cobaltstrike | 12077eca290b6e284194c5b14d6ae2ba686ca37cca4941f45a7eb9376ebfbc8b

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 23:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

f2652cb8ef0d92e8022ddc8d40386e0e
SHA1

241c8d78811d0e047c3e8b3af197cea6a3f247e9
SHA256

12077eca290b6e284194c5b14d6ae2ba686ca37cca4941f45a7eb9376ebfbc8b
SHA512

e8f38fb395866879797783843bf89a1c372d45f99ccf2b20b572f95a3e17e369b7ae2564cf529321ed065fff43c507073d14279670f25e3c5bd4f9234e42d3fb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 14 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023200-4.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000023219-15.dat	cobalt_reflective_dll
behavioral2/files/0x000600000002321d-32.dat	cobalt_reflective_dll
behavioral2/files/0x000600000002321b-27.dat	cobalt_reflective_dll
behavioral2/files/0x000600000002321a-10.dat	cobalt_reflective_dll
behavioral2/files/0x000600000002321e-40.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000023226-99.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001db40-114.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000023228-110.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db39-104.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000023227-102.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000023224-88.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000023222-69.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000023220-63.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 14 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023200-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000023219-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000600000002321d-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000600000002321b-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000600000002321a-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000600000002321e-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000023226-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000600000001db40-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000023228-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000400000001db39-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000023227-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000023224-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000023222-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000023220-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1092-0-0x00007FF610690000-0x00007FF6109E1000-memory.dmp	UPX
behavioral2/files/0x000c000000023200-4.dat	UPX
behavioral2/files/0x000c000000023200-6.dat	UPX
behavioral2/memory/4264-8-0x00007FF630FC0000-0x00007FF631311000-memory.dmp	UPX
behavioral2/memory/2352-13-0x00007FF6CFA40000-0x00007FF6CFD91000-memory.dmp	UPX
behavioral2/files/0x0006000000023219-15.dat	UPX
behavioral2/files/0x000600000002321b-23.dat	UPX
behavioral2/files/0x000600000002321d-32.dat	UPX
behavioral2/files/0x000600000002321c-31.dat	UPX
behavioral2/files/0x000600000002321c-28.dat	UPX
behavioral2/files/0x000600000002321b-27.dat	UPX
behavioral2/files/0x000600000002321a-17.dat	UPX
behavioral2/files/0x000600000002321a-16.dat	UPX
behavioral2/files/0x000600000002321a-10.dat	UPX
behavioral2/files/0x000600000002321e-40.dat	UPX
behavioral2/files/0x000600000002321f-51.dat	UPX
behavioral2/files/0x000600000002321f-54.dat	UPX
behavioral2/files/0x0006000000023221-60.dat	UPX
behavioral2/files/0x0006000000023223-77.dat	UPX
behavioral2/files/0x0006000000023224-85.dat	UPX
behavioral2/files/0x0006000000023226-94.dat	UPX
behavioral2/files/0x0006000000023226-99.dat	UPX
behavioral2/files/0x000400000001db3a-117.dat	UPX
behavioral2/files/0x000600000001db40-121.dat	UPX
behavioral2/memory/1116-127-0x00007FF613730000-0x00007FF613A81000-memory.dmp	UPX
behavioral2/memory/2096-123-0x00007FF717C10000-0x00007FF717F61000-memory.dmp	UPX
behavioral2/memory/4344-120-0x00007FF671060000-0x00007FF6713B1000-memory.dmp	UPX
behavioral2/files/0x000400000001db39-115.dat	UPX
behavioral2/files/0x000600000001db40-114.dat	UPX
behavioral2/files/0x000400000001db3a-112.dat	UPX
behavioral2/files/0x0006000000023228-110.dat	UPX
behavioral2/files/0x000400000001db39-104.dat	UPX
behavioral2/files/0x0006000000023227-102.dat	UPX
behavioral2/files/0x0006000000023227-96.dat	UPX
behavioral2/files/0x0006000000023224-88.dat	UPX
behavioral2/files/0x0006000000023225-86.dat	UPX
behavioral2/files/0x0006000000023225-84.dat	UPX
behavioral2/memory/1400-76-0x00007FF6E4EF0000-0x00007FF6E5241000-memory.dmp	UPX
behavioral2/files/0x0006000000023222-75.dat	UPX
behavioral2/files/0x0006000000023223-73.dat	UPX
behavioral2/memory/4624-71-0x00007FF631860000-0x00007FF631BB1000-memory.dmp	UPX
behavioral2/files/0x0006000000023222-69.dat	UPX
behavioral2/memory/4708-67-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp	UPX
behavioral2/files/0x0006000000023221-66.dat	UPX
behavioral2/files/0x0006000000023220-63.dat	UPX
behavioral2/memory/2160-62-0x00007FF731AB0000-0x00007FF731E01000-memory.dmp	UPX
behavioral2/memory/2632-59-0x00007FF686540000-0x00007FF686891000-memory.dmp	UPX
behavioral2/files/0x0006000000023220-57.dat	UPX
behavioral2/files/0x0008000000023210-53.dat	UPX
behavioral2/memory/2608-49-0x00007FF6C2C50000-0x00007FF6C2FA1000-memory.dmp	UPX
behavioral2/files/0x0008000000023210-48.dat	UPX
behavioral2/files/0x000600000002321e-44.dat	UPX
behavioral2/files/0x000600000002321d-38.dat	UPX
behavioral2/memory/4720-34-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp	UPX
behavioral2/files/0x0006000000023219-11.dat	UPX
behavioral2/memory/1092-128-0x00007FF610690000-0x00007FF6109E1000-memory.dmp	UPX
behavioral2/memory/4264-129-0x00007FF630FC0000-0x00007FF631311000-memory.dmp	UPX
behavioral2/memory/4720-135-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp	UPX
behavioral2/memory/2716-137-0x00007FF6B94B0000-0x00007FF6B9801000-memory.dmp	UPX
behavioral2/memory/2632-140-0x00007FF686540000-0x00007FF686891000-memory.dmp	UPX
behavioral2/memory/4624-141-0x00007FF631860000-0x00007FF631BB1000-memory.dmp	UPX
behavioral2/memory/1092-152-0x00007FF610690000-0x00007FF6109E1000-memory.dmp	UPX
behavioral2/memory/4264-206-0x00007FF630FC0000-0x00007FF631311000-memory.dmp	UPX
behavioral2/memory/4720-214-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4960-20-0x00007FF6A3910000-0x00007FF6A3C61000-memory.dmp	xmrig
behavioral2/memory/3344-113-0x00007FF78ABE0000-0x00007FF78AF31000-memory.dmp	xmrig
behavioral2/memory/1052-124-0x00007FF760A00000-0x00007FF760D51000-memory.dmp	xmrig
behavioral2/memory/2308-126-0x00007FF75FC30000-0x00007FF75FF81000-memory.dmp	xmrig
behavioral2/memory/1116-127-0x00007FF613730000-0x00007FF613A81000-memory.dmp	xmrig
behavioral2/memory/3484-125-0x00007FF74B150000-0x00007FF74B4A1000-memory.dmp	xmrig
behavioral2/memory/2096-123-0x00007FF717C10000-0x00007FF717F61000-memory.dmp	xmrig
behavioral2/memory/4344-120-0x00007FF671060000-0x00007FF6713B1000-memory.dmp	xmrig
behavioral2/memory/4084-108-0x00007FF679990000-0x00007FF679CE1000-memory.dmp	xmrig
behavioral2/memory/1392-92-0x00007FF6EF440000-0x00007FF6EF791000-memory.dmp	xmrig
behavioral2/memory/4624-71-0x00007FF631860000-0x00007FF631BB1000-memory.dmp	xmrig
behavioral2/memory/4708-67-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp	xmrig
behavioral2/memory/2160-62-0x00007FF731AB0000-0x00007FF731E01000-memory.dmp	xmrig
behavioral2/memory/2608-49-0x00007FF6C2C50000-0x00007FF6C2FA1000-memory.dmp	xmrig
behavioral2/memory/1092-128-0x00007FF610690000-0x00007FF6109E1000-memory.dmp	xmrig
behavioral2/memory/4264-129-0x00007FF630FC0000-0x00007FF631311000-memory.dmp	xmrig
behavioral2/memory/1092-130-0x00007FF610690000-0x00007FF6109E1000-memory.dmp	xmrig
behavioral2/memory/4960-133-0x00007FF6A3910000-0x00007FF6A3C61000-memory.dmp	xmrig
behavioral2/memory/3764-134-0x00007FF7155E0000-0x00007FF715931000-memory.dmp	xmrig
behavioral2/memory/4720-135-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp	xmrig
behavioral2/memory/2352-132-0x00007FF6CFA40000-0x00007FF6CFD91000-memory.dmp	xmrig
behavioral2/memory/2716-137-0x00007FF6B94B0000-0x00007FF6B9801000-memory.dmp	xmrig
behavioral2/memory/2632-140-0x00007FF686540000-0x00007FF686891000-memory.dmp	xmrig
behavioral2/memory/1400-142-0x00007FF6E4EF0000-0x00007FF6E5241000-memory.dmp	xmrig
behavioral2/memory/1392-143-0x00007FF6EF440000-0x00007FF6EF791000-memory.dmp	xmrig
behavioral2/memory/4624-141-0x00007FF631860000-0x00007FF631BB1000-memory.dmp	xmrig
behavioral2/memory/1092-152-0x00007FF610690000-0x00007FF6109E1000-memory.dmp	xmrig
behavioral2/memory/4264-206-0x00007FF630FC0000-0x00007FF631311000-memory.dmp	xmrig
behavioral2/memory/4960-210-0x00007FF6A3910000-0x00007FF6A3C61000-memory.dmp	xmrig
behavioral2/memory/3764-212-0x00007FF7155E0000-0x00007FF715931000-memory.dmp	xmrig
behavioral2/memory/2608-216-0x00007FF6C2C50000-0x00007FF6C2FA1000-memory.dmp	xmrig
behavioral2/memory/4720-214-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp	xmrig
behavioral2/memory/2716-218-0x00007FF6B94B0000-0x00007FF6B9801000-memory.dmp	xmrig
behavioral2/memory/4708-222-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp	xmrig
behavioral2/memory/4624-226-0x00007FF631860000-0x00007FF631BB1000-memory.dmp	xmrig
behavioral2/memory/2632-224-0x00007FF686540000-0x00007FF686891000-memory.dmp	xmrig
behavioral2/memory/2160-221-0x00007FF731AB0000-0x00007FF731E01000-memory.dmp	xmrig
behavioral2/memory/3484-232-0x00007FF74B150000-0x00007FF74B4A1000-memory.dmp	xmrig
behavioral2/memory/4084-234-0x00007FF679990000-0x00007FF679CE1000-memory.dmp	xmrig
behavioral2/memory/1392-230-0x00007FF6EF440000-0x00007FF6EF791000-memory.dmp	xmrig
behavioral2/memory/1400-229-0x00007FF6E4EF0000-0x00007FF6E5241000-memory.dmp	xmrig
behavioral2/memory/3344-236-0x00007FF78ABE0000-0x00007FF78AF31000-memory.dmp	xmrig
behavioral2/memory/4344-238-0x00007FF671060000-0x00007FF6713B1000-memory.dmp	xmrig
behavioral2/memory/2308-240-0x00007FF75FC30000-0x00007FF75FF81000-memory.dmp	xmrig
behavioral2/memory/2096-242-0x00007FF717C10000-0x00007FF717F61000-memory.dmp	xmrig
behavioral2/memory/1116-246-0x00007FF613730000-0x00007FF613A81000-memory.dmp	xmrig
behavioral2/memory/1052-244-0x00007FF760A00000-0x00007FF760D51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4264	wGvTKNO.exe
2352	oMZkxYV.exe
4960	yavnekL.exe
3764	NzxFhxY.exe
4720	ZTKXwJz.exe
2608	hVaYPxt.exe
2716	fdvpxNo.exe
2160	ziFNtiO.exe
4708	HLnXCIJ.exe
2632	CEJyqLo.exe
4624	bTiFIcZ.exe
1400	CuspEcz.exe
1392	SjLxodM.exe
3484	KfBWqBv.exe
4084	MVCVPMg.exe
3344	lBCsYxm.exe
4344	EvxlrNB.exe
2308	qbJKSEJ.exe
2096	auZbZGk.exe
1052	bEQTesn.exe
1116	DVTdwJH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1092-0-0x00007FF610690000-0x00007FF6109E1000-memory.dmp	upx
behavioral2/files/0x000c000000023200-4.dat	upx
behavioral2/files/0x000c000000023200-6.dat	upx
behavioral2/memory/4264-8-0x00007FF630FC0000-0x00007FF631311000-memory.dmp	upx
behavioral2/memory/2352-13-0x00007FF6CFA40000-0x00007FF6CFD91000-memory.dmp	upx
behavioral2/files/0x0006000000023219-15.dat	upx
behavioral2/memory/4960-20-0x00007FF6A3910000-0x00007FF6A3C61000-memory.dmp	upx
behavioral2/files/0x000600000002321b-23.dat	upx
behavioral2/memory/3764-24-0x00007FF7155E0000-0x00007FF715931000-memory.dmp	upx
behavioral2/files/0x000600000002321d-32.dat	upx
behavioral2/files/0x000600000002321c-31.dat	upx
behavioral2/files/0x000600000002321c-28.dat	upx
behavioral2/files/0x000600000002321b-27.dat	upx
behavioral2/files/0x000600000002321a-17.dat	upx
behavioral2/files/0x000600000002321a-16.dat	upx
behavioral2/files/0x000600000002321a-10.dat	upx
behavioral2/files/0x000600000002321e-40.dat	upx
behavioral2/files/0x000600000002321f-51.dat	upx
behavioral2/files/0x000600000002321f-54.dat	upx
behavioral2/files/0x0006000000023221-60.dat	upx
behavioral2/files/0x0006000000023223-77.dat	upx
behavioral2/files/0x0006000000023224-85.dat	upx
behavioral2/files/0x0006000000023226-94.dat	upx
behavioral2/files/0x0006000000023226-99.dat	upx
behavioral2/memory/3344-113-0x00007FF78ABE0000-0x00007FF78AF31000-memory.dmp	upx
behavioral2/files/0x000400000001db3a-117.dat	upx
behavioral2/files/0x000600000001db40-121.dat	upx
behavioral2/memory/1052-124-0x00007FF760A00000-0x00007FF760D51000-memory.dmp	upx
behavioral2/memory/2308-126-0x00007FF75FC30000-0x00007FF75FF81000-memory.dmp	upx
behavioral2/memory/1116-127-0x00007FF613730000-0x00007FF613A81000-memory.dmp	upx
behavioral2/memory/3484-125-0x00007FF74B150000-0x00007FF74B4A1000-memory.dmp	upx
behavioral2/memory/2096-123-0x00007FF717C10000-0x00007FF717F61000-memory.dmp	upx
behavioral2/memory/4344-120-0x00007FF671060000-0x00007FF6713B1000-memory.dmp	upx
behavioral2/files/0x000400000001db39-115.dat	upx
behavioral2/files/0x000600000001db40-114.dat	upx
behavioral2/files/0x000400000001db3a-112.dat	upx
behavioral2/files/0x0006000000023228-110.dat	upx
behavioral2/memory/4084-108-0x00007FF679990000-0x00007FF679CE1000-memory.dmp	upx
behavioral2/files/0x000400000001db39-104.dat	upx
behavioral2/files/0x0006000000023227-102.dat	upx
behavioral2/files/0x0006000000023227-96.dat	upx
behavioral2/memory/1392-92-0x00007FF6EF440000-0x00007FF6EF791000-memory.dmp	upx
behavioral2/files/0x0006000000023224-88.dat	upx
behavioral2/files/0x0006000000023225-86.dat	upx
behavioral2/files/0x0006000000023225-84.dat	upx
behavioral2/memory/1400-76-0x00007FF6E4EF0000-0x00007FF6E5241000-memory.dmp	upx
behavioral2/files/0x0006000000023222-75.dat	upx
behavioral2/files/0x0006000000023223-73.dat	upx
behavioral2/memory/4624-71-0x00007FF631860000-0x00007FF631BB1000-memory.dmp	upx
behavioral2/files/0x0006000000023222-69.dat	upx
behavioral2/memory/4708-67-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp	upx
behavioral2/files/0x0006000000023221-66.dat	upx
behavioral2/files/0x0006000000023220-63.dat	upx
behavioral2/memory/2160-62-0x00007FF731AB0000-0x00007FF731E01000-memory.dmp	upx
behavioral2/memory/2632-59-0x00007FF686540000-0x00007FF686891000-memory.dmp	upx
behavioral2/files/0x0006000000023220-57.dat	upx
behavioral2/files/0x0008000000023210-53.dat	upx
behavioral2/memory/2608-49-0x00007FF6C2C50000-0x00007FF6C2FA1000-memory.dmp	upx
behavioral2/files/0x0008000000023210-48.dat	upx
behavioral2/files/0x000600000002321e-44.dat	upx
behavioral2/memory/2716-43-0x00007FF6B94B0000-0x00007FF6B9801000-memory.dmp	upx
behavioral2/files/0x000600000002321d-38.dat	upx
behavioral2/memory/4720-34-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp	upx
behavioral2/files/0x0006000000023219-11.dat	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yavnekL.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bEQTesn.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bTiFIcZ.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SjLxodM.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MVCVPMg.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lBCsYxm.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EvxlrNB.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NzxFhxY.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fdvpxNo.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ziFNtiO.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\auZbZGk.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hVaYPxt.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CuspEcz.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KfBWqBv.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wGvTKNO.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oMZkxYV.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZTKXwJz.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DVTdwJH.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HLnXCIJ.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CEJyqLo.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qbJKSEJ.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 4264	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	89
PID 1092 wrote to memory of 4264	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	89
PID 1092 wrote to memory of 2352	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	90
PID 1092 wrote to memory of 2352	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	90
PID 1092 wrote to memory of 4960	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	91
PID 1092 wrote to memory of 4960	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	91
PID 1092 wrote to memory of 3764	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	94
PID 1092 wrote to memory of 3764	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	94
PID 1092 wrote to memory of 4720	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	92
PID 1092 wrote to memory of 4720	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	92
PID 1092 wrote to memory of 2608	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	93
PID 1092 wrote to memory of 2608	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	93
PID 1092 wrote to memory of 2716	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	96
PID 1092 wrote to memory of 2716	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	96
PID 1092 wrote to memory of 2160	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	95
PID 1092 wrote to memory of 2160	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	95
PID 1092 wrote to memory of 4708	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	110
PID 1092 wrote to memory of 4708	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	110
PID 1092 wrote to memory of 2632	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	97
PID 1092 wrote to memory of 2632	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	97
PID 1092 wrote to memory of 4624	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	109
PID 1092 wrote to memory of 4624	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	109
PID 1092 wrote to memory of 1400	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	108
PID 1092 wrote to memory of 1400	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	108
PID 1092 wrote to memory of 1392	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	98
PID 1092 wrote to memory of 1392	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	98
PID 1092 wrote to memory of 4084	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	99
PID 1092 wrote to memory of 4084	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	99
PID 1092 wrote to memory of 3484	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	106
PID 1092 wrote to memory of 3484	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	106
PID 1092 wrote to memory of 3344	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	105
PID 1092 wrote to memory of 3344	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	105
PID 1092 wrote to memory of 4344	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	100
PID 1092 wrote to memory of 4344	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	100
PID 1092 wrote to memory of 2096	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	104
PID 1092 wrote to memory of 2096	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	104
PID 1092 wrote to memory of 2308	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	103
PID 1092 wrote to memory of 2308	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	103
PID 1092 wrote to memory of 1052	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	102
PID 1092 wrote to memory of 1052	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	102
PID 1092 wrote to memory of 1116	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	101
PID 1092 wrote to memory of 1116	1092	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	101

C:\Users\Admin\AppData\Local\Temp\2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\System\wGvTKNO.exe
  C:\Windows\System\wGvTKNO.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\oMZkxYV.exe
  C:\Windows\System\oMZkxYV.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\yavnekL.exe
  C:\Windows\System\yavnekL.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\ZTKXwJz.exe
  C:\Windows\System\ZTKXwJz.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\hVaYPxt.exe
  C:\Windows\System\hVaYPxt.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\NzxFhxY.exe
  C:\Windows\System\NzxFhxY.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\ziFNtiO.exe
  C:\Windows\System\ziFNtiO.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\fdvpxNo.exe
  C:\Windows\System\fdvpxNo.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\CEJyqLo.exe
  C:\Windows\System\CEJyqLo.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\SjLxodM.exe
  C:\Windows\System\SjLxodM.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\MVCVPMg.exe
  C:\Windows\System\MVCVPMg.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\EvxlrNB.exe
  C:\Windows\System\EvxlrNB.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\DVTdwJH.exe
  C:\Windows\System\DVTdwJH.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\bEQTesn.exe
  C:\Windows\System\bEQTesn.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\qbJKSEJ.exe
  C:\Windows\System\qbJKSEJ.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\auZbZGk.exe
  C:\Windows\System\auZbZGk.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\lBCsYxm.exe
  C:\Windows\System\lBCsYxm.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\KfBWqBv.exe
  C:\Windows\System\KfBWqBv.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\CuspEcz.exe
  C:\Windows\System\CuspEcz.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\bTiFIcZ.exe
  C:\Windows\System\bTiFIcZ.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\HLnXCIJ.exe
  C:\Windows\System\HLnXCIJ.exe
  2⤵
  - Executes dropped EXE
  PID:4708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CEJyqLo.exe

Filesize
253KB

MD5
2b57481f1b8dfcb0893617d2605a70c1

SHA1
a443b6fe9ddb6a181955dca4a708fa09ed744699

SHA256
dc0875dc6ace5cc2ad88d6ec1367040406f59296c7ed7b9438f9ef90cacc89ed

SHA512
ab82a43da33ace4ffc7de5d8fcc0a7db6324ade5e2c9c9774b50b3d72da11a9b2150dce7e28fd31e484f8c69ec1a29abe13ae6209a404fa57c36f7e9c915932c

Download Submit
C:\Windows\System\CEJyqLo.exe

Filesize
278KB

MD5
cf3994e13d0712313e55353e60d23726

SHA1
3f63e5233448b235f2afbcbaea4568addfb377b9

SHA256
a3f966c43d1ea7ac681ab7e17da0086408e91ec440a39796267f5b539a24f566

SHA512
b4d2d6964318e9a1b85da60f374b1d3d0958a1eb9c77e031904c5e1cff1fc35448522f1e69de5ba205d3acd6e61c28ad73d223162e1a61d840652f2b6d3666ee

Download Submit
C:\Windows\System\CuspEcz.exe

Filesize
243KB

MD5
562471e841cc39756de4af0f835cd132

SHA1
72ce8f5e7968791bc84511b8a5ef876d218807ce

SHA256
6be4e9c7dda5cf34a9b28cc07d77f50270d788776c196834f0633e3f54c1b60f

SHA512
f97187ba7bb73629d1577c8e393ac3ec051c5d1ff096f23788ee7658cd8746df2665d62225d57b61662c69213f69013185eb32fde8acd01394c58662bdec7c49

Download Submit
C:\Windows\System\CuspEcz.exe

Filesize
259KB

MD5
717063f3fce78b889087840355655c73

SHA1
2ee9ffcffe2ec35b55a7a706b307394a352a4718

SHA256
cdd4410098146965d6751a837959493c13ee51c78a94829ab9762db57cc62b2f

SHA512
e83260cde948bea2fa7caa3c61b02d91667bf49e5e0a8103ae4cef7101d76142b204a62c5af44920d68fbce9d7106dc4fce7cecd90f95ba9eb67ca00cfbf5f4d

Download Submit
C:\Windows\System\DVTdwJH.exe

Filesize
25KB

MD5
ae9a15b32f7e83242633af1150714a70

SHA1
f1f02ff5d569fbb2c05acd395fd796da84043ffa

SHA256
9b15107660468b20ee0a9b821c2ae875dc9b485b2172bde49a5bb82973ca4505

SHA512
83417e187def53d5f88a17e8602f0668cf51ed888fe93287febd26f5447ce57788251aa9a343e8522d6f875a8a03de2d715055b21eff39ef86cf7d9957389d83

Download Submit
C:\Windows\System\DVTdwJH.exe

Filesize
14KB

MD5
d1f28a23387ca4aecf0033813ec459fe

SHA1
eca5598dde02c455163ac931efc0d76eae75d367

SHA256
4ea46e8bebe13b1fde4aa479c356a00648b48a5ca02cf7e6b8ba58de751f899a

SHA512
d542e5d98c0738c318e1731701b4085806fa6ff75ebd1895083ddeaf9ef5afd375830b7503e6730d54410861b7a96f1e827c6a1e3cc547b9b3a51e99d04c3a4d

Download Submit
C:\Windows\System\EvxlrNB.exe

Filesize
76KB

MD5
70030389043e0a9cfd9d8eb4ab610631

SHA1
2d590239481e0b2f6226c416b0c36ddef5df214a

SHA256
2887a25409fe13372614bf6979f4fd92f13cba5e2335646f5a8bd2dec78374c8

SHA512
44f80c67437ef931ba293c8f65c7353320cda2e6e97798a3b45145f4859c9b0c8079e032f974bd32b245278574cad743d7d111806ac667b36d89d311fdbcc522

Download Submit
C:\Windows\System\EvxlrNB.exe

Filesize
262KB

MD5
cbf918ff85cf907f9f91cb97ded3165d

SHA1
99f89ff6515517c1136fa5784b00382a618912f2

SHA256
31bd6917554921fe85d6c090331351e543cb4c9f56c1284837214674fa73ba4c

SHA512
8d67ab558ed75342b5a9d6485b10a081365426173186ea73f2ef325cd761b572b8660e75b749ea0e53dd94cccb28b6c190016bb148f37420dfb462e83a9c391d

Download Submit
C:\Windows\System\HLnXCIJ.exe

Filesize
71KB

MD5
0d892318b8b8edb0b6cdb38f6ffb42b3

SHA1
063a5215cca153dc9c7566ba4d6108c119888b31

SHA256
26159a5a833c056aab64e3b8e59f78e308a1b7323bcb0248254b57d3eec8a5bb

SHA512
ed4e2fcf03f2afda56faa6535db87244fd185f75b3f8c2926afb258edf9a67312c8a331dc1d077c0576849377e2b63656480565ef50a33a60bf3983305afe635

Download Submit
C:\Windows\System\HLnXCIJ.exe

Filesize
67KB

MD5
620530f2e2966656fd9919028d34f2ee

SHA1
f90838eef0e168610194f879e493e04fd41518a3

SHA256
8ec66958e0392bdee6c463ca2e3e35faa17d963e9bfc0c45ad70697a244b94ab

SHA512
76cdb3c6df82e68efbc6b28cc00761ab1d57f6329060c7ad0ae7d1cb16d411d55fd41151aca3984ae02f609a5f6bcceb603698b1b3437c337f16be1152a6081e

Download Submit
C:\Windows\System\KfBWqBv.exe

Filesize
137KB

MD5
0ddb27841c5db78d5d2e3d2f7abd5aa7

SHA1
436475a98251e779303b501b6ebe6cfec706dd4a

SHA256
fa10d822400f04e5c938493a4a2ef19f6eb7ffb00344c36c2c854b5442759c2c

SHA512
48709ff0b9a344077584850593cd87eb83ce12eeea5daa2a14ef84b2d07f7ae667a1b9364f681cb9a380fd44eefa3a9544097d4107a6455ec550388f044c729c

Download Submit
C:\Windows\System\KfBWqBv.exe

Filesize
145KB

MD5
0671878f885734d115f93b03969307ae

SHA1
a3b7e60156db02bd73474523a7fddcee10680699

SHA256
5a543430416e771a20853faf1f0bf6ba81ecc006d44a549804988544ae7126d4

SHA512
cd3b2c0ed1fcc78fd49793cbb342bec852afbea09035cf05bdc9ddcbe0955be295b8ca4d9de519abcc3206b5ee6e242d214853eef024a1f153f1f60592f6ae30

Download Submit
C:\Windows\System\MVCVPMg.exe

Filesize
17KB

MD5
7ba85efb1a2749f5850ef8dba0c07511

SHA1
642ac4a1e3e1a8749abcb2f27760961d0b294d8e

SHA256
3b1193f81bb7e3652ef9a30b080c0aee13bbf2a7781158e86f80e6f03ae9efd9

SHA512
0ca73c31fb643062d9aca422babdf2f5fe12e28fd7f7444b47c404b131aeb9467c6dabedb1b178e4ec04cdbcd1f7cad3b42a6d793e190249743860c1f8d34434

Download Submit
C:\Windows\System\MVCVPMg.exe

Filesize
233KB

MD5
d5476631e6693f18513283f042f4bbf4

SHA1
788f376d7f5b0c6b005ac75327817740a746840c

SHA256
d8c4e342e725e354e45ecee2d1b08708b93ac2000534928459873541f97b8a60

SHA512
156c4dbbf4352803a45722bf20f8fa2b99ee985dfcbfb77b3b161e8a7c9490e00ec7cec4c0b76dc3a228602f19c2e54a6fbb726e9930be302812fe32c0d80714

Download Submit
C:\Windows\System\NzxFhxY.exe

Filesize
97KB

MD5
e00e1d8b6c15e8733845ae2a29458d9b

SHA1
df5c02c8cb20161929342fd56b82336b194c2e12

SHA256
f809cf519a3f3bd4fde3d1f2e451cdce8a6ee51f459acb4a0820b01139a2bc98

SHA512
a30791684dbdb0ec621cac32dfadfc5d30cce47428d1361b1a7cfcda07125b1300c0d0c9baa2dca96c1dfc696227aee8bfe5c3d642d642bd2884c607eb3c04c0

Download Submit
C:\Windows\System\NzxFhxY.exe

Filesize
153KB

MD5
f78f401d53205de16603b12839b4038e

SHA1
dfa5a4afa79e9ffad3e3a8eedd37e2a49514fbcb

SHA256
4ff799267f721473294dd1c680ceac8849994e69069b6d29ab4d0c45cc8f63ee

SHA512
6b1379feb9922ff6750265e3a173585adde344d28950864ef515d28c18e61df279c0fcb7a78295821bc1e877626a5626fce02c00c2b28197b9c50993f9c81ec3

Download Submit
C:\Windows\System\SjLxodM.exe

Filesize
378KB

MD5
eb85b173becf79e3e6de1950f1cf4b79

SHA1
f2602776f79062423201ce844632d221fb67076c

SHA256
73b8a7248fb5a1e7549cb36d1d52445e8833773258b12673fb63815a2af79886

SHA512
9dd3068f2cd2eb4ff81ad1361fbe264fe20b0315b9840052bc42f380ae96d2c8e7a8eacb6cf3d870ebb5f9450dbd7be9aadeaba4e9d3e3fee1b0da6f086870eb

Download Submit
C:\Windows\System\SjLxodM.exe

Filesize
108KB

MD5
a583ff427e799bc0475c0491eb03d08d

SHA1
135bd662388f815c6a13fb6f0bafee7db9f7b7b5

SHA256
a3750176eb0655bf7fcf5ee316ce0debfd5c1834aeab326a8344fe61ebfe3d9a

SHA512
49efcbc490bceb8f95199572a92c3fc2c0dcd32a435d5fff1e66eb4977c43e612e845ac8385a4ab79d8bf8f592fd92e4471bf0decfe0b378bf2bdef1387f507a

Download Submit
C:\Windows\System\ZTKXwJz.exe

Filesize
181KB

MD5
fd25416d57b0e52717bb825d0a1ec450

SHA1
3e2b84bbaa63321756a1b80b06632929989de8cf

SHA256
1ed1b4a260c505d1978cebb48f61881b5556d6c954e18ef102c7c1ab2f1888e3

SHA512
e0f1369f3ea8e58e56198717cfe8a164818422f58cbe8ee13c474c1b8500132cccf5b3aa258104940498b36d58a518153397d08800bb414a9552a68f72f1c2e2

Download Submit
C:\Windows\System\ZTKXwJz.exe

Filesize
112KB

MD5
667517a0dd92cee63012f46d1213a180

SHA1
86cfe600f6662d643a7ce0d094cfa0e1e7c41d03

SHA256
968cd23f4b9586409edafc5f36c9d38bfff6a2cb84a33837d259bba9354a9d88

SHA512
0b448d7b16a51726e8b60d12d122132cf492ec33417b7d7db4fb962cd5ce2e6203a6f48023c8705ff5ec55b5a1e9e34ddcaaf429158875caf9c2867a2c80c547

Download Submit
C:\Windows\System\auZbZGk.exe

Filesize
68KB

MD5
a31960686ce0320af947e5596788ffc6

SHA1
a2a017a079a5efa232d2f646ae485f82a441d982

SHA256
209228a3da8d8b5cd92de360f1d84239c4d5e30153f04341e299d34e7e0e83ce

SHA512
945849ec0b5d71ca93f77e511b3738f02659da0bf9b7e703dfc4f0a005b8d895c345914e94efeb11ef9116eab6eb6f6f0894e39830c8076a1daa0268041fa15c

Download Submit
C:\Windows\System\bEQTesn.exe

Filesize
108KB

MD5
942a2976f777018de509ac333975d489

SHA1
c48d3f2ab9869641e4e34489c3d73b1fd8a83bc0

SHA256
731fc04cc0c9298a70b4f0add5f9765822fcaa5c741f4fe0d09bb0cfbcc05fce

SHA512
65925ad710f18ad4366cc27744dfebdb75f5a9d9df1a63d6ad05543c555d3a8e9c9c92a3ad6872ccb027282e0a7603a8dcff05eb558c217c5ffc863caa7b47ce

Download Submit
C:\Windows\System\bEQTesn.exe

Filesize
38KB

MD5
0ccf77faa522e4fe2805a14e87593230

SHA1
ce5db38c2d6629a4242e35752342b838d085894d

SHA256
9addaca56ab3c2b7e753b9f2128c9e2e329142769f8ab0383a520684f53bd196

SHA512
c3464e1ffa0345bc37fe137e6b89f2f404bb00323dadec66d923ba1b8ce2fe2f6baa80ea2d370d5032e07c51b0e1e1c48398c0d20ad755007135e985ab3b7685

Download Submit
C:\Windows\System\bTiFIcZ.exe

Filesize
27KB

MD5
cc4a8dffc93f27aa8ccbda0bde35eb01

SHA1
3e22ac4bba5d8f64bed738e3df13ba4fae705305

SHA256
dda486a2c9cade5f1cea6ebf8452531e377e2736a7f2045b01dbbaca4caf430d

SHA512
5761bc4722756a5c033ebb1227579697a37ae6fd1180aa06750614717582e8e23b649d825d23853e5605e871fe0db6c4dc947a6e86637c43a27ef894afacebf0

Download Submit
C:\Windows\System\bTiFIcZ.exe

Filesize
211KB

MD5
c8bb17be88084946cc7268bf7c709212

SHA1
4366f02a928842b9d9d52e875ecfcc949deeb64f

SHA256
95354a129695f74a17dd48701717fafd5f730ffab19b5ce46df19ea7dd6b94f3

SHA512
a88864d37c0050fe347bfbbfd51a658a429b963d352e8ad3b631fc0f0dbf5f28d713850be0908ec6982b9574daba238c8281667b813bdff237729ae7d71e7abd

Download Submit
C:\Windows\System\fdvpxNo.exe

Filesize
92KB

MD5
4ca79a495fd4287abd3b58d21f1c496c

SHA1
238551b4001436f28bd2d2a0c52cca12269c83fd

SHA256
72dc44ffd86aad600a2442c742db4d11e54660072ea085a4b892d2d28010354e

SHA512
2690374b2cabdcc12f7d55842e2df32d8ce7552528454d30a1cae4647eb349ebbab96309a36a1e727d14a212483b0a53d0a7ea7c38224addde739159b4e604f3

Download Submit
C:\Windows\System\fdvpxNo.exe

Filesize
414KB

MD5
e073bae34133518d230390a407cb789d

SHA1
0e7ea2b2c28ba633d4e3e34fea4b5bcb2d4e5039

SHA256
27d35faa3970dbd7fb61f59d85f8a73a03bc3f331108cdfd6999be02438593d9

SHA512
813ff5e269d464e2d6ca26f0d84df3e36020935bd0fe48e9372a80a9678dc562fb074b464912cf30a7c5760781f54f492659bb5dc94e5b73baf8e07efe8f3b5e

Download Submit
C:\Windows\System\hVaYPxt.exe

Filesize
183KB

MD5
6115770a1d1624e8d1f182ae07555a5e

SHA1
6e77dbef588cc6c5519b1a5ecf882c03c2a5ff71

SHA256
949ae3718954f5aad1ca0db8e129165c83a52f429a6df0ceffeeb8c45f58490e

SHA512
2e6668eedc73a953fa3d03932a191673f380e5c2eccafa5e2aea6180779610395d11a31031d8b95217f1af228a8abf75c8f0dc1b52a801e8bf242125ff63cbf0

Download Submit
C:\Windows\System\hVaYPxt.exe

Filesize
560KB

MD5
0b40011437253d727883d94cf32aa097

SHA1
d9ac4e4731f6ea31bdcde1202d6dca6cbfbde2fc

SHA256
fa6ff229b6a9bdfd0da129dee6e207ca6184f72b9ba04fb47a7b6537a9482755

SHA512
0e6e573ddc4c76cecd2f347faa15d0c7a48d69dc29995e080d3518dfffd38a1af71287e17469fd35419ea1c09a2b0dbb834417f34b0c53c9bdeb0f6558241b27

Download Submit
C:\Windows\System\lBCsYxm.exe

Filesize
37KB

MD5
e90d999cf65441715ac3e85d0668c4a8

SHA1
59ac8b41602b3892ab3bb89fc50e3fbe70d21280

SHA256
44bb21b35d8608384e7698cb4d0bc73f664e9f39ee28c69ff89a23dd96c6974e

SHA512
e4d6db6005142e96c8b45e202a971312ec353af198ed560f498005029ea26fb17d03adcfd9748310c1d10c95cf9e169f1475d5d8709a2bbb21774530d5446f4a

Download Submit
C:\Windows\System\lBCsYxm.exe

Filesize
41KB

MD5
93afe941f9ddf1745794bf343da6c8fe

SHA1
bc439306426b005bfab6717456704f8430600b37

SHA256
a40b97619235dc86dfcf3738569a98def48ccc413c182d4672ecaa149aab2a33

SHA512
c4aa935566bce5edd1ee87a5ecf8adc314e7f8361cf47e4ab1904574ac539e42e646593ebc3db1890aaf43792d82ead53a33e5661f5a43835d60a7e66d328f14

Download Submit
C:\Windows\System\oMZkxYV.exe

Filesize
610KB

MD5
ba13bf8495c2cae5bf16c0b91c1c3d3c

SHA1
06efb9b2021e70797ef22b26f486686a901c787f

SHA256
6bb086f2eb3ed5a298598400920e541036bba95148a8e6779adac55aa1a090c8

SHA512
822bb953e1e4d95942db2532b801f0474105ef146a9fe342751fe0d006c0d53c94b1f2962bb8ac0021aa9d3b76ff50c7a68c6c1edd3098efe4b9b715098068a4

Download Submit
C:\Windows\System\oMZkxYV.exe

Filesize
177KB

MD5
c35f960b4063b134455ba0e57cc54ec3

SHA1
6fc021142044c2f6d6997ae91d8e3d1ef09a03f4

SHA256
463a96cd84463a05af30341f05ef436013b07bd886f7891ccf9b5c4fd02ca58b

SHA512
5689e33ad045a94d9cd6019f3f54d28f01669e331201bfaa297569403b6a6c56443c32602541610afa23d8393342cb20102dd634c9c2b1940a1c4895f86faec2

Download Submit
C:\Windows\System\qbJKSEJ.exe

Filesize
195KB

MD5
108459c89460edb11eec8685e00a00b8

SHA1
9dc1fd14a9b13c88fd114b99f9f9c4dbc6df9696

SHA256
97c369480fe8e05609a863de74803837fc228538184ea224b17105ecc6622826

SHA512
7a9b06ef4e5d360644a6a5e96016a216931d7c28a635c4af83c584b62f896c0c9bb35983a9ec6e4a82659ac51abbb65087d03778a2f5e6202cd2a7f67edbc2fa

Download Submit
C:\Windows\System\qbJKSEJ.exe

Filesize
47KB

MD5
01010b1712fb584a8d89db1aae01df39

SHA1
47c50dbf5a8742e2561d2e4a18e4c4cdffeb6a69

SHA256
9b21cffbfb8a6d4c9841f74a7aab8fe7f15b876f9e4dee8716792d0a09284fe7

SHA512
0c1f8c32d747ad99da4bd1528f67b81be07e5ec736153e415b6464889cbe93cb344ed36accb21362227d99e23c32fa7180948473d53441a3334bf233ffe1d251

Download Submit
C:\Windows\System\wGvTKNO.exe

Filesize
713KB

MD5
655aafe1f7fe0507b6d3d079ec533dcd

SHA1
db9bfdc6836893fbd39024e28f128c297d2f6e39

SHA256
8963997ca3d39e5413f54b401d96418b7bc85d298a7b792157daf08f6e3a25dd

SHA512
3401dd2b6a6a3c83d153eff431cd5ae9a6224eed7d361284d775298bcebe0e8b3520dd81e4a543b7a635767f976db527e89d4486422bfca0b8ec00bd7d294272

Download Submit
C:\Windows\System\wGvTKNO.exe

Filesize
301KB

MD5
bd6d91e5abbe9656cf4d7de10696c18a

SHA1
abc9a7b94d4e4394f0c2357bef24291ce6c1920b

SHA256
e6da751c76dc76e6a4c26aa6184648a7c6f65e6917919a508883fe07272d7cc0

SHA512
3cbf155a4a4ee7702fe9ba89d5839149a05fd047b9740421aacc4cdf88a00964d9c82fb8070fc01c50ae1666ebee4668ea3aa21bcd675a932f4bd939368bdafb

Download Submit
C:\Windows\System\yavnekL.exe

Filesize
365KB

MD5
55cbf85c69f61eb030505ef95fb32f2c

SHA1
3841f91b9871211197ea041a2c3d1c002cffa7fd

SHA256
6d9420612d2b3de569c4913d5f2e91dd52156bf220e98ac993df3c9432db1d9c

SHA512
3c473040a58fdda49a443d0e8523e20e7846a937e8100b63473978e93143411050c545e3bdbbf36072407a23aecc50a94b70c30299220a3d1a73f59e46fcea12

Download Submit
C:\Windows\System\yavnekL.exe

Filesize
269KB

MD5
f48c5a08d27c176fd4215686332b8427

SHA1
b57afb25d25d077fe761cd17f6d42655b0e1b6e6

SHA256
16544d33231fae1b246701ac7f812e8e4550f2b10aca1033f375e7507f7e28bb

SHA512
7f73813c1f8b27783e569823126802485c6fa00358246a05fcbc1610f86cec6f82a43c4f385ddb9a710eee0257e5b1f8dee6f68c8855406044b34d2365f8a9ef

Download Submit
C:\Windows\System\yavnekL.exe

Filesize
263KB

MD5
ac34e27b6663d531032b7070ed3cf289

SHA1
b690dc81c6487e75a7cc7d35640d1f3eb45f28b0

SHA256
30add7c7f0132351cbeac9f64fc37fe70ccec931463d31713fa08cdd0278a791

SHA512
e8a06ab62202280c3aa473fe42329fe8f54daf28155735cbcccc97aecbc00c61b6fcafbe6245dbb412879d4025572eb81ffb8d57f837b64dc30d06b0b52ba01c

Download Submit
C:\Windows\System\ziFNtiO.exe

Filesize
258KB

MD5
0ffea03d7fe73ca823c96cfc06e5da08

SHA1
e0cdb0e7f104b97e0da155d0c55f7bad9343fce8

SHA256
41b2e03e74fa4e39531088bb7926e4acf0e2f0f5a54edc36739c8c7c0f89a61d

SHA512
e14be439d1c30dc856fe296c9e19692149f1d4cb073c99038c93114bcd8be424721fd3a958f1e8cc7e21982d95cec2cb186ceadcb7d7653840d0b92d9a977bf6

Download Submit
C:\Windows\System\ziFNtiO.exe

Filesize
306KB

MD5
b628f45abd6622af6fb22007c2947f54

SHA1
60b1547cca1186c0d81946d56a88f62cb49bad01

SHA256
ca018c492e1460ae95ffb3a5a8ddec04981a11837f5be888ce24837d6e1d8a63

SHA512
ae8f4de52da86ea5fff8f4e9c16c88332cc5e6d7d2469b40ef4f9fbfba5c6de88d6452b14523ebbd26b9abbe610a2168d66f5a86165dce8f4be78c4da4f4464a

Download Submit
memory/1052-124-0x00007FF760A00000-0x00007FF760D51000-memory.dmp

Filesize
3.3MB

Download
memory/1052-244-0x00007FF760A00000-0x00007FF760D51000-memory.dmp

Filesize
3.3MB

Download
memory/1092-0-0x00007FF610690000-0x00007FF6109E1000-memory.dmp

Filesize
3.3MB

Download
memory/1092-128-0x00007FF610690000-0x00007FF6109E1000-memory.dmp

Filesize
3.3MB

Download
memory/1092-1-0x0000019EA5B80000-0x0000019EA5B90000-memory.dmp

Filesize
64KB

Download
memory/1092-130-0x00007FF610690000-0x00007FF6109E1000-memory.dmp

Filesize
3.3MB

Download
memory/1092-152-0x00007FF610690000-0x00007FF6109E1000-memory.dmp

Filesize
3.3MB

Download
memory/1116-246-0x00007FF613730000-0x00007FF613A81000-memory.dmp

Filesize
3.3MB

Download
memory/1116-127-0x00007FF613730000-0x00007FF613A81000-memory.dmp

Filesize
3.3MB

Download
memory/1392-92-0x00007FF6EF440000-0x00007FF6EF791000-memory.dmp

Filesize
3.3MB

Download
memory/1392-143-0x00007FF6EF440000-0x00007FF6EF791000-memory.dmp

Filesize
3.3MB

Download
memory/1392-230-0x00007FF6EF440000-0x00007FF6EF791000-memory.dmp

Filesize
3.3MB

Download
memory/1400-76-0x00007FF6E4EF0000-0x00007FF6E5241000-memory.dmp

Filesize
3.3MB

Download
memory/1400-142-0x00007FF6E4EF0000-0x00007FF6E5241000-memory.dmp

Filesize
3.3MB

Download
memory/1400-229-0x00007FF6E4EF0000-0x00007FF6E5241000-memory.dmp

Filesize
3.3MB

Download
memory/2096-123-0x00007FF717C10000-0x00007FF717F61000-memory.dmp

Filesize
3.3MB

Download
memory/2096-242-0x00007FF717C10000-0x00007FF717F61000-memory.dmp

Filesize
3.3MB

Download
memory/2160-221-0x00007FF731AB0000-0x00007FF731E01000-memory.dmp

Filesize
3.3MB

Download
memory/2160-62-0x00007FF731AB0000-0x00007FF731E01000-memory.dmp

Filesize
3.3MB

Download
memory/2308-240-0x00007FF75FC30000-0x00007FF75FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2308-126-0x00007FF75FC30000-0x00007FF75FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2352-13-0x00007FF6CFA40000-0x00007FF6CFD91000-memory.dmp

Filesize
3.3MB

Download
memory/2352-132-0x00007FF6CFA40000-0x00007FF6CFD91000-memory.dmp

Filesize
3.3MB

Download
memory/2352-209-0x00007FF6CFA40000-0x00007FF6CFD91000-memory.dmp

Filesize
3.3MB

Download
memory/2608-49-0x00007FF6C2C50000-0x00007FF6C2FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-216-0x00007FF6C2C50000-0x00007FF6C2FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-224-0x00007FF686540000-0x00007FF686891000-memory.dmp

Filesize
3.3MB

Download
memory/2632-140-0x00007FF686540000-0x00007FF686891000-memory.dmp

Filesize
3.3MB

Download
memory/2632-59-0x00007FF686540000-0x00007FF686891000-memory.dmp

Filesize
3.3MB

Download
memory/2716-218-0x00007FF6B94B0000-0x00007FF6B9801000-memory.dmp

Filesize
3.3MB

Download
memory/2716-137-0x00007FF6B94B0000-0x00007FF6B9801000-memory.dmp

Filesize
3.3MB

Download
memory/2716-43-0x00007FF6B94B0000-0x00007FF6B9801000-memory.dmp

Filesize
3.3MB

Download
memory/3344-113-0x00007FF78ABE0000-0x00007FF78AF31000-memory.dmp

Filesize
3.3MB

Download
memory/3344-236-0x00007FF78ABE0000-0x00007FF78AF31000-memory.dmp

Filesize
3.3MB

Download
memory/3484-232-0x00007FF74B150000-0x00007FF74B4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-125-0x00007FF74B150000-0x00007FF74B4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-212-0x00007FF7155E0000-0x00007FF715931000-memory.dmp

Filesize
3.3MB

Download
memory/3764-24-0x00007FF7155E0000-0x00007FF715931000-memory.dmp

Filesize
3.3MB

Download
memory/3764-134-0x00007FF7155E0000-0x00007FF715931000-memory.dmp

Filesize
3.3MB

Download
memory/4084-108-0x00007FF679990000-0x00007FF679CE1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-234-0x00007FF679990000-0x00007FF679CE1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-129-0x00007FF630FC0000-0x00007FF631311000-memory.dmp

Filesize
3.3MB

Download
memory/4264-206-0x00007FF630FC0000-0x00007FF631311000-memory.dmp

Filesize
3.3MB

Download
memory/4264-8-0x00007FF630FC0000-0x00007FF631311000-memory.dmp

Filesize
3.3MB

Download
memory/4344-238-0x00007FF671060000-0x00007FF6713B1000-memory.dmp

Filesize
3.3MB

Download
memory/4344-120-0x00007FF671060000-0x00007FF6713B1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-226-0x00007FF631860000-0x00007FF631BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-71-0x00007FF631860000-0x00007FF631BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-141-0x00007FF631860000-0x00007FF631BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-222-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp

Filesize
3.3MB

Download
memory/4708-67-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp

Filesize
3.3MB

Download
memory/4720-34-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp

Filesize
3.3MB

Download
memory/4720-214-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp

Filesize
3.3MB

Download
memory/4720-135-0x00007FF7A0AF0000-0x00007FF7A0E41000-memory.dmp

Filesize
3.3MB

Download
memory/4960-133-0x00007FF6A3910000-0x00007FF6A3C61000-memory.dmp

Filesize
3.3MB

Download
memory/4960-210-0x00007FF6A3910000-0x00007FF6A3C61000-memory.dmp

Filesize
3.3MB

Download
memory/4960-20-0x00007FF6A3910000-0x00007FF6A3C61000-memory.dmp

Filesize
3.3MB

Download