cobaltstrike | 627441b8fb74b80ea9dc0e3317b2fd868aad37082d095abfdac4677d406196cf

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

4d2eb23d2f086e43dc4660cf5672a7f4
SHA1

3083efdb4b3bb401a3ec08f04edff76aeb59fb85
SHA256

627441b8fb74b80ea9dc0e3317b2fd868aad37082d095abfdac4677d406196cf
SHA512

d1e41512bb857f318bebd00acf41294886bd86d66a4cff3b0f2699927ce28ffe79446130976706df0e6767b68af44f0e83d213a750abcb0bfd462023a944f034
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUM:Q+856utgpPF8u/7M

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\coYszFH.exe	cobalt_reflective_dll
C:\Windows\System\UlKzBeH.exe	cobalt_reflective_dll
C:\Windows\System\BLlFHOV.exe	cobalt_reflective_dll
C:\Windows\System\enGpoSK.exe	cobalt_reflective_dll
C:\Windows\System\VnEFeeG.exe	cobalt_reflective_dll
C:\Windows\System\jHOOSxz.exe	cobalt_reflective_dll
C:\Windows\System\usriZsc.exe	cobalt_reflective_dll
C:\Windows\System\YpxpGFN.exe	cobalt_reflective_dll
C:\Windows\System\rbZcyiO.exe	cobalt_reflective_dll
C:\Windows\System\IATnFbK.exe	cobalt_reflective_dll
C:\Windows\System\TPoRxlb.exe	cobalt_reflective_dll
C:\Windows\System\HgDmItt.exe	cobalt_reflective_dll
C:\Windows\System\NaCeFOs.exe	cobalt_reflective_dll
C:\Windows\System\hKLhrpO.exe	cobalt_reflective_dll
C:\Windows\System\MESrFEZ.exe	cobalt_reflective_dll
C:\Windows\System\umiYyDK.exe	cobalt_reflective_dll
C:\Windows\System\uiqXnXH.exe	cobalt_reflective_dll
C:\Windows\System\wxsqWtz.exe	cobalt_reflective_dll
C:\Windows\System\dMctXor.exe	cobalt_reflective_dll
C:\Windows\System\aeeSGPl.exe	cobalt_reflective_dll
C:\Windows\System\MCrUMzw.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\coYszFH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UlKzBeH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BLlFHOV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\enGpoSK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VnEFeeG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jHOOSxz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\usriZsc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YpxpGFN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rbZcyiO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IATnFbK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TPoRxlb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HgDmItt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NaCeFOs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hKLhrpO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MESrFEZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\umiYyDK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uiqXnXH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wxsqWtz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dMctXor.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aeeSGPl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MCrUMzw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4452-0-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp	UPX
C:\Windows\System\coYszFH.exe	UPX
C:\Windows\System\UlKzBeH.exe	UPX
behavioral2/memory/892-9-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp	UPX
behavioral2/memory/2508-12-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	UPX
behavioral2/memory/4180-20-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	UPX
C:\Windows\System\BLlFHOV.exe	UPX
C:\Windows\System\enGpoSK.exe	UPX
C:\Windows\System\VnEFeeG.exe	UPX
behavioral2/memory/3212-34-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	UPX
behavioral2/memory/3288-28-0x00007FF673E20000-0x00007FF674174000-memory.dmp	UPX
behavioral2/memory/1076-24-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	UPX
C:\Windows\System\jHOOSxz.exe	UPX
C:\Windows\System\usriZsc.exe	UPX
behavioral2/memory/4328-44-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp	UPX
C:\Windows\System\YpxpGFN.exe	UPX
C:\Windows\System\rbZcyiO.exe	UPX
behavioral2/memory/1984-48-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	UPX
behavioral2/memory/620-56-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp	UPX
behavioral2/memory/4452-60-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp	UPX
C:\Windows\System\IATnFbK.exe	UPX
behavioral2/memory/4144-61-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp	UPX
C:\Windows\System\TPoRxlb.exe	UPX
behavioral2/memory/3432-71-0x00007FF636520000-0x00007FF636874000-memory.dmp	UPX
C:\Windows\System\HgDmItt.exe	UPX
C:\Windows\System\NaCeFOs.exe	UPX
C:\Windows\System\hKLhrpO.exe	UPX
C:\Windows\System\MESrFEZ.exe	UPX
behavioral2/memory/1772-103-0x00007FF72F030000-0x00007FF72F384000-memory.dmp	UPX
C:\Windows\System\umiYyDK.exe	UPX
behavioral2/memory/4988-108-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp	UPX
behavioral2/memory/3212-107-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	UPX
behavioral2/memory/3288-102-0x00007FF673E20000-0x00007FF674174000-memory.dmp	UPX
C:\Windows\System\uiqXnXH.exe	UPX
behavioral2/memory/4472-96-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp	UPX
behavioral2/memory/1376-93-0x00007FF6C5970000-0x00007FF6C5CC4000-memory.dmp	UPX
behavioral2/memory/1076-88-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	UPX
behavioral2/memory/4180-85-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	UPX
behavioral2/memory/4548-84-0x00007FF668510000-0x00007FF668864000-memory.dmp	UPX
behavioral2/memory/4848-82-0x00007FF77FCB0000-0x00007FF780004000-memory.dmp	UPX
behavioral2/memory/2508-77-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	UPX
C:\Windows\System\wxsqWtz.exe	UPX
behavioral2/memory/1984-118-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	UPX
C:\Windows\System\dMctXor.exe	UPX
C:\Windows\System\aeeSGPl.exe	UPX
behavioral2/memory/2284-132-0x00007FF683170000-0x00007FF6834C4000-memory.dmp	UPX
behavioral2/memory/2360-133-0x00007FF71F420000-0x00007FF71F774000-memory.dmp	UPX
C:\Windows\System\MCrUMzw.exe	UPX
behavioral2/memory/696-119-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp	UPX
behavioral2/memory/5044-117-0x00007FF761430000-0x00007FF761784000-memory.dmp	UPX
behavioral2/memory/4144-135-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp	UPX
behavioral2/memory/4548-136-0x00007FF668510000-0x00007FF668864000-memory.dmp	UPX
behavioral2/memory/4472-137-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp	UPX
behavioral2/memory/4988-138-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp	UPX
behavioral2/memory/5044-139-0x00007FF761430000-0x00007FF761784000-memory.dmp	UPX
behavioral2/memory/696-140-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp	UPX
behavioral2/memory/892-141-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp	UPX
behavioral2/memory/2508-142-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	UPX
behavioral2/memory/4180-143-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	UPX
behavioral2/memory/1076-144-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	UPX
behavioral2/memory/3212-145-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	UPX
behavioral2/memory/3288-146-0x00007FF673E20000-0x00007FF674174000-memory.dmp	UPX
behavioral2/memory/4328-147-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp	UPX
behavioral2/memory/1984-148-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4452-0-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp	xmrig
C:\Windows\System\coYszFH.exe	xmrig
C:\Windows\System\UlKzBeH.exe	xmrig
behavioral2/memory/892-9-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp	xmrig
behavioral2/memory/2508-12-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	xmrig
behavioral2/memory/4180-20-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	xmrig
C:\Windows\System\BLlFHOV.exe	xmrig
C:\Windows\System\enGpoSK.exe	xmrig
C:\Windows\System\VnEFeeG.exe	xmrig
behavioral2/memory/3212-34-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	xmrig
behavioral2/memory/3288-28-0x00007FF673E20000-0x00007FF674174000-memory.dmp	xmrig
behavioral2/memory/1076-24-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	xmrig
C:\Windows\System\jHOOSxz.exe	xmrig
C:\Windows\System\usriZsc.exe	xmrig
behavioral2/memory/4328-44-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp	xmrig
C:\Windows\System\YpxpGFN.exe	xmrig
C:\Windows\System\rbZcyiO.exe	xmrig
behavioral2/memory/1984-48-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	xmrig
behavioral2/memory/620-56-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp	xmrig
behavioral2/memory/4452-60-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp	xmrig
C:\Windows\System\IATnFbK.exe	xmrig
behavioral2/memory/4144-61-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp	xmrig
C:\Windows\System\TPoRxlb.exe	xmrig
behavioral2/memory/3432-71-0x00007FF636520000-0x00007FF636874000-memory.dmp	xmrig
C:\Windows\System\HgDmItt.exe	xmrig
C:\Windows\System\NaCeFOs.exe	xmrig
C:\Windows\System\hKLhrpO.exe	xmrig
C:\Windows\System\MESrFEZ.exe	xmrig
behavioral2/memory/1772-103-0x00007FF72F030000-0x00007FF72F384000-memory.dmp	xmrig
C:\Windows\System\umiYyDK.exe	xmrig
behavioral2/memory/4988-108-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp	xmrig
behavioral2/memory/3212-107-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	xmrig
behavioral2/memory/3288-102-0x00007FF673E20000-0x00007FF674174000-memory.dmp	xmrig
C:\Windows\System\uiqXnXH.exe	xmrig
behavioral2/memory/4472-96-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp	xmrig
behavioral2/memory/1376-93-0x00007FF6C5970000-0x00007FF6C5CC4000-memory.dmp	xmrig
behavioral2/memory/1076-88-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	xmrig
behavioral2/memory/4180-85-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	xmrig
behavioral2/memory/4548-84-0x00007FF668510000-0x00007FF668864000-memory.dmp	xmrig
behavioral2/memory/4848-82-0x00007FF77FCB0000-0x00007FF780004000-memory.dmp	xmrig
behavioral2/memory/2508-77-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	xmrig
C:\Windows\System\wxsqWtz.exe	xmrig
behavioral2/memory/1984-118-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	xmrig
C:\Windows\System\dMctXor.exe	xmrig
C:\Windows\System\aeeSGPl.exe	xmrig
behavioral2/memory/2284-132-0x00007FF683170000-0x00007FF6834C4000-memory.dmp	xmrig
behavioral2/memory/2360-133-0x00007FF71F420000-0x00007FF71F774000-memory.dmp	xmrig
C:\Windows\System\MCrUMzw.exe	xmrig
behavioral2/memory/696-119-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp	xmrig
behavioral2/memory/5044-117-0x00007FF761430000-0x00007FF761784000-memory.dmp	xmrig
behavioral2/memory/4144-135-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp	xmrig
behavioral2/memory/4548-136-0x00007FF668510000-0x00007FF668864000-memory.dmp	xmrig
behavioral2/memory/4472-137-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp	xmrig
behavioral2/memory/4988-138-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp	xmrig
behavioral2/memory/5044-139-0x00007FF761430000-0x00007FF761784000-memory.dmp	xmrig
behavioral2/memory/696-140-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp	xmrig
behavioral2/memory/892-141-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp	xmrig
behavioral2/memory/2508-142-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	xmrig
behavioral2/memory/4180-143-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	xmrig
behavioral2/memory/1076-144-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	xmrig
behavioral2/memory/3212-145-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	xmrig
behavioral2/memory/3288-146-0x00007FF673E20000-0x00007FF674174000-memory.dmp	xmrig
behavioral2/memory/4328-147-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp	xmrig
behavioral2/memory/1984-148-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

coYszFH.exeUlKzBeH.exejHOOSxz.exeBLlFHOV.exeenGpoSK.exeVnEFeeG.exeusriZsc.exeYpxpGFN.exerbZcyiO.exeIATnFbK.exeTPoRxlb.exeHgDmItt.exehKLhrpO.exeNaCeFOs.exeuiqXnXH.exeMESrFEZ.exeumiYyDK.exewxsqWtz.exeMCrUMzw.exedMctXor.exeaeeSGPl.exe

pid	process
892	coYszFH.exe
2508	UlKzBeH.exe
4180	jHOOSxz.exe
1076	BLlFHOV.exe
3288	enGpoSK.exe
3212	VnEFeeG.exe
4328	usriZsc.exe
1984	YpxpGFN.exe
620	rbZcyiO.exe
4144	IATnFbK.exe
3432	TPoRxlb.exe
4848	HgDmItt.exe
1376	hKLhrpO.exe
4548	NaCeFOs.exe
4472	uiqXnXH.exe
1772	MESrFEZ.exe
4988	umiYyDK.exe
5044	wxsqWtz.exe
696	MCrUMzw.exe
2284	dMctXor.exe
2360	aeeSGPl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4452-0-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp	upx
C:\Windows\System\coYszFH.exe	upx
C:\Windows\System\UlKzBeH.exe	upx
behavioral2/memory/892-9-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp	upx
behavioral2/memory/2508-12-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	upx
behavioral2/memory/4180-20-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	upx
C:\Windows\System\BLlFHOV.exe	upx
C:\Windows\System\enGpoSK.exe	upx
C:\Windows\System\VnEFeeG.exe	upx
behavioral2/memory/3212-34-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	upx
behavioral2/memory/3288-28-0x00007FF673E20000-0x00007FF674174000-memory.dmp	upx
behavioral2/memory/1076-24-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	upx
C:\Windows\System\jHOOSxz.exe	upx
C:\Windows\System\usriZsc.exe	upx
behavioral2/memory/4328-44-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp	upx
C:\Windows\System\YpxpGFN.exe	upx
C:\Windows\System\rbZcyiO.exe	upx
behavioral2/memory/1984-48-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	upx
behavioral2/memory/620-56-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp	upx
behavioral2/memory/4452-60-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp	upx
C:\Windows\System\IATnFbK.exe	upx
behavioral2/memory/4144-61-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp	upx
C:\Windows\System\TPoRxlb.exe	upx
behavioral2/memory/3432-71-0x00007FF636520000-0x00007FF636874000-memory.dmp	upx
C:\Windows\System\HgDmItt.exe	upx
C:\Windows\System\NaCeFOs.exe	upx
C:\Windows\System\hKLhrpO.exe	upx
C:\Windows\System\MESrFEZ.exe	upx
behavioral2/memory/1772-103-0x00007FF72F030000-0x00007FF72F384000-memory.dmp	upx
C:\Windows\System\umiYyDK.exe	upx
behavioral2/memory/4988-108-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp	upx
behavioral2/memory/3212-107-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	upx
behavioral2/memory/3288-102-0x00007FF673E20000-0x00007FF674174000-memory.dmp	upx
C:\Windows\System\uiqXnXH.exe	upx
behavioral2/memory/4472-96-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp	upx
behavioral2/memory/1376-93-0x00007FF6C5970000-0x00007FF6C5CC4000-memory.dmp	upx
behavioral2/memory/1076-88-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	upx
behavioral2/memory/4180-85-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	upx
behavioral2/memory/4548-84-0x00007FF668510000-0x00007FF668864000-memory.dmp	upx
behavioral2/memory/4848-82-0x00007FF77FCB0000-0x00007FF780004000-memory.dmp	upx
behavioral2/memory/2508-77-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	upx
C:\Windows\System\wxsqWtz.exe	upx
behavioral2/memory/1984-118-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	upx
C:\Windows\System\dMctXor.exe	upx
C:\Windows\System\aeeSGPl.exe	upx
behavioral2/memory/2284-132-0x00007FF683170000-0x00007FF6834C4000-memory.dmp	upx
behavioral2/memory/2360-133-0x00007FF71F420000-0x00007FF71F774000-memory.dmp	upx
C:\Windows\System\MCrUMzw.exe	upx
behavioral2/memory/696-119-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp	upx
behavioral2/memory/5044-117-0x00007FF761430000-0x00007FF761784000-memory.dmp	upx
behavioral2/memory/4144-135-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp	upx
behavioral2/memory/4548-136-0x00007FF668510000-0x00007FF668864000-memory.dmp	upx
behavioral2/memory/4472-137-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp	upx
behavioral2/memory/4988-138-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp	upx
behavioral2/memory/5044-139-0x00007FF761430000-0x00007FF761784000-memory.dmp	upx
behavioral2/memory/696-140-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp	upx
behavioral2/memory/892-141-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp	upx
behavioral2/memory/2508-142-0x00007FF6175C0000-0x00007FF617914000-memory.dmp	upx
behavioral2/memory/4180-143-0x00007FF609260000-0x00007FF6095B4000-memory.dmp	upx
behavioral2/memory/1076-144-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp	upx
behavioral2/memory/3212-145-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp	upx
behavioral2/memory/3288-146-0x00007FF673E20000-0x00007FF674174000-memory.dmp	upx
behavioral2/memory/4328-147-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp	upx
behavioral2/memory/1984-148-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\YpxpGFN.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NaCeFOs.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aeeSGPl.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jHOOSxz.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VnEFeeG.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\usriZsc.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rbZcyiO.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TPoRxlb.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\umiYyDK.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wxsqWtz.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\coYszFH.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BLlFHOV.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IATnFbK.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uiqXnXH.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MCrUMzw.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dMctXor.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UlKzBeH.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\enGpoSK.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HgDmItt.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hKLhrpO.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MESrFEZ.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4452 wrote to memory of 892	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	coYszFH.exe
PID 4452 wrote to memory of 892	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	coYszFH.exe
PID 4452 wrote to memory of 2508	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	UlKzBeH.exe
PID 4452 wrote to memory of 2508	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	UlKzBeH.exe
PID 4452 wrote to memory of 4180	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	jHOOSxz.exe
PID 4452 wrote to memory of 4180	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	jHOOSxz.exe
PID 4452 wrote to memory of 1076	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	BLlFHOV.exe
PID 4452 wrote to memory of 1076	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	BLlFHOV.exe
PID 4452 wrote to memory of 3288	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	enGpoSK.exe
PID 4452 wrote to memory of 3288	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	enGpoSK.exe
PID 4452 wrote to memory of 3212	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	VnEFeeG.exe
PID 4452 wrote to memory of 3212	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	VnEFeeG.exe
PID 4452 wrote to memory of 4328	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	usriZsc.exe
PID 4452 wrote to memory of 4328	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	usriZsc.exe
PID 4452 wrote to memory of 1984	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	YpxpGFN.exe
PID 4452 wrote to memory of 1984	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	YpxpGFN.exe
PID 4452 wrote to memory of 620	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	rbZcyiO.exe
PID 4452 wrote to memory of 620	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	rbZcyiO.exe
PID 4452 wrote to memory of 4144	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	IATnFbK.exe
PID 4452 wrote to memory of 4144	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	IATnFbK.exe
PID 4452 wrote to memory of 3432	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	TPoRxlb.exe
PID 4452 wrote to memory of 3432	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	TPoRxlb.exe
PID 4452 wrote to memory of 4848	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	HgDmItt.exe
PID 4452 wrote to memory of 4848	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	HgDmItt.exe
PID 4452 wrote to memory of 1376	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	hKLhrpO.exe
PID 4452 wrote to memory of 1376	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	hKLhrpO.exe
PID 4452 wrote to memory of 4548	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	NaCeFOs.exe
PID 4452 wrote to memory of 4548	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	NaCeFOs.exe
PID 4452 wrote to memory of 4472	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	uiqXnXH.exe
PID 4452 wrote to memory of 4472	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	uiqXnXH.exe
PID 4452 wrote to memory of 1772	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	MESrFEZ.exe
PID 4452 wrote to memory of 1772	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	MESrFEZ.exe
PID 4452 wrote to memory of 4988	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	umiYyDK.exe
PID 4452 wrote to memory of 4988	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	umiYyDK.exe
PID 4452 wrote to memory of 5044	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	wxsqWtz.exe
PID 4452 wrote to memory of 5044	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	wxsqWtz.exe
PID 4452 wrote to memory of 696	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	MCrUMzw.exe
PID 4452 wrote to memory of 696	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	MCrUMzw.exe
PID 4452 wrote to memory of 2284	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	dMctXor.exe
PID 4452 wrote to memory of 2284	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	dMctXor.exe
PID 4452 wrote to memory of 2360	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	aeeSGPl.exe
PID 4452 wrote to memory of 2360	4452	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	aeeSGPl.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\System\coYszFH.exe
C:\Windows\System\coYszFH.exe
2⤵
- Executes dropped EXE
PID:892

C:\Windows\System\UlKzBeH.exe
C:\Windows\System\UlKzBeH.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System\jHOOSxz.exe
C:\Windows\System\jHOOSxz.exe
2⤵
- Executes dropped EXE
PID:4180

C:\Windows\System\BLlFHOV.exe
C:\Windows\System\BLlFHOV.exe
2⤵
- Executes dropped EXE
PID:1076

C:\Windows\System\enGpoSK.exe
C:\Windows\System\enGpoSK.exe
2⤵
- Executes dropped EXE
PID:3288

C:\Windows\System\VnEFeeG.exe
C:\Windows\System\VnEFeeG.exe
2⤵
- Executes dropped EXE
PID:3212

C:\Windows\System\usriZsc.exe
C:\Windows\System\usriZsc.exe
2⤵
- Executes dropped EXE
PID:4328

C:\Windows\System\YpxpGFN.exe
C:\Windows\System\YpxpGFN.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\rbZcyiO.exe
C:\Windows\System\rbZcyiO.exe
2⤵
- Executes dropped EXE
PID:620

C:\Windows\System\IATnFbK.exe
C:\Windows\System\IATnFbK.exe
2⤵
- Executes dropped EXE
PID:4144

C:\Windows\System\TPoRxlb.exe
C:\Windows\System\TPoRxlb.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\System\HgDmItt.exe
C:\Windows\System\HgDmItt.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\hKLhrpO.exe
C:\Windows\System\hKLhrpO.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System\NaCeFOs.exe
C:\Windows\System\NaCeFOs.exe
2⤵
- Executes dropped EXE
PID:4548

C:\Windows\System\uiqXnXH.exe
C:\Windows\System\uiqXnXH.exe
2⤵
- Executes dropped EXE
PID:4472

C:\Windows\System\MESrFEZ.exe
C:\Windows\System\MESrFEZ.exe
2⤵
- Executes dropped EXE
PID:1772

C:\Windows\System\umiYyDK.exe
C:\Windows\System\umiYyDK.exe
2⤵
- Executes dropped EXE
PID:4988

C:\Windows\System\wxsqWtz.exe
C:\Windows\System\wxsqWtz.exe
2⤵
- Executes dropped EXE
PID:5044

C:\Windows\System\MCrUMzw.exe
C:\Windows\System\MCrUMzw.exe
2⤵
- Executes dropped EXE
PID:696

C:\Windows\System\dMctXor.exe
C:\Windows\System\dMctXor.exe
2⤵
- Executes dropped EXE
PID:2284

C:\Windows\System\aeeSGPl.exe
C:\Windows\System\aeeSGPl.exe
2⤵
- Executes dropped EXE
PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BLlFHOV.exe
Filesize
5.9MB

MD5
53fd22c82d2bab2fbfb1bebc40687dbb

SHA1
86dddabc64826d01b034269d9486fa98ce88572a

SHA256
87930baf22fab7f70585713e5edf658bbbffcd152834e556f27235fec25b5b9e

SHA512
c8f4b8a68e905aa395507e1c20b1333872fde46111332dc53c0f1616065755458674950c9c359563c4e9d37773b69f3aef334915b1f8b5573eadbcb05d2d2a37

Download Submit
C:\Windows\System\HgDmItt.exe
Filesize
5.9MB

MD5
55df1bf576bb05a55e831e0606117a10

SHA1
5a1b1c57a1c6a326caf52b56f9a0cffa855b8da9

SHA256
2e4fb0eee170d2a5193dd66c7c2441592ba9d4df3ea1254d6651ff9631281522

SHA512
e2b4fe5eb3d64f89d4da15505adea5ab0c6e97a299c528dc4c6dc2814906257d75ee79304f35438c9a80d02f09fd22de09072fe8ff85f7c18b3bee16e1a8b875

Download Submit
C:\Windows\System\IATnFbK.exe
Filesize
5.9MB

MD5
27dcb202402eff4110c480359077ebac

SHA1
5792c50bb2d70d9b4308573283d4d67c6b0f4001

SHA256
933b389d34d78834a5d19f192f2adf9c960393e9376f9f8e0148aaf2767fd28b

SHA512
364c069a050108a4b3b43fe574f1b763c3ad11a618908fae67daa2fa28d4b1177372410c65a3aeb9a839c807e02e84e4ee9d718c02e2022d0b5fd435667f49fc

Download Submit
C:\Windows\System\MCrUMzw.exe
Filesize
5.9MB

MD5
6346b534a40ee4c329e4059e42e9a5bb

SHA1
e9e357bb87b2f125df3a01a16e278f6d81782af1

SHA256
f5876b0e9652fc50bee4ae5ded8ae840d776ed5aafde9354f586b77a76d24d38

SHA512
a0035da8310c5696b1d09fa72fc83d67ba01fbc3ef5fe9e34040a4abde3d22cf0a86b09ddec3c5ce32c3c81f76cc7b03da3e0c5c5564ea88937aaf136e75db76

Download Submit
C:\Windows\System\MESrFEZ.exe
Filesize
5.9MB

MD5
365277cc074e1160558a917dbe778aeb

SHA1
d830c45468aae549aed2789a19b46265b5637c3b

SHA256
b78373471219f631c191ef4b9ba2cec46ce06a882847b0039fb383a0074566b6

SHA512
4f44da3864bd22c3fa087fa69249840a5144dd5caed1f006fce77c115c43e6d579c60db541d4d212c8e490af8ec659db5b685c3ee561c5e533c4b6432aabdcb5

Download Submit
C:\Windows\System\NaCeFOs.exe
Filesize
5.9MB

MD5
1aaac901d2aeb9596868f60e9b5d7a57

SHA1
c48fd56533205207fe74ac3ed257112f0ac610e5

SHA256
e3443c02e4a342350e6e71d34d7825f824a01b8cf47117e3ceb7d79a337a1bac

SHA512
01bbc73183a1eeddd36d0986e80641257ff929d9f82e8bc66a5a371a23a33227c759d8a277a00c1e698d904f4e6de9983f2d7ba89255138ea68822ad513717b4

Download Submit
C:\Windows\System\TPoRxlb.exe
Filesize
5.9MB

MD5
192dd3a8f7f4b3e78b8092362c6eb5da

SHA1
66ac675dc2e5bf65b9b308f8876c9f8ed397c161

SHA256
755fdca0a78e3974c5e18ddd70db49b3b83e1bb1c6f6e8ab57b9722dca1ef0ec

SHA512
a4e48c36eadce426304353569cbc9bc489605ae141bd03e3dfb1b576e8c8cc0adbdd7e83cb942d516c77fc829c5320bd161b5bbafd4cf6638aaecb3b8b7fa47b

Download Submit
C:\Windows\System\UlKzBeH.exe
Filesize
5.9MB

MD5
f0334ec97f56630cf70fd9de4a80fd47

SHA1
911f01b3c2fa51f2965e90f9012320cf7b1c622d

SHA256
0af8d9512752b98fde63f15c7daa4e1eae540184ecf5e79256b6424c83c3de92

SHA512
8c68020be6956ee642ded5e58b922daac8a7003d41e9c08f9e328400ecbfbc6a212f3ae3c72a84d6246b82661f86855920c813aa0fa19ed46b930e6a64a659d5

Download Submit
C:\Windows\System\VnEFeeG.exe
Filesize
5.9MB

MD5
8c656edc4b527520db144f405d410721

SHA1
250f537f653660c81025aaab799ed560bf059337

SHA256
3cb6eca7024a75e8889e24b6c2d9f42c0e4330894ac7e0bfa4491d6e4f76e39f

SHA512
489e3ab4a3efb612717f36641af02835f3e1accb33fad39b14032b2f15fd1b56fb3118eaf884557de04c57db999c56a0d492201469d235aeed19df753f136853

Download Submit
C:\Windows\System\YpxpGFN.exe
Filesize
5.9MB

MD5
67684eb90f898fac8e094ef671090031

SHA1
30758c13b69caeb0ddf9d3d3a76c05af8dbc6fac

SHA256
ab5c4e24d6ece48632abdb3b265c7b6d6e7dbac3d0283b8efe0993f205c6de15

SHA512
d85942f49f5b269a163cf5a9fee3de277b927fd836fbbf0f179dbcea4ca2b88bdc4b417e80da2c4f3bafa2e64e95791860da1d275bcc49e4215c4582ff898580

Download Submit
C:\Windows\System\aeeSGPl.exe
Filesize
5.9MB

MD5
af347fc4e6cf1b880ab08a5b01efccff

SHA1
2b288ff0c3640b7fd55436f2a2a16fad787fa418

SHA256
cc98abf5305abcf14a6f3914db1e4af6cfb61db11a277244db4d122c6e5d0808

SHA512
5787cf3bcffd6a06d9b4cf8f0b8fc0f621f2e4f9d2b02738cd5d76a6bafd800b7b0800ac2d3226cdf7f808e3ae4992baa8b4fde72bda8ccf3efe7d66753cc059

Download Submit
C:\Windows\System\coYszFH.exe
Filesize
5.9MB

MD5
5e0f51ec301e68921e5197f0087397f0

SHA1
a10156817588aa3b85638c07781e8a1273d40ac8

SHA256
04d4000b6fe3df43c89432b31e1e0e8f99d83e51ebdae8f84eaf8f041e3ac4f6

SHA512
df3967eb47e93190743c650c8d419f809789d8f3d20c281295f40353fb16b6ac73f2b22052a72feab0e668ae4ba62888907c3a19101d9bc135c8b0af5d235ff3

Download Submit
C:\Windows\System\dMctXor.exe
Filesize
5.9MB

MD5
66c63e7ef1380dec549a87065447a246

SHA1
57ddcffaf5ba90e920642b0602fd275528fe67cd

SHA256
d4bd23491a647941ebc31534d070c5527f50c5950ca58d9d7783a856722e42eb

SHA512
8448dd050b1c41fb3f2f4015408cda96fca848427b6576996d33b181ac541a33a602d001b2c4e31d2534138e42b7622802fb2faf406c726299df1ca40fa41b5d

Download Submit
C:\Windows\System\enGpoSK.exe
Filesize
5.9MB

MD5
50cda4deb86b473d3cbf21ccc778a45a

SHA1
1b5b426a13424651a9492d2a76405a8f47f2b041

SHA256
03150c6037d9de6e2ecf64d047ac816f2ee5f772fc8961b315ccaa1dcb906705

SHA512
6efacdb2ad40c63f5680635943e9faa7f06456a2f92e172f4d04378a77629ef813eb3c22ca6f287a530c37f146473dc8640c681423db68a8d5fd0b5b985f4984

Download Submit
C:\Windows\System\hKLhrpO.exe
Filesize
5.9MB

MD5
d5def9607caab912439b0e9ee6c06f4d

SHA1
5632c0daaaf5640b808aa121ef41ee9df8f48316

SHA256
b6cd5d6b55e707dce53103c8c76d112fe71ee55b5ff802349d7cb11272a4cdb8

SHA512
a61b30f808d543c0c46027f07a2e0ff6aac28ad82ceaa1aea8b89a4d4e91c0271acb32ccaab8e1aa3ca1d524b93f910f4538a77acff1f122eda7bb8a4c02566a

Download Submit
C:\Windows\System\jHOOSxz.exe
Filesize
5.9MB

MD5
b405e7aefbfa1941f91be089a10308d7

SHA1
d4dfad8d0f48bbf3aa6731f7d7bef36bd48a9839

SHA256
f70d05de7b00f211b398821b53390e022b7de19c6fe4bd8b71a9be6eea964085

SHA512
5a5fbaddb1a67654adf077eed65467757df1c1e5f632aaab182bf58c2115573a2e52a43133a44f5566d078cad0b7e93d1c91aa24bd9334af2b5eec50b9a5ca6d

Download Submit
C:\Windows\System\rbZcyiO.exe
Filesize
5.9MB

MD5
b53da18190572d4aebdfee3fc25016c9

SHA1
77348f4f02585102a892054faa5c0a5717079f29

SHA256
1c47dadd7f1221d201ce6c1b8588b3852d94d42a6915efde4611b509da1b83c4

SHA512
5725383cb013772273904e9a7d45b9de09bc2420e2e5fe962b71d5024faba638ea34764b37be2e972562e70ccbbf54dedafb6d90077f92e30436650b8aea8148

Download Submit
C:\Windows\System\uiqXnXH.exe
Filesize
5.9MB

MD5
dd267a146e29603140d2e8ac2491dabe

SHA1
3c293eb6ceac6ab7f81af2f0444867cf20c16e91

SHA256
cbec0599ad45197ef2855749706f016b0451452466d4d99b8d83900ec36d1688

SHA512
bdd33fa0c762ec7866ddb9e62bcee85ac550bb01e14a4c752a60807e2cb94167924ec7d396f8d1c5862e789da4d0ca12bc3bd9728c04f81abe2aca17ee2895a3

Download Submit
C:\Windows\System\umiYyDK.exe
Filesize
5.9MB

MD5
4c713f3ec2797833e0ebcc98ac70f589

SHA1
b72cdb40ad3b6c1b01ac44dabaafd167bcb3f041

SHA256
18e7374e573c61c26ad58a99d696fa7c87b4779859b0654e9cd5bcad5b99dabf

SHA512
4b87221149984c10d5366c622626a3c2685394b9401e947391105c8e415cc7abee2649041e0a0e95e401e70c62bb997e8a131ee57aa86f032494f456fe4c2094

Download Submit
C:\Windows\System\usriZsc.exe
Filesize
5.9MB

MD5
bd6e7dc140ecd9040702e53eda9f4cfb

SHA1
802737691fc02424e16df5ca7d46c4d0dc927a44

SHA256
3fded91e4df03144c0bfe3c60dde5c3fb36d997d460ed121ffbd7f1fa4201d0c

SHA512
b76564b47b389395016151bae0ff656caeb7c661701b9ac20d9c81b7b6978f5012bb843e55b841a0296a35deaecbf26efff1c1f6cfc7302ee6f98ece8db83784

Download Submit
C:\Windows\System\wxsqWtz.exe
Filesize
5.9MB

MD5
4b5369b57964bf8ebef6254559085395

SHA1
564771c99be621df7dbdd67c3f6c79492f9650b7

SHA256
6de4e77f68710e0c02017020b45c66549e8e6cbcfb396ee06b3ad57b83bbe79e

SHA512
80a99aee3c4f6f46fcf4964f03c7127b9b234ab0b322a7cda948bc75ab8fa5e1b86db82cadcd950fd695245d4a49d3c8a0365e5b89a1066d781b71a8c58bf6a2

Download Submit
memory/620-56-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp

Filesize
3.3MB

Download
memory/620-149-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp

Filesize
3.3MB

Download
memory/696-159-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp

Filesize
3.3MB

Download
memory/696-140-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp

Filesize
3.3MB

Download
memory/696-119-0x00007FF770AD0000-0x00007FF770E24000-memory.dmp

Filesize
3.3MB

Download
memory/892-9-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp

Filesize
3.3MB

Download
memory/892-141-0x00007FF7FBFC0000-0x00007FF7FC314000-memory.dmp

Filesize
3.3MB

Download
memory/1076-88-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp

Filesize
3.3MB

Download
memory/1076-144-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp

Filesize
3.3MB

Download
memory/1076-24-0x00007FF7F4AA0000-0x00007FF7F4DF4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-93-0x00007FF6C5970000-0x00007FF6C5CC4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-153-0x00007FF6C5970000-0x00007FF6C5CC4000-memory.dmp

Filesize
3.3MB

Download
memory/1772-156-0x00007FF72F030000-0x00007FF72F384000-memory.dmp

Filesize
3.3MB

Download
memory/1772-103-0x00007FF72F030000-0x00007FF72F384000-memory.dmp

Filesize
3.3MB

Download
memory/1984-48-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp

Filesize
3.3MB

Download
memory/1984-148-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp

Filesize
3.3MB

Download
memory/1984-118-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp

Filesize
3.3MB

Download
memory/2284-132-0x00007FF683170000-0x00007FF6834C4000-memory.dmp

Filesize
3.3MB

Download
memory/2284-160-0x00007FF683170000-0x00007FF6834C4000-memory.dmp

Filesize
3.3MB

Download
memory/2360-158-0x00007FF71F420000-0x00007FF71F774000-memory.dmp

Filesize
3.3MB

Download
memory/2360-133-0x00007FF71F420000-0x00007FF71F774000-memory.dmp

Filesize
3.3MB

Download
memory/2508-12-0x00007FF6175C0000-0x00007FF617914000-memory.dmp

Filesize
3.3MB

Download
memory/2508-77-0x00007FF6175C0000-0x00007FF617914000-memory.dmp

Filesize
3.3MB

Download
memory/2508-142-0x00007FF6175C0000-0x00007FF617914000-memory.dmp

Filesize
3.3MB

Download
memory/3212-34-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp

Filesize
3.3MB

Download
memory/3212-107-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp

Filesize
3.3MB

Download
memory/3212-145-0x00007FF6AD330000-0x00007FF6AD684000-memory.dmp

Filesize
3.3MB

Download
memory/3288-102-0x00007FF673E20000-0x00007FF674174000-memory.dmp

Filesize
3.3MB

Download
memory/3288-146-0x00007FF673E20000-0x00007FF674174000-memory.dmp

Filesize
3.3MB

Download
memory/3288-28-0x00007FF673E20000-0x00007FF674174000-memory.dmp

Filesize
3.3MB

Download
memory/3432-71-0x00007FF636520000-0x00007FF636874000-memory.dmp

Filesize
3.3MB

Download
memory/3432-151-0x00007FF636520000-0x00007FF636874000-memory.dmp

Filesize
3.3MB

Download
memory/4144-150-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp

Filesize
3.3MB

Download
memory/4144-61-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp

Filesize
3.3MB

Download
memory/4144-135-0x00007FF762BF0000-0x00007FF762F44000-memory.dmp

Filesize
3.3MB

Download
memory/4180-143-0x00007FF609260000-0x00007FF6095B4000-memory.dmp

Filesize
3.3MB

Download
memory/4180-20-0x00007FF609260000-0x00007FF6095B4000-memory.dmp

Filesize
3.3MB

Download
memory/4180-85-0x00007FF609260000-0x00007FF6095B4000-memory.dmp

Filesize
3.3MB

Download
memory/4328-44-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp

Filesize
3.3MB

Download
memory/4328-147-0x00007FF76F0D0000-0x00007FF76F424000-memory.dmp

Filesize
3.3MB

Download
memory/4452-0-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp

Filesize
3.3MB

Download
memory/4452-60-0x00007FF69CE00000-0x00007FF69D154000-memory.dmp

Filesize
3.3MB

Download
memory/4452-1-0x000001CE169B0000-0x000001CE169C0000-memory.dmp

Filesize
64KB

Download
memory/4472-137-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-155-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-96-0x00007FF77F480000-0x00007FF77F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4548-136-0x00007FF668510000-0x00007FF668864000-memory.dmp

Filesize
3.3MB

Download
memory/4548-154-0x00007FF668510000-0x00007FF668864000-memory.dmp

Filesize
3.3MB

Download
memory/4548-84-0x00007FF668510000-0x00007FF668864000-memory.dmp

Filesize
3.3MB

Download
memory/4848-152-0x00007FF77FCB0000-0x00007FF780004000-memory.dmp

Filesize
3.3MB

Download
memory/4848-82-0x00007FF77FCB0000-0x00007FF780004000-memory.dmp

Filesize
3.3MB

Download
memory/4988-108-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp

Filesize
3.3MB

Download
memory/4988-157-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp

Filesize
3.3MB

Download
memory/4988-138-0x00007FF7999C0000-0x00007FF799D14000-memory.dmp

Filesize
3.3MB

Download
memory/5044-117-0x00007FF761430000-0x00007FF761784000-memory.dmp

Filesize
3.3MB

Download
memory/5044-139-0x00007FF761430000-0x00007FF761784000-memory.dmp

Filesize
3.3MB

Download
memory/5044-161-0x00007FF761430000-0x00007FF761784000-memory.dmp

Filesize
3.3MB

Download