cobaltstrike | 6f363651bc0816e6207946884514f4777457a05222915859aa0da6ed4e939d99

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

288f7dc4adce13ca2b84d1d3c62f2390
SHA1

4fc8b672f3e37361d2b4312076e1101f52924516
SHA256

6f363651bc0816e6207946884514f4777457a05222915859aa0da6ed4e939d99
SHA512

8974ddbe0a579e3e2754f19d3f55c08f02ae9a1afbb1d56cdea2f032d1dab0294b7420e1d61d84e3f232d5c231cb40f7b4fa554e4d55efa2f2b81547a60596d6
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUK:Q+856utgpPF8u/7K

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\QYVCDqs.exe	cobalt_reflective_dll
C:\Windows\System\PYkfFHY.exe	cobalt_reflective_dll
C:\Windows\System\ICeCLNe.exe	cobalt_reflective_dll
C:\Windows\System\ffddBCa.exe	cobalt_reflective_dll
C:\Windows\System\jLJxVrX.exe	cobalt_reflective_dll
C:\Windows\System\JUgunKm.exe	cobalt_reflective_dll
C:\Windows\System\WVCrVDZ.exe	cobalt_reflective_dll
C:\Windows\System\cVFPVZs.exe	cobalt_reflective_dll
C:\Windows\System\DxAhiKv.exe	cobalt_reflective_dll
C:\Windows\System\JMyNUSj.exe	cobalt_reflective_dll
C:\Windows\System\upAbAYw.exe	cobalt_reflective_dll
C:\Windows\System\wtcwyhj.exe	cobalt_reflective_dll
C:\Windows\System\ZlrCAHt.exe	cobalt_reflective_dll
C:\Windows\System\BsGWfwy.exe	cobalt_reflective_dll
C:\Windows\System\eqAlXMQ.exe	cobalt_reflective_dll
C:\Windows\System\bOjfOBI.exe	cobalt_reflective_dll
C:\Windows\System\phcFkza.exe	cobalt_reflective_dll
C:\Windows\System\NmghlLV.exe	cobalt_reflective_dll
C:\Windows\System\qDAOPab.exe	cobalt_reflective_dll
C:\Windows\System\tHPCWhQ.exe	cobalt_reflective_dll
C:\Windows\System\xRBGTkJ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\QYVCDqs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PYkfFHY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ICeCLNe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ffddBCa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jLJxVrX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JUgunKm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WVCrVDZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cVFPVZs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DxAhiKv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JMyNUSj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\upAbAYw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wtcwyhj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZlrCAHt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BsGWfwy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eqAlXMQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bOjfOBI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\phcFkza.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NmghlLV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qDAOPab.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tHPCWhQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xRBGTkJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2696-0-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp	UPX
C:\Windows\System\QYVCDqs.exe	UPX
behavioral2/memory/4556-7-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	UPX
C:\Windows\System\PYkfFHY.exe	UPX
behavioral2/memory/3020-12-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	UPX
C:\Windows\System\ICeCLNe.exe	UPX
behavioral2/memory/4580-18-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	UPX
C:\Windows\System\ffddBCa.exe	UPX
behavioral2/memory/3372-26-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	UPX
C:\Windows\System\jLJxVrX.exe	UPX
behavioral2/memory/5112-34-0x00007FF717510000-0x00007FF717864000-memory.dmp	UPX
C:\Windows\System\JUgunKm.exe	UPX
C:\Windows\System\WVCrVDZ.exe	UPX
behavioral2/memory/1856-38-0x00007FF6D3460000-0x00007FF6D37B4000-memory.dmp	UPX
C:\Windows\System\cVFPVZs.exe	UPX
behavioral2/memory/3284-56-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	UPX
C:\Windows\System\DxAhiKv.exe	UPX
C:\Windows\System\JMyNUSj.exe	UPX
behavioral2/memory/2696-63-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp	UPX
behavioral2/memory/3756-67-0x00007FF6E41C0000-0x00007FF6E4514000-memory.dmp	UPX
behavioral2/memory/4556-69-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	UPX
behavioral2/memory/4928-68-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp	UPX
C:\Windows\System\upAbAYw.exe	UPX
behavioral2/memory/2232-51-0x00007FF784D00000-0x00007FF785054000-memory.dmp	UPX
behavioral2/memory/1772-45-0x00007FF7E60A0000-0x00007FF7E63F4000-memory.dmp	UPX
C:\Windows\System\wtcwyhj.exe	UPX
behavioral2/memory/3468-77-0x00007FF694EC0000-0x00007FF695214000-memory.dmp	UPX
behavioral2/memory/3020-75-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	UPX
behavioral2/memory/4580-83-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	UPX
C:\Windows\System\ZlrCAHt.exe	UPX
behavioral2/memory/1824-85-0x00007FF690040000-0x00007FF690394000-memory.dmp	UPX
behavioral2/memory/3372-90-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	UPX
C:\Windows\System\BsGWfwy.exe	UPX
C:\Windows\System\eqAlXMQ.exe	UPX
behavioral2/memory/4092-93-0x00007FF7C6A30000-0x00007FF7C6D84000-memory.dmp	UPX
C:\Windows\System\bOjfOBI.exe	UPX
behavioral2/memory/628-102-0x00007FF73F320000-0x00007FF73F674000-memory.dmp	UPX
C:\Windows\System\phcFkza.exe	UPX
behavioral2/memory/2232-116-0x00007FF784D00000-0x00007FF785054000-memory.dmp	UPX
behavioral2/memory/5076-123-0x00007FF7DBD80000-0x00007FF7DC0D4000-memory.dmp	UPX
C:\Windows\System\NmghlLV.exe	UPX
behavioral2/memory/3284-131-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	UPX
behavioral2/memory/232-132-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp	UPX
behavioral2/memory/4260-130-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp	UPX
C:\Windows\System\qDAOPab.exe	UPX
behavioral2/memory/4220-125-0x00007FF7D9F40000-0x00007FF7DA294000-memory.dmp	UPX
behavioral2/memory/3636-120-0x00007FF734170000-0x00007FF7344C4000-memory.dmp	UPX
C:\Windows\System\tHPCWhQ.exe	UPX
C:\Windows\System\xRBGTkJ.exe	UPX
behavioral2/memory/3608-105-0x00007FF7B9560000-0x00007FF7B98B4000-memory.dmp	UPX
behavioral2/memory/4928-135-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp	UPX
behavioral2/memory/3636-136-0x00007FF734170000-0x00007FF7344C4000-memory.dmp	UPX
behavioral2/memory/4260-137-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp	UPX
behavioral2/memory/232-138-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp	UPX
behavioral2/memory/4556-139-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	UPX
behavioral2/memory/3020-140-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	UPX
behavioral2/memory/4580-141-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	UPX
behavioral2/memory/3372-142-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	UPX
behavioral2/memory/5112-143-0x00007FF717510000-0x00007FF717864000-memory.dmp	UPX
behavioral2/memory/1856-144-0x00007FF6D3460000-0x00007FF6D37B4000-memory.dmp	UPX
behavioral2/memory/1772-145-0x00007FF7E60A0000-0x00007FF7E63F4000-memory.dmp	UPX
behavioral2/memory/2232-146-0x00007FF784D00000-0x00007FF785054000-memory.dmp	UPX
behavioral2/memory/3284-147-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	UPX
behavioral2/memory/3756-148-0x00007FF6E41C0000-0x00007FF6E4514000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2696-0-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp	xmrig
C:\Windows\System\QYVCDqs.exe	xmrig
behavioral2/memory/4556-7-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	xmrig
C:\Windows\System\PYkfFHY.exe	xmrig
behavioral2/memory/3020-12-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	xmrig
C:\Windows\System\ICeCLNe.exe	xmrig
behavioral2/memory/4580-18-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	xmrig
C:\Windows\System\ffddBCa.exe	xmrig
behavioral2/memory/3372-26-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	xmrig
C:\Windows\System\jLJxVrX.exe	xmrig
behavioral2/memory/5112-34-0x00007FF717510000-0x00007FF717864000-memory.dmp	xmrig
C:\Windows\System\JUgunKm.exe	xmrig
C:\Windows\System\WVCrVDZ.exe	xmrig
behavioral2/memory/1856-38-0x00007FF6D3460000-0x00007FF6D37B4000-memory.dmp	xmrig
C:\Windows\System\cVFPVZs.exe	xmrig
behavioral2/memory/3284-56-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	xmrig
C:\Windows\System\DxAhiKv.exe	xmrig
C:\Windows\System\JMyNUSj.exe	xmrig
behavioral2/memory/2696-63-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp	xmrig
behavioral2/memory/3756-67-0x00007FF6E41C0000-0x00007FF6E4514000-memory.dmp	xmrig
behavioral2/memory/4556-69-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	xmrig
behavioral2/memory/4928-68-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp	xmrig
C:\Windows\System\upAbAYw.exe	xmrig
behavioral2/memory/2232-51-0x00007FF784D00000-0x00007FF785054000-memory.dmp	xmrig
behavioral2/memory/1772-45-0x00007FF7E60A0000-0x00007FF7E63F4000-memory.dmp	xmrig
C:\Windows\System\wtcwyhj.exe	xmrig
behavioral2/memory/3468-77-0x00007FF694EC0000-0x00007FF695214000-memory.dmp	xmrig
behavioral2/memory/3020-75-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	xmrig
behavioral2/memory/4580-83-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	xmrig
C:\Windows\System\ZlrCAHt.exe	xmrig
behavioral2/memory/1824-85-0x00007FF690040000-0x00007FF690394000-memory.dmp	xmrig
behavioral2/memory/3372-90-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	xmrig
C:\Windows\System\BsGWfwy.exe	xmrig
C:\Windows\System\eqAlXMQ.exe	xmrig
behavioral2/memory/4092-93-0x00007FF7C6A30000-0x00007FF7C6D84000-memory.dmp	xmrig
C:\Windows\System\bOjfOBI.exe	xmrig
behavioral2/memory/628-102-0x00007FF73F320000-0x00007FF73F674000-memory.dmp	xmrig
C:\Windows\System\phcFkza.exe	xmrig
behavioral2/memory/2232-116-0x00007FF784D00000-0x00007FF785054000-memory.dmp	xmrig
behavioral2/memory/5076-123-0x00007FF7DBD80000-0x00007FF7DC0D4000-memory.dmp	xmrig
C:\Windows\System\NmghlLV.exe	xmrig
behavioral2/memory/3284-131-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	xmrig
behavioral2/memory/232-132-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp	xmrig
behavioral2/memory/4260-130-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp	xmrig
C:\Windows\System\qDAOPab.exe	xmrig
behavioral2/memory/4220-125-0x00007FF7D9F40000-0x00007FF7DA294000-memory.dmp	xmrig
behavioral2/memory/3636-120-0x00007FF734170000-0x00007FF7344C4000-memory.dmp	xmrig
C:\Windows\System\tHPCWhQ.exe	xmrig
C:\Windows\System\xRBGTkJ.exe	xmrig
behavioral2/memory/3608-105-0x00007FF7B9560000-0x00007FF7B98B4000-memory.dmp	xmrig
behavioral2/memory/4928-135-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp	xmrig
behavioral2/memory/3636-136-0x00007FF734170000-0x00007FF7344C4000-memory.dmp	xmrig
behavioral2/memory/4260-137-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp	xmrig
behavioral2/memory/232-138-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp	xmrig
behavioral2/memory/4556-139-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	xmrig
behavioral2/memory/3020-140-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	xmrig
behavioral2/memory/4580-141-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	xmrig
behavioral2/memory/3372-142-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	xmrig
behavioral2/memory/5112-143-0x00007FF717510000-0x00007FF717864000-memory.dmp	xmrig
behavioral2/memory/1856-144-0x00007FF6D3460000-0x00007FF6D37B4000-memory.dmp	xmrig
behavioral2/memory/1772-145-0x00007FF7E60A0000-0x00007FF7E63F4000-memory.dmp	xmrig
behavioral2/memory/2232-146-0x00007FF784D00000-0x00007FF785054000-memory.dmp	xmrig
behavioral2/memory/3284-147-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	xmrig
behavioral2/memory/3756-148-0x00007FF6E41C0000-0x00007FF6E4514000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

QYVCDqs.exeICeCLNe.exePYkfFHY.exeffddBCa.exejLJxVrX.exeJUgunKm.exeWVCrVDZ.execVFPVZs.exeDxAhiKv.exeJMyNUSj.exeupAbAYw.exewtcwyhj.exebOjfOBI.exeZlrCAHt.exeBsGWfwy.exeeqAlXMQ.exexRBGTkJ.exephcFkza.exetHPCWhQ.exeqDAOPab.exeNmghlLV.exe

pid	process
4556	QYVCDqs.exe
3020	ICeCLNe.exe
4580	PYkfFHY.exe
3372	ffddBCa.exe
5112	jLJxVrX.exe
1856	JUgunKm.exe
1772	WVCrVDZ.exe
2232	cVFPVZs.exe
3284	DxAhiKv.exe
3756	JMyNUSj.exe
4928	upAbAYw.exe
3468	wtcwyhj.exe
1824	bOjfOBI.exe
4092	ZlrCAHt.exe
628	BsGWfwy.exe
3608	eqAlXMQ.exe
3636	xRBGTkJ.exe
5076	phcFkza.exe
4220	tHPCWhQ.exe
4260	qDAOPab.exe
232	NmghlLV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2696-0-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp	upx
C:\Windows\System\QYVCDqs.exe	upx
behavioral2/memory/4556-7-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	upx
C:\Windows\System\PYkfFHY.exe	upx
behavioral2/memory/3020-12-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	upx
C:\Windows\System\ICeCLNe.exe	upx
behavioral2/memory/4580-18-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	upx
C:\Windows\System\ffddBCa.exe	upx
behavioral2/memory/3372-26-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	upx
C:\Windows\System\jLJxVrX.exe	upx
behavioral2/memory/5112-34-0x00007FF717510000-0x00007FF717864000-memory.dmp	upx
C:\Windows\System\JUgunKm.exe	upx
C:\Windows\System\WVCrVDZ.exe	upx
behavioral2/memory/1856-38-0x00007FF6D3460000-0x00007FF6D37B4000-memory.dmp	upx
C:\Windows\System\cVFPVZs.exe	upx
behavioral2/memory/3284-56-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	upx
C:\Windows\System\DxAhiKv.exe	upx
C:\Windows\System\JMyNUSj.exe	upx
behavioral2/memory/2696-63-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp	upx
behavioral2/memory/3756-67-0x00007FF6E41C0000-0x00007FF6E4514000-memory.dmp	upx
behavioral2/memory/4556-69-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	upx
behavioral2/memory/4928-68-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp	upx
C:\Windows\System\upAbAYw.exe	upx
behavioral2/memory/2232-51-0x00007FF784D00000-0x00007FF785054000-memory.dmp	upx
behavioral2/memory/1772-45-0x00007FF7E60A0000-0x00007FF7E63F4000-memory.dmp	upx
C:\Windows\System\wtcwyhj.exe	upx
behavioral2/memory/3468-77-0x00007FF694EC0000-0x00007FF695214000-memory.dmp	upx
behavioral2/memory/3020-75-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	upx
behavioral2/memory/4580-83-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	upx
C:\Windows\System\ZlrCAHt.exe	upx
behavioral2/memory/1824-85-0x00007FF690040000-0x00007FF690394000-memory.dmp	upx
behavioral2/memory/3372-90-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	upx
C:\Windows\System\BsGWfwy.exe	upx
C:\Windows\System\eqAlXMQ.exe	upx
behavioral2/memory/4092-93-0x00007FF7C6A30000-0x00007FF7C6D84000-memory.dmp	upx
C:\Windows\System\bOjfOBI.exe	upx
behavioral2/memory/628-102-0x00007FF73F320000-0x00007FF73F674000-memory.dmp	upx
C:\Windows\System\phcFkza.exe	upx
behavioral2/memory/2232-116-0x00007FF784D00000-0x00007FF785054000-memory.dmp	upx
behavioral2/memory/5076-123-0x00007FF7DBD80000-0x00007FF7DC0D4000-memory.dmp	upx
C:\Windows\System\NmghlLV.exe	upx
behavioral2/memory/3284-131-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	upx
behavioral2/memory/232-132-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp	upx
behavioral2/memory/4260-130-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp	upx
C:\Windows\System\qDAOPab.exe	upx
behavioral2/memory/4220-125-0x00007FF7D9F40000-0x00007FF7DA294000-memory.dmp	upx
behavioral2/memory/3636-120-0x00007FF734170000-0x00007FF7344C4000-memory.dmp	upx
C:\Windows\System\tHPCWhQ.exe	upx
C:\Windows\System\xRBGTkJ.exe	upx
behavioral2/memory/3608-105-0x00007FF7B9560000-0x00007FF7B98B4000-memory.dmp	upx
behavioral2/memory/4928-135-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp	upx
behavioral2/memory/3636-136-0x00007FF734170000-0x00007FF7344C4000-memory.dmp	upx
behavioral2/memory/4260-137-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp	upx
behavioral2/memory/232-138-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp	upx
behavioral2/memory/4556-139-0x00007FF716B20000-0x00007FF716E74000-memory.dmp	upx
behavioral2/memory/3020-140-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp	upx
behavioral2/memory/4580-141-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp	upx
behavioral2/memory/3372-142-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp	upx
behavioral2/memory/5112-143-0x00007FF717510000-0x00007FF717864000-memory.dmp	upx
behavioral2/memory/1856-144-0x00007FF6D3460000-0x00007FF6D37B4000-memory.dmp	upx
behavioral2/memory/1772-145-0x00007FF7E60A0000-0x00007FF7E63F4000-memory.dmp	upx
behavioral2/memory/2232-146-0x00007FF784D00000-0x00007FF785054000-memory.dmp	upx
behavioral2/memory/3284-147-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp	upx
behavioral2/memory/3756-148-0x00007FF6E41C0000-0x00007FF6E4514000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\phcFkza.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ICeCLNe.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cVFPVZs.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DxAhiKv.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JMyNUSj.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BsGWfwy.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eqAlXMQ.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PYkfFHY.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ffddBCa.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NmghlLV.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZlrCAHt.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xRBGTkJ.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QYVCDqs.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JUgunKm.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WVCrVDZ.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\upAbAYw.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wtcwyhj.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bOjfOBI.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tHPCWhQ.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qDAOPab.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jLJxVrX.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2696 wrote to memory of 4556	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	QYVCDqs.exe
PID 2696 wrote to memory of 4556	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	QYVCDqs.exe
PID 2696 wrote to memory of 3020	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	ICeCLNe.exe
PID 2696 wrote to memory of 3020	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	ICeCLNe.exe
PID 2696 wrote to memory of 4580	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	PYkfFHY.exe
PID 2696 wrote to memory of 4580	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	PYkfFHY.exe
PID 2696 wrote to memory of 3372	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	ffddBCa.exe
PID 2696 wrote to memory of 3372	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	ffddBCa.exe
PID 2696 wrote to memory of 5112	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	jLJxVrX.exe
PID 2696 wrote to memory of 5112	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	jLJxVrX.exe
PID 2696 wrote to memory of 1856	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	JUgunKm.exe
PID 2696 wrote to memory of 1856	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	JUgunKm.exe
PID 2696 wrote to memory of 1772	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	WVCrVDZ.exe
PID 2696 wrote to memory of 1772	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	WVCrVDZ.exe
PID 2696 wrote to memory of 2232	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	cVFPVZs.exe
PID 2696 wrote to memory of 2232	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	cVFPVZs.exe
PID 2696 wrote to memory of 3284	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	DxAhiKv.exe
PID 2696 wrote to memory of 3284	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	DxAhiKv.exe
PID 2696 wrote to memory of 3756	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	JMyNUSj.exe
PID 2696 wrote to memory of 3756	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	JMyNUSj.exe
PID 2696 wrote to memory of 4928	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	upAbAYw.exe
PID 2696 wrote to memory of 4928	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	upAbAYw.exe
PID 2696 wrote to memory of 3468	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	wtcwyhj.exe
PID 2696 wrote to memory of 3468	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	wtcwyhj.exe
PID 2696 wrote to memory of 1824	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	bOjfOBI.exe
PID 2696 wrote to memory of 1824	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	bOjfOBI.exe
PID 2696 wrote to memory of 4092	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	ZlrCAHt.exe
PID 2696 wrote to memory of 4092	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	ZlrCAHt.exe
PID 2696 wrote to memory of 628	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	BsGWfwy.exe
PID 2696 wrote to memory of 628	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	BsGWfwy.exe
PID 2696 wrote to memory of 3608	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	eqAlXMQ.exe
PID 2696 wrote to memory of 3608	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	eqAlXMQ.exe
PID 2696 wrote to memory of 3636	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	xRBGTkJ.exe
PID 2696 wrote to memory of 3636	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	xRBGTkJ.exe
PID 2696 wrote to memory of 5076	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	phcFkza.exe
PID 2696 wrote to memory of 5076	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	phcFkza.exe
PID 2696 wrote to memory of 4220	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	tHPCWhQ.exe
PID 2696 wrote to memory of 4220	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	tHPCWhQ.exe
PID 2696 wrote to memory of 4260	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	qDAOPab.exe
PID 2696 wrote to memory of 4260	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	qDAOPab.exe
PID 2696 wrote to memory of 232	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	NmghlLV.exe
PID 2696 wrote to memory of 232	2696	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	NmghlLV.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\System\QYVCDqs.exe
C:\Windows\System\QYVCDqs.exe
2⤵
- Executes dropped EXE
PID:4556

C:\Windows\System\ICeCLNe.exe
C:\Windows\System\ICeCLNe.exe
2⤵
- Executes dropped EXE
PID:3020

C:\Windows\System\PYkfFHY.exe
C:\Windows\System\PYkfFHY.exe
2⤵
- Executes dropped EXE
PID:4580

C:\Windows\System\ffddBCa.exe
C:\Windows\System\ffddBCa.exe
2⤵
- Executes dropped EXE
PID:3372

C:\Windows\System\jLJxVrX.exe
C:\Windows\System\jLJxVrX.exe
2⤵
- Executes dropped EXE
PID:5112

C:\Windows\System\JUgunKm.exe
C:\Windows\System\JUgunKm.exe
2⤵
- Executes dropped EXE
PID:1856

C:\Windows\System\WVCrVDZ.exe
C:\Windows\System\WVCrVDZ.exe
2⤵
- Executes dropped EXE
PID:1772

C:\Windows\System\cVFPVZs.exe
C:\Windows\System\cVFPVZs.exe
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\System\DxAhiKv.exe
C:\Windows\System\DxAhiKv.exe
2⤵
- Executes dropped EXE
PID:3284

C:\Windows\System\JMyNUSj.exe
C:\Windows\System\JMyNUSj.exe
2⤵
- Executes dropped EXE
PID:3756

C:\Windows\System\upAbAYw.exe
C:\Windows\System\upAbAYw.exe
2⤵
- Executes dropped EXE
PID:4928

C:\Windows\System\wtcwyhj.exe
C:\Windows\System\wtcwyhj.exe
2⤵
- Executes dropped EXE
PID:3468

C:\Windows\System\bOjfOBI.exe
C:\Windows\System\bOjfOBI.exe
2⤵
- Executes dropped EXE
PID:1824

C:\Windows\System\ZlrCAHt.exe
C:\Windows\System\ZlrCAHt.exe
2⤵
- Executes dropped EXE
PID:4092

C:\Windows\System\BsGWfwy.exe
C:\Windows\System\BsGWfwy.exe
2⤵
- Executes dropped EXE
PID:628

C:\Windows\System\eqAlXMQ.exe
C:\Windows\System\eqAlXMQ.exe
2⤵
- Executes dropped EXE
PID:3608

C:\Windows\System\xRBGTkJ.exe
C:\Windows\System\xRBGTkJ.exe
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\System\phcFkza.exe
C:\Windows\System\phcFkza.exe
2⤵
- Executes dropped EXE
PID:5076

C:\Windows\System\tHPCWhQ.exe
C:\Windows\System\tHPCWhQ.exe
2⤵
- Executes dropped EXE
PID:4220

C:\Windows\System\qDAOPab.exe
C:\Windows\System\qDAOPab.exe
2⤵
- Executes dropped EXE
PID:4260

C:\Windows\System\NmghlLV.exe
C:\Windows\System\NmghlLV.exe
2⤵
- Executes dropped EXE
PID:232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BsGWfwy.exe
Filesize
5.9MB

MD5
c15901a484b8058bb494adbef5b9f6e3

SHA1
0521ab3b0fc78055e8fb59a8973f737a4c50e62f

SHA256
6cbefaf321dbec6d6f363605f9a8413a7c53ec94b773a04e5deb33cb394e9614

SHA512
64606d1c1b1f3785b656710d4ec287b4a3455b3b30a98401ed3416d74cd8c6c7a8616923ea22a23befd30a38c10966ab4f7bb48bb60379c230faaef39b0103ff

Download Submit
C:\Windows\System\DxAhiKv.exe
Filesize
5.9MB

MD5
8ec64f9e15ec81a5330f821e5b281306

SHA1
26f19d0aed88259f05fe11c145c7f94ab160ab8e

SHA256
3bfa05ddc4894c64c25332756d3358b50dfc9094ee65fafe01a1f672b5a1cb57

SHA512
2a59a74fe8ee82cd429eede754e166bffc7aecced1dfc7c1c95542cf45737da3e12eda9c72e08ff9d03e6da2d742ab2f552307a1cd2908c5ebd9077550e9e162

Download Submit
C:\Windows\System\ICeCLNe.exe
Filesize
5.9MB

MD5
3a0b111b8e1c40be242c79572987c0c5

SHA1
1b5acae105f1369cdc12eb0dc4baeeb62c72a2e3

SHA256
b7d62f786a142044f8a04eb84219be0704e8d8e6197761d73034a505d551bc35

SHA512
c22122e619015a0670634bdc6cf7d400979d17268b2dc00eddb9c667a4b860a37dc6958c46cf56cec70157799e7fc2b286c894d6e6a6fe93cf846fd0c6029558

Download Submit
C:\Windows\System\JMyNUSj.exe
Filesize
5.9MB

MD5
8c5f7feb26dd2365753725cc00f25633

SHA1
1863979080324c34ef875999100d34fdc624b5ee

SHA256
14931023c87bfc4322b6f8068c54a6d40a590170aff363bd1a84a8f6b956c2a5

SHA512
2e7a45c0cd1ee8d9b8f05cdad4a1c2345210875d54803f148dd5ba7a458462e65e2fc41d8fabb5469ed565748a393d21ff84e912c8af6cda628480f227116000

Download Submit
C:\Windows\System\JUgunKm.exe
Filesize
5.9MB

MD5
1bb16a8a871e6b550090d673acdf8a31

SHA1
fe4609720369dc29941af0298041e09696a31938

SHA256
827ac2514b8ec23d8d7f509d4f7b74b903748365f1c8931aaaa315af3a9894cd

SHA512
7e07a033d96f4a06865f95d2aaf13a44046dd4f9d6e176988004962b38ba3364b5dbe03a51770d335378b64f2a81cb3c1d5c11cef961d375ac03cbb9bff7896e

Download Submit
C:\Windows\System\NmghlLV.exe
Filesize
5.9MB

MD5
dc31e22fa3802cfc10460ec38efd8fee

SHA1
28e29199a9db6f11e1a818181269a3c09a53b25a

SHA256
a37cf7c889370f3cfa30732111779148aabb2b3f5f740d0bcb659ee738fc3299

SHA512
be5fb5ab6cc0a03d386337dd3c537d67b26ae8ec7a0603d64398ab71d2786a99c8283d5ac321f1a9089523e1405642661424cb038e478182d50837b84a6a243e

Download Submit
C:\Windows\System\PYkfFHY.exe
Filesize
5.9MB

MD5
4d8d25c118c5bf98db667c8d50519ff2

SHA1
5d70c35a98bc4533f58506c6a843069ec9aeeaef

SHA256
00d27e6867a81df0fde91dbc6e31529fe4db30faa8925f32962d0f0e23aeff3b

SHA512
d3f63c5c23020179ab84f3c9db5b07d44792b49902b5143cc6e23906e3db77ef27bd8f320b42b3a282e3882140f6356b4991fa29f1e884afad3f6d6d75d4b592

Download Submit
C:\Windows\System\QYVCDqs.exe
Filesize
5.9MB

MD5
8875b2126ff80a083b02e744e2f9c3cd

SHA1
a00f3ecec1e0cce2adfe8d3b83c3ff8a0147139d

SHA256
d720430c4f8f2539e8a77da5d521f2e18fb8335c8cd3e2dce131d654fcb0ed93

SHA512
2968fe821769af41e97b86ffcff3508bce554df289d3270f13b842fa72e49dfe485c1a39bfdd4537d1b430c306aaf879c251129b9b667a4e0563cb6cb43fb8d9

Download Submit
C:\Windows\System\WVCrVDZ.exe
Filesize
5.9MB

MD5
657dc9950cb431fc56c529696ed84998

SHA1
4f762d1c4ee8715002f977aaff385638849741ef

SHA256
4f2a0d56ad1ec96f6f18263c89046d107a058bed70b16795a64b2bc7e50a11c8

SHA512
187d95574ddcbc06697dfbf8f6b78df6ba94f698232f5da20bd0eabb8f40ac6814aaad0595ac158ca01667336ea5a6659ffe6fa5ac1f8719413a9538ba38f2fa

Download Submit
C:\Windows\System\ZlrCAHt.exe
Filesize
5.9MB

MD5
bb13da2c92094f38433e17f79892b533

SHA1
f031dc6143fcba595fe0e0ce8bc467d124cdd6b9

SHA256
acb00fae7c2ca5ff9c2fcb7ba3e45f3c29e9ea7cad299667030d802bdf8dc0bd

SHA512
882223592e7a9e8bdbd5c6d85b58617fc7325d047477690525c0e071a8f7cd95e5c45e3215187c0d20d3c5b5e607ba122e0645f1e03e50178f21736abe344d98

Download Submit
C:\Windows\System\bOjfOBI.exe
Filesize
5.9MB

MD5
e8d6519cfbd570ed7947ca662bff7d6f

SHA1
db97158e44449ce44e6d53edd184ebb4deaf261d

SHA256
934a0070ec6569e5f159e14abd0da06f06d2c5c4f97e4def401e91c37db0574b

SHA512
2954729a2541a4dac83bc264cab273d135f8b766f62a2eb088ce014c6f6fd1ae8821d61c6e83bb9bb708c892066c2910c2fa0d3c0689e99363b78f970972da93

Download Submit
C:\Windows\System\cVFPVZs.exe
Filesize
5.9MB

MD5
3a02dbce0667ecf6da7b8db96967d8fb

SHA1
668cd9b36cf5b865aa230035d39d6280963c7877

SHA256
c7c23417f1676a27f8e189283131ffd991e2632b9c95bcc048b057a59f8a6838

SHA512
0ec570dd4bedf04228a60a62ffa5bd26cbca396807b8ac838a9300d9fd781338a435a10e18de6b0b179923c7071e5f1fb84f0b434e31453275b48e6bc8caddf0

Download Submit
C:\Windows\System\eqAlXMQ.exe
Filesize
5.9MB

MD5
8a5cb4df9613f11ba90675ba6ffcb283

SHA1
73ba4db5a2a55c7b15329667c4e9cf20da33bb09

SHA256
fde8d0751599cfde962a7617da60c9c11d6ac92d9d9466c3caf2f83a80da962e

SHA512
42ae14066167521c5d10d15c3a224550699d162a81e5582600d65e9913bf57d7962afcb195d76b9b7b67bc26f75f3d52a81e902e9d5eab87d0efa26fb10eb705

Download Submit
C:\Windows\System\ffddBCa.exe
Filesize
5.9MB

MD5
4f88caa2d7b27725a76cf30e65be0eeb

SHA1
35968e289e3a212ea239e1c77be6b62ef78a3870

SHA256
c25c7b213dd8e1f69ef967895ea91088ae181fcb346661d51efacd89e602d812

SHA512
6967bc85fc332d2882ffb0ab1428ba954166e81b389b6b32ff132a6d48675332c54ac39b432e9a1cb3421f85d96c0b51ee4bf28292898747df847f93ee16c578

Download Submit
C:\Windows\System\jLJxVrX.exe
Filesize
5.9MB

MD5
1eadaab65f5595fa94dde7c7c9153474

SHA1
21c98146a8c1c925dce9fe2c6cce48c72a4232cb

SHA256
9bca224c392feed092645b3c4c0293fb50429b2384195b37ce0d6e64ef547ec5

SHA512
79094959a814614201f75a6bef961baefc4c7f1c06b30d4de17cd5f3bb1718f930e7d9f4b43c52cd37d3e80c870ade9d085d8fdbbfd6a19f021b78ae333c2b14

Download Submit
C:\Windows\System\phcFkza.exe
Filesize
5.9MB

MD5
673c7b79b37aa8e8505984383c26da8e

SHA1
d40ff46f2ac4180de1405544b5b2b1607cd5a31d

SHA256
87292a7d7f24a776820e036c4d3162eade7a521981bb78f220ca51f6b27faadf

SHA512
1dd782835fde420b800dbc920bffabe7b2179ef89a7bf0cbae2af376ee270dcf9611b4cbf893cc758e477d62ccdfc9c1e8778d68ba2eef69ffb8639b7c51e994

Download Submit
C:\Windows\System\qDAOPab.exe
Filesize
5.9MB

MD5
8d914b101384c4405c7cce93d31ef572

SHA1
8663fba72553d6eed5fdd83ba27329d43c8d3514

SHA256
c18af714290781811f13ef005141bb2e73871034b17bc35f65cae9dbd4b93540

SHA512
c00b56b9b5a9d3259bca303113b6716c0744bc2120d6fc434bb36857340bc57338867adb2d92db08d0bca7af928ba8853088fd389a944cfac242f30e134f8555

Download Submit
C:\Windows\System\tHPCWhQ.exe
Filesize
5.9MB

MD5
162b158a4e5616c127873188568a7c60

SHA1
d27ab524cc8046568360de634f5038e810e0ba9a

SHA256
76d8c784398b65d53739553c4149baf280b16b9eb89b6d78d54077160cf78776

SHA512
0cbd243df0ea161c3a419da2cde7d236b019db81d55619d5b38517e9b0370258fa1bc9fb01b45ae095b8e30e9f31803174e752a1003089a6bf8ac6b009cc8c78

Download Submit
C:\Windows\System\upAbAYw.exe
Filesize
5.9MB

MD5
f05afb84152c4443d9751d6be4be244d

SHA1
b13e6f2961b14144ecfdbe093801de566270f8a7

SHA256
43dc37e3bde00c77d1021e743538be85efb476c50e47ead66d8d8cd0312aad99

SHA512
3439986e8d14a150dddca6fb2dd18e82c4c8fa9a0ca3a287d9932d174beb77d5262000548b3e698fd3082f1f377cd56342b33b989c69d5fbe6079363b57ebcb4

Download Submit
C:\Windows\System\wtcwyhj.exe
Filesize
5.9MB

MD5
e65923a78a9a9d4ba1368409b08114b7

SHA1
2936a6d0ac4ae937f7ad46828ac0d405282154e1

SHA256
5b1472d49f1fff5d639c5b4cf3331ea3a138413fcb20cffc642d53f5f9d48ab0

SHA512
d4a0c4e36c27966ff4aaa6b870117232f2bf15bef664c914aeefda0588ec9dc418deb5108e14a2ebdc82e236304909c2d85d76910fa2db7d8c28e8ade94b1447

Download Submit
C:\Windows\System\xRBGTkJ.exe
Filesize
5.9MB

MD5
60dc21af09638006297c05bee0c2f730

SHA1
13d19822931659b043b843bbdcecf4b22d49c17d

SHA256
034ee4738e42c648c4e67f95837c6380b135b8477c82e38a8e5eae7743873926

SHA512
6c079cdfa9e01993fff2f10c0bac50f58475f78a330ac2a3b5d9715dcb5c0c37d1e5a8f361f2c9791a5199bc90ca043dfc38d0506c0361a602a53d8b492a980d

Download Submit
memory/232-138-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp

Filesize
3.3MB

Download
memory/232-132-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp

Filesize
3.3MB

Download
memory/232-159-0x00007FF6EA1E0000-0x00007FF6EA534000-memory.dmp

Filesize
3.3MB

Download
memory/628-153-0x00007FF73F320000-0x00007FF73F674000-memory.dmp

Filesize
3.3MB

Download
memory/628-102-0x00007FF73F320000-0x00007FF73F674000-memory.dmp

Filesize
3.3MB

Download
memory/1772-45-0x00007FF7E60A0000-0x00007FF7E63F4000-memory.dmp

Filesize
3.3MB

Download
memory/1772-145-0x00007FF7E60A0000-0x00007FF7E63F4000-memory.dmp

Filesize
3.3MB

Download
memory/1824-85-0x00007FF690040000-0x00007FF690394000-memory.dmp

Filesize
3.3MB

Download
memory/1824-151-0x00007FF690040000-0x00007FF690394000-memory.dmp

Filesize
3.3MB

Download
memory/1856-144-0x00007FF6D3460000-0x00007FF6D37B4000-memory.dmp

Filesize
3.3MB

Download
memory/1856-38-0x00007FF6D3460000-0x00007FF6D37B4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-146-0x00007FF784D00000-0x00007FF785054000-memory.dmp

Filesize
3.3MB

Download
memory/2232-116-0x00007FF784D00000-0x00007FF785054000-memory.dmp

Filesize
3.3MB

Download
memory/2232-51-0x00007FF784D00000-0x00007FF785054000-memory.dmp

Filesize
3.3MB

Download
memory/2696-63-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp

Filesize
3.3MB

Download
memory/2696-0-0x00007FF63C5B0000-0x00007FF63C904000-memory.dmp

Filesize
3.3MB

Download
memory/2696-1-0x000001D365AF0000-0x000001D365B00000-memory.dmp

Filesize
64KB

Download
memory/3020-75-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-12-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-140-0x00007FF6E57A0000-0x00007FF6E5AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3284-147-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp

Filesize
3.3MB

Download
memory/3284-131-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp

Filesize
3.3MB

Download
memory/3284-56-0x00007FF7CAED0000-0x00007FF7CB224000-memory.dmp

Filesize
3.3MB

Download
memory/3372-90-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp

Filesize
3.3MB

Download
memory/3372-26-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp

Filesize
3.3MB

Download
memory/3372-142-0x00007FF7CD430000-0x00007FF7CD784000-memory.dmp

Filesize
3.3MB

Download
memory/3468-150-0x00007FF694EC0000-0x00007FF695214000-memory.dmp

Filesize
3.3MB

Download
memory/3468-77-0x00007FF694EC0000-0x00007FF695214000-memory.dmp

Filesize
3.3MB

Download
memory/3608-105-0x00007FF7B9560000-0x00007FF7B98B4000-memory.dmp

Filesize
3.3MB

Download
memory/3608-154-0x00007FF7B9560000-0x00007FF7B98B4000-memory.dmp

Filesize
3.3MB

Download
memory/3636-120-0x00007FF734170000-0x00007FF7344C4000-memory.dmp

Filesize
3.3MB

Download
memory/3636-136-0x00007FF734170000-0x00007FF7344C4000-memory.dmp

Filesize
3.3MB

Download
memory/3636-157-0x00007FF734170000-0x00007FF7344C4000-memory.dmp

Filesize
3.3MB

Download
memory/3756-67-0x00007FF6E41C0000-0x00007FF6E4514000-memory.dmp

Filesize
3.3MB

Download
memory/3756-148-0x00007FF6E41C0000-0x00007FF6E4514000-memory.dmp

Filesize
3.3MB

Download
memory/4092-93-0x00007FF7C6A30000-0x00007FF7C6D84000-memory.dmp

Filesize
3.3MB

Download
memory/4092-152-0x00007FF7C6A30000-0x00007FF7C6D84000-memory.dmp

Filesize
3.3MB

Download
memory/4220-125-0x00007FF7D9F40000-0x00007FF7DA294000-memory.dmp

Filesize
3.3MB

Download
memory/4220-156-0x00007FF7D9F40000-0x00007FF7DA294000-memory.dmp

Filesize
3.3MB

Download
memory/4260-130-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4260-137-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4260-158-0x00007FF678BA0000-0x00007FF678EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4556-7-0x00007FF716B20000-0x00007FF716E74000-memory.dmp

Filesize
3.3MB

Download
memory/4556-69-0x00007FF716B20000-0x00007FF716E74000-memory.dmp

Filesize
3.3MB

Download
memory/4556-139-0x00007FF716B20000-0x00007FF716E74000-memory.dmp

Filesize
3.3MB

Download
memory/4580-18-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp

Filesize
3.3MB

Download
memory/4580-141-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp

Filesize
3.3MB

Download
memory/4580-83-0x00007FF78EB90000-0x00007FF78EEE4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-149-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp

Filesize
3.3MB

Download
memory/4928-68-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp

Filesize
3.3MB

Download
memory/4928-135-0x00007FF6A5540000-0x00007FF6A5894000-memory.dmp

Filesize
3.3MB

Download
memory/5076-123-0x00007FF7DBD80000-0x00007FF7DC0D4000-memory.dmp

Filesize
3.3MB

Download
memory/5076-155-0x00007FF7DBD80000-0x00007FF7DC0D4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-34-0x00007FF717510000-0x00007FF717864000-memory.dmp

Filesize
3.3MB

Download
memory/5112-143-0x00007FF717510000-0x00007FF717864000-memory.dmp

Filesize
3.3MB

Download