cobaltstrike | 43066b7f544a52df663693f265e6881bc8f5cafd7a7bea69bbc173bac4b695df

Resubmissions

11-06-2024 12:46

240611-pzqqwsxcna 10

11-06-2024 12:38

240611-pt2afaxeqj 10

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

673d8b4bc5c4ae22db5852a3b922a1f5
SHA1

867e4c7e622b0b5e243ee61e9f08e6c1a6d7d9f9
SHA256

43066b7f544a52df663693f265e6881bc8f5cafd7a7bea69bbc173bac4b695df
SHA512

08e3c65c427284c8b93f079b4370f3aa6983b6932d55c66b6e17767c8e6e7cc1bfd24a5453523fa10197a6070866d20abd8c322d0d0849fdaf61db8f76d41d25
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUj:Q+856utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\rfFTJVU.exe	cobalt_reflective_dll
C:\Windows\System\uonfHVl.exe	cobalt_reflective_dll
C:\Windows\System\FoOYJwx.exe	cobalt_reflective_dll
C:\Windows\System\joefGHJ.exe	cobalt_reflective_dll
C:\Windows\System\IwsSrYg.exe	cobalt_reflective_dll
C:\Windows\System\WyqHKmZ.exe	cobalt_reflective_dll
C:\Windows\System\XRuErRg.exe	cobalt_reflective_dll
C:\Windows\System\nFOtQMS.exe	cobalt_reflective_dll
C:\Windows\System\iEXhIRQ.exe	cobalt_reflective_dll
C:\Windows\System\bhwtRyH.exe	cobalt_reflective_dll
C:\Windows\System\BRoEWGo.exe	cobalt_reflective_dll
C:\Windows\System\WuddcLA.exe	cobalt_reflective_dll
C:\Windows\System\LWwDaVl.exe	cobalt_reflective_dll
C:\Windows\System\XRImhOb.exe	cobalt_reflective_dll
C:\Windows\System\tSlrvHa.exe	cobalt_reflective_dll
C:\Windows\System\mXgiWzj.exe	cobalt_reflective_dll
C:\Windows\System\efjfeYX.exe	cobalt_reflective_dll
C:\Windows\System\URCLAdu.exe	cobalt_reflective_dll
C:\Windows\System\KGcCAaP.exe	cobalt_reflective_dll
C:\Windows\System\rtYIAMK.exe	cobalt_reflective_dll
C:\Windows\System\DFyYHLM.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\rfFTJVU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uonfHVl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FoOYJwx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\joefGHJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IwsSrYg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WyqHKmZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XRuErRg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nFOtQMS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iEXhIRQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bhwtRyH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BRoEWGo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WuddcLA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LWwDaVl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XRImhOb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tSlrvHa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mXgiWzj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\efjfeYX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\URCLAdu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KGcCAaP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rtYIAMK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DFyYHLM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4352-0-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp	UPX
C:\Windows\System\rfFTJVU.exe	UPX
behavioral2/memory/1492-8-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	UPX
C:\Windows\System\uonfHVl.exe	UPX
C:\Windows\System\FoOYJwx.exe	UPX
behavioral2/memory/4520-14-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp	UPX
C:\Windows\System\joefGHJ.exe	UPX
behavioral2/memory/2956-26-0x00007FF77E630000-0x00007FF77E984000-memory.dmp	UPX
behavioral2/memory/544-22-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	UPX
C:\Windows\System\IwsSrYg.exe	UPX
behavioral2/memory/3716-32-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp	UPX
C:\Windows\System\WyqHKmZ.exe	UPX
behavioral2/memory/4676-43-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp	UPX
behavioral2/memory/4648-44-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp	UPX
C:\Windows\System\XRuErRg.exe	UPX
C:\Windows\System\nFOtQMS.exe	UPX
behavioral2/memory/808-50-0x00007FF676120000-0x00007FF676474000-memory.dmp	UPX
C:\Windows\System\iEXhIRQ.exe	UPX
behavioral2/memory/3092-54-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	UPX
C:\Windows\System\bhwtRyH.exe	UPX
behavioral2/memory/4352-62-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp	UPX
C:\Windows\System\BRoEWGo.exe	UPX
C:\Windows\System\WuddcLA.exe	UPX
behavioral2/memory/3224-79-0x00007FF701270000-0x00007FF7015C4000-memory.dmp	UPX
behavioral2/memory/4744-80-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	UPX
behavioral2/memory/324-77-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	UPX
behavioral2/memory/1492-75-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	UPX
C:\Windows\System\LWwDaVl.exe	UPX
behavioral2/memory/1560-64-0x00007FF63B420000-0x00007FF63B774000-memory.dmp	UPX
C:\Windows\System\XRImhOb.exe	UPX
behavioral2/memory/4028-88-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp	UPX
C:\Windows\System\tSlrvHa.exe	UPX
C:\Windows\System\mXgiWzj.exe	UPX
behavioral2/memory/2196-105-0x00007FF708020000-0x00007FF708374000-memory.dmp	UPX
C:\Windows\System\efjfeYX.exe	UPX
C:\Windows\System\URCLAdu.exe	UPX
behavioral2/memory/3564-106-0x00007FF793890000-0x00007FF793BE4000-memory.dmp	UPX
behavioral2/memory/3392-94-0x00007FF7345C0000-0x00007FF734914000-memory.dmp	UPX
C:\Windows\System\KGcCAaP.exe	UPX
behavioral2/memory/3492-114-0x00007FF70BCA0000-0x00007FF70BFF4000-memory.dmp	UPX
C:\Windows\System\rtYIAMK.exe	UPX
behavioral2/memory/5032-119-0x00007FF7CD350000-0x00007FF7CD6A4000-memory.dmp	UPX
behavioral2/memory/3092-124-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	UPX
C:\Windows\System\DFyYHLM.exe	UPX
behavioral2/memory/1724-130-0x00007FF73C420000-0x00007FF73C774000-memory.dmp	UPX
behavioral2/memory/2372-127-0x00007FF747550000-0x00007FF7478A4000-memory.dmp	UPX
behavioral2/memory/4744-131-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	UPX
behavioral2/memory/2196-132-0x00007FF708020000-0x00007FF708374000-memory.dmp	UPX
behavioral2/memory/3564-133-0x00007FF793890000-0x00007FF793BE4000-memory.dmp	UPX
behavioral2/memory/1724-134-0x00007FF73C420000-0x00007FF73C774000-memory.dmp	UPX
behavioral2/memory/1492-135-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	UPX
behavioral2/memory/4520-136-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp	UPX
behavioral2/memory/544-137-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	UPX
behavioral2/memory/2956-138-0x00007FF77E630000-0x00007FF77E984000-memory.dmp	UPX
behavioral2/memory/3716-139-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp	UPX
behavioral2/memory/4676-140-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp	UPX
behavioral2/memory/4648-141-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp	UPX
behavioral2/memory/3092-143-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	UPX
behavioral2/memory/808-142-0x00007FF676120000-0x00007FF676474000-memory.dmp	UPX
behavioral2/memory/1560-144-0x00007FF63B420000-0x00007FF63B774000-memory.dmp	UPX
behavioral2/memory/324-145-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	UPX
behavioral2/memory/3224-146-0x00007FF701270000-0x00007FF7015C4000-memory.dmp	UPX
behavioral2/memory/4744-147-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	UPX
behavioral2/memory/4028-148-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4352-0-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp	xmrig
C:\Windows\System\rfFTJVU.exe	xmrig
behavioral2/memory/1492-8-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	xmrig
C:\Windows\System\uonfHVl.exe	xmrig
C:\Windows\System\FoOYJwx.exe	xmrig
behavioral2/memory/4520-14-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp	xmrig
C:\Windows\System\joefGHJ.exe	xmrig
behavioral2/memory/2956-26-0x00007FF77E630000-0x00007FF77E984000-memory.dmp	xmrig
behavioral2/memory/544-22-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	xmrig
C:\Windows\System\IwsSrYg.exe	xmrig
behavioral2/memory/3716-32-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp	xmrig
C:\Windows\System\WyqHKmZ.exe	xmrig
behavioral2/memory/4676-43-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp	xmrig
behavioral2/memory/4648-44-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp	xmrig
C:\Windows\System\XRuErRg.exe	xmrig
C:\Windows\System\nFOtQMS.exe	xmrig
behavioral2/memory/808-50-0x00007FF676120000-0x00007FF676474000-memory.dmp	xmrig
C:\Windows\System\iEXhIRQ.exe	xmrig
behavioral2/memory/3092-54-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	xmrig
C:\Windows\System\bhwtRyH.exe	xmrig
behavioral2/memory/4352-62-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp	xmrig
C:\Windows\System\BRoEWGo.exe	xmrig
C:\Windows\System\WuddcLA.exe	xmrig
behavioral2/memory/3224-79-0x00007FF701270000-0x00007FF7015C4000-memory.dmp	xmrig
behavioral2/memory/4744-80-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	xmrig
behavioral2/memory/324-77-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	xmrig
behavioral2/memory/1492-75-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	xmrig
C:\Windows\System\LWwDaVl.exe	xmrig
behavioral2/memory/1560-64-0x00007FF63B420000-0x00007FF63B774000-memory.dmp	xmrig
C:\Windows\System\XRImhOb.exe	xmrig
behavioral2/memory/4028-88-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp	xmrig
C:\Windows\System\tSlrvHa.exe	xmrig
C:\Windows\System\mXgiWzj.exe	xmrig
behavioral2/memory/2196-105-0x00007FF708020000-0x00007FF708374000-memory.dmp	xmrig
C:\Windows\System\efjfeYX.exe	xmrig
C:\Windows\System\URCLAdu.exe	xmrig
behavioral2/memory/3564-106-0x00007FF793890000-0x00007FF793BE4000-memory.dmp	xmrig
behavioral2/memory/3392-94-0x00007FF7345C0000-0x00007FF734914000-memory.dmp	xmrig
C:\Windows\System\KGcCAaP.exe	xmrig
behavioral2/memory/3492-114-0x00007FF70BCA0000-0x00007FF70BFF4000-memory.dmp	xmrig
C:\Windows\System\rtYIAMK.exe	xmrig
behavioral2/memory/5032-119-0x00007FF7CD350000-0x00007FF7CD6A4000-memory.dmp	xmrig
behavioral2/memory/3092-124-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	xmrig
C:\Windows\System\DFyYHLM.exe	xmrig
behavioral2/memory/1724-130-0x00007FF73C420000-0x00007FF73C774000-memory.dmp	xmrig
behavioral2/memory/2372-127-0x00007FF747550000-0x00007FF7478A4000-memory.dmp	xmrig
behavioral2/memory/4744-131-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	xmrig
behavioral2/memory/2196-132-0x00007FF708020000-0x00007FF708374000-memory.dmp	xmrig
behavioral2/memory/3564-133-0x00007FF793890000-0x00007FF793BE4000-memory.dmp	xmrig
behavioral2/memory/1724-134-0x00007FF73C420000-0x00007FF73C774000-memory.dmp	xmrig
behavioral2/memory/1492-135-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	xmrig
behavioral2/memory/4520-136-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp	xmrig
behavioral2/memory/544-137-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	xmrig
behavioral2/memory/2956-138-0x00007FF77E630000-0x00007FF77E984000-memory.dmp	xmrig
behavioral2/memory/3716-139-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp	xmrig
behavioral2/memory/4676-140-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp	xmrig
behavioral2/memory/4648-141-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp	xmrig
behavioral2/memory/3092-143-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	xmrig
behavioral2/memory/808-142-0x00007FF676120000-0x00007FF676474000-memory.dmp	xmrig
behavioral2/memory/1560-144-0x00007FF63B420000-0x00007FF63B774000-memory.dmp	xmrig
behavioral2/memory/324-145-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	xmrig
behavioral2/memory/3224-146-0x00007FF701270000-0x00007FF7015C4000-memory.dmp	xmrig
behavioral2/memory/4744-147-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	xmrig
behavioral2/memory/4028-148-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

rfFTJVU.exeuonfHVl.exeFoOYJwx.exejoefGHJ.exeIwsSrYg.exeXRuErRg.exeWyqHKmZ.exenFOtQMS.exeiEXhIRQ.exebhwtRyH.exeBRoEWGo.exeLWwDaVl.exeWuddcLA.exeXRImhOb.exetSlrvHa.exemXgiWzj.exeefjfeYX.exeURCLAdu.exeKGcCAaP.exertYIAMK.exeDFyYHLM.exe

pid	process
1492	rfFTJVU.exe
4520	uonfHVl.exe
544	FoOYJwx.exe
2956	joefGHJ.exe
3716	IwsSrYg.exe
4676	XRuErRg.exe
4648	WyqHKmZ.exe
808	nFOtQMS.exe
3092	iEXhIRQ.exe
1560	bhwtRyH.exe
324	BRoEWGo.exe
3224	LWwDaVl.exe
4744	WuddcLA.exe
4028	XRImhOb.exe
3392	tSlrvHa.exe
2196	mXgiWzj.exe
3564	efjfeYX.exe
3492	URCLAdu.exe
5032	KGcCAaP.exe
2372	rtYIAMK.exe
1724	DFyYHLM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4352-0-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp	upx
C:\Windows\System\rfFTJVU.exe	upx
behavioral2/memory/1492-8-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	upx
C:\Windows\System\uonfHVl.exe	upx
C:\Windows\System\FoOYJwx.exe	upx
behavioral2/memory/4520-14-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp	upx
C:\Windows\System\joefGHJ.exe	upx
behavioral2/memory/2956-26-0x00007FF77E630000-0x00007FF77E984000-memory.dmp	upx
behavioral2/memory/544-22-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	upx
C:\Windows\System\IwsSrYg.exe	upx
behavioral2/memory/3716-32-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp	upx
C:\Windows\System\WyqHKmZ.exe	upx
behavioral2/memory/4676-43-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp	upx
behavioral2/memory/4648-44-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp	upx
C:\Windows\System\XRuErRg.exe	upx
C:\Windows\System\nFOtQMS.exe	upx
behavioral2/memory/808-50-0x00007FF676120000-0x00007FF676474000-memory.dmp	upx
C:\Windows\System\iEXhIRQ.exe	upx
behavioral2/memory/3092-54-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	upx
C:\Windows\System\bhwtRyH.exe	upx
behavioral2/memory/4352-62-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp	upx
C:\Windows\System\BRoEWGo.exe	upx
C:\Windows\System\WuddcLA.exe	upx
behavioral2/memory/3224-79-0x00007FF701270000-0x00007FF7015C4000-memory.dmp	upx
behavioral2/memory/4744-80-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	upx
behavioral2/memory/324-77-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	upx
behavioral2/memory/1492-75-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	upx
C:\Windows\System\LWwDaVl.exe	upx
behavioral2/memory/1560-64-0x00007FF63B420000-0x00007FF63B774000-memory.dmp	upx
C:\Windows\System\XRImhOb.exe	upx
behavioral2/memory/4028-88-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp	upx
C:\Windows\System\tSlrvHa.exe	upx
C:\Windows\System\mXgiWzj.exe	upx
behavioral2/memory/2196-105-0x00007FF708020000-0x00007FF708374000-memory.dmp	upx
C:\Windows\System\efjfeYX.exe	upx
C:\Windows\System\URCLAdu.exe	upx
behavioral2/memory/3564-106-0x00007FF793890000-0x00007FF793BE4000-memory.dmp	upx
behavioral2/memory/3392-94-0x00007FF7345C0000-0x00007FF734914000-memory.dmp	upx
C:\Windows\System\KGcCAaP.exe	upx
behavioral2/memory/3492-114-0x00007FF70BCA0000-0x00007FF70BFF4000-memory.dmp	upx
C:\Windows\System\rtYIAMK.exe	upx
behavioral2/memory/5032-119-0x00007FF7CD350000-0x00007FF7CD6A4000-memory.dmp	upx
behavioral2/memory/3092-124-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	upx
C:\Windows\System\DFyYHLM.exe	upx
behavioral2/memory/1724-130-0x00007FF73C420000-0x00007FF73C774000-memory.dmp	upx
behavioral2/memory/2372-127-0x00007FF747550000-0x00007FF7478A4000-memory.dmp	upx
behavioral2/memory/4744-131-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	upx
behavioral2/memory/2196-132-0x00007FF708020000-0x00007FF708374000-memory.dmp	upx
behavioral2/memory/3564-133-0x00007FF793890000-0x00007FF793BE4000-memory.dmp	upx
behavioral2/memory/1724-134-0x00007FF73C420000-0x00007FF73C774000-memory.dmp	upx
behavioral2/memory/1492-135-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp	upx
behavioral2/memory/4520-136-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp	upx
behavioral2/memory/544-137-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	upx
behavioral2/memory/2956-138-0x00007FF77E630000-0x00007FF77E984000-memory.dmp	upx
behavioral2/memory/3716-139-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp	upx
behavioral2/memory/4676-140-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp	upx
behavioral2/memory/4648-141-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp	upx
behavioral2/memory/3092-143-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp	upx
behavioral2/memory/808-142-0x00007FF676120000-0x00007FF676474000-memory.dmp	upx
behavioral2/memory/1560-144-0x00007FF63B420000-0x00007FF63B774000-memory.dmp	upx
behavioral2/memory/324-145-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	upx
behavioral2/memory/3224-146-0x00007FF701270000-0x00007FF7015C4000-memory.dmp	upx
behavioral2/memory/4744-147-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp	upx
behavioral2/memory/4028-148-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\FoOYJwx.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IwsSrYg.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WyqHKmZ.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XRImhOb.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mXgiWzj.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KGcCAaP.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DFyYHLM.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uonfHVl.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\URCLAdu.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LWwDaVl.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WuddcLA.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tSlrvHa.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\efjfeYX.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XRuErRg.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\joefGHJ.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nFOtQMS.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iEXhIRQ.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bhwtRyH.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BRoEWGo.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rtYIAMK.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rfFTJVU.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4352 wrote to memory of 1492	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	rfFTJVU.exe
PID 4352 wrote to memory of 1492	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	rfFTJVU.exe
PID 4352 wrote to memory of 4520	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	uonfHVl.exe
PID 4352 wrote to memory of 4520	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	uonfHVl.exe
PID 4352 wrote to memory of 544	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	FoOYJwx.exe
PID 4352 wrote to memory of 544	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	FoOYJwx.exe
PID 4352 wrote to memory of 2956	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	joefGHJ.exe
PID 4352 wrote to memory of 2956	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	joefGHJ.exe
PID 4352 wrote to memory of 3716	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	IwsSrYg.exe
PID 4352 wrote to memory of 3716	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	IwsSrYg.exe
PID 4352 wrote to memory of 4676	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XRuErRg.exe
PID 4352 wrote to memory of 4676	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XRuErRg.exe
PID 4352 wrote to memory of 4648	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	WyqHKmZ.exe
PID 4352 wrote to memory of 4648	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	WyqHKmZ.exe
PID 4352 wrote to memory of 808	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	nFOtQMS.exe
PID 4352 wrote to memory of 808	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	nFOtQMS.exe
PID 4352 wrote to memory of 3092	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	iEXhIRQ.exe
PID 4352 wrote to memory of 3092	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	iEXhIRQ.exe
PID 4352 wrote to memory of 1560	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	bhwtRyH.exe
PID 4352 wrote to memory of 1560	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	bhwtRyH.exe
PID 4352 wrote to memory of 324	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	BRoEWGo.exe
PID 4352 wrote to memory of 324	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	BRoEWGo.exe
PID 4352 wrote to memory of 3224	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	LWwDaVl.exe
PID 4352 wrote to memory of 3224	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	LWwDaVl.exe
PID 4352 wrote to memory of 4744	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	WuddcLA.exe
PID 4352 wrote to memory of 4744	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	WuddcLA.exe
PID 4352 wrote to memory of 4028	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XRImhOb.exe
PID 4352 wrote to memory of 4028	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XRImhOb.exe
PID 4352 wrote to memory of 3392	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	tSlrvHa.exe
PID 4352 wrote to memory of 3392	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	tSlrvHa.exe
PID 4352 wrote to memory of 2196	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	mXgiWzj.exe
PID 4352 wrote to memory of 2196	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	mXgiWzj.exe
PID 4352 wrote to memory of 3564	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	efjfeYX.exe
PID 4352 wrote to memory of 3564	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	efjfeYX.exe
PID 4352 wrote to memory of 3492	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	URCLAdu.exe
PID 4352 wrote to memory of 3492	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	URCLAdu.exe
PID 4352 wrote to memory of 5032	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	KGcCAaP.exe
PID 4352 wrote to memory of 5032	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	KGcCAaP.exe
PID 4352 wrote to memory of 2372	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	rtYIAMK.exe
PID 4352 wrote to memory of 2372	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	rtYIAMK.exe
PID 4352 wrote to memory of 1724	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	DFyYHLM.exe
PID 4352 wrote to memory of 1724	4352	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	DFyYHLM.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\System\rfFTJVU.exe
C:\Windows\System\rfFTJVU.exe
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\System\uonfHVl.exe
C:\Windows\System\uonfHVl.exe
2⤵
- Executes dropped EXE
PID:4520

C:\Windows\System\FoOYJwx.exe
C:\Windows\System\FoOYJwx.exe
2⤵
- Executes dropped EXE
PID:544

C:\Windows\System\joefGHJ.exe
C:\Windows\System\joefGHJ.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\IwsSrYg.exe
C:\Windows\System\IwsSrYg.exe
2⤵
- Executes dropped EXE
PID:3716

C:\Windows\System\XRuErRg.exe
C:\Windows\System\XRuErRg.exe
2⤵
- Executes dropped EXE
PID:4676

C:\Windows\System\WyqHKmZ.exe
C:\Windows\System\WyqHKmZ.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\nFOtQMS.exe
C:\Windows\System\nFOtQMS.exe
2⤵
- Executes dropped EXE
PID:808

C:\Windows\System\iEXhIRQ.exe
C:\Windows\System\iEXhIRQ.exe
2⤵
- Executes dropped EXE
PID:3092

C:\Windows\System\bhwtRyH.exe
C:\Windows\System\bhwtRyH.exe
2⤵
- Executes dropped EXE
PID:1560

C:\Windows\System\BRoEWGo.exe
C:\Windows\System\BRoEWGo.exe
2⤵
- Executes dropped EXE
PID:324

C:\Windows\System\LWwDaVl.exe
C:\Windows\System\LWwDaVl.exe
2⤵
- Executes dropped EXE
PID:3224

C:\Windows\System\WuddcLA.exe
C:\Windows\System\WuddcLA.exe
2⤵
- Executes dropped EXE
PID:4744

C:\Windows\System\XRImhOb.exe
C:\Windows\System\XRImhOb.exe
2⤵
- Executes dropped EXE
PID:4028

C:\Windows\System\tSlrvHa.exe
C:\Windows\System\tSlrvHa.exe
2⤵
- Executes dropped EXE
PID:3392

C:\Windows\System\mXgiWzj.exe
C:\Windows\System\mXgiWzj.exe
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\System\efjfeYX.exe
C:\Windows\System\efjfeYX.exe
2⤵
- Executes dropped EXE
PID:3564

C:\Windows\System\URCLAdu.exe
C:\Windows\System\URCLAdu.exe
2⤵
- Executes dropped EXE
PID:3492

C:\Windows\System\KGcCAaP.exe
C:\Windows\System\KGcCAaP.exe
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\System\rtYIAMK.exe
C:\Windows\System\rtYIAMK.exe
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\System\DFyYHLM.exe
C:\Windows\System\DFyYHLM.exe
2⤵
- Executes dropped EXE
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BRoEWGo.exe
Filesize
5.9MB

MD5
5defc89c837c8ecfa40047e9e4ba991c

SHA1
2cf51484a9f041e67c3cf5edfddea4eeaf07b4b2

SHA256
cab5433a7aa9488b5ef06c1c28e5d8dd6f2ca801a2185b8a5d087cbed8b3b70c

SHA512
0fe0c7dc963a6ffcac1948aa55b89456d16ad72af31cba475937612dc08a43bc2f7aa5f9227453ced753d2f742ba104a28d131714a76a980bc1f6d3053eb54fc

Download Submit
C:\Windows\System\DFyYHLM.exe
Filesize
5.9MB

MD5
7da4567e816f0c3d450e730dfc88f1bd

SHA1
0a3e40f4900f83dab2a52b70f08e9444ee4128b5

SHA256
19ee3667e2973024ad6ab80979d94256bc9bc7d7b3635515867bc1883d292c62

SHA512
d556827c470b617543dcbc4cc87039599c84efe1b4a4d2319927d9778a1d87f76b8e86d963b607f1350d6a1a1a67a73df1b548dd6ba125a61c463df7047a24f9

Download Submit
C:\Windows\System\FoOYJwx.exe
Filesize
5.9MB

MD5
47038c17802787e52748c7e1d1e53e75

SHA1
0967cd007fbbbe0cc9c5027ff994ae1d464add97

SHA256
2f8b380a2d5a4eadf4ce26b741e6825875d3c19a822e06163dd221c5d6e708e4

SHA512
a3beafd9784e223997ddda94eb4f2fcfc30361d14986172aa3ca49134d1a3ca19895369b6a7b5a010432b3d29739dae59797a4df42e776ab78c11e9b6573b97f

Download Submit
C:\Windows\System\IwsSrYg.exe
Filesize
5.9MB

MD5
2470f8bb6dd710bf16ea3797ece674eb

SHA1
8e559368ed6f1560d5abbc31d19794e436ee9586

SHA256
5b9bfa80dbaacdaf1d99b3f83ed6e41dfee8688b4a2eab02c311198266bf442d

SHA512
cc8c94038b34e34cc6a23cb86bbfa0195dfbc4bad76a0e7ca769cd4ffe2e24d4d29cbe014eb7eb1267870d2c157e9c17c8ee5fc24b5222e0ff5f9d5504a0c932

Download Submit
C:\Windows\System\KGcCAaP.exe
Filesize
5.9MB

MD5
177fe385553b9b8c3a7eaa07273aae95

SHA1
1b09e5b4f9a5d75c107dad1b0fd9fbd6e2e8c5b1

SHA256
8276a28efafe0e28e3778e1310411cad54ff149036a67dbeb9019d9fd7ab4db1

SHA512
9cc1a9089f4e3237eff555a28e242da25e6584750e190fdebb4e914c93a0528d36286a3f8306ff137c63349ac5edd1454d13afaaee4c5aa56bce458413898677

Download Submit
C:\Windows\System\LWwDaVl.exe
Filesize
5.9MB

MD5
c341bd24e3073fd103e0f85de02aac10

SHA1
09c77c0770a42f73b2e0356ecb071dadc8fc6cf6

SHA256
ee4b9f94e4d7220687cc6235987d3fe97b04947a345ecf31ea39589bb4c10d18

SHA512
bd2865c6068bd74a465741555dbc9104f7303f92e9dbc99dd77890b63374b041019e748998b46dd91fe4709a7511aba90e2f0a96036b139a1a0e478650f14d3a

Download Submit
C:\Windows\System\URCLAdu.exe
Filesize
5.9MB

MD5
69fff7c3a79eb5a955c09e9fb7a4261b

SHA1
84d5ebf19686546a859ee3e87b49afd5d9d86c22

SHA256
b1e6278649a533b8ef2198196313f22eb3b307828e9d826cc9cd502f3ce51ef7

SHA512
cac5b2108c2dc43f711c9370bb9418eb295a699105333f79d603a85c3fc11944dd3614a67e182326948f2852348e3598d08aa1be10c4a1d49f83292b0e26e43f

Download Submit
C:\Windows\System\WuddcLA.exe
Filesize
5.9MB

MD5
dc9dba19cb551b6e3bbda5748af3f87a

SHA1
b8a23e7e657d08635483bbd1e1849e7b6e7f2481

SHA256
9e77d176a7a8742adc5b2723f998fbbef50b2bcd40148bb6dd7c0fb5b73107d8

SHA512
4a85c86435730970c7bc26c1f2cf3a150589d57e73add2bd74f64619e355b65f02e007fb6c177f89212047b2e555ae4dfbe4df14220fb04c4f0902fb0d0fc624

Download Submit
C:\Windows\System\WyqHKmZ.exe
Filesize
5.9MB

MD5
2f7e550f1bb529f03f2f721960dc48ce

SHA1
de3001b483682af15b47944909f5376a22ce6f88

SHA256
eae3deaa4d1483b17f8252424238e7940922818962fe579ae5af20e07f98f704

SHA512
b060d48d5171719fdc58a3396b219937f96cd72ce3920f3f1410df5ea8e2473179c0a07cde751e38ef05abc71bd11af3468bdd1a0d8c13abe0c24eaec8c957c1

Download Submit
C:\Windows\System\XRImhOb.exe
Filesize
5.9MB

MD5
df963e0034ff99d86bd96f8f01139e0a

SHA1
1451a0a61a4f008264bf6f0ba32ffe601960418a

SHA256
e0e3d805b1900f8ddfde51cfd21a016670fa9875eb7a1e07e5ce0dfb6d38bab6

SHA512
392833ba1a0b49e068a3991ff10170668edaaaa45dd6918b92b814846e7db5101c544ba3235b447f7da37c04a08788221c579e579b7dcd82ca7190f412c013d4

Download Submit
C:\Windows\System\XRuErRg.exe
Filesize
5.9MB

MD5
48a96244ab8b90784b5ce8e20339920d

SHA1
30039da8c49389deb5d8e6d777c7b8fc69f28fa4

SHA256
f93c5226dff407dbb9dfb5aa77b772e6eaf19765bf6ea4ffb76f05be69318709

SHA512
1b39f8763b466a38a1fea73d7cc1a77d7b9551830c401418f4c189817e4b02b5317d18d24aebdad16262d504d55a18efe16a23130a562f3ad90715063aeadd2f

Download Submit
C:\Windows\System\bhwtRyH.exe
Filesize
5.9MB

MD5
15a85f22055d6a5c4bc10a677656ce7e

SHA1
6017323dff95a4a2d37024e5fef521843c4e4cb8

SHA256
cd2e46f3c23146dc586490ad991345b4eb4aa3d7f303b0afd42dae00f4043dc1

SHA512
98b65ca898d8b418572a2f9ddd3506c473abec33b89fea739a1230ac79e50d2ba761b2c53b2e2f44916d9b6fa6bbc0b1106e53175abfb1312f821794781e0c65

Download Submit
C:\Windows\System\efjfeYX.exe
Filesize
5.9MB

MD5
c290096be14b7938e4bcde72cd651e23

SHA1
dc077ba0438f1afebe685a616cc2ebbae7f4b9f1

SHA256
61183a35011f6fc127b823d81f9a96882185ebb2faaeb8167c561960d547e132

SHA512
8134f8b8878c85b27a5f6ac539dcf678ccba155bb71cfe89c2007ac222bda00e91dce5aa912d91f319cb70e9ce967a89d79a177303b8c72b501b88ce95e85e3b

Download Submit
C:\Windows\System\iEXhIRQ.exe
Filesize
5.9MB

MD5
2ad850fea8ff3c9519bebbd0f6a8c703

SHA1
f97b71fe1cdc7bf520f1e4f315382821027893fc

SHA256
5c16754a0b70bfc4c709cc550a6c352f62ebc827838db8bc6a9d61ac098108b3

SHA512
ff15afec9394d5b52d4adf2a5c2e27fb558765c657989eade1fe53dcaffcc193150170647e17148445ca1e79c7f976160c0c33e82c96554d6823d2167724f2b9

Download Submit
C:\Windows\System\joefGHJ.exe
Filesize
5.9MB

MD5
3a050b2b66492744ce12f01ca09e0437

SHA1
3e8bbc6057f87a7a93803434a5de1002e3e37ab1

SHA256
9029724521579cda25a910db09efeeb3db989a88ed241704d4cc77abe0d50482

SHA512
33d61e034fadb5074862720c7ec4ab44c57236fba8081ac23becc29eb56f71a5513b2bd50a8a89985c99fc42c848b268e381855ed2991b9a2afb12e548b7954d

Download Submit
C:\Windows\System\mXgiWzj.exe
Filesize
5.9MB

MD5
aee7802d4c98ed0cbc8383c329acb782

SHA1
ad1c25b4a03484d60430af19f8ce99b3a13eb498

SHA256
62123f1d62374b9dd8bbe0c55dcb7590688347c616ac13bcad447a1da27643fa

SHA512
57dead9cc7f963d4188c2e242158d8d47e1afbca4ff28a3d9ff17e70a45aaa852886adae1e6688642b103a592eb2a0154148943962b0981f381692c8a3a79df5

Download Submit
C:\Windows\System\nFOtQMS.exe
Filesize
5.9MB

MD5
206e9dae120b1c2c5c5670dada5f13f4

SHA1
57a007c7a7aeaf4712a572e4f4959a1c63752fd2

SHA256
f6e3624de13b1a0bb3f6234cf0d4356b66cff84d1f0bb724acdccc0dfe2dce17

SHA512
2e609be3e849d9ba60be95d94d3c69bfe32c3b2a14b48eaa081c1fd75eeb58cde678d401d5dd9ea18b81870170307bf3f240874cb5371741208ce31b87148ff1

Download Submit
C:\Windows\System\rfFTJVU.exe
Filesize
5.9MB

MD5
9f87cc4730b344ee0a5a0baf3819e3b5

SHA1
6ea3cefd6d695667bbafdd875dcb1f6d337cef5e

SHA256
91b654f5bdf4f876c1bb93ea2c1c91fc08c579bdf8355eabaead88a7ad956da4

SHA512
024a1a27f45447a636a405cce15d004dbb648c37ba5aaff320eb942f48d8cc9815f79cdb7ff0547261de907ada2918eff48685cb34934f988a10dcf2b5c3a132

Download Submit
C:\Windows\System\rtYIAMK.exe
Filesize
5.9MB

MD5
7c911f7a09ae6469a7089606fd4e9c42

SHA1
0d1100148fe7c114358ffae499ffddf5808d383f

SHA256
c8120b8c45875f6f4103de7dd19decc53637617db0b4686e122247f67d0581d7

SHA512
acddfe8d992bb7337ec2bb3884194fe1f70d4b673b44c6e0fdf5f9c7fc3b3a55775e6dbb5c52a5b3d914a1a29f199bf2728077fb0786df3bea9a4a3ec5d1cfab

Download Submit
C:\Windows\System\tSlrvHa.exe
Filesize
5.9MB

MD5
6fc5a4046d2f9e3bb2025a84f3b1355a

SHA1
47539b5ad33bba3c4764d3eee79096d5e72a14ba

SHA256
188084104de0d0953c9dba0827da1f6c704379f664a758bc00fb1857b3c21bfb

SHA512
60534643fae195784df4eec28801538e15a0a36d9d1e7a64bca37ea239a44e28bb223081d6e9c01cc9c1907889559f260913c54c757265d37df501614a35b241

Download Submit
C:\Windows\System\uonfHVl.exe
Filesize
5.9MB

MD5
5bb55459adfe47c53454033beed6d9c5

SHA1
b560679fdd4e1917b00786fc06ef26e01487d6cd

SHA256
c0bf27037df18fc94b4fef1b11f3232a9b0389f0f277fba00301d8aed21b2262

SHA512
dbbe6d568f48ed352aff12877b557dae3e6fcc68e81da2e63bb118063fefd049207593476272f50108f6a18b4fdb67b7fa163a152efaa61930b2ef1724ac637e

Download Submit
memory/324-77-0x00007FF60D100000-0x00007FF60D454000-memory.dmp

Filesize
3.3MB

Download
memory/324-145-0x00007FF60D100000-0x00007FF60D454000-memory.dmp

Filesize
3.3MB

Download
memory/544-22-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp

Filesize
3.3MB

Download
memory/544-137-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp

Filesize
3.3MB

Download
memory/808-50-0x00007FF676120000-0x00007FF676474000-memory.dmp

Filesize
3.3MB

Download
memory/808-142-0x00007FF676120000-0x00007FF676474000-memory.dmp

Filesize
3.3MB

Download
memory/1492-75-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp

Filesize
3.3MB

Download
memory/1492-8-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp

Filesize
3.3MB

Download
memory/1492-135-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp

Filesize
3.3MB

Download
memory/1560-64-0x00007FF63B420000-0x00007FF63B774000-memory.dmp

Filesize
3.3MB

Download
memory/1560-144-0x00007FF63B420000-0x00007FF63B774000-memory.dmp

Filesize
3.3MB

Download
memory/1724-130-0x00007FF73C420000-0x00007FF73C774000-memory.dmp

Filesize
3.3MB

Download
memory/1724-155-0x00007FF73C420000-0x00007FF73C774000-memory.dmp

Filesize
3.3MB

Download
memory/1724-134-0x00007FF73C420000-0x00007FF73C774000-memory.dmp

Filesize
3.3MB

Download
memory/2196-132-0x00007FF708020000-0x00007FF708374000-memory.dmp

Filesize
3.3MB

Download
memory/2196-150-0x00007FF708020000-0x00007FF708374000-memory.dmp

Filesize
3.3MB

Download
memory/2196-105-0x00007FF708020000-0x00007FF708374000-memory.dmp

Filesize
3.3MB

Download
memory/2372-154-0x00007FF747550000-0x00007FF7478A4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-127-0x00007FF747550000-0x00007FF7478A4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-138-0x00007FF77E630000-0x00007FF77E984000-memory.dmp

Filesize
3.3MB

Download
memory/2956-26-0x00007FF77E630000-0x00007FF77E984000-memory.dmp

Filesize
3.3MB

Download
memory/3092-143-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-54-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-124-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp

Filesize
3.3MB

Download
memory/3224-79-0x00007FF701270000-0x00007FF7015C4000-memory.dmp

Filesize
3.3MB

Download
memory/3224-146-0x00007FF701270000-0x00007FF7015C4000-memory.dmp

Filesize
3.3MB

Download
memory/3392-94-0x00007FF7345C0000-0x00007FF734914000-memory.dmp

Filesize
3.3MB

Download
memory/3392-149-0x00007FF7345C0000-0x00007FF734914000-memory.dmp

Filesize
3.3MB

Download
memory/3492-152-0x00007FF70BCA0000-0x00007FF70BFF4000-memory.dmp

Filesize
3.3MB

Download
memory/3492-114-0x00007FF70BCA0000-0x00007FF70BFF4000-memory.dmp

Filesize
3.3MB

Download
memory/3564-151-0x00007FF793890000-0x00007FF793BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3564-133-0x00007FF793890000-0x00007FF793BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3564-106-0x00007FF793890000-0x00007FF793BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3716-32-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp

Filesize
3.3MB

Download
memory/3716-139-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp

Filesize
3.3MB

Download
memory/4028-88-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp

Filesize
3.3MB

Download
memory/4028-148-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp

Filesize
3.3MB

Download
memory/4352-0-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp

Filesize
3.3MB

Download
memory/4352-62-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp

Filesize
3.3MB

Download
memory/4352-1-0x0000018F02920000-0x0000018F02930000-memory.dmp

Filesize
64KB

Download
memory/4520-14-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp

Filesize
3.3MB

Download
memory/4520-136-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp

Filesize
3.3MB

Download
memory/4648-44-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-141-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4676-140-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4676-43-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-147-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-80-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-131-0x00007FF7B8A50000-0x00007FF7B8DA4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-153-0x00007FF7CD350000-0x00007FF7CD6A4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-119-0x00007FF7CD350000-0x00007FF7CD6A4000-memory.dmp

Filesize
3.3MB

Download