cobaltstrike | 15f24b5aa5013c6881d9c0802a27af972e42de5047472d32d827acbf8f5308e3

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

5b2c5dabf9197182f332b41ce31aef09
SHA1

ee9aec982d9d9695c1ea5376275b8cb34154eab5
SHA256

15f24b5aa5013c6881d9c0802a27af972e42de5047472d32d827acbf8f5308e3
SHA512

e067d0d70bcabbac3ac759fbfc5ab44bf240dca4663d79325d67bd8545f448b777e77cc8e95fd498f035b6133045cfc752b3d69c1eef7b22f99ccfab1e6ef666
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUa:Q+856utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\pqSSlZM.exe	cobalt_reflective_dll
C:\Windows\System\ihYoFKS.exe	cobalt_reflective_dll
C:\Windows\System\sZRwWqr.exe	cobalt_reflective_dll
C:\Windows\System\tsgqlQR.exe	cobalt_reflective_dll
C:\Windows\System\WXsaUbE.exe	cobalt_reflective_dll
C:\Windows\System\NEMRlBo.exe	cobalt_reflective_dll
C:\Windows\System\dWYHfem.exe	cobalt_reflective_dll
C:\Windows\System\GSpislx.exe	cobalt_reflective_dll
C:\Windows\System\CGZRxrG.exe	cobalt_reflective_dll
C:\Windows\System\BjlYNxe.exe	cobalt_reflective_dll
C:\Windows\System\lVvfKUB.exe	cobalt_reflective_dll
C:\Windows\System\yXyahai.exe	cobalt_reflective_dll
C:\Windows\System\HKdLQmt.exe	cobalt_reflective_dll
C:\Windows\System\vdfNkwm.exe	cobalt_reflective_dll
C:\Windows\System\DMGZRpA.exe	cobalt_reflective_dll
C:\Windows\System\NQoSaGj.exe	cobalt_reflective_dll
C:\Windows\System\fqJuZQZ.exe	cobalt_reflective_dll
C:\Windows\System\UtXhBeM.exe	cobalt_reflective_dll
C:\Windows\System\VUlTxej.exe	cobalt_reflective_dll
C:\Windows\System\VAlFYil.exe	cobalt_reflective_dll
C:\Windows\System\VxJhAaj.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\pqSSlZM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ihYoFKS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sZRwWqr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tsgqlQR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WXsaUbE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NEMRlBo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dWYHfem.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GSpislx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CGZRxrG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BjlYNxe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lVvfKUB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yXyahai.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HKdLQmt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vdfNkwm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DMGZRpA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NQoSaGj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fqJuZQZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UtXhBeM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VUlTxej.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VAlFYil.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VxJhAaj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/116-0-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp	UPX
C:\Windows\System\pqSSlZM.exe	UPX
C:\Windows\System\ihYoFKS.exe	UPX
C:\Windows\System\sZRwWqr.exe	UPX
C:\Windows\System\tsgqlQR.exe	UPX
C:\Windows\System\WXsaUbE.exe	UPX
C:\Windows\System\NEMRlBo.exe	UPX
C:\Windows\System\dWYHfem.exe	UPX
behavioral2/memory/4376-66-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp	UPX
C:\Windows\System\GSpislx.exe	UPX
C:\Windows\System\CGZRxrG.exe	UPX
behavioral2/memory/4628-115-0x00007FF7F7270000-0x00007FF7F75C4000-memory.dmp	UPX
behavioral2/memory/2240-116-0x00007FF783160000-0x00007FF7834B4000-memory.dmp	UPX
C:\Windows\System\BjlYNxe.exe	UPX
C:\Windows\System\lVvfKUB.exe	UPX
behavioral2/memory/3972-114-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp	UPX
C:\Windows\System\yXyahai.exe	UPX
C:\Windows\System\HKdLQmt.exe	UPX
C:\Windows\System\vdfNkwm.exe	UPX
behavioral2/memory/2176-107-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp	UPX
behavioral2/memory/2804-104-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp	UPX
C:\Windows\System\DMGZRpA.exe	UPX
behavioral2/memory/5032-96-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp	UPX
behavioral2/memory/1344-85-0x00007FF6227F0000-0x00007FF622B44000-memory.dmp	UPX
behavioral2/memory/4172-83-0x00007FF6A12D0000-0x00007FF6A1624000-memory.dmp	UPX
C:\Windows\System\NQoSaGj.exe	UPX
C:\Windows\System\fqJuZQZ.exe	UPX
behavioral2/memory/3056-74-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp	UPX
behavioral2/memory/1672-71-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp	UPX
behavioral2/memory/4484-67-0x00007FF766440000-0x00007FF766794000-memory.dmp	UPX
behavioral2/memory/4816-62-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	UPX
C:\Windows\System\UtXhBeM.exe	UPX
C:\Windows\System\VUlTxej.exe	UPX
C:\Windows\System\VAlFYil.exe	UPX
behavioral2/memory/4516-49-0x00007FF770530000-0x00007FF770884000-memory.dmp	UPX
behavioral2/memory/4752-46-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	UPX
behavioral2/memory/1080-45-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp	UPX
behavioral2/memory/220-36-0x00007FF679400000-0x00007FF679754000-memory.dmp	UPX
C:\Windows\System\VxJhAaj.exe	UPX
behavioral2/memory/4956-18-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	UPX
behavioral2/memory/3040-9-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp	UPX
behavioral2/memory/4432-127-0x00007FF606920000-0x00007FF606C74000-memory.dmp	UPX
behavioral2/memory/1260-126-0x00007FF6889C0000-0x00007FF688D14000-memory.dmp	UPX
behavioral2/memory/116-128-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp	UPX
behavioral2/memory/4956-129-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	UPX
behavioral2/memory/4752-130-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	UPX
behavioral2/memory/220-131-0x00007FF679400000-0x00007FF679754000-memory.dmp	UPX
behavioral2/memory/4816-132-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	UPX
behavioral2/memory/4516-133-0x00007FF770530000-0x00007FF770884000-memory.dmp	UPX
behavioral2/memory/1672-134-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp	UPX
behavioral2/memory/5032-135-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp	UPX
behavioral2/memory/2804-136-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp	UPX
behavioral2/memory/3972-138-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp	UPX
behavioral2/memory/2176-137-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp	UPX
behavioral2/memory/3040-139-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp	UPX
behavioral2/memory/4956-140-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	UPX
behavioral2/memory/220-141-0x00007FF679400000-0x00007FF679754000-memory.dmp	UPX
behavioral2/memory/1080-143-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp	UPX
behavioral2/memory/4376-142-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp	UPX
behavioral2/memory/4752-145-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	UPX
behavioral2/memory/4516-146-0x00007FF770530000-0x00007FF770884000-memory.dmp	UPX
behavioral2/memory/4484-144-0x00007FF766440000-0x00007FF766794000-memory.dmp	UPX
behavioral2/memory/4816-147-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	UPX
behavioral2/memory/3056-148-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/116-0-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp	xmrig
C:\Windows\System\pqSSlZM.exe	xmrig
C:\Windows\System\ihYoFKS.exe	xmrig
C:\Windows\System\sZRwWqr.exe	xmrig
C:\Windows\System\tsgqlQR.exe	xmrig
C:\Windows\System\WXsaUbE.exe	xmrig
C:\Windows\System\NEMRlBo.exe	xmrig
C:\Windows\System\dWYHfem.exe	xmrig
behavioral2/memory/4376-66-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp	xmrig
C:\Windows\System\GSpislx.exe	xmrig
C:\Windows\System\CGZRxrG.exe	xmrig
behavioral2/memory/4628-115-0x00007FF7F7270000-0x00007FF7F75C4000-memory.dmp	xmrig
behavioral2/memory/2240-116-0x00007FF783160000-0x00007FF7834B4000-memory.dmp	xmrig
C:\Windows\System\BjlYNxe.exe	xmrig
C:\Windows\System\lVvfKUB.exe	xmrig
behavioral2/memory/3972-114-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp	xmrig
C:\Windows\System\yXyahai.exe	xmrig
C:\Windows\System\HKdLQmt.exe	xmrig
C:\Windows\System\vdfNkwm.exe	xmrig
behavioral2/memory/2176-107-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp	xmrig
behavioral2/memory/2804-104-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp	xmrig
C:\Windows\System\DMGZRpA.exe	xmrig
behavioral2/memory/5032-96-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp	xmrig
behavioral2/memory/1344-85-0x00007FF6227F0000-0x00007FF622B44000-memory.dmp	xmrig
behavioral2/memory/4172-83-0x00007FF6A12D0000-0x00007FF6A1624000-memory.dmp	xmrig
C:\Windows\System\NQoSaGj.exe	xmrig
C:\Windows\System\fqJuZQZ.exe	xmrig
behavioral2/memory/3056-74-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp	xmrig
behavioral2/memory/1672-71-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp	xmrig
behavioral2/memory/4484-67-0x00007FF766440000-0x00007FF766794000-memory.dmp	xmrig
behavioral2/memory/4816-62-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	xmrig
C:\Windows\System\UtXhBeM.exe	xmrig
C:\Windows\System\VUlTxej.exe	xmrig
C:\Windows\System\VAlFYil.exe	xmrig
behavioral2/memory/4516-49-0x00007FF770530000-0x00007FF770884000-memory.dmp	xmrig
behavioral2/memory/4752-46-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	xmrig
behavioral2/memory/1080-45-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp	xmrig
behavioral2/memory/220-36-0x00007FF679400000-0x00007FF679754000-memory.dmp	xmrig
C:\Windows\System\VxJhAaj.exe	xmrig
behavioral2/memory/4956-18-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	xmrig
behavioral2/memory/3040-9-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp	xmrig
behavioral2/memory/4432-127-0x00007FF606920000-0x00007FF606C74000-memory.dmp	xmrig
behavioral2/memory/1260-126-0x00007FF6889C0000-0x00007FF688D14000-memory.dmp	xmrig
behavioral2/memory/116-128-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp	xmrig
behavioral2/memory/4956-129-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	xmrig
behavioral2/memory/4752-130-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	xmrig
behavioral2/memory/220-131-0x00007FF679400000-0x00007FF679754000-memory.dmp	xmrig
behavioral2/memory/4816-132-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	xmrig
behavioral2/memory/4516-133-0x00007FF770530000-0x00007FF770884000-memory.dmp	xmrig
behavioral2/memory/1672-134-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp	xmrig
behavioral2/memory/5032-135-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp	xmrig
behavioral2/memory/2804-136-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp	xmrig
behavioral2/memory/3972-138-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp	xmrig
behavioral2/memory/2176-137-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp	xmrig
behavioral2/memory/3040-139-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp	xmrig
behavioral2/memory/4956-140-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	xmrig
behavioral2/memory/220-141-0x00007FF679400000-0x00007FF679754000-memory.dmp	xmrig
behavioral2/memory/1080-143-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp	xmrig
behavioral2/memory/4376-142-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp	xmrig
behavioral2/memory/4752-145-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	xmrig
behavioral2/memory/4516-146-0x00007FF770530000-0x00007FF770884000-memory.dmp	xmrig
behavioral2/memory/4484-144-0x00007FF766440000-0x00007FF766794000-memory.dmp	xmrig
behavioral2/memory/4816-147-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	xmrig
behavioral2/memory/3056-148-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

pqSSlZM.exesZRwWqr.exeihYoFKS.exetsgqlQR.exeVxJhAaj.exeVAlFYil.exeVUlTxej.exeUtXhBeM.exeWXsaUbE.exeNEMRlBo.exedWYHfem.exefqJuZQZ.exeNQoSaGj.exeGSpislx.exeDMGZRpA.exeCGZRxrG.exevdfNkwm.exeHKdLQmt.exeyXyahai.exelVvfKUB.exeBjlYNxe.exe

pid	process
3040	pqSSlZM.exe
4956	sZRwWqr.exe
220	ihYoFKS.exe
4376	tsgqlQR.exe
1080	VxJhAaj.exe
4484	VAlFYil.exe
4752	VUlTxej.exe
4516	UtXhBeM.exe
4816	WXsaUbE.exe
1672	NEMRlBo.exe
3056	dWYHfem.exe
1344	fqJuZQZ.exe
4172	NQoSaGj.exe
5032	GSpislx.exe
4628	DMGZRpA.exe
2240	CGZRxrG.exe
2804	vdfNkwm.exe
2176	HKdLQmt.exe
3972	yXyahai.exe
1260	lVvfKUB.exe
4432	BjlYNxe.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/116-0-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp	upx
C:\Windows\System\pqSSlZM.exe	upx
C:\Windows\System\ihYoFKS.exe	upx
C:\Windows\System\sZRwWqr.exe	upx
C:\Windows\System\tsgqlQR.exe	upx
C:\Windows\System\WXsaUbE.exe	upx
C:\Windows\System\NEMRlBo.exe	upx
C:\Windows\System\dWYHfem.exe	upx
behavioral2/memory/4376-66-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp	upx
C:\Windows\System\GSpislx.exe	upx
C:\Windows\System\CGZRxrG.exe	upx
behavioral2/memory/4628-115-0x00007FF7F7270000-0x00007FF7F75C4000-memory.dmp	upx
behavioral2/memory/2240-116-0x00007FF783160000-0x00007FF7834B4000-memory.dmp	upx
C:\Windows\System\BjlYNxe.exe	upx
C:\Windows\System\lVvfKUB.exe	upx
behavioral2/memory/3972-114-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp	upx
C:\Windows\System\yXyahai.exe	upx
C:\Windows\System\HKdLQmt.exe	upx
C:\Windows\System\vdfNkwm.exe	upx
behavioral2/memory/2176-107-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp	upx
behavioral2/memory/2804-104-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp	upx
C:\Windows\System\DMGZRpA.exe	upx
behavioral2/memory/5032-96-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp	upx
behavioral2/memory/1344-85-0x00007FF6227F0000-0x00007FF622B44000-memory.dmp	upx
behavioral2/memory/4172-83-0x00007FF6A12D0000-0x00007FF6A1624000-memory.dmp	upx
C:\Windows\System\NQoSaGj.exe	upx
C:\Windows\System\fqJuZQZ.exe	upx
behavioral2/memory/3056-74-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp	upx
behavioral2/memory/1672-71-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp	upx
behavioral2/memory/4484-67-0x00007FF766440000-0x00007FF766794000-memory.dmp	upx
behavioral2/memory/4816-62-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	upx
C:\Windows\System\UtXhBeM.exe	upx
C:\Windows\System\VUlTxej.exe	upx
C:\Windows\System\VAlFYil.exe	upx
behavioral2/memory/4516-49-0x00007FF770530000-0x00007FF770884000-memory.dmp	upx
behavioral2/memory/4752-46-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	upx
behavioral2/memory/1080-45-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp	upx
behavioral2/memory/220-36-0x00007FF679400000-0x00007FF679754000-memory.dmp	upx
C:\Windows\System\VxJhAaj.exe	upx
behavioral2/memory/4956-18-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	upx
behavioral2/memory/3040-9-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp	upx
behavioral2/memory/4432-127-0x00007FF606920000-0x00007FF606C74000-memory.dmp	upx
behavioral2/memory/1260-126-0x00007FF6889C0000-0x00007FF688D14000-memory.dmp	upx
behavioral2/memory/116-128-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp	upx
behavioral2/memory/4956-129-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	upx
behavioral2/memory/4752-130-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	upx
behavioral2/memory/220-131-0x00007FF679400000-0x00007FF679754000-memory.dmp	upx
behavioral2/memory/4816-132-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	upx
behavioral2/memory/4516-133-0x00007FF770530000-0x00007FF770884000-memory.dmp	upx
behavioral2/memory/1672-134-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp	upx
behavioral2/memory/5032-135-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp	upx
behavioral2/memory/2804-136-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp	upx
behavioral2/memory/3972-138-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp	upx
behavioral2/memory/2176-137-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp	upx
behavioral2/memory/3040-139-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp	upx
behavioral2/memory/4956-140-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp	upx
behavioral2/memory/220-141-0x00007FF679400000-0x00007FF679754000-memory.dmp	upx
behavioral2/memory/1080-143-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp	upx
behavioral2/memory/4376-142-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp	upx
behavioral2/memory/4752-145-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp	upx
behavioral2/memory/4516-146-0x00007FF770530000-0x00007FF770884000-memory.dmp	upx
behavioral2/memory/4484-144-0x00007FF766440000-0x00007FF766794000-memory.dmp	upx
behavioral2/memory/4816-147-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp	upx
behavioral2/memory/3056-148-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\UtXhBeM.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WXsaUbE.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dWYHfem.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CGZRxrG.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HKdLQmt.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tsgqlQR.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NEMRlBo.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VUlTxej.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yXyahai.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lVvfKUB.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BjlYNxe.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VxJhAaj.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NQoSaGj.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vdfNkwm.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VAlFYil.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fqJuZQZ.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DMGZRpA.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GSpislx.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pqSSlZM.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sZRwWqr.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ihYoFKS.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 116 wrote to memory of 3040	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	pqSSlZM.exe
PID 116 wrote to memory of 3040	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	pqSSlZM.exe
PID 116 wrote to memory of 4956	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	sZRwWqr.exe
PID 116 wrote to memory of 4956	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	sZRwWqr.exe
PID 116 wrote to memory of 220	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	ihYoFKS.exe
PID 116 wrote to memory of 220	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	ihYoFKS.exe
PID 116 wrote to memory of 4376	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	tsgqlQR.exe
PID 116 wrote to memory of 4376	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	tsgqlQR.exe
PID 116 wrote to memory of 1080	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	VxJhAaj.exe
PID 116 wrote to memory of 1080	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	VxJhAaj.exe
PID 116 wrote to memory of 1672	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	NEMRlBo.exe
PID 116 wrote to memory of 1672	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	NEMRlBo.exe
PID 116 wrote to memory of 4484	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	VAlFYil.exe
PID 116 wrote to memory of 4484	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	VAlFYil.exe
PID 116 wrote to memory of 4752	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	VUlTxej.exe
PID 116 wrote to memory of 4752	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	VUlTxej.exe
PID 116 wrote to memory of 4516	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	UtXhBeM.exe
PID 116 wrote to memory of 4516	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	UtXhBeM.exe
PID 116 wrote to memory of 4816	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	WXsaUbE.exe
PID 116 wrote to memory of 4816	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	WXsaUbE.exe
PID 116 wrote to memory of 3056	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	dWYHfem.exe
PID 116 wrote to memory of 3056	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	dWYHfem.exe
PID 116 wrote to memory of 4172	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	NQoSaGj.exe
PID 116 wrote to memory of 4172	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	NQoSaGj.exe
PID 116 wrote to memory of 1344	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	fqJuZQZ.exe
PID 116 wrote to memory of 1344	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	fqJuZQZ.exe
PID 116 wrote to memory of 4628	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	DMGZRpA.exe
PID 116 wrote to memory of 4628	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	DMGZRpA.exe
PID 116 wrote to memory of 5032	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	GSpislx.exe
PID 116 wrote to memory of 5032	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	GSpislx.exe
PID 116 wrote to memory of 2240	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	CGZRxrG.exe
PID 116 wrote to memory of 2240	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	CGZRxrG.exe
PID 116 wrote to memory of 2804	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	vdfNkwm.exe
PID 116 wrote to memory of 2804	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	vdfNkwm.exe
PID 116 wrote to memory of 2176	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	HKdLQmt.exe
PID 116 wrote to memory of 2176	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	HKdLQmt.exe
PID 116 wrote to memory of 3972	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	yXyahai.exe
PID 116 wrote to memory of 3972	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	yXyahai.exe
PID 116 wrote to memory of 1260	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	lVvfKUB.exe
PID 116 wrote to memory of 1260	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	lVvfKUB.exe
PID 116 wrote to memory of 4432	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	BjlYNxe.exe
PID 116 wrote to memory of 4432	116	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	BjlYNxe.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\System\pqSSlZM.exe
C:\Windows\System\pqSSlZM.exe
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\System\sZRwWqr.exe
C:\Windows\System\sZRwWqr.exe
2⤵
- Executes dropped EXE
PID:4956

C:\Windows\System\ihYoFKS.exe
C:\Windows\System\ihYoFKS.exe
2⤵
- Executes dropped EXE
PID:220

C:\Windows\System\tsgqlQR.exe
C:\Windows\System\tsgqlQR.exe
2⤵
- Executes dropped EXE
PID:4376

C:\Windows\System\VxJhAaj.exe
C:\Windows\System\VxJhAaj.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\System\NEMRlBo.exe
C:\Windows\System\NEMRlBo.exe
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\System\VAlFYil.exe
C:\Windows\System\VAlFYil.exe
2⤵
- Executes dropped EXE
PID:4484

C:\Windows\System\VUlTxej.exe
C:\Windows\System\VUlTxej.exe
2⤵
- Executes dropped EXE
PID:4752

C:\Windows\System\UtXhBeM.exe
C:\Windows\System\UtXhBeM.exe
2⤵
- Executes dropped EXE
PID:4516

C:\Windows\System\WXsaUbE.exe
C:\Windows\System\WXsaUbE.exe
2⤵
- Executes dropped EXE
PID:4816

C:\Windows\System\dWYHfem.exe
C:\Windows\System\dWYHfem.exe
2⤵
- Executes dropped EXE
PID:3056

C:\Windows\System\NQoSaGj.exe
C:\Windows\System\NQoSaGj.exe
2⤵
- Executes dropped EXE
PID:4172

C:\Windows\System\fqJuZQZ.exe
C:\Windows\System\fqJuZQZ.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\System\DMGZRpA.exe
C:\Windows\System\DMGZRpA.exe
2⤵
- Executes dropped EXE
PID:4628

C:\Windows\System\GSpislx.exe
C:\Windows\System\GSpislx.exe
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\System\CGZRxrG.exe
C:\Windows\System\CGZRxrG.exe
2⤵
- Executes dropped EXE
PID:2240

C:\Windows\System\vdfNkwm.exe
C:\Windows\System\vdfNkwm.exe
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\System\HKdLQmt.exe
C:\Windows\System\HKdLQmt.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System\yXyahai.exe
C:\Windows\System\yXyahai.exe
2⤵
- Executes dropped EXE
PID:3972

C:\Windows\System\lVvfKUB.exe
C:\Windows\System\lVvfKUB.exe
2⤵
- Executes dropped EXE
PID:1260

C:\Windows\System\BjlYNxe.exe
C:\Windows\System\BjlYNxe.exe
2⤵
- Executes dropped EXE
PID:4432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BjlYNxe.exe
Filesize
5.9MB

MD5
68d5426641efb4db1a2954d3ad020195

SHA1
ee257d30b5fc954a432e573849972f0a8e6e97cb

SHA256
c5572d320f980f855a5a8659328cb2a0efa7811f2e8d9294c07c7b03385e9ebb

SHA512
8cb3edb5774c82cf3bdeb2576db07515049f2471fd22a673a508f9a70ec829758709096fc5bd36e5d8434aa9b43bbfb46fcab80f5e0fc9bdd8592c7baf974ab8

Download Submit
C:\Windows\System\CGZRxrG.exe
Filesize
5.9MB

MD5
368005177623e05e176c8369f17c6dcf

SHA1
178d9b95334d070afaf9476ec3205e91424244fe

SHA256
35b6563ccab6fc20bcd355601bcaa730bc8cdcca09338a95db8fbb4a80d6aa6c

SHA512
77af24e4935c144dc9cee720850dadacdf4e5365cb9190b3582cefc1866038871706c9c104f306c1c125bf413bc9aa941a240d562177218d2288e02015678b47

Download Submit
C:\Windows\System\DMGZRpA.exe
Filesize
5.9MB

MD5
bade5d650b1fcfaf3372afdeda423ed8

SHA1
56c068e8a6a4cb05eeab873e084fe8c957200754

SHA256
701752b22a675f6fa92f38702a3fe35a75335ecf459d85e61f40e14d41968d96

SHA512
f8a2982cd27b094fed5492de3761cf8449ea924f3fc90a9e48ae5e304c9d5559b6e02c82dc7dce94212e9798b5c84abe5ceb5535ec2eef0f0ccaa3dcf6280520

Download Submit
C:\Windows\System\GSpislx.exe
Filesize
5.9MB

MD5
60efe542952f4528030d41e44773eecd

SHA1
c38d0673ece0ebc3031efeb4b1fd25bc546230ee

SHA256
aeb6734171d4d8798368ce44f6ab31bf2d5843529726009dca139105aa020343

SHA512
118ddb3ff7e576e905d28370afba72ecc8e26e19dfba2d6f2e947fff6d045210ec986b391fee45ced8e8f10f57033c0f358a3f3d29613e71910984b543e2f96f

Download Submit
C:\Windows\System\HKdLQmt.exe
Filesize
5.9MB

MD5
d22b6e3c78a43db26ec54aedd87cca32

SHA1
e8b586b82c855ae91279864d09aaba485ec93dee

SHA256
8bd58ad90d010777975dcdf3cd0e2ae719d115b7f5e8ca4ca748b677cfe3ef96

SHA512
55e0aa3d6759fb0e98bc281076df88a38bbea68e425b36cbe4909cf395b3a77bbd5d32fb45ada3961d7e34fa36335d763d9d5b9341ff9a37b53f5a8963b389ce

Download Submit
C:\Windows\System\NEMRlBo.exe
Filesize
5.9MB

MD5
03de567986abb9cfd760174e84416438

SHA1
6f52d8d7f9bd345c247de4256b3b86e9b6155707

SHA256
b023b5733bb2445542bd3c35acbc6dc62be973d9b6b0e3692cef28884bdfadff

SHA512
d360d5863f71e0591325c648c32591ec3bb54acb0afa51924dbe4d207839cd38d8402958b49549199bc45313a1818b1bd9b96f8e1dcd2884fce665ca69a10edd

Download Submit
C:\Windows\System\NQoSaGj.exe
Filesize
5.9MB

MD5
c7151f24d3141df3b1d91a3ef6a9be53

SHA1
568942750d9547644b83252a8ac4295ca9c1d73c

SHA256
0e8788233594b00b233158aa997b44bd86143c5318c6b4bc4ca603bf8ec73bce

SHA512
bbe6ce1540fc1b139229a32781a05d6efadbc7d8ee55f6d84ef897a6704f8b9db9b55147fd9f99ddbddbe96c215dd809ede6cdee3c86ec0d9e172420a397ec05

Download Submit
C:\Windows\System\UtXhBeM.exe
Filesize
5.9MB

MD5
9dad78d67b7f1525418f4218e9fcc9a8

SHA1
f08a86dc638d24bd17f2ba30ad94432a8654f353

SHA256
b98dfacbaa7beab56f6ae408e7e17bde05f74d0afcfe1456fd0f79453f09c43d

SHA512
628951d92523750f64511c28916e938a9fa3abf75e81633c90a8bd05b0932cf4eeb7f45c83102fc9c3eb148fbc83ac355c192bdbad1622f3a14e74cb3bde88aa

Download Submit
C:\Windows\System\VAlFYil.exe
Filesize
5.9MB

MD5
91c1660850d18270d3d31bbf5ce97545

SHA1
77ce7a21b3b62b9afe2b0286b1701e4d03034cc9

SHA256
e26de3e5da8de43715f10b8111c1d2ff5363a6de0e449c2c4533481d31a7d9a7

SHA512
57517abb422b316963dfdf7e6cb5c60057a6e90a7c22708bccab7982031d54523d80868fdc1d89fc2cff3ccf4d2c83ade42da9c8d2028290e82505f3d6425bfb

Download Submit
C:\Windows\System\VUlTxej.exe
Filesize
5.9MB

MD5
2617356bd7219e078525bb6a6e25a089

SHA1
1fc3bb5b2448ffcce37b0c256acc58ef81965bdc

SHA256
f4208076a4325f5dd09af2badc69e9944d30597b787d5cb8d70fd2e5b1a1b350

SHA512
588c9e60d541464dc3c079ff7cc48f9fbc8e2c357eb51eba65c418265bb9ba8f2d282ff0f739f794af1286ba23ac16c401335be043319eaaf5c258568257d961

Download Submit
C:\Windows\System\VxJhAaj.exe
Filesize
5.9MB

MD5
b8279073387f53dfc484bc309e347eb6

SHA1
3dd9053b32c16a664120000d28c78bb974ee5765

SHA256
90594333bb10d735e7445e9f7cf3f434f604a6ad59ff144adf4b5075cd130ba3

SHA512
8035ce99bcafe5081d08fb8867340c5223dbc0f8bfbb38a30d1245d603915c6cc87371c0b2dac8880bedc1da9538187a5051b60d6551146d4a0dab661fbd7c7e

Download Submit
C:\Windows\System\WXsaUbE.exe
Filesize
5.9MB

MD5
89ad9129d88651c3975f8f4fedba857a

SHA1
f4a49efda301ae24f207ec84be79f605690b403c

SHA256
c0108b00d3941cd7de9b6d88441b73a36afcd396e5ec455a440a5c517916447e

SHA512
d609ace7df0c7d70dda7a72bddc075b6eae3ac59d5460f8ce52a7dd965619d3c01f21da6fc0357b6a800e64308711065f96762c7e568bcd19aeca9e4d3517a4b

Download Submit
C:\Windows\System\dWYHfem.exe
Filesize
5.9MB

MD5
ed37b1b41c9755c5bf587398b976c431

SHA1
6b97264629cf8c1731a0d35da7ac2fe5363cc17b

SHA256
a51e5b9bb37222b5e47933b5d6695442ebe5ea0d7a5ec1569b13c95f5ea3b96e

SHA512
7e302fc7e3c228693da27d64be2529984cc1535b1b586d7805afb4052f4c254b46c31624395c492c17c3e1c7441ba68e5cbc65ba4c3b78812cb7b6d989a22a41

Download Submit
C:\Windows\System\fqJuZQZ.exe
Filesize
5.9MB

MD5
178875a883d1d0ccfcc5dd61dd2712c2

SHA1
0da9f0d17a6718a249109ff2b727ac1f03ebfe8d

SHA256
ce9f46a0f25612f36c556e2c1d6c32816fb1611a333ca52334f38ffc4b982ce7

SHA512
77ac9c256dafeff7d97c0381db2af3adb4455de90505e400d3bcf66f85d8ade2dbb6aa358e5e543eed2abc219e479b07e277e4918bed99944c37a2ecebfd8a1a

Download Submit
C:\Windows\System\ihYoFKS.exe
Filesize
5.9MB

MD5
8dcd74649ddf5d5f4b6beffb17dba502

SHA1
444de198a9504829ff84ec092bcd8ed98c0d0e28

SHA256
ce7cb3b99c68fa10a1e39924c24fa88c4a749a40d9aa046f6129e084dd553d8b

SHA512
3e3d2b3387bb76e6d7118148dada3428bce4193847257d8bb588b91ee807bd9b08f8adf771a1d2c898b06aff1b8cfae1a2f1132895829762ecd87ecb923b4e6b

Download Submit
C:\Windows\System\lVvfKUB.exe
Filesize
5.9MB

MD5
a70d0b205ca3b77500c70f09714311cb

SHA1
664ba0649ba9831d8fbe7cd23ac34d9eb81b5ca1

SHA256
d5f39677eb02dfab9d1825f3a8174ce701d05eb64582075e305dbaea8dc8bcf6

SHA512
41d706af05e48c0ca51b2fc9245e3bb0ecef29d127e330122675c6a00710e63dbe788bf239c07a980ee0dc784f79b6f742f25629fe910ce2462bc7dc545c5704

Download Submit
C:\Windows\System\pqSSlZM.exe
Filesize
5.9MB

MD5
41ca49f1593ef2fa8fd2cb53389fbf00

SHA1
3a1c0a4da7d1cd364ebec361910586d8d585f3fc

SHA256
f0da27f8f7be3254a6ce57c2bfea47c851c427a778b946321b6f8a2e244b31ae

SHA512
87a2383db3df4acb77972d97194d3a690f3c3bfeb851c92dfdef4481bc0499b62fe2a5678f0ec0ed355383efdaa2d7d3b95ada6e95bea973492dd195fefd9b65

Download Submit
C:\Windows\System\sZRwWqr.exe
Filesize
5.9MB

MD5
f239eb7b1d2138595a0ee9ea88c78ccb

SHA1
3e5c6fadeaa182c52fa246b6e6d20130be41f3cb

SHA256
eaa218f07558ef946ec065c260884db0209c097bfcb1b8a54b430dc805ea2fef

SHA512
9278f173ec963a94035c4ecc07ecd8a88b780edf61fe36955f3b4e615cdc18d55632f65436273d786eef2b600736098519b1ce2779044fd420704c69239b9246

Download Submit
C:\Windows\System\tsgqlQR.exe
Filesize
5.9MB

MD5
b7dacb49e03177b9c4024896c1cef494

SHA1
67c492ea76090d348b10307e0a02110abdbba240

SHA256
9f3e18530ed45e359ff16fcaf2a3c200451b19c2eb21140fbf59f0a96641061e

SHA512
7e841e8fcde7c18d7aa4920449527443044d02fa8b39744532bbd7c9da64f67230babcea16776a2c473ce5eb591f30a29eb71d6e5c0185364e14bed206d89c5a

Download Submit
C:\Windows\System\vdfNkwm.exe
Filesize
5.9MB

MD5
60562d07889b59d0f494bd896f8f9174

SHA1
8d17cde7b29b7105f44b8ffd9f8c14acd8a40919

SHA256
9f982195ce41b30f9bc3156c9796385442f972b08f3b797c08c65bd6ba4d1f4c

SHA512
d3522c3f0ebeed821b2cf200f809503830b1d2fe7f9fcad59350fc16f121ecf3bff86f47cfe91fb29cd39fff48af4a59a41e88b4ca188ffc6a6281186ce92a00

Download Submit
C:\Windows\System\yXyahai.exe
Filesize
5.9MB

MD5
70ac081b22faf0113950ca67a18c0520

SHA1
85796cef387f6c8eab80a03bdab63483251be50d

SHA256
e4373463ab8357bd0e05f9b2403ad13933ccf5fdd522433bb6656e018a84cf05

SHA512
5545aafcca00a3d213e90df12b8c1ae76ea77449907bc92eb8ac54b0d4b0168a72bf24a0d90ed2e2c81cb5c77df0cd9ea93c9c90defac690eea8a31c06ef454a

Download Submit
memory/116-128-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp

Filesize
3.3MB

Download
memory/116-1-0x000001EF7D740000-0x000001EF7D750000-memory.dmp

Filesize
64KB

Download
memory/116-0-0x00007FF6C1EF0000-0x00007FF6C2244000-memory.dmp

Filesize
3.3MB

Download
memory/220-36-0x00007FF679400000-0x00007FF679754000-memory.dmp

Filesize
3.3MB

Download
memory/220-141-0x00007FF679400000-0x00007FF679754000-memory.dmp

Filesize
3.3MB

Download
memory/220-131-0x00007FF679400000-0x00007FF679754000-memory.dmp

Filesize
3.3MB

Download
memory/1080-45-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp

Filesize
3.3MB

Download
memory/1080-143-0x00007FF70F3E0000-0x00007FF70F734000-memory.dmp

Filesize
3.3MB

Download
memory/1260-159-0x00007FF6889C0000-0x00007FF688D14000-memory.dmp

Filesize
3.3MB

Download
memory/1260-126-0x00007FF6889C0000-0x00007FF688D14000-memory.dmp

Filesize
3.3MB

Download
memory/1344-85-0x00007FF6227F0000-0x00007FF622B44000-memory.dmp

Filesize
3.3MB

Download
memory/1344-151-0x00007FF6227F0000-0x00007FF622B44000-memory.dmp

Filesize
3.3MB

Download
memory/1672-71-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp

Filesize
3.3MB

Download
memory/1672-134-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp

Filesize
3.3MB

Download
memory/1672-149-0x00007FF6B69B0000-0x00007FF6B6D04000-memory.dmp

Filesize
3.3MB

Download
memory/2176-157-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-107-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-137-0x00007FF67B790000-0x00007FF67BAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-116-0x00007FF783160000-0x00007FF7834B4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-154-0x00007FF783160000-0x00007FF7834B4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-136-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-155-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-104-0x00007FF6DB5A0000-0x00007FF6DB8F4000-memory.dmp

Filesize
3.3MB

Download
memory/3040-9-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp

Filesize
3.3MB

Download
memory/3040-139-0x00007FF7F6400000-0x00007FF7F6754000-memory.dmp

Filesize
3.3MB

Download
memory/3056-74-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3056-148-0x00007FF651B80000-0x00007FF651ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3972-138-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp

Filesize
3.3MB

Download
memory/3972-156-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp

Filesize
3.3MB

Download
memory/3972-114-0x00007FF6F1D60000-0x00007FF6F20B4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-150-0x00007FF6A12D0000-0x00007FF6A1624000-memory.dmp

Filesize
3.3MB

Download
memory/4172-83-0x00007FF6A12D0000-0x00007FF6A1624000-memory.dmp

Filesize
3.3MB

Download
memory/4376-142-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-66-0x00007FF60E480000-0x00007FF60E7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4432-158-0x00007FF606920000-0x00007FF606C74000-memory.dmp

Filesize
3.3MB

Download
memory/4432-127-0x00007FF606920000-0x00007FF606C74000-memory.dmp

Filesize
3.3MB

Download
memory/4484-144-0x00007FF766440000-0x00007FF766794000-memory.dmp

Filesize
3.3MB

Download
memory/4484-67-0x00007FF766440000-0x00007FF766794000-memory.dmp

Filesize
3.3MB

Download
memory/4516-133-0x00007FF770530000-0x00007FF770884000-memory.dmp

Filesize
3.3MB

Download
memory/4516-49-0x00007FF770530000-0x00007FF770884000-memory.dmp

Filesize
3.3MB

Download
memory/4516-146-0x00007FF770530000-0x00007FF770884000-memory.dmp

Filesize
3.3MB

Download
memory/4628-115-0x00007FF7F7270000-0x00007FF7F75C4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-153-0x00007FF7F7270000-0x00007FF7F75C4000-memory.dmp

Filesize
3.3MB

Download
memory/4752-130-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp

Filesize
3.3MB

Download
memory/4752-145-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp

Filesize
3.3MB

Download
memory/4752-46-0x00007FF6EA2D0000-0x00007FF6EA624000-memory.dmp

Filesize
3.3MB

Download
memory/4816-132-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp

Filesize
3.3MB

Download
memory/4816-62-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp

Filesize
3.3MB

Download
memory/4816-147-0x00007FF77BB10000-0x00007FF77BE64000-memory.dmp

Filesize
3.3MB

Download
memory/4956-129-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp

Filesize
3.3MB

Download
memory/4956-18-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp

Filesize
3.3MB

Download
memory/4956-140-0x00007FF7A5230000-0x00007FF7A5584000-memory.dmp

Filesize
3.3MB

Download
memory/5032-135-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp

Filesize
3.3MB

Download
memory/5032-152-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp

Filesize
3.3MB

Download
memory/5032-96-0x00007FF7B43D0000-0x00007FF7B4724000-memory.dmp

Filesize
3.3MB

Download