cobaltstrike | 06a63e434ad133556c169e9ad28a4ca9f253f2d4651bae8829c0db074c98f72b

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

f331dd85b89422d342110e49bf45601c
SHA1

2591f3af784ff26093e998ebbc235a13f2de59ef
SHA256

06a63e434ad133556c169e9ad28a4ca9f253f2d4651bae8829c0db074c98f72b
SHA512

82d5499171b709a1416a7996a36a17a2a1fcca3fafd97a734c93b8f927592f7617bc305782a0479ce91f3de8a879ec37d3931b2ed7b4d1eaf814b1abd470682c
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU6:Q+856utgpPF8u/76

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 15 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\ConhODl.exe	cobalt_reflective_dll
C:\Windows\System\AjMxssH.exe	cobalt_reflective_dll
C:\Windows\System\UJyOqyJ.exe	cobalt_reflective_dll
C:\Windows\System\dykDgSP.exe	cobalt_reflective_dll
C:\Windows\System\uPmfmTF.exe	cobalt_reflective_dll
C:\Windows\System\uKvzogZ.exe	cobalt_reflective_dll
C:\Windows\System\IYvfsxN.exe	cobalt_reflective_dll
C:\Windows\System\hBRPzqf.exe	cobalt_reflective_dll
C:\Windows\System\iInDzyy.exe	cobalt_reflective_dll
C:\Windows\System\KOlrdHx.exe	cobalt_reflective_dll
C:\Windows\System\OSlbLYa.exe	cobalt_reflective_dll
C:\Windows\System\jwrlCaa.exe	cobalt_reflective_dll
C:\Windows\System\AxrSgPL.exe	cobalt_reflective_dll
C:\Windows\System\NqMthaI.exe	cobalt_reflective_dll
C:\Windows\System\EoDLUIk.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 15 IoCs

Processes:

resource	yara_rule
C:\Windows\System\ConhODl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AjMxssH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UJyOqyJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dykDgSP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uPmfmTF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uKvzogZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IYvfsxN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hBRPzqf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iInDzyy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KOlrdHx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OSlbLYa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jwrlCaa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AxrSgPL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NqMthaI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EoDLUIk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5020-0-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp	UPX
C:\Windows\System\ConhODl.exe	UPX
behavioral2/memory/3480-8-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	UPX
C:\Windows\System\AjMxssH.exe	UPX
behavioral2/memory/5016-14-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp	UPX
C:\Windows\System\UJyOqyJ.exe	UPX
C:\Windows\System\UJyOqyJ.exe	UPX
behavioral2/memory/2228-20-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp	UPX
C:\Windows\System\dykDgSP.exe	UPX
C:\Windows\System\dykDgSP.exe	UPX
behavioral2/memory/2348-26-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp	UPX
C:\Windows\System\uPmfmTF.exe	UPX
behavioral2/memory/4272-32-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp	UPX
C:\Windows\System\WEetvbz.exe	UPX
behavioral2/memory/4596-42-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp	UPX
C:\Windows\System\uKvzogZ.exe	UPX
C:\Windows\System\uKvzogZ.exe	UPX
behavioral2/memory/4648-38-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp	UPX
C:\Windows\System\WYrDbJK.exe	UPX
C:\Windows\System\IYvfsxN.exe	UPX
C:\Windows\System\IYvfsxN.exe	UPX
behavioral2/memory/2076-57-0x00007FF7F86D0000-0x00007FF7F8A24000-memory.dmp	UPX
C:\Windows\System\LKOuKvO.exe	UPX
C:\Windows\System\emlwhFZ.exe	UPX
C:\Windows\System\IZgTvUA.exe	UPX
C:\Windows\System\hBRPzqf.exe	UPX
C:\Windows\System\iInDzyy.exe	UPX
C:\Windows\System\KOlrdHx.exe	UPX
C:\Windows\System\OSlbLYa.exe	UPX
C:\Windows\System\jwrlCaa.exe	UPX
C:\Windows\System\OSlbLYa.exe	UPX
C:\Windows\System\KOlrdHx.exe	UPX
C:\Windows\System\AxrSgPL.exe	UPX
C:\Windows\System\AxrSgPL.exe	UPX
C:\Windows\System\NqMthaI.exe	UPX
C:\Windows\System\NqMthaI.exe	UPX
C:\Windows\System\qwgEHtX.exe	UPX
C:\Windows\System\EoDLUIk.exe	UPX
C:\Windows\System\EoDLUIk.exe	UPX
behavioral2/memory/3480-118-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	UPX
behavioral2/memory/1748-119-0x00007FF612E50000-0x00007FF6131A4000-memory.dmp	UPX
behavioral2/memory/3008-122-0x00007FF730CE0000-0x00007FF731034000-memory.dmp	UPX
behavioral2/memory/1708-121-0x00007FF7DFF00000-0x00007FF7E0254000-memory.dmp	UPX
behavioral2/memory/1776-123-0x00007FF73B320000-0x00007FF73B674000-memory.dmp	UPX
behavioral2/memory/4336-124-0x00007FF6AFFF0000-0x00007FF6B0344000-memory.dmp	UPX
behavioral2/memory/4548-125-0x00007FF705230000-0x00007FF705584000-memory.dmp	UPX
behavioral2/memory/400-126-0x00007FF7EC520000-0x00007FF7EC874000-memory.dmp	UPX
behavioral2/memory/4148-128-0x00007FF7AA6E0000-0x00007FF7AAA34000-memory.dmp	UPX
behavioral2/memory/1980-129-0x00007FF746C90000-0x00007FF746FE4000-memory.dmp	UPX
behavioral2/memory/4876-120-0x00007FF6605A0000-0x00007FF6608F4000-memory.dmp	UPX
behavioral2/memory/2228-131-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp	UPX
behavioral2/memory/2348-132-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp	UPX
behavioral2/memory/4272-133-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp	UPX
behavioral2/memory/4648-134-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp	UPX
behavioral2/memory/4596-135-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp	UPX
behavioral2/memory/1376-136-0x00007FF763F20000-0x00007FF764274000-memory.dmp	UPX
behavioral2/memory/3480-137-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	UPX
behavioral2/memory/5016-138-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp	UPX
behavioral2/memory/2228-139-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp	UPX
behavioral2/memory/2348-140-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp	UPX
behavioral2/memory/4272-141-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp	UPX
behavioral2/memory/4648-142-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp	UPX
behavioral2/memory/4596-143-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp	UPX
behavioral2/memory/1376-144-0x00007FF763F20000-0x00007FF764274000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5020-0-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp	xmrig
C:\Windows\System\ConhODl.exe	xmrig
behavioral2/memory/3480-8-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	xmrig
C:\Windows\System\AjMxssH.exe	xmrig
behavioral2/memory/5016-14-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp	xmrig
C:\Windows\System\UJyOqyJ.exe	xmrig
C:\Windows\System\UJyOqyJ.exe	xmrig
behavioral2/memory/2228-20-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp	xmrig
C:\Windows\System\dykDgSP.exe	xmrig
C:\Windows\System\dykDgSP.exe	xmrig
behavioral2/memory/2348-26-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp	xmrig
C:\Windows\System\uPmfmTF.exe	xmrig
behavioral2/memory/4272-32-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp	xmrig
C:\Windows\System\WEetvbz.exe	xmrig
behavioral2/memory/4596-42-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp	xmrig
C:\Windows\System\uKvzogZ.exe	xmrig
C:\Windows\System\uKvzogZ.exe	xmrig
behavioral2/memory/4648-38-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp	xmrig
C:\Windows\System\WYrDbJK.exe	xmrig
behavioral2/memory/1376-50-0x00007FF763F20000-0x00007FF764274000-memory.dmp	xmrig
C:\Windows\System\IYvfsxN.exe	xmrig
C:\Windows\System\IYvfsxN.exe	xmrig
behavioral2/memory/5020-56-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp	xmrig
behavioral2/memory/2076-57-0x00007FF7F86D0000-0x00007FF7F8A24000-memory.dmp	xmrig
C:\Windows\System\LKOuKvO.exe	xmrig
behavioral2/memory/1556-65-0x00007FF77F470000-0x00007FF77F7C4000-memory.dmp	xmrig
C:\Windows\System\emlwhFZ.exe	xmrig
C:\Windows\System\emlwhFZ.exe	xmrig
C:\Windows\System\IZgTvUA.exe	xmrig
C:\Windows\System\hBRPzqf.exe	xmrig
C:\Windows\System\iInDzyy.exe	xmrig
C:\Windows\System\KOlrdHx.exe	xmrig
C:\Windows\System\OSlbLYa.exe	xmrig
C:\Windows\System\jwrlCaa.exe	xmrig
C:\Windows\System\OSlbLYa.exe	xmrig
C:\Windows\System\KOlrdHx.exe	xmrig
C:\Windows\System\AxrSgPL.exe	xmrig
C:\Windows\System\AxrSgPL.exe	xmrig
C:\Windows\System\NqMthaI.exe	xmrig
C:\Windows\System\NqMthaI.exe	xmrig
C:\Windows\System\qwgEHtX.exe	xmrig
C:\Windows\System\EoDLUIk.exe	xmrig
C:\Windows\System\EoDLUIk.exe	xmrig
behavioral2/memory/3480-118-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	xmrig
behavioral2/memory/1748-119-0x00007FF612E50000-0x00007FF6131A4000-memory.dmp	xmrig
behavioral2/memory/3008-122-0x00007FF730CE0000-0x00007FF731034000-memory.dmp	xmrig
behavioral2/memory/1708-121-0x00007FF7DFF00000-0x00007FF7E0254000-memory.dmp	xmrig
behavioral2/memory/1776-123-0x00007FF73B320000-0x00007FF73B674000-memory.dmp	xmrig
behavioral2/memory/4336-124-0x00007FF6AFFF0000-0x00007FF6B0344000-memory.dmp	xmrig
behavioral2/memory/4548-125-0x00007FF705230000-0x00007FF705584000-memory.dmp	xmrig
behavioral2/memory/400-126-0x00007FF7EC520000-0x00007FF7EC874000-memory.dmp	xmrig
behavioral2/memory/4148-128-0x00007FF7AA6E0000-0x00007FF7AAA34000-memory.dmp	xmrig
behavioral2/memory/1980-129-0x00007FF746C90000-0x00007FF746FE4000-memory.dmp	xmrig
behavioral2/memory/4572-127-0x00007FF646E40000-0x00007FF647194000-memory.dmp	xmrig
behavioral2/memory/4876-120-0x00007FF6605A0000-0x00007FF6608F4000-memory.dmp	xmrig
behavioral2/memory/5016-130-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp	xmrig
behavioral2/memory/2228-131-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp	xmrig
behavioral2/memory/2348-132-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp	xmrig
behavioral2/memory/4272-133-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp	xmrig
behavioral2/memory/4648-134-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp	xmrig
behavioral2/memory/4596-135-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp	xmrig
behavioral2/memory/1376-136-0x00007FF763F20000-0x00007FF764274000-memory.dmp	xmrig
behavioral2/memory/3480-137-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	xmrig
behavioral2/memory/5016-138-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ConhODl.exeAjMxssH.exeUJyOqyJ.exedykDgSP.exeuPmfmTF.exeWEetvbz.exeuKvzogZ.exeWYrDbJK.exeIYvfsxN.exeLKOuKvO.exeemlwhFZ.exeIZgTvUA.exehBRPzqf.exeEoDLUIk.exeiInDzyy.exeqwgEHtX.exeNqMthaI.exeAxrSgPL.exeKOlrdHx.exeOSlbLYa.exejwrlCaa.exe

pid	process
3480	ConhODl.exe
5016	AjMxssH.exe
2228	UJyOqyJ.exe
2348	dykDgSP.exe
4272	uPmfmTF.exe
4648	WEetvbz.exe
4596	uKvzogZ.exe
1376	WYrDbJK.exe
2076	IYvfsxN.exe
1556	LKOuKvO.exe
1748	emlwhFZ.exe
4876	IZgTvUA.exe
1708	hBRPzqf.exe
3008	EoDLUIk.exe
1776	iInDzyy.exe
4336	qwgEHtX.exe
4548	NqMthaI.exe
400	AxrSgPL.exe
4572	KOlrdHx.exe
4148	OSlbLYa.exe
1980	jwrlCaa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5020-0-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp	upx
C:\Windows\System\ConhODl.exe	upx
behavioral2/memory/3480-8-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	upx
C:\Windows\System\AjMxssH.exe	upx
behavioral2/memory/5016-14-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp	upx
C:\Windows\System\UJyOqyJ.exe	upx
C:\Windows\System\UJyOqyJ.exe	upx
behavioral2/memory/2228-20-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp	upx
C:\Windows\System\dykDgSP.exe	upx
C:\Windows\System\dykDgSP.exe	upx
behavioral2/memory/2348-26-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp	upx
C:\Windows\System\uPmfmTF.exe	upx
behavioral2/memory/4272-32-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp	upx
C:\Windows\System\WEetvbz.exe	upx
behavioral2/memory/4596-42-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp	upx
C:\Windows\System\uKvzogZ.exe	upx
C:\Windows\System\uKvzogZ.exe	upx
behavioral2/memory/4648-38-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp	upx
C:\Windows\System\WYrDbJK.exe	upx
behavioral2/memory/1376-50-0x00007FF763F20000-0x00007FF764274000-memory.dmp	upx
C:\Windows\System\IYvfsxN.exe	upx
C:\Windows\System\IYvfsxN.exe	upx
behavioral2/memory/5020-56-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp	upx
behavioral2/memory/2076-57-0x00007FF7F86D0000-0x00007FF7F8A24000-memory.dmp	upx
C:\Windows\System\LKOuKvO.exe	upx
behavioral2/memory/1556-65-0x00007FF77F470000-0x00007FF77F7C4000-memory.dmp	upx
C:\Windows\System\emlwhFZ.exe	upx
C:\Windows\System\emlwhFZ.exe	upx
C:\Windows\System\IZgTvUA.exe	upx
C:\Windows\System\hBRPzqf.exe	upx
C:\Windows\System\iInDzyy.exe	upx
C:\Windows\System\KOlrdHx.exe	upx
C:\Windows\System\OSlbLYa.exe	upx
C:\Windows\System\jwrlCaa.exe	upx
C:\Windows\System\OSlbLYa.exe	upx
C:\Windows\System\KOlrdHx.exe	upx
C:\Windows\System\AxrSgPL.exe	upx
C:\Windows\System\AxrSgPL.exe	upx
C:\Windows\System\NqMthaI.exe	upx
C:\Windows\System\NqMthaI.exe	upx
C:\Windows\System\qwgEHtX.exe	upx
C:\Windows\System\EoDLUIk.exe	upx
C:\Windows\System\EoDLUIk.exe	upx
behavioral2/memory/3480-118-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	upx
behavioral2/memory/1748-119-0x00007FF612E50000-0x00007FF6131A4000-memory.dmp	upx
behavioral2/memory/3008-122-0x00007FF730CE0000-0x00007FF731034000-memory.dmp	upx
behavioral2/memory/1708-121-0x00007FF7DFF00000-0x00007FF7E0254000-memory.dmp	upx
behavioral2/memory/1776-123-0x00007FF73B320000-0x00007FF73B674000-memory.dmp	upx
behavioral2/memory/4336-124-0x00007FF6AFFF0000-0x00007FF6B0344000-memory.dmp	upx
behavioral2/memory/4548-125-0x00007FF705230000-0x00007FF705584000-memory.dmp	upx
behavioral2/memory/400-126-0x00007FF7EC520000-0x00007FF7EC874000-memory.dmp	upx
behavioral2/memory/4148-128-0x00007FF7AA6E0000-0x00007FF7AAA34000-memory.dmp	upx
behavioral2/memory/1980-129-0x00007FF746C90000-0x00007FF746FE4000-memory.dmp	upx
behavioral2/memory/4572-127-0x00007FF646E40000-0x00007FF647194000-memory.dmp	upx
behavioral2/memory/4876-120-0x00007FF6605A0000-0x00007FF6608F4000-memory.dmp	upx
behavioral2/memory/5016-130-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp	upx
behavioral2/memory/2228-131-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp	upx
behavioral2/memory/2348-132-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp	upx
behavioral2/memory/4272-133-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp	upx
behavioral2/memory/4648-134-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp	upx
behavioral2/memory/4596-135-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp	upx
behavioral2/memory/1376-136-0x00007FF763F20000-0x00007FF764274000-memory.dmp	upx
behavioral2/memory/3480-137-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp	upx
behavioral2/memory/5016-138-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\WYrDbJK.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KOlrdHx.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OSlbLYa.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AjMxssH.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WEetvbz.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uKvzogZ.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\emlwhFZ.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IZgTvUA.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hBRPzqf.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iInDzyy.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qwgEHtX.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uPmfmTF.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IYvfsxN.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LKOuKvO.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NqMthaI.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AxrSgPL.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ConhODl.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dykDgSP.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EoDLUIk.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jwrlCaa.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UJyOqyJ.exe	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 5020 wrote to memory of 3480	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	ConhODl.exe
PID 5020 wrote to memory of 3480	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	ConhODl.exe
PID 5020 wrote to memory of 5016	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	AjMxssH.exe
PID 5020 wrote to memory of 5016	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	AjMxssH.exe
PID 5020 wrote to memory of 2228	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	UJyOqyJ.exe
PID 5020 wrote to memory of 2228	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	UJyOqyJ.exe
PID 5020 wrote to memory of 2348	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	dykDgSP.exe
PID 5020 wrote to memory of 2348	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	dykDgSP.exe
PID 5020 wrote to memory of 4272	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	uPmfmTF.exe
PID 5020 wrote to memory of 4272	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	uPmfmTF.exe
PID 5020 wrote to memory of 4648	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	WEetvbz.exe
PID 5020 wrote to memory of 4648	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	WEetvbz.exe
PID 5020 wrote to memory of 4596	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	uKvzogZ.exe
PID 5020 wrote to memory of 4596	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	uKvzogZ.exe
PID 5020 wrote to memory of 1376	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	WYrDbJK.exe
PID 5020 wrote to memory of 1376	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	WYrDbJK.exe
PID 5020 wrote to memory of 2076	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	IYvfsxN.exe
PID 5020 wrote to memory of 2076	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	IYvfsxN.exe
PID 5020 wrote to memory of 1556	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	LKOuKvO.exe
PID 5020 wrote to memory of 1556	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	LKOuKvO.exe
PID 5020 wrote to memory of 1748	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	emlwhFZ.exe
PID 5020 wrote to memory of 1748	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	emlwhFZ.exe
PID 5020 wrote to memory of 4876	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	IZgTvUA.exe
PID 5020 wrote to memory of 4876	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	IZgTvUA.exe
PID 5020 wrote to memory of 1708	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	hBRPzqf.exe
PID 5020 wrote to memory of 1708	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	hBRPzqf.exe
PID 5020 wrote to memory of 3008	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	EoDLUIk.exe
PID 5020 wrote to memory of 3008	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	EoDLUIk.exe
PID 5020 wrote to memory of 1776	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	iInDzyy.exe
PID 5020 wrote to memory of 1776	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	iInDzyy.exe
PID 5020 wrote to memory of 4336	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	qwgEHtX.exe
PID 5020 wrote to memory of 4336	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	qwgEHtX.exe
PID 5020 wrote to memory of 4548	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	NqMthaI.exe
PID 5020 wrote to memory of 4548	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	NqMthaI.exe
PID 5020 wrote to memory of 400	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	AxrSgPL.exe
PID 5020 wrote to memory of 400	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	AxrSgPL.exe
PID 5020 wrote to memory of 4572	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	KOlrdHx.exe
PID 5020 wrote to memory of 4572	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	KOlrdHx.exe
PID 5020 wrote to memory of 4148	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	OSlbLYa.exe
PID 5020 wrote to memory of 4148	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	OSlbLYa.exe
PID 5020 wrote to memory of 1980	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	jwrlCaa.exe
PID 5020 wrote to memory of 1980	5020	2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe	jwrlCaa.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\System\ConhODl.exe
C:\Windows\System\ConhODl.exe
2⤵
- Executes dropped EXE
PID:3480

C:\Windows\System\AjMxssH.exe
C:\Windows\System\AjMxssH.exe
2⤵
- Executes dropped EXE
PID:5016

C:\Windows\System\UJyOqyJ.exe
C:\Windows\System\UJyOqyJ.exe
2⤵
- Executes dropped EXE
PID:2228

C:\Windows\System\dykDgSP.exe
C:\Windows\System\dykDgSP.exe
2⤵
- Executes dropped EXE
PID:2348

C:\Windows\System\uPmfmTF.exe
C:\Windows\System\uPmfmTF.exe
2⤵
- Executes dropped EXE
PID:4272

C:\Windows\System\WEetvbz.exe
C:\Windows\System\WEetvbz.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\uKvzogZ.exe
C:\Windows\System\uKvzogZ.exe
2⤵
- Executes dropped EXE
PID:4596

C:\Windows\System\WYrDbJK.exe
C:\Windows\System\WYrDbJK.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System\IYvfsxN.exe
C:\Windows\System\IYvfsxN.exe
2⤵
- Executes dropped EXE
PID:2076

C:\Windows\System\LKOuKvO.exe
C:\Windows\System\LKOuKvO.exe
2⤵
- Executes dropped EXE
PID:1556

C:\Windows\System\emlwhFZ.exe
C:\Windows\System\emlwhFZ.exe
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\System\IZgTvUA.exe
C:\Windows\System\IZgTvUA.exe
2⤵
- Executes dropped EXE
PID:4876

C:\Windows\System\hBRPzqf.exe
C:\Windows\System\hBRPzqf.exe
2⤵
- Executes dropped EXE
PID:1708

C:\Windows\System\EoDLUIk.exe
C:\Windows\System\EoDLUIk.exe
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\System\iInDzyy.exe
C:\Windows\System\iInDzyy.exe
2⤵
- Executes dropped EXE
PID:1776

C:\Windows\System\qwgEHtX.exe
C:\Windows\System\qwgEHtX.exe
2⤵
- Executes dropped EXE
PID:4336

C:\Windows\System\NqMthaI.exe
C:\Windows\System\NqMthaI.exe
2⤵
- Executes dropped EXE
PID:4548

C:\Windows\System\AxrSgPL.exe
C:\Windows\System\AxrSgPL.exe
2⤵
- Executes dropped EXE
PID:400

C:\Windows\System\KOlrdHx.exe
C:\Windows\System\KOlrdHx.exe
2⤵
- Executes dropped EXE
PID:4572

C:\Windows\System\OSlbLYa.exe
C:\Windows\System\OSlbLYa.exe
2⤵
- Executes dropped EXE
PID:4148

C:\Windows\System\jwrlCaa.exe
C:\Windows\System\jwrlCaa.exe
2⤵
- Executes dropped EXE
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AjMxssH.exe
Filesize
5.9MB

MD5
64a038543757b11441e422483903ec93

SHA1
b2e66bd945325594f96c5e6a57a72a23fbdc2910

SHA256
2ca086933acaa6ae6c0dd2897aaa426bca4b96d3b7b287164b77e8bef14b92ec

SHA512
f755ce3af17a38865b84367b64ee3d915ce2080124a9ab3e0bf22f799dc7ac007109776475e990028019a45609ac6dcd73991743bc2a4d6e7539710637b4a2bf

Download Submit
C:\Windows\System\AxrSgPL.exe
Filesize
1.4MB

MD5
c2630368f2b0f1676e4f1cfe1abe40fe

SHA1
1a1ea934cad8c04d2d7cb52f6d24efa72171b9bb

SHA256
ba2b6ec7283487518598a85cf876bd237f0f22469f9ddb98503daa3b393dd952

SHA512
0aab36dba19a00b9153d667bd13a12f0f52c3bc100eb4b39808efd5f028076649453c97409b4e3cd94bf4c0fd01aceb1a9a9bb93111ac83c147c79b204a0dec0

Download Submit
C:\Windows\System\AxrSgPL.exe
Filesize
5.9MB

MD5
1fbb254910d663dc7082aa5583d1245a

SHA1
65d9cebf3057c4a9be1ef9a72574e53bfe4acd9b

SHA256
e8ae4be318545fe127f51d5a78fedc6fbd6040df16bee7561152fd0dadfe832f

SHA512
1f0de5061b5fb73262baf2874710d7937b06cfe133e9e44d4abd8ea9e91e7c1bc7fe467739eebb1f300dbf82e7afda705ee5bda9e21b3f178f4a9116ae58cbb7

Download Submit
C:\Windows\System\ConhODl.exe
Filesize
5.9MB

MD5
9490f9d7b3ea7a251aa3973258adf4bb

SHA1
e912af415f5e94d159ceb7c8a48f41b07d47f057

SHA256
72d75bf2813655fdd8e7e35fe3f1ef16cd81737a2a71bab167525cbfb7eacac4

SHA512
8c93371817e6ccc4ab435a005654f4ccb6c8876c4cd326b923b8b181dcb31b3eafd04e0e287ce7caa45c8a89248a2e7792c736bca86574041f0d9edc0f5bd23a

Download Submit
C:\Windows\System\EoDLUIk.exe
Filesize
1.2MB

MD5
3ed5a609fc99609f477b127cb1075f8e

SHA1
efbe9eae011603d0818e0ea87d848f4505a8ca00

SHA256
f5c7ed548f4ba98079252e02c14f981d3b1b5468313f0be262b25ccc06a1f939

SHA512
adf3c7526c8d008f32ef1391728203330e532d5ab3157f9a2a7fe21b8a1324527c1ba05f5b2198a9d7b1cc621dddfe091207ec334b309442cd5608fc15d0fd18

Download Submit
C:\Windows\System\EoDLUIk.exe
Filesize
5.9MB

MD5
0fdfb9aa1d683604451f093ae844b48b

SHA1
ac2f38897e9d002b90fb2266d2ae08ab0c0b6306

SHA256
bfc698e6020173dbf7fdd84bbecc961c7057d1c6b1e4d741fe064b053949b583

SHA512
58575cc0bacc832ff14ff436a0b69db01ace7597ca6032681e9061298559b162c7d64b9e8e53083bcdf9086c362438e05fa4f3cbecb91d7acd04ee0600ae1bca

Download Submit
C:\Windows\System\IYvfsxN.exe
Filesize
5.9MB

MD5
32a8bb1921aefd3c0ed7458ba16b58e5

SHA1
41a6e99bb67c1d706027a69e2849cbaa2ef6d6b4

SHA256
85d94db272f4ca07fc7f7ddfc8dead334f8d437e269294dd0bf82ded8780e983

SHA512
a7fd61a36e0a520af4182e495f23b61941686657a59ef40d3bb36dadd9e0bba99e1ff3ae639b62da0e6701b08158f3fed6c2f8d5186679eb7cde9229cafd4768

Download Submit
C:\Windows\System\IYvfsxN.exe
Filesize
1.2MB

MD5
711965c0ed770375b388ea9b5ea57c70

SHA1
21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2

SHA256
c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666

SHA512
1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

Download Submit
C:\Windows\System\IZgTvUA.exe
Filesize
2.6MB

MD5
2e820f8af7aa3bf225d37608a0a87341

SHA1
b813ceb09756bee341a57c9525bd3abdbe863ab8

SHA256
de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa

SHA512
94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4

Download Submit
C:\Windows\System\KOlrdHx.exe
Filesize
5.9MB

MD5
bf4ff823726c77f50f927dd893d30c75

SHA1
4901c596d03492fd5b9429bbca0fdbc1640ac3d0

SHA256
10533bfcb38bd8c015ada46548bb3979866777c40d716074bd30968f8805f6e4

SHA512
5916bce0ddb110758678c9d48b36f6c30454e985a7f4c0e19512af2ebbed3251ba1d162cb3b139bb7e0eff1e745843e639d66b36950b58610d274eaacf7ab01d

Download Submit
C:\Windows\System\KOlrdHx.exe
Filesize
2.7MB

MD5
93bacfc3d845f374627b012c3a61a1e5

SHA1
f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae

SHA256
4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d

SHA512
63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

Download Submit
C:\Windows\System\LKOuKvO.exe
Filesize
1.8MB

MD5
c665d55523745ebd550a2c4296ad8ec9

SHA1
43f72a8e93454ded742dbec7a7c84f59cb0d6520

SHA256
4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b

SHA512
57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454

Download Submit
C:\Windows\System\NqMthaI.exe
Filesize
5.9MB

MD5
47960b34aac461d46c5cfe709bbf201c

SHA1
814c9fd6874e6133667a71a323d009060ff93ed8

SHA256
eb9c79a1c1428661ffbec1d4e0bdf10ad3c4de3d97f2348bfc791528fd4e13b7

SHA512
623975850b2068cd617805c85749f4c281afb1d5a6f26f56cb894ad621af8aa09cb79dd23e81a791413e7fe5fe485f7d48dc097599b3f8cc5ec632abf8a77760

Download Submit
C:\Windows\System\NqMthaI.exe
Filesize
5.6MB

MD5
38e1b7b0b9aa649f5c14f03127a6d132

SHA1
3917ca36707cd2c4dba6b6926d34a14a7bb117b1

SHA256
ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72

SHA512
47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

Download Submit
C:\Windows\System\OSlbLYa.exe
Filesize
5.9MB

MD5
0783b3b28ba90cc7856f369d2be9c3c7

SHA1
652c770cd2fba5fb2a49dcb29d7f26b77aff61b2

SHA256
095ed1a49d60002aec92213f47d28502275cfda8092b43aa6fead2cc2924d94c

SHA512
639a05515d748569f172a66582a26012c71555182d87a4960a96c1cfaf7ede05ed58d06ae026147cf25da3668f9e91728f3d9a57ebf9c24cb63e62ebc7baa443

Download Submit
C:\Windows\System\OSlbLYa.exe
Filesize
5.6MB

MD5
1e2459942327eb396bd8cd9cbc885d14

SHA1
b979cbcb517509c30843efb1d91bef30f1f24a44

SHA256
54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a

SHA512
62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

Download Submit
C:\Windows\System\UJyOqyJ.exe
Filesize
5.9MB

MD5
8cfcc19b6b1dd9517b393a722c34ed17

SHA1
aa3b70cd4a2c112f6df9602a726b6ddd783b29f0

SHA256
4e9f7a36ed265d261d72fb83afbcf59e3b42880dc6b623d5c73930113f117f85

SHA512
32421e0bffdd5148ef2cbe169288524124236a6c3b5f25599414d9c9e5d2fd1a2e0196d3755cef4af4971e4e8e50bc70b4aa0e06995472ea555233ccc78e0b99

Download Submit
C:\Windows\System\UJyOqyJ.exe
Filesize
5.8MB

MD5
984a8cf637fc9f46a5be1646493a183b

SHA1
eff3045fcb5d0b4a9321004fdd3e94f3f336f5af

SHA256
0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068

SHA512
f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

Download Submit
C:\Windows\System\WEetvbz.exe
Filesize
5.7MB

MD5
1d51a6f9f8f706d40a78f27cac287065

SHA1
981c2096ede4558d1ebc91ef5d6ea849a5e05a26

SHA256
15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1

SHA512
f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

Download Submit
C:\Windows\System\WYrDbJK.exe
Filesize
3.6MB

MD5
0628374c349921c969043e8b725a574d

SHA1
d4d4b61d7abb11c25e423140f9a833a035819e3d

SHA256
6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0

SHA512
2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

Download Submit
C:\Windows\System\dykDgSP.exe
Filesize
5.9MB

MD5
f6cdfb3d88537b367792cbd894bd98ed

SHA1
3d3f99c94c72c456dffcf949bc5d30603a7e936c

SHA256
05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

SHA512
0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

Download Submit
C:\Windows\System\dykDgSP.exe
Filesize
5.9MB

MD5
b770806e36199997912b9f88447357fa

SHA1
d5569b5b34841ced5935f203b25892543d2220ee

SHA256
3eb567f9c446a3c046a6bd410f2e8d35cc94a0099fc612c1b46771650a2d24d0

SHA512
c053b0a02b6fc2b6b2fd970db2d59d78b714525df0ea7a6345bb5a9e289cf145b04306fb906d15bcd973500a0541d980d7fb2b8a9c503355be415254b92c6fca

Download Submit
C:\Windows\System\emlwhFZ.exe
Filesize
960KB

MD5
180ec18cff675908ea09fb02b8edeae7

SHA1
908a0fde6e66598e819044f800d2fb12a2c2d5e4

SHA256
35e0571c2720559fc2e392ef1ac01a4890a7f5a52de790fe0560ba1ddb8b0978

SHA512
f4efca4f8c80307ac309f06271cca1b553bd93330b442aaa71749f3ce5f3d47dab778dbee66162c088762bb8f4726a65ed8e5313f9bd8da09d951b910b9f8e49

Download Submit
C:\Windows\System\emlwhFZ.exe
Filesize
2.4MB

MD5
3c4936ba91eaa69f7fdbfccc9b857022

SHA1
d97c8ba6655ec64594f86192c6bdb9c832040c3a

SHA256
f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10

SHA512
327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9

Download Submit
C:\Windows\System\hBRPzqf.exe
Filesize
5.9MB

MD5
9a0d01c6e389b01a8296100ed127da0a

SHA1
c9412b36d795472d04c4f9c7a57b73542df027fb

SHA256
0670ffd1bd4ff923f5d7be87c361b016bf995a8eb377cdb4c4f5b7b3e51960a6

SHA512
e7c3ed851ec2a3b0a93121dfbf21ba1cb13b39993aa70cb85ad1c2c4f13ea3eb268dcc33d4c0b84af545de6add593a08466984c2a4af6ebae62e57f4ed2394ca

Download Submit
C:\Windows\System\iInDzyy.exe
Filesize
5.9MB

MD5
4cf8952abd6b021a9820a2ef9addf575

SHA1
ff68bdf1c692e671585b1ed088509d14090c6a34

SHA256
f0f3c9b385a4d05d91b774fa727568f66df7ece6a2431c05b1fb9ecc473f4a81

SHA512
2724b6ef705dbb65fe5dd3b4a43c1e409e81f1d8f35c1eef985144d6f0940eef9a1d3e4b941827a0079297f1ce605c8d91c8d8ceef9687d98d6daedf92092e0a

Download Submit
C:\Windows\System\jwrlCaa.exe
Filesize
5.9MB

MD5
026ea13872fc04c177d4b92226038799

SHA1
0c9a5da8cb017adf9d5182e85bf8a4195683bb04

SHA256
9d1477100effde3432ac0d189173c8f78615613ba44042f1c911eefe461e0d69

SHA512
1f1d0d8b04e5e4fb39538d8c403f29c544ea9435cf9ce0fa91b5eb8f6e8444c4545db2df079761f32b0e684dba64ec7a0ac0543464f075b0ebf2d9f67a7dd303

Download Submit
C:\Windows\System\qwgEHtX.exe
Filesize
1.4MB

MD5
0003cb25d8e5fcf51d1ea8407b9410fc

SHA1
fc0940ac8a56e45a19f31c325aba00f814dae439

SHA256
f5fa7230c7358dee6dd18f92cbc76b430b9f4ae3743c5a87ae43ab57b0f17dc2

SHA512
3e0a7f0919968a398f15d36d7bf5f20d80e4d21e13f2a12bc61387d700f7223beda84fce19bb9725494efe691fdd480b4475f6cce34df5d279cf37a6a2663e87

Download Submit
C:\Windows\System\uKvzogZ.exe
Filesize
5.2MB

MD5
03686cfd6bbb43c8ac4dc50889b137b9

SHA1
6800d5588f6a43ca169ee2c40a9fceeb5a54e5ee

SHA256
ca47b446aecd91112038d34e552b47a5f46c4644080b07ddbdc37007b9159471

SHA512
529d5e858f06c4743cb789c3a961b0d51ebcf4e4349ad70aece2c30ac43062a7b4932080525c55fc8af3690ae2760c5e4efdce79b5b27264e9b359474abc77a2

Download Submit
C:\Windows\System\uKvzogZ.exe
Filesize
5.9MB

MD5
22a9fa2b1630a97ed5d62a5891280c11

SHA1
625f8fef9f8da1f1a43003acb6f8fbf92f87f574

SHA256
b16543db8e2fbd174f55c84709cba152ba58e15677abe10703277463e592aff4

SHA512
8939e83a1c4428cc85b97de8cdb7668c4146a0c4be053e14b326ca24408b92fec81e755f3f40a487bbe52c6cb92294080e27614c944856aa41b247ed5051cddf

Download Submit
C:\Windows\System\uPmfmTF.exe
Filesize
5.9MB

MD5
80309fb805c8dabb81a8dcbd68ba3158

SHA1
e86c9da40977f4cd9af82800c0efc6657e769cee

SHA256
f656faf24bfeca768a1e8f324bd771b78f5b7b9102be0b5ee19510f6c0249bee

SHA512
2e44c63abd771e1f204f50d37ee5f891a5ac30d311e0a074efeae1d3d59314af9ae14fb8ac397b8f3b02be51b765432e47ee7a88725fa6df1622f65246c55018

Download Submit
memory/400-154-0x00007FF7EC520000-0x00007FF7EC874000-memory.dmp

Filesize
3.3MB

Download
memory/400-126-0x00007FF7EC520000-0x00007FF7EC874000-memory.dmp

Filesize
3.3MB

Download
memory/1376-144-0x00007FF763F20000-0x00007FF764274000-memory.dmp

Filesize
3.3MB

Download
memory/1376-50-0x00007FF763F20000-0x00007FF764274000-memory.dmp

Filesize
3.3MB

Download
memory/1376-136-0x00007FF763F20000-0x00007FF764274000-memory.dmp

Filesize
3.3MB

Download
memory/1556-65-0x00007FF77F470000-0x00007FF77F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1556-146-0x00007FF77F470000-0x00007FF77F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1708-121-0x00007FF7DFF00000-0x00007FF7E0254000-memory.dmp

Filesize
3.3MB

Download
memory/1708-149-0x00007FF7DFF00000-0x00007FF7E0254000-memory.dmp

Filesize
3.3MB

Download
memory/1748-147-0x00007FF612E50000-0x00007FF6131A4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-119-0x00007FF612E50000-0x00007FF6131A4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-123-0x00007FF73B320000-0x00007FF73B674000-memory.dmp

Filesize
3.3MB

Download
memory/1776-151-0x00007FF73B320000-0x00007FF73B674000-memory.dmp

Filesize
3.3MB

Download
memory/1980-129-0x00007FF746C90000-0x00007FF746FE4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-157-0x00007FF746C90000-0x00007FF746FE4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-145-0x00007FF7F86D0000-0x00007FF7F8A24000-memory.dmp

Filesize
3.3MB

Download
memory/2076-57-0x00007FF7F86D0000-0x00007FF7F8A24000-memory.dmp

Filesize
3.3MB

Download
memory/2228-20-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp

Filesize
3.3MB

Download
memory/2228-139-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp

Filesize
3.3MB

Download
memory/2228-131-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp

Filesize
3.3MB

Download
memory/2348-132-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-26-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-140-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp

Filesize
3.3MB

Download
memory/3008-150-0x00007FF730CE0000-0x00007FF731034000-memory.dmp

Filesize
3.3MB

Download
memory/3008-122-0x00007FF730CE0000-0x00007FF731034000-memory.dmp

Filesize
3.3MB

Download
memory/3480-137-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp

Filesize
3.3MB

Download
memory/3480-118-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp

Filesize
3.3MB

Download
memory/3480-8-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp

Filesize
3.3MB

Download
memory/4148-128-0x00007FF7AA6E0000-0x00007FF7AAA34000-memory.dmp

Filesize
3.3MB

Download
memory/4148-156-0x00007FF7AA6E0000-0x00007FF7AAA34000-memory.dmp

Filesize
3.3MB

Download
memory/4272-141-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-133-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-32-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp

Filesize
3.3MB

Download
memory/4336-124-0x00007FF6AFFF0000-0x00007FF6B0344000-memory.dmp

Filesize
3.3MB

Download
memory/4336-152-0x00007FF6AFFF0000-0x00007FF6B0344000-memory.dmp

Filesize
3.3MB

Download
memory/4548-153-0x00007FF705230000-0x00007FF705584000-memory.dmp

Filesize
3.3MB

Download
memory/4548-125-0x00007FF705230000-0x00007FF705584000-memory.dmp

Filesize
3.3MB

Download
memory/4572-127-0x00007FF646E40000-0x00007FF647194000-memory.dmp

Filesize
3.3MB

Download
memory/4572-155-0x00007FF646E40000-0x00007FF647194000-memory.dmp

Filesize
3.3MB

Download
memory/4596-42-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp

Filesize
3.3MB

Download
memory/4596-135-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp

Filesize
3.3MB

Download
memory/4596-143-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp

Filesize
3.3MB

Download
memory/4648-134-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-38-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-142-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4876-148-0x00007FF6605A0000-0x00007FF6608F4000-memory.dmp

Filesize
3.3MB

Download
memory/4876-120-0x00007FF6605A0000-0x00007FF6608F4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-130-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-14-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-138-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp

Filesize
3.3MB

Download
memory/5020-0-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp

Filesize
3.3MB

Download
memory/5020-1-0x000001570E280000-0x000001570E290000-memory.dmp

Filesize
64KB

Download
memory/5020-56-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp

Filesize
3.3MB

Download