cobaltstrike | 643c97d607099d62fd026d9f94549dc6297bd2bb200f850cd0a408c69ef40d03

Analysis

max time kernel
139s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

257886e5c477a94f8fc4428aa3400d91
SHA1

542f276d6f1a047e89508fb5f55b2da0b7ad3c02
SHA256

643c97d607099d62fd026d9f94549dc6297bd2bb200f850cd0a408c69ef40d03
SHA512

8a532b49c5bf1cc0c381764f677dc95cf7a4c3e70ff44ba0d984693d359474ccc78c9efabaa306b9148ef6c51f9796e3f515bb93abeca9cf573efa44088567ee
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:Q+856utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\JFHAFrP.exe	cobalt_reflective_dll
\Windows\system\yKKhqvV.exe	cobalt_reflective_dll
C:\Windows\system\YidIICM.exe	cobalt_reflective_dll
C:\Windows\system\hQsULnN.exe	cobalt_reflective_dll
C:\Windows\system\pgdFZxk.exe	cobalt_reflective_dll
C:\Windows\system\wAeGgMS.exe	cobalt_reflective_dll
C:\Windows\system\qWGUNda.exe	cobalt_reflective_dll
C:\Windows\system\dWerXbU.exe	cobalt_reflective_dll
C:\Windows\system\xCJFBzG.exe	cobalt_reflective_dll
C:\Windows\system\gSErCeE.exe	cobalt_reflective_dll
C:\Windows\system\QIYndEi.exe	cobalt_reflective_dll
C:\Windows\system\xEoyJuc.exe	cobalt_reflective_dll
C:\Windows\system\xAkiZXA.exe	cobalt_reflective_dll
C:\Windows\system\oaakXom.exe	cobalt_reflective_dll
\Windows\system\bfGSnRv.exe	cobalt_reflective_dll
\Windows\system\YlZbtsE.exe	cobalt_reflective_dll
C:\Windows\system\gXZkyRh.exe	cobalt_reflective_dll
C:\Windows\system\NMFdfpo.exe	cobalt_reflective_dll
C:\Windows\system\RSsTTqJ.exe	cobalt_reflective_dll
C:\Windows\system\iTXGfQm.exe	cobalt_reflective_dll
C:\Windows\system\NIgvoDX.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\JFHAFrP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\yKKhqvV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YidIICM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hQsULnN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pgdFZxk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wAeGgMS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qWGUNda.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dWerXbU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xCJFBzG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gSErCeE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QIYndEi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xEoyJuc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xAkiZXA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oaakXom.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\bfGSnRv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YlZbtsE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gXZkyRh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NMFdfpo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RSsTTqJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iTXGfQm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NIgvoDX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 51 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
\Windows\system\JFHAFrP.exe	UPX
\Windows\system\yKKhqvV.exe	UPX
C:\Windows\system\YidIICM.exe	UPX
C:\Windows\system\hQsULnN.exe	UPX
C:\Windows\system\pgdFZxk.exe	UPX
C:\Windows\system\wAeGgMS.exe	UPX
C:\Windows\system\qWGUNda.exe	UPX
C:\Windows\system\dWerXbU.exe	UPX
C:\Windows\system\xCJFBzG.exe	UPX
C:\Windows\system\gSErCeE.exe	UPX
C:\Windows\system\QIYndEi.exe	UPX
C:\Windows\system\xEoyJuc.exe	UPX
C:\Windows\system\xAkiZXA.exe	UPX
C:\Windows\system\oaakXom.exe	UPX
\Windows\system\bfGSnRv.exe	UPX
\Windows\system\YlZbtsE.exe	UPX
C:\Windows\system\gXZkyRh.exe	UPX
C:\Windows\system\NMFdfpo.exe	UPX
C:\Windows\system\RSsTTqJ.exe	UPX
C:\Windows\system\iTXGfQm.exe	UPX
C:\Windows\system\NIgvoDX.exe	UPX
behavioral1/memory/2252-107-0x000000013F0B0000-0x000000013F404000-memory.dmp	UPX
behavioral1/memory/2168-108-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2724-114-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2884-124-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
behavioral1/memory/2692-126-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/memory/2576-128-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2540-129-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2112-122-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/1992-121-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2652-119-0x000000013F600000-0x000000013F954000-memory.dmp	UPX
behavioral1/memory/2668-117-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2916-115-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/memory/2664-112-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
behavioral1/memory/2612-110-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/1640-132-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2168-136-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2540-140-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2252-141-0x000000013F0B0000-0x000000013F404000-memory.dmp	UPX
behavioral1/memory/2668-144-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/1992-145-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2576-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2884-146-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
behavioral1/memory/2724-143-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2612-142-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2692-139-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/memory/2112-138-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2652-137-0x000000013F600000-0x000000013F954000-memory.dmp	UPX
behavioral1/memory/2916-135-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/memory/2664-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
\Windows\system\JFHAFrP.exe	xmrig
\Windows\system\yKKhqvV.exe	xmrig
C:\Windows\system\YidIICM.exe	xmrig
C:\Windows\system\hQsULnN.exe	xmrig
C:\Windows\system\pgdFZxk.exe	xmrig
C:\Windows\system\wAeGgMS.exe	xmrig
C:\Windows\system\qWGUNda.exe	xmrig
C:\Windows\system\dWerXbU.exe	xmrig
C:\Windows\system\xCJFBzG.exe	xmrig
C:\Windows\system\gSErCeE.exe	xmrig
C:\Windows\system\QIYndEi.exe	xmrig
C:\Windows\system\xEoyJuc.exe	xmrig
C:\Windows\system\xAkiZXA.exe	xmrig
C:\Windows\system\oaakXom.exe	xmrig
\Windows\system\bfGSnRv.exe	xmrig
\Windows\system\YlZbtsE.exe	xmrig
C:\Windows\system\gXZkyRh.exe	xmrig
C:\Windows\system\NMFdfpo.exe	xmrig
C:\Windows\system\RSsTTqJ.exe	xmrig
C:\Windows\system\iTXGfQm.exe	xmrig
C:\Windows\system\NIgvoDX.exe	xmrig
behavioral1/memory/2252-107-0x000000013F0B0000-0x000000013F404000-memory.dmp	xmrig
behavioral1/memory/2168-108-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2724-114-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2884-124-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2692-126-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/memory/2576-128-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/1640-130-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
behavioral1/memory/2540-129-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/1640-127-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2112-122-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/1992-121-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2652-119-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
behavioral1/memory/2668-117-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2916-115-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/2664-112-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2612-110-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/1640-132-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2168-136-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2540-140-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2252-141-0x000000013F0B0000-0x000000013F404000-memory.dmp	xmrig
behavioral1/memory/2668-144-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/1992-145-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2576-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2884-146-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2724-143-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2612-142-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2692-139-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/memory/2112-138-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2652-137-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
behavioral1/memory/2916-135-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/2664-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

JFHAFrP.exeyKKhqvV.exeYidIICM.exehQsULnN.exepgdFZxk.exewAeGgMS.exeqWGUNda.exedWerXbU.exexCJFBzG.exeNIgvoDX.exeiTXGfQm.exegSErCeE.exeRSsTTqJ.exeQIYndEi.exeNMFdfpo.exexEoyJuc.exegXZkyRh.exexAkiZXA.exeoaakXom.exebfGSnRv.exeYlZbtsE.exe

pid	process
2252	JFHAFrP.exe
2168	yKKhqvV.exe
2612	YidIICM.exe
2664	hQsULnN.exe
2724	pgdFZxk.exe
2916	wAeGgMS.exe
2668	qWGUNda.exe
2652	dWerXbU.exe
1992	xCJFBzG.exe
2112	NIgvoDX.exe
2884	iTXGfQm.exe
2692	gSErCeE.exe
2576	RSsTTqJ.exe
2540	QIYndEi.exe
2444	NMFdfpo.exe
2788	xEoyJuc.exe
3000	gXZkyRh.exe
1820	xAkiZXA.exe
2620	oaakXom.exe
2808	bfGSnRv.exe
2240	YlZbtsE.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

pid	process
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x000000013F100000-0x000000013F454000-memory.dmp	upx
\Windows\system\JFHAFrP.exe	upx
\Windows\system\yKKhqvV.exe	upx
C:\Windows\system\YidIICM.exe	upx
C:\Windows\system\hQsULnN.exe	upx
C:\Windows\system\pgdFZxk.exe	upx
C:\Windows\system\wAeGgMS.exe	upx
C:\Windows\system\qWGUNda.exe	upx
C:\Windows\system\dWerXbU.exe	upx
C:\Windows\system\xCJFBzG.exe	upx
C:\Windows\system\gSErCeE.exe	upx
C:\Windows\system\QIYndEi.exe	upx
C:\Windows\system\xEoyJuc.exe	upx
C:\Windows\system\xAkiZXA.exe	upx
C:\Windows\system\oaakXom.exe	upx
\Windows\system\bfGSnRv.exe	upx
\Windows\system\YlZbtsE.exe	upx
C:\Windows\system\gXZkyRh.exe	upx
C:\Windows\system\NMFdfpo.exe	upx
C:\Windows\system\RSsTTqJ.exe	upx
C:\Windows\system\iTXGfQm.exe	upx
C:\Windows\system\NIgvoDX.exe	upx
behavioral1/memory/2252-107-0x000000013F0B0000-0x000000013F404000-memory.dmp	upx
behavioral1/memory/2168-108-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2724-114-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2884-124-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2692-126-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/memory/2576-128-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2540-129-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2112-122-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/1992-121-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2652-119-0x000000013F600000-0x000000013F954000-memory.dmp	upx
behavioral1/memory/2668-117-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2916-115-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/2664-112-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2612-110-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/1640-132-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2168-136-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2540-140-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2252-141-0x000000013F0B0000-0x000000013F404000-memory.dmp	upx
behavioral1/memory/2668-144-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/1992-145-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2576-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2884-146-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2724-143-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2612-142-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2692-139-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/memory/2112-138-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2652-137-0x000000013F600000-0x000000013F954000-memory.dmp	upx
behavioral1/memory/2916-135-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/2664-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\YidIICM.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qWGUNda.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gSErCeE.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NMFdfpo.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YlZbtsE.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gXZkyRh.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xAkiZXA.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JFHAFrP.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hQsULnN.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wAeGgMS.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dWerXbU.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xCJFBzG.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NIgvoDX.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iTXGfQm.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QIYndEi.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oaakXom.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yKKhqvV.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pgdFZxk.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RSsTTqJ.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xEoyJuc.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bfGSnRv.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1640 wrote to memory of 2252	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	JFHAFrP.exe
PID 1640 wrote to memory of 2252	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	JFHAFrP.exe
PID 1640 wrote to memory of 2252	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	JFHAFrP.exe
PID 1640 wrote to memory of 2168	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	yKKhqvV.exe
PID 1640 wrote to memory of 2168	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	yKKhqvV.exe
PID 1640 wrote to memory of 2168	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	yKKhqvV.exe
PID 1640 wrote to memory of 2612	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	YidIICM.exe
PID 1640 wrote to memory of 2612	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	YidIICM.exe
PID 1640 wrote to memory of 2612	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	YidIICM.exe
PID 1640 wrote to memory of 2664	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	hQsULnN.exe
PID 1640 wrote to memory of 2664	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	hQsULnN.exe
PID 1640 wrote to memory of 2664	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	hQsULnN.exe
PID 1640 wrote to memory of 2724	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	pgdFZxk.exe
PID 1640 wrote to memory of 2724	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	pgdFZxk.exe
PID 1640 wrote to memory of 2724	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	pgdFZxk.exe
PID 1640 wrote to memory of 2916	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	wAeGgMS.exe
PID 1640 wrote to memory of 2916	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	wAeGgMS.exe
PID 1640 wrote to memory of 2916	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	wAeGgMS.exe
PID 1640 wrote to memory of 2668	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	qWGUNda.exe
PID 1640 wrote to memory of 2668	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	qWGUNda.exe
PID 1640 wrote to memory of 2668	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	qWGUNda.exe
PID 1640 wrote to memory of 2652	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	dWerXbU.exe
PID 1640 wrote to memory of 2652	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	dWerXbU.exe
PID 1640 wrote to memory of 2652	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	dWerXbU.exe
PID 1640 wrote to memory of 1992	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xCJFBzG.exe
PID 1640 wrote to memory of 1992	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xCJFBzG.exe
PID 1640 wrote to memory of 1992	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xCJFBzG.exe
PID 1640 wrote to memory of 2112	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	NIgvoDX.exe
PID 1640 wrote to memory of 2112	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	NIgvoDX.exe
PID 1640 wrote to memory of 2112	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	NIgvoDX.exe
PID 1640 wrote to memory of 2884	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	iTXGfQm.exe
PID 1640 wrote to memory of 2884	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	iTXGfQm.exe
PID 1640 wrote to memory of 2884	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	iTXGfQm.exe
PID 1640 wrote to memory of 2692	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	gSErCeE.exe
PID 1640 wrote to memory of 2692	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	gSErCeE.exe
PID 1640 wrote to memory of 2692	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	gSErCeE.exe
PID 1640 wrote to memory of 2576	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	RSsTTqJ.exe
PID 1640 wrote to memory of 2576	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	RSsTTqJ.exe
PID 1640 wrote to memory of 2576	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	RSsTTqJ.exe
PID 1640 wrote to memory of 2540	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	QIYndEi.exe
PID 1640 wrote to memory of 2540	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	QIYndEi.exe
PID 1640 wrote to memory of 2540	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	QIYndEi.exe
PID 1640 wrote to memory of 2444	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	NMFdfpo.exe
PID 1640 wrote to memory of 2444	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	NMFdfpo.exe
PID 1640 wrote to memory of 2444	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	NMFdfpo.exe
PID 1640 wrote to memory of 2788	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xEoyJuc.exe
PID 1640 wrote to memory of 2788	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xEoyJuc.exe
PID 1640 wrote to memory of 2788	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xEoyJuc.exe
PID 1640 wrote to memory of 3000	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	gXZkyRh.exe
PID 1640 wrote to memory of 3000	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	gXZkyRh.exe
PID 1640 wrote to memory of 3000	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	gXZkyRh.exe
PID 1640 wrote to memory of 1820	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xAkiZXA.exe
PID 1640 wrote to memory of 1820	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xAkiZXA.exe
PID 1640 wrote to memory of 1820	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xAkiZXA.exe
PID 1640 wrote to memory of 2808	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	bfGSnRv.exe
PID 1640 wrote to memory of 2808	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	bfGSnRv.exe
PID 1640 wrote to memory of 2808	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	bfGSnRv.exe
PID 1640 wrote to memory of 2620	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	oaakXom.exe
PID 1640 wrote to memory of 2620	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	oaakXom.exe
PID 1640 wrote to memory of 2620	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	oaakXom.exe
PID 1640 wrote to memory of 2240	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	YlZbtsE.exe
PID 1640 wrote to memory of 2240	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	YlZbtsE.exe
PID 1640 wrote to memory of 2240	1640	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	YlZbtsE.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System\JFHAFrP.exe
C:\Windows\System\JFHAFrP.exe
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\System\yKKhqvV.exe
C:\Windows\System\yKKhqvV.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\YidIICM.exe
C:\Windows\System\YidIICM.exe
2⤵
- Executes dropped EXE
PID:2612

C:\Windows\System\hQsULnN.exe
C:\Windows\System\hQsULnN.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\pgdFZxk.exe
C:\Windows\System\pgdFZxk.exe
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\System\wAeGgMS.exe
C:\Windows\System\wAeGgMS.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\qWGUNda.exe
C:\Windows\System\qWGUNda.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\dWerXbU.exe
C:\Windows\System\dWerXbU.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\xCJFBzG.exe
C:\Windows\System\xCJFBzG.exe
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\System\NIgvoDX.exe
C:\Windows\System\NIgvoDX.exe
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\System\iTXGfQm.exe
C:\Windows\System\iTXGfQm.exe
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\System\gSErCeE.exe
C:\Windows\System\gSErCeE.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\RSsTTqJ.exe
C:\Windows\System\RSsTTqJ.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\System\QIYndEi.exe
C:\Windows\System\QIYndEi.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\NMFdfpo.exe
C:\Windows\System\NMFdfpo.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\xEoyJuc.exe
C:\Windows\System\xEoyJuc.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\gXZkyRh.exe
C:\Windows\System\gXZkyRh.exe
2⤵
- Executes dropped EXE
PID:3000

C:\Windows\System\xAkiZXA.exe
C:\Windows\System\xAkiZXA.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\System\bfGSnRv.exe
C:\Windows\System\bfGSnRv.exe
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\System\oaakXom.exe
C:\Windows\System\oaakXom.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\YlZbtsE.exe
C:\Windows\System\YlZbtsE.exe
2⤵
- Executes dropped EXE
PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\NIgvoDX.exe
Filesize
5.9MB

MD5
52d72f96e70b351968844a043ead1302

SHA1
69b840364fec3240f4c722774d55c66113bd0d1f

SHA256
b1f481b586cba0f9cd63e0b0828e08e838244d973d2ec5ceff5ee5578f4adc51

SHA512
86eafd3a252c320a77ce36432b5b81bcc81c901cc12c9c04ab1dff2c33824e50fa863e00d71448a6cd80d90a1243186c07828737881d86b9a4116de068b1e6a7

Download Submit
C:\Windows\system\NMFdfpo.exe
Filesize
5.9MB

MD5
a411ea605c4016c3a7cee294f39e7a79

SHA1
0a74063245b64a1f55fa8da1ea2b3a2ed5a605d7

SHA256
894165712cb995bdd264696f7e0e875b793a225f093e6fe0f0a8b4cf94dd3239

SHA512
8eb3e60af57586800ae2f4021395d7a54a3bc1442add2407c73f33126dc862f15f73df0213ed966a3e86c2e9d2038d8a37a511ae198e38542e06f68885351b7d

Download Submit
C:\Windows\system\QIYndEi.exe
Filesize
5.9MB

MD5
f8950d81a7d28c909826221d4be97822

SHA1
7d4e9f67cbc1223729459882086a1dffd0b513a9

SHA256
813703af6f97d8d92abcc954386e11e9197c36e949aec0cb3a5feb02f661b7b3

SHA512
78adb240a8ad44055324316cf1a636645dd68303a452edc04df2c576dee7dbcf1e13c34880c3284c56b29833a59b7741b8eb22d5e6ecc88fdde3ad2893f8f45f

Download Submit
C:\Windows\system\RSsTTqJ.exe
Filesize
5.9MB

MD5
b7b6bb62f898e75a2786b12f404e21d7

SHA1
9d3cfffbefd028e1094ff1fa11b26630eb10bea2

SHA256
468a93d1574c9c6bc6a347a5ce940e40e1571b1816bb5cd74d0a265bad7598b2

SHA512
2fc8967233d1bef888d6582b8b05d2a805dbec4cc35bf603eded864400ea73ccd2fdf16ed666c1202d784be1499a2eabb8bdacf2bb5d4ba867461ab662bd86b9

Download Submit
C:\Windows\system\YidIICM.exe
Filesize
5.9MB

MD5
881e96f2959839f7a419019f52b7d9cf

SHA1
4c89e863ea72de529d2e3e6b78b38c06d662ac32

SHA256
8127126c83d97499ed113076aefa26b742551245a4ba2fa7ff6aa9f9de436c39

SHA512
9e97de43a56a7758f0f9225d77a234344406916648b29973edb8195b9a519147b65114f1931397d15c380bd5398487110896ccdc2e379ff081fd9d954694e260

Download Submit
C:\Windows\system\dWerXbU.exe
Filesize
5.9MB

MD5
41f8b146a43264b8701604047e58f09f

SHA1
71e25033f71e2d959d2a4402d4c5e7d58e5b4b71

SHA256
24a6d3053b537b29b38e4a1bcc6ea510f1b56206d5738684aef5eafa5935d464

SHA512
534a8d2d605a1b4dd379c9e75afa24cef8cb6a3164bfb078e21770de3d2536baba941478446c8be9b8837c30f07f871a7839b17c68afbaa9d55f3035df635c59

Download Submit
C:\Windows\system\gSErCeE.exe
Filesize
5.9MB

MD5
856f46aadae7d1015c660761d95f3d88

SHA1
e9000aad25a378f19afc1f3235b1092df7a2b71b

SHA256
1ecb240effb2a4ab2d99f64c111105b23ba085270152fe09b1ba531233b7ba9c

SHA512
10c47881c744b3ded43d1e8cd4e992a3e7eb49e18b14bc38efbd294d645eee59a4b75182720921a4b7350bd3ea5e894d65149ac7c4361fc987ba0b0577b05f6d

Download Submit
C:\Windows\system\gXZkyRh.exe
Filesize
5.9MB

MD5
ba291f15fa34edd8f46351c7dd0b6d29

SHA1
33fe2de349e2b1d4b43b53c25b8bf2f00b6a058b

SHA256
e1b9fcd53366d4e1d716e9ee35738ede5c5a88b8a0801b3f169aef3d475b1d89

SHA512
2b2ac6bb1485f7c830f39612052728bf51e9f376c5bd7ec549911f20264c81182c3cdc799f3f2c7423c1026995329678b58b2d107287a2cdc096a3c54956f7f9

Download Submit
C:\Windows\system\hQsULnN.exe
Filesize
5.9MB

MD5
b3f1ed1573c4da8ee182b66b34cbd422

SHA1
f3947cc71b8eec41860cd57452efbd255c0fa887

SHA256
6b836d086c64e2f4e42f6e46ea4cdd7fb7de5b760ba3c19a8e7a17ae7da5f763

SHA512
98ce0164f13c083223f454f4d3cc2d1204eeefdd94bd4d70214a5ddf8c07e7a87e5556f2eedf927bac4cba9330b525be2dfaa4b67648a8946136c8961c40748f

Download Submit
C:\Windows\system\iTXGfQm.exe
Filesize
5.9MB

MD5
faefa57c83b68ea609d516c7054cb25b

SHA1
f7c9ff94d91628458609bda9cad1fcba88f8a5bd

SHA256
b76ccc0dbb3babeaa98a8aa0763472e35200b3db105fd04102b1841cbc1ccbc3

SHA512
1f723c0e8d8aaa6c95f57d21233a5c5a98d83c73a91a339a97345136a317943498daa3993d0ad60a6c386aaff5e6578250cb84e6f3fa84ab71f9a2a7b542ddae

Download Submit
C:\Windows\system\oaakXom.exe
Filesize
5.9MB

MD5
7f08a22876db05639ca9f467f4b1fbc5

SHA1
6abb41b608415d390561d1b1179460d0e8e8f117

SHA256
16c3b798c08f8b02e2c6e7956fbcb8b2e3a1bcccf13a81829e9773d9f568284d

SHA512
a406b7384fff0b97d29de12080b996dc5ba3dd0025daeb999242fe3acdd15bb19198a059a76087e648a0fd4840f001629e3c0143ae366f7c71dc176fe927d40a

Download Submit
C:\Windows\system\pgdFZxk.exe
Filesize
5.9MB

MD5
555ff28bf7da3ae1488ece69e137fb14

SHA1
8af7a2715d9ff247ad3acf726be0ee01e4099b56

SHA256
2b13ba58b1cd88d6ef97d74862f9156c20f46ae14da391d259719c0bffd3297f

SHA512
1535affe3b002e3fb9a6f9eb2dabe80b1b5a8a8ab9abe8318a4537a7eb8f60c711e8161a7f2251871dff89ed55fb56661c8e4a302c37b6e19885bb8562e5b651

Download Submit
C:\Windows\system\qWGUNda.exe
Filesize
5.9MB

MD5
7873ddcd6f50f332a0fe0090738beb5a

SHA1
18d2efae95c049124c5377542a70b4214e3c2d9a

SHA256
fba41f34f3cf4a40100455f538c2c74799472f9e9ea95ddc6487435412e94877

SHA512
9d330a226a6546f71f711034f80e52e5337aa858a784fc8e4459a366c1d908b4494cba7288c9d94c9d5f9326a43758d239690ec6b510ac51cd4a80cf19f755c3

Download Submit
C:\Windows\system\wAeGgMS.exe
Filesize
5.9MB

MD5
2ad03d7c5b8908a7dec35c17ad11dc32

SHA1
ecb96f3ad8ca4b8dfe14f9d2432c10b02e313863

SHA256
165206adb88ae580074da500ac4c44dcaa0cc77b287cc37f5d426f0340e11b22

SHA512
d169c1fe40d1cd8754a9e6d171482bdffc80513c4f4e0fe3ec3ecb9fad860cf53298c12ff326f039634cff6f4ec4c04510dd3e9dcbf789491f1f57c0b23f17f3

Download Submit
C:\Windows\system\xAkiZXA.exe
Filesize
5.9MB

MD5
44e79d35874f80d1349b1f0f0cddbaef

SHA1
d8f32fd8ec478b5c3b40ac76b06e19c26d2afcee

SHA256
974199b67d5b8f164f37feceaec3b07a4f687babf86b87973139e707a91dabf9

SHA512
872f598605681e5800b8f131294c1cdb9d466bb2b194b85b5852960335b6b1fcd4da3dfea364bdb3903286576a862baf837b270a54cf379bcd7dc51572a8d4ae

Download Submit
C:\Windows\system\xCJFBzG.exe
Filesize
5.9MB

MD5
756b7280eb5b3217388c28418879333b

SHA1
54e049272b1b67a1979b75bc3869e185c3c15a8e

SHA256
2a3fe943f9614f9c55f3b2edf4639a7381d9cf3a453bf8a2b108b3ed5746ae8e

SHA512
1971252d101f55a5014f9eb39826689ed4dae1edc3513db686dda8514c1ce3f890b666482a9f4a7c68a1df079070bbf0b4b81d52ff11d6557507456455ef2b02

Download Submit
C:\Windows\system\xEoyJuc.exe
Filesize
5.9MB

MD5
79d8d3b75852e856feded904475a91ba

SHA1
d5dccb8bcc2627e7e339cc2821017be753823d45

SHA256
d1c63f8ec390a2c944192a86834c2febe22475bd1007d1fdd27ac4f8bd9358ce

SHA512
c51b36a05cf9848d11532f12acff1b52f456b406050988223b3b0b5f51f6eb1e154c740fbe9ca48aca88bc3074c5d76e79edb0d4503c8bf011cefe0607d1617a

Download Submit
\Windows\system\JFHAFrP.exe
Filesize
5.9MB

MD5
5dc45f1983a40145c31b4ffccc437c3c

SHA1
f5acbb6f26466342baa8626bc9b5f525a5ead664

SHA256
625a348cc547a385b853be1f4fb854a6f7b10f81b72dcbce9844d08dfbaea00e

SHA512
9d95c02c3f84f1a54a8f76c0eb7136d54428caeccbae45a52411a34212d74784f3890c2eb6a4d4e5201d0779c251b754ec1eff39bfe28ecaed2b7ca7f1316a0f

Download Submit
\Windows\system\YlZbtsE.exe
Filesize
5.9MB

MD5
570240bc8d7a9fe5763bf40419fc9ee0

SHA1
cc3304a0c1fb2cea4fca9a244d33f53973a38ec6

SHA256
b5629a1838fa15e2986be7542db1e565b73e6965176b40f06be627031486c7c7

SHA512
82fc894a73606ce921cfd109c92978122cc0ed1c9a633ef419031ed1192156b26558174934c6ea747700fee6ebb09bbb067f6ef805b550ef86bd5fbbce12bc4f

Download Submit
\Windows\system\bfGSnRv.exe
Filesize
5.9MB

MD5
c92ca80669d348cf783acafd40b509d9

SHA1
310d9d6c5b98211423af9cbd8f9b870e739e9255

SHA256
a43c3573bc75b97f61a0b2c10dfb14f81e3591b74f915f5681402df8d9ebbfd5

SHA512
5c4fbc191404979079733290344422dee78f1ce4086c7081e5ef34c00c9f8a4d13c740bdc51f3f6d61fd5f921a02af213f0f7e2ef41093ce7a4c0dd18425aba9

Download Submit
\Windows\system\yKKhqvV.exe
Filesize
5.9MB

MD5
aa1756b717328a0ecd4f3e5aa54b7de5

SHA1
b10e6ad127d16ac298908e79c160ed04fb993e43

SHA256
d6e7f77d0154fa673a563e8007dfa463c202a53a883b6009f8a430bee0e05964

SHA512
306c6b863baa8d8e56ddc1360d30fafa02afca0e33ae905540d6c484288c530ddd885b1cafb83bc9cb365272ae4ebc7edb43678f283cf44d3cead992bdf0bac6

Download Submit
memory/1640-130-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-123-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-118-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/1640-113-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/1640-109-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/1640-111-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-116-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-120-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1640-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1640-125-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/1640-133-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-131-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/1640-0-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1640-132-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1640-127-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/1992-145-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1992-121-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2112-122-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2112-138-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2168-136-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2168-108-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2252-141-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2252-107-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2540-129-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2540-140-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2576-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-128-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-142-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-110-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-119-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/2652-137-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/2664-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-112-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-117-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-144-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-139-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2692-126-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2724-114-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2724-143-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2884-146-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2884-124-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2916-115-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2916-135-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download