573b24549b14dc2bef9bcaefc6d07ca5968a0530eaaaca1d7097dfb2d8e5a093ace1bddef2d62fac6da383b7e13cfe8442023c593790

Download Submit
C:\Windows\System\pZZZkyM.exe
Filesize
5.9MB

MD5
f58eee34ffb6ef25460661a18a711a7b

SHA1
f32043d3fb68cc19e6fdba8d812f31d8ac31380e

SHA256
c51fc3f7e9b572e2ddaa495a5a8569b407ac542185e73887ae1f1fb685b99854

SHA512
2cceb7b6a2d7ee0d0e2648d1b3488788608c6f1298fa10ae5b15fce94df4359df4ce8c3458c2c361474214d389f658b76b8496b3ec97f4a23cf5804f0d538db2

Download Submit
C:\Windows\System\ppNCGZn.exe
Filesize
5.9MB

MD5
91f729216c92eb00aabf8b696cef6d4f

SHA1
2b00d5cc599cc18496d7d5cd349f7d8bc279795c

SHA256
3670f3345c9779686e77540f312590a58c61a54284c711f0568d54bd49d3d3d4

SHA512
f67f0137c167a54f388794867d02e519afdf1c82df33e8657716036d58f78752ae59ebe5eabdff42ae699744dce11b58e1b6abd93f3b586633314035201bd0dd

Download Submit
C:\Windows\System\vpVdBGT.exe
Filesize
5.9MB

MD5
a523f928375169e9144be7e68b3fdb1c

SHA1
92bc74bd2ee39ad763af5a0db1c471d728cce424

SHA256
022640a38cabd43e0f6dfa19db02aeaf673dcb872f399d4087636a7a0eeb48af

SHA512
96a38816ce9c829dfdaef2c89303f950c5e1c4525e412747a2c0315997a5decc93a35172f65ac61c5423f8167a1ea29bfd5a8d010ee0dae5c149d41b667309dc

Download Submit
C:\Windows\System\vqzxDrz.exe
Filesize
5.9MB

MD5
e5a4e23c94a2cd62f4b5eab0ff69ccec

SHA1
d2ecf1574f8819ca3bc4a5d9ad785720772859d0

SHA256
7e167473bd094b75653cc1464caa79d05eca9b81ce51501e41a8e6db9e825048

SHA512
149d6bf5e45f8eda595d8c6c6b2e292a29ff44b176f9e59a7f342a03760b323202a81f6a9886c85893fa0e08d6bdd524f960cc9c26c800b45f7353a09fc24301

Download Submit
C:\Windows\System\ydqVMLX.exe
Filesize
5.9MB

MD5
34ffca504647d1ea9ef3d69654f3d769

SHA1
140ee67ac4ad3b082b30fb72930321475231d7ca

SHA256
d39b949fb8a610952c7da66ea758c2cefa9fa77eb8c5867870ed6e5b16d8a956

SHA512
c14171798814f6f5c89d799b32f6b143329506474f8c7fc6d74b444e7535b8f7bbf4e8b88e12f130296787eaa0494015745d36405567c64ada2aa5e37a117519

Download Submit
memory/536-116-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp

Filesize
3.3MB

Download
memory/536-158-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp

Filesize
3.3MB

Download
memory/536-140-0x00007FF78A850000-0x00007FF78ABA4000-memory.dmp

Filesize
3.3MB

Download
memory/1236-130-0x00007FF69CD10000-0x00007FF69D064000-memory.dmp

Filesize
3.3MB

Download
memory/1236-159-0x00007FF69CD10000-0x00007FF69D064000-memory.dmp

Filesize
3.3MB

Download
memory/1596-145-0x00007FF7851E0000-0x00007FF785534000-memory.dmp

Filesize
3.3MB

Download
memory/1596-40-0x00007FF7851E0000-0x00007FF785534000-memory.dmp

Filesize
3.3MB

Download
memory/1672-139-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1672-126-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1672-161-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-115-0x00007FF786EC0000-0x00007FF787214000-memory.dmp

Filesize
3.3MB

Download
memory/1748-157-0x00007FF786EC0000-0x00007FF787214000-memory.dmp

Filesize
3.3MB

Download
memory/1748-138-0x00007FF786EC0000-0x00007FF787214000-memory.dmp

Filesize
3.3MB

Download
memory/1876-141-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-91-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-8-0x00007FF69C390000-0x00007FF69C6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1956-153-0x00007FF791FC0000-0x00007FF792314000-memory.dmp

Filesize
3.3MB

Download
memory/1956-134-0x00007FF791FC0000-0x00007FF792314000-memory.dmp

Filesize
3.3MB

Download
memory/1956-81-0x00007FF791FC0000-0x00007FF792314000-memory.dmp

Filesize
3.3MB

Download
memory/1964-152-0x00007FF701DF0000-0x00007FF702144000-memory.dmp

Filesize
3.3MB

Download
memory/1964-70-0x00007FF701DF0000-0x00007FF702144000-memory.dmp

Filesize
3.3MB

Download
memory/1964-133-0x00007FF701DF0000-0x00007FF702144000-memory.dmp

Filesize
3.3MB

Download
memory/2020-21-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2020-142-0x00007FF6BD660000-0x00007FF6BD9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-97-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-155-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-136-0x00007FF780A90000-0x00007FF780DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-131-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp

Filesize
3.3MB

Download
memory/2420-148-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp

Filesize
3.3MB

Download
memory/2420-53-0x00007FF78B0D0000-0x00007FF78B424000-memory.dmp

Filesize
3.3MB

Download
memory/2636-149-0x00007FF620B90000-0x00007FF620EE4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-66-0x00007FF620B90000-0x00007FF620EE4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-156-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-100-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-137-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-150-0x00007FF772D20000-0x00007FF773074000-memory.dmp

Filesize
3.3MB

Download
memory/2920-69-0x00007FF772D20000-0x00007FF773074000-memory.dmp

Filesize
3.3MB

Download
memory/3432-146-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp

Filesize
3.3MB

Download
memory/3432-41-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp

Filesize
3.3MB

Download
memory/3640-151-0x00007FF798D00000-0x00007FF799054000-memory.dmp

Filesize
3.3MB

Download
memory/3640-68-0x00007FF798D00000-0x00007FF799054000-memory.dmp

Filesize
3.3MB

Download
memory/3640-132-0x00007FF798D00000-0x00007FF799054000-memory.dmp

Filesize
3.3MB

Download
memory/4036-38-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp

Filesize
3.3MB

Download
memory/4036-144-0x00007FF6C0590000-0x00007FF6C08E4000-memory.dmp

Filesize
3.3MB

Download
memory/4224-135-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/4224-84-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/4224-154-0x00007FF69F360000-0x00007FF69F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/4372-128-0x00007FF7F40D0000-0x00007FF7F4424000-memory.dmp

Filesize
3.3MB

Download
memory/4372-160-0x00007FF7F40D0000-0x00007FF7F4424000-memory.dmp

Filesize
3.3MB

Download
memory/4388-22-0x00007FF647980000-0x00007FF647CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4388-143-0x00007FF647980000-0x00007FF647CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-147-0x00007FF69F130000-0x00007FF69F484000-memory.dmp

Filesize
3.3MB

Download
memory/4744-48-0x00007FF69F130000-0x00007FF69F484000-memory.dmp

Filesize
3.3MB

Download
memory/4744-127-0x00007FF69F130000-0x00007FF69F484000-memory.dmp

Filesize
3.3MB

Download
memory/4876-0-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp

Filesize
3.3MB

Download
memory/4876-78-0x00007FF688AE0000-0x00007FF688E34000-memory.dmp

Filesize
3.3MB

Download
memory/4876-1-0x000001F87E8A0000-0x000001F87E8B0000-memory.dmp

Filesize
64KB

Download