cobaltstrike | e6a01fcc8309bc070ad9ae44c8256794770588170d7ba9c431c3c94f833949d5

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

4c6de339cac051a6638b0ecbc1271746
SHA1

f9d3a6cab59636be26a904896c62a7a570dc8104
SHA256

e6a01fcc8309bc070ad9ae44c8256794770588170d7ba9c431c3c94f833949d5
SHA512

443de7dea64d54d1b95c810e07c6effec823d74adb56ca40d6a9fe9c240783993bc7cbdac34c5ea5ba08bcdb0df5f6c4a63d3960feb03c730486f10159cd28a3
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\USTbfLY.exe	cobalt_reflective_dll
C:\Windows\System\ehdQbyT.exe	cobalt_reflective_dll
C:\Windows\System\kIrhpwq.exe	cobalt_reflective_dll
C:\Windows\System\GRbsPuy.exe	cobalt_reflective_dll
C:\Windows\System\MSwRJeD.exe	cobalt_reflective_dll
C:\Windows\System\czyThEZ.exe	cobalt_reflective_dll
C:\Windows\System\gYtzJBu.exe	cobalt_reflective_dll
C:\Windows\System\HVooefM.exe	cobalt_reflective_dll
C:\Windows\System\ThYAqAu.exe	cobalt_reflective_dll
C:\Windows\System\jnnPANM.exe	cobalt_reflective_dll
C:\Windows\System\qtLJwvm.exe	cobalt_reflective_dll
C:\Windows\System\nSZOBei.exe	cobalt_reflective_dll
C:\Windows\System\bFoPSgm.exe	cobalt_reflective_dll
C:\Windows\System\bHkZyoT.exe	cobalt_reflective_dll
C:\Windows\System\iIogZvr.exe	cobalt_reflective_dll
C:\Windows\System\RGqyema.exe	cobalt_reflective_dll
C:\Windows\System\EEIVsuA.exe	cobalt_reflective_dll
C:\Windows\System\cjlzISG.exe	cobalt_reflective_dll
C:\Windows\System\NXjroZh.exe	cobalt_reflective_dll
C:\Windows\System\nZrnsJp.exe	cobalt_reflective_dll
C:\Windows\System\jEfRIJh.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\USTbfLY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ehdQbyT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kIrhpwq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GRbsPuy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MSwRJeD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\czyThEZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gYtzJBu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HVooefM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ThYAqAu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jnnPANM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qtLJwvm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nSZOBei.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bFoPSgm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bHkZyoT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iIogZvr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RGqyema.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EEIVsuA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cjlzISG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NXjroZh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nZrnsJp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jEfRIJh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4604-0-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	UPX
C:\Windows\System\USTbfLY.exe	UPX
behavioral2/memory/2448-14-0x00007FF7580B0000-0x00007FF758401000-memory.dmp	UPX
C:\Windows\System\ehdQbyT.exe	UPX
C:\Windows\System\kIrhpwq.exe	UPX
C:\Windows\System\GRbsPuy.exe	UPX
C:\Windows\System\MSwRJeD.exe	UPX
C:\Windows\System\czyThEZ.exe	UPX
C:\Windows\System\gYtzJBu.exe	UPX
C:\Windows\System\HVooefM.exe	UPX
C:\Windows\System\ThYAqAu.exe	UPX
behavioral2/memory/4648-115-0x00007FF666E70000-0x00007FF6671C1000-memory.dmp	UPX
behavioral2/memory/2648-118-0x00007FF674180000-0x00007FF6744D1000-memory.dmp	UPX
behavioral2/memory/4700-121-0x00007FF70E5E0000-0x00007FF70E931000-memory.dmp	UPX
behavioral2/memory/5052-124-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	UPX
behavioral2/memory/4724-126-0x00007FF789AD0000-0x00007FF789E21000-memory.dmp	UPX
behavioral2/memory/464-127-0x00007FF73D680000-0x00007FF73D9D1000-memory.dmp	UPX
behavioral2/memory/3256-125-0x00007FF654230000-0x00007FF654581000-memory.dmp	UPX
behavioral2/memory/1296-123-0x00007FF63A6A0000-0x00007FF63A9F1000-memory.dmp	UPX
behavioral2/memory/4968-122-0x00007FF787360000-0x00007FF7876B1000-memory.dmp	UPX
behavioral2/memory/452-120-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	UPX
behavioral2/memory/2716-119-0x00007FF646F80000-0x00007FF6472D1000-memory.dmp	UPX
behavioral2/memory/2172-114-0x00007FF7183A0000-0x00007FF7186F1000-memory.dmp	UPX
C:\Windows\System\jnnPANM.exe	UPX
behavioral2/memory/2012-108-0x00007FF610C20000-0x00007FF610F71000-memory.dmp	UPX
C:\Windows\System\qtLJwvm.exe	UPX
behavioral2/memory/1152-104-0x00007FF6395E0000-0x00007FF639931000-memory.dmp	UPX
C:\Windows\System\nSZOBei.exe	UPX
C:\Windows\System\bFoPSgm.exe	UPX
behavioral2/memory/1500-96-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp	UPX
C:\Windows\System\bHkZyoT.exe	UPX
behavioral2/memory/1944-80-0x00007FF74CB00000-0x00007FF74CE51000-memory.dmp	UPX
C:\Windows\System\iIogZvr.exe	UPX
behavioral2/memory/3752-70-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	UPX
C:\Windows\System\RGqyema.exe	UPX
behavioral2/memory/3324-54-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	UPX
C:\Windows\System\EEIVsuA.exe	UPX
C:\Windows\System\cjlzISG.exe	UPX
C:\Windows\System\NXjroZh.exe	UPX
behavioral2/memory/3580-40-0x00007FF6253B0000-0x00007FF625701000-memory.dmp	UPX
behavioral2/memory/3268-25-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp	UPX
C:\Windows\System\nZrnsJp.exe	UPX
C:\Windows\System\jEfRIJh.exe	UPX
behavioral2/memory/4604-128-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	UPX
behavioral2/memory/2448-129-0x00007FF7580B0000-0x00007FF758401000-memory.dmp	UPX
behavioral2/memory/3268-131-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp	UPX
behavioral2/memory/3580-133-0x00007FF6253B0000-0x00007FF625701000-memory.dmp	UPX
behavioral2/memory/3324-135-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	UPX
behavioral2/memory/3752-136-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	UPX
behavioral2/memory/1500-140-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp	UPX
behavioral2/memory/4604-150-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	UPX
behavioral2/memory/4604-172-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	UPX
behavioral2/memory/2448-196-0x00007FF7580B0000-0x00007FF758401000-memory.dmp	UPX
behavioral2/memory/452-198-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	UPX
behavioral2/memory/3268-205-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp	UPX
behavioral2/memory/3324-214-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	UPX
behavioral2/memory/1944-209-0x00007FF74CB00000-0x00007FF74CE51000-memory.dmp	UPX
behavioral2/memory/3580-217-0x00007FF6253B0000-0x00007FF625701000-memory.dmp	UPX
behavioral2/memory/4968-216-0x00007FF787360000-0x00007FF7876B1000-memory.dmp	UPX
behavioral2/memory/4700-218-0x00007FF70E5E0000-0x00007FF70E931000-memory.dmp	UPX
behavioral2/memory/3752-224-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	UPX
behavioral2/memory/1152-232-0x00007FF6395E0000-0x00007FF639931000-memory.dmp	UPX
behavioral2/memory/5052-230-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	UPX
behavioral2/memory/1296-225-0x00007FF63A6A0000-0x00007FF63A9F1000-memory.dmp	UPX

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4648-115-0x00007FF666E70000-0x00007FF6671C1000-memory.dmp	xmrig
behavioral2/memory/2648-118-0x00007FF674180000-0x00007FF6744D1000-memory.dmp	xmrig
behavioral2/memory/4700-121-0x00007FF70E5E0000-0x00007FF70E931000-memory.dmp	xmrig
behavioral2/memory/5052-124-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	xmrig
behavioral2/memory/4724-126-0x00007FF789AD0000-0x00007FF789E21000-memory.dmp	xmrig
behavioral2/memory/464-127-0x00007FF73D680000-0x00007FF73D9D1000-memory.dmp	xmrig
behavioral2/memory/3256-125-0x00007FF654230000-0x00007FF654581000-memory.dmp	xmrig
behavioral2/memory/1296-123-0x00007FF63A6A0000-0x00007FF63A9F1000-memory.dmp	xmrig
behavioral2/memory/4968-122-0x00007FF787360000-0x00007FF7876B1000-memory.dmp	xmrig
behavioral2/memory/452-120-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	xmrig
behavioral2/memory/2716-119-0x00007FF646F80000-0x00007FF6472D1000-memory.dmp	xmrig
behavioral2/memory/2172-114-0x00007FF7183A0000-0x00007FF7186F1000-memory.dmp	xmrig
behavioral2/memory/2012-108-0x00007FF610C20000-0x00007FF610F71000-memory.dmp	xmrig
behavioral2/memory/1152-104-0x00007FF6395E0000-0x00007FF639931000-memory.dmp	xmrig
behavioral2/memory/1500-96-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp	xmrig
behavioral2/memory/1944-80-0x00007FF74CB00000-0x00007FF74CE51000-memory.dmp	xmrig
behavioral2/memory/3752-70-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	xmrig
behavioral2/memory/3324-54-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	xmrig
behavioral2/memory/4604-128-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	xmrig
behavioral2/memory/2448-129-0x00007FF7580B0000-0x00007FF758401000-memory.dmp	xmrig
behavioral2/memory/3268-131-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp	xmrig
behavioral2/memory/3580-133-0x00007FF6253B0000-0x00007FF625701000-memory.dmp	xmrig
behavioral2/memory/3324-135-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	xmrig
behavioral2/memory/3752-136-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	xmrig
behavioral2/memory/1500-140-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp	xmrig
behavioral2/memory/4604-150-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	xmrig
behavioral2/memory/4604-172-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	xmrig
behavioral2/memory/2448-196-0x00007FF7580B0000-0x00007FF758401000-memory.dmp	xmrig
behavioral2/memory/452-198-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	xmrig
behavioral2/memory/3268-205-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp	xmrig
behavioral2/memory/3324-214-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	xmrig
behavioral2/memory/1944-209-0x00007FF74CB00000-0x00007FF74CE51000-memory.dmp	xmrig
behavioral2/memory/3580-217-0x00007FF6253B0000-0x00007FF625701000-memory.dmp	xmrig
behavioral2/memory/4968-216-0x00007FF787360000-0x00007FF7876B1000-memory.dmp	xmrig
behavioral2/memory/4700-218-0x00007FF70E5E0000-0x00007FF70E931000-memory.dmp	xmrig
behavioral2/memory/3752-224-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	xmrig
behavioral2/memory/1152-232-0x00007FF6395E0000-0x00007FF639931000-memory.dmp	xmrig
behavioral2/memory/5052-230-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	xmrig
behavioral2/memory/1296-225-0x00007FF63A6A0000-0x00007FF63A9F1000-memory.dmp	xmrig
behavioral2/memory/1500-236-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp	xmrig
behavioral2/memory/2648-237-0x00007FF674180000-0x00007FF6744D1000-memory.dmp	xmrig
behavioral2/memory/2012-239-0x00007FF610C20000-0x00007FF610F71000-memory.dmp	xmrig
behavioral2/memory/3256-243-0x00007FF654230000-0x00007FF654581000-memory.dmp	xmrig
behavioral2/memory/464-250-0x00007FF73D680000-0x00007FF73D9D1000-memory.dmp	xmrig
behavioral2/memory/4648-252-0x00007FF666E70000-0x00007FF6671C1000-memory.dmp	xmrig
behavioral2/memory/2716-254-0x00007FF646F80000-0x00007FF6472D1000-memory.dmp	xmrig
behavioral2/memory/4724-251-0x00007FF789AD0000-0x00007FF789E21000-memory.dmp	xmrig
behavioral2/memory/2172-242-0x00007FF7183A0000-0x00007FF7186F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

jEfRIJh.exenZrnsJp.exeUSTbfLY.exeehdQbyT.exeNXjroZh.exeGRbsPuy.exekIrhpwq.exeEEIVsuA.execjlzISG.exeRGqyema.exeiIogZvr.exebHkZyoT.exeMSwRJeD.exebFoPSgm.exegYtzJBu.exenSZOBei.exeqtLJwvm.execzyThEZ.exeThYAqAu.exejnnPANM.exeHVooefM.exe

pid	process
2448	jEfRIJh.exe
452	nZrnsJp.exe
3268	USTbfLY.exe
3580	ehdQbyT.exe
4700	NXjroZh.exe
3324	GRbsPuy.exe
3752	kIrhpwq.exe
4968	EEIVsuA.exe
1944	cjlzISG.exe
1296	RGqyema.exe
1500	iIogZvr.exe
1152	bHkZyoT.exe
5052	MSwRJeD.exe
2012	bFoPSgm.exe
2172	gYtzJBu.exe
4648	nSZOBei.exe
3256	qtLJwvm.exe
2648	czyThEZ.exe
4724	ThYAqAu.exe
2716	jnnPANM.exe
464	HVooefM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4604-0-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	upx
C:\Windows\System\USTbfLY.exe	upx
behavioral2/memory/2448-14-0x00007FF7580B0000-0x00007FF758401000-memory.dmp	upx
C:\Windows\System\ehdQbyT.exe	upx
C:\Windows\System\kIrhpwq.exe	upx
C:\Windows\System\GRbsPuy.exe	upx
C:\Windows\System\MSwRJeD.exe	upx
C:\Windows\System\czyThEZ.exe	upx
C:\Windows\System\gYtzJBu.exe	upx
C:\Windows\System\HVooefM.exe	upx
C:\Windows\System\ThYAqAu.exe	upx
behavioral2/memory/4648-115-0x00007FF666E70000-0x00007FF6671C1000-memory.dmp	upx
behavioral2/memory/2648-118-0x00007FF674180000-0x00007FF6744D1000-memory.dmp	upx
behavioral2/memory/4700-121-0x00007FF70E5E0000-0x00007FF70E931000-memory.dmp	upx
behavioral2/memory/5052-124-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	upx
behavioral2/memory/4724-126-0x00007FF789AD0000-0x00007FF789E21000-memory.dmp	upx
behavioral2/memory/464-127-0x00007FF73D680000-0x00007FF73D9D1000-memory.dmp	upx
behavioral2/memory/3256-125-0x00007FF654230000-0x00007FF654581000-memory.dmp	upx
behavioral2/memory/1296-123-0x00007FF63A6A0000-0x00007FF63A9F1000-memory.dmp	upx
behavioral2/memory/4968-122-0x00007FF787360000-0x00007FF7876B1000-memory.dmp	upx
behavioral2/memory/452-120-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	upx
behavioral2/memory/2716-119-0x00007FF646F80000-0x00007FF6472D1000-memory.dmp	upx
behavioral2/memory/2172-114-0x00007FF7183A0000-0x00007FF7186F1000-memory.dmp	upx
C:\Windows\System\jnnPANM.exe	upx
behavioral2/memory/2012-108-0x00007FF610C20000-0x00007FF610F71000-memory.dmp	upx
C:\Windows\System\qtLJwvm.exe	upx
behavioral2/memory/1152-104-0x00007FF6395E0000-0x00007FF639931000-memory.dmp	upx
C:\Windows\System\nSZOBei.exe	upx
C:\Windows\System\bFoPSgm.exe	upx
behavioral2/memory/1500-96-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp	upx
C:\Windows\System\bHkZyoT.exe	upx
behavioral2/memory/1944-80-0x00007FF74CB00000-0x00007FF74CE51000-memory.dmp	upx
C:\Windows\System\iIogZvr.exe	upx
behavioral2/memory/3752-70-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	upx
C:\Windows\System\RGqyema.exe	upx
behavioral2/memory/3324-54-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	upx
C:\Windows\System\EEIVsuA.exe	upx
C:\Windows\System\cjlzISG.exe	upx
C:\Windows\System\NXjroZh.exe	upx
behavioral2/memory/3580-40-0x00007FF6253B0000-0x00007FF625701000-memory.dmp	upx
behavioral2/memory/3268-25-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp	upx
C:\Windows\System\nZrnsJp.exe	upx
C:\Windows\System\jEfRIJh.exe	upx
behavioral2/memory/4604-128-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	upx
behavioral2/memory/2448-129-0x00007FF7580B0000-0x00007FF758401000-memory.dmp	upx
behavioral2/memory/3268-131-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp	upx
behavioral2/memory/3580-133-0x00007FF6253B0000-0x00007FF625701000-memory.dmp	upx
behavioral2/memory/3324-135-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	upx
behavioral2/memory/3752-136-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	upx
behavioral2/memory/1500-140-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp	upx
behavioral2/memory/4604-150-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	upx
behavioral2/memory/4604-172-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp	upx
behavioral2/memory/2448-196-0x00007FF7580B0000-0x00007FF758401000-memory.dmp	upx
behavioral2/memory/452-198-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	upx
behavioral2/memory/3268-205-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp	upx
behavioral2/memory/3324-214-0x00007FF683FB0000-0x00007FF684301000-memory.dmp	upx
behavioral2/memory/1944-209-0x00007FF74CB00000-0x00007FF74CE51000-memory.dmp	upx
behavioral2/memory/3580-217-0x00007FF6253B0000-0x00007FF625701000-memory.dmp	upx
behavioral2/memory/4968-216-0x00007FF787360000-0x00007FF7876B1000-memory.dmp	upx
behavioral2/memory/4700-218-0x00007FF70E5E0000-0x00007FF70E931000-memory.dmp	upx
behavioral2/memory/3752-224-0x00007FF738370000-0x00007FF7386C1000-memory.dmp	upx
behavioral2/memory/1152-232-0x00007FF6395E0000-0x00007FF639931000-memory.dmp	upx
behavioral2/memory/5052-230-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	upx
behavioral2/memory/1296-225-0x00007FF63A6A0000-0x00007FF63A9F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\USTbfLY.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nSZOBei.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ThYAqAu.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jnnPANM.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EEIVsuA.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kIrhpwq.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bFoPSgm.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qtLJwvm.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HVooefM.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MSwRJeD.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jEfRIJh.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ehdQbyT.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GRbsPuy.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RGqyema.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bHkZyoT.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\czyThEZ.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nZrnsJp.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NXjroZh.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cjlzISG.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iIogZvr.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gYtzJBu.exe	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4604 wrote to memory of 2448	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	jEfRIJh.exe
PID 4604 wrote to memory of 2448	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	jEfRIJh.exe
PID 4604 wrote to memory of 452	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	nZrnsJp.exe
PID 4604 wrote to memory of 452	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	nZrnsJp.exe
PID 4604 wrote to memory of 3268	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	USTbfLY.exe
PID 4604 wrote to memory of 3268	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	USTbfLY.exe
PID 4604 wrote to memory of 4700	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	NXjroZh.exe
PID 4604 wrote to memory of 4700	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	NXjroZh.exe
PID 4604 wrote to memory of 3580	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	ehdQbyT.exe
PID 4604 wrote to memory of 3580	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	ehdQbyT.exe
PID 4604 wrote to memory of 4968	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	EEIVsuA.exe
PID 4604 wrote to memory of 4968	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	EEIVsuA.exe
PID 4604 wrote to memory of 3324	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	GRbsPuy.exe
PID 4604 wrote to memory of 3324	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	GRbsPuy.exe
PID 4604 wrote to memory of 3752	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	kIrhpwq.exe
PID 4604 wrote to memory of 3752	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	kIrhpwq.exe
PID 4604 wrote to memory of 1296	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	RGqyema.exe
PID 4604 wrote to memory of 1296	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	RGqyema.exe
PID 4604 wrote to memory of 1944	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	cjlzISG.exe
PID 4604 wrote to memory of 1944	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	cjlzISG.exe
PID 4604 wrote to memory of 2012	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	bFoPSgm.exe
PID 4604 wrote to memory of 2012	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	bFoPSgm.exe
PID 4604 wrote to memory of 1500	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	iIogZvr.exe
PID 4604 wrote to memory of 1500	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	iIogZvr.exe
PID 4604 wrote to memory of 1152	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	bHkZyoT.exe
PID 4604 wrote to memory of 1152	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	bHkZyoT.exe
PID 4604 wrote to memory of 4648	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	nSZOBei.exe
PID 4604 wrote to memory of 4648	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	nSZOBei.exe
PID 4604 wrote to memory of 5052	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	MSwRJeD.exe
PID 4604 wrote to memory of 5052	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	MSwRJeD.exe
PID 4604 wrote to memory of 2172	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	gYtzJBu.exe
PID 4604 wrote to memory of 2172	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	gYtzJBu.exe
PID 4604 wrote to memory of 3256	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	qtLJwvm.exe
PID 4604 wrote to memory of 3256	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	qtLJwvm.exe
PID 4604 wrote to memory of 2648	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	czyThEZ.exe
PID 4604 wrote to memory of 2648	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	czyThEZ.exe
PID 4604 wrote to memory of 4724	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	ThYAqAu.exe
PID 4604 wrote to memory of 4724	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	ThYAqAu.exe
PID 4604 wrote to memory of 2716	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	jnnPANM.exe
PID 4604 wrote to memory of 2716	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	jnnPANM.exe
PID 4604 wrote to memory of 464	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	HVooefM.exe
PID 4604 wrote to memory of 464	4604	2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe	HVooefM.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_4c6de339cac051a6638b0ecbc1271746_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\System\jEfRIJh.exe
C:\Windows\System\jEfRIJh.exe
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\System\nZrnsJp.exe
C:\Windows\System\nZrnsJp.exe
2⤵
- Executes dropped EXE
PID:452

C:\Windows\System\USTbfLY.exe
C:\Windows\System\USTbfLY.exe
2⤵
- Executes dropped EXE
PID:3268

C:\Windows\System\NXjroZh.exe
C:\Windows\System\NXjroZh.exe
2⤵
- Executes dropped EXE
PID:4700

C:\Windows\System\ehdQbyT.exe
C:\Windows\System\ehdQbyT.exe
2⤵
- Executes dropped EXE
PID:3580

C:\Windows\System\EEIVsuA.exe
C:\Windows\System\EEIVsuA.exe
2⤵
- Executes dropped EXE
PID:4968

C:\Windows\System\GRbsPuy.exe
C:\Windows\System\GRbsPuy.exe
2⤵
- Executes dropped EXE
PID:3324

C:\Windows\System\kIrhpwq.exe
C:\Windows\System\kIrhpwq.exe
2⤵
- Executes dropped EXE
PID:3752

C:\Windows\System\RGqyema.exe
C:\Windows\System\RGqyema.exe
2⤵
- Executes dropped EXE
PID:1296

C:\Windows\System\cjlzISG.exe
C:\Windows\System\cjlzISG.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\bFoPSgm.exe
C:\Windows\System\bFoPSgm.exe
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\System\iIogZvr.exe
C:\Windows\System\iIogZvr.exe
2⤵
- Executes dropped EXE
PID:1500

C:\Windows\System\bHkZyoT.exe
C:\Windows\System\bHkZyoT.exe
2⤵
- Executes dropped EXE
PID:1152

C:\Windows\System\nSZOBei.exe
C:\Windows\System\nSZOBei.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\MSwRJeD.exe
C:\Windows\System\MSwRJeD.exe
2⤵
- Executes dropped EXE
PID:5052

C:\Windows\System\gYtzJBu.exe
C:\Windows\System\gYtzJBu.exe
2⤵
- Executes dropped EXE
PID:2172

C:\Windows\System\qtLJwvm.exe
C:\Windows\System\qtLJwvm.exe
2⤵
- Executes dropped EXE
PID:3256

C:\Windows\System\czyThEZ.exe
C:\Windows\System\czyThEZ.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\System\ThYAqAu.exe
C:\Windows\System\ThYAqAu.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System\jnnPANM.exe
C:\Windows\System\jnnPANM.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\HVooefM.exe
C:\Windows\System\HVooefM.exe
2⤵
- Executes dropped EXE
PID:464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EEIVsuA.exe
Filesize
5.2MB

MD5
4bad63b1aa209e3e8a05f31fd136b3dd

SHA1
4d4119b8915fac70a71462bd7dacce723a0b9ee5

SHA256
ec74edeb5250d2d8bef370b0b79025eadc264f186f8eb9d2960497b75e30555e

SHA512
11095e2dc5e8b88bb971546c0288fba52fb68ca067b1c136ff1ac584fef3364ceefa43673cea8bf085e0b6a622d8d513f5d15a3fbe622a5918f59eef17e05f61

Download Submit
C:\Windows\System\GRbsPuy.exe
Filesize
5.2MB

MD5
49aa7cbd370767ccfd3d1b6e226fefe7

SHA1
b29672e68d2764f6de0b461c835121ddc47b2039

SHA256
785b27685f504b5494a07ce17a74e311815a7e27d1ed19984c354a5a803e2822

SHA512
5fc36983a10b4b7fd3b14892c698c29d73d4f6c369490517dfc208c11af4b26419eb5720e30d07c3d327762a670af82908e1ad3d355423d5ea6a8a0734529fe5

Download Submit
C:\Windows\System\HVooefM.exe
Filesize
5.2MB

MD5
b410f66c5c98d45d61fb016e7f427dd4

SHA1
e02a4ef720d2cb3be8d74af2f8586474a5f61486

SHA256
2f854e7a6e9a0e66d958103a3dd619cc168d4cd15cab4a72249059fcb1105c89

SHA512
20f5d1e8b323a6be20a976200c86a5c4687db7c353dedeb375f6f4165cc21528ca27b92f37959f3fbf50b07df8e137a00fc963a6f8c539b66d1c61ce57b1f5a9

Download Submit
C:\Windows\System\MSwRJeD.exe
Filesize
5.2MB

MD5
b9779011e3da354448eff763c4554189

SHA1
986ac0ecf903b659b6048e6c17f1035877125382

SHA256
4b157a86f4ebcda43ab33ded02dfed3c6cfa1961761d1ca7cba43933044c49ec

SHA512
8e089757da7033558ca10aaf3d690dbed78860e330f52630af3a6e82fae1fee2a36024e486e30cbede195e8c85c7f3e5fa8f30fd4667e4e92466cc8bde29cc0b

Download Submit
C:\Windows\System\NXjroZh.exe
Filesize
5.2MB

MD5
b683d7a329c448068f5a94553c9a6831

SHA1
b24f89cc52aa67f4023edbb897329d508c5ce633

SHA256
67d4ff1b93df4482dc27ab14e0c35d5e623e99ad9f0c3c944cf5a0ef0cdbae18

SHA512
33fc0b16916a01564de4abe6ef98a0cd80fb1d96f38acde1d017fa365ec275b01b5ced9588e4873981cbc7c609f432dde2de8ad2868186002cea53025be1e36d

Download Submit
C:\Windows\System\RGqyema.exe
Filesize
5.2MB

MD5
5056865a1cfefc44e4f90df68371968d

SHA1
c94944fc2f39b56662a3d9807760c38bf8b03f4a

SHA256
ac8da915e31ed447104e5a5585ee800db331eaf6c3b5792a0592cc6e84bf41bb

SHA512
fb48f0f0061f9824877a73b7efea2515bb36a54d86698a0426bc2ba3fcbfe82f20a098cf641fe45dc18e72b5c51c6d5cb68ff121ded46954482f486d4694db00

Download Submit
C:\Windows\System\ThYAqAu.exe
Filesize
5.2MB

MD5
cbee1fed5ae9b6552cb3b798f8017f09

SHA1
2a646989c971c9b0529fe0298812077232855213

SHA256
3a1d50dd19d47aa96e5e2e614bf7e2fe522d669c99678dfc6ab78d6dd16e9a95

SHA512
42b3abbd6cdb8d55a57034bd268a7da122875f828d0c7ae36f96994041e55268f6aa58751a5718bcddcdacb89120f1023310ad8d3c7b8c856cddfe9c6e8826b9

Download Submit
C:\Windows\System\USTbfLY.exe
Filesize
5.2MB

MD5
4828bbd4af5e0dc0f3dde887fbc4cf43

SHA1
bf8bbca397c6ce9acb01dfc75292dcdb457c7d84

SHA256
c43fada87758d6def4aac71e64a4734f37d430f69c6ef918511e41c705f3b001

SHA512
b02c15120c90b031eb83ca02efa2b4cd8275f4c9b3f33553c6e826fb2f9f33632bf12474a01c6666007b701d12da745057287adb0c838995b49c2c7abe99c238

Download Submit
C:\Windows\System\bFoPSgm.exe
Filesize
5.2MB

MD5
d5ccff3290500f5432b5efd6213cfdbf

SHA1
4786852718245022c03c4bc8af52eab29b6e8870

SHA256
c46873adc85c0de221847c6683d707f1c978edb71907a61fba792e4d733ae75d

SHA512
115b64db4790429799bd774ca9da0a73cbdd5e7e06ad14f51e7f1782d56e75ef8e6dc9d73dbece38933650e13fab6d57291dc9b402de1e73501a2acf9404a8e7

Download Submit
C:\Windows\System\bHkZyoT.exe
Filesize
5.2MB

MD5
ced502d6eaf612ec3a8869844c5ba4ce

SHA1
0cb1901dd43348f77e718def8cceab540c7cd967

SHA256
e702499d767dd44bb9f2362e987b45b31ea3f69b8ce29bdf9ecbe730704b4f63

SHA512
75ffd57528c4ec8c1bc917aa140a813889dede695755b6a131c8a9092382a7818958b4943e7f2036aa9e204b822d2a90344e99f295337f789f7bd99306899e5a

Download Submit
C:\Windows\System\cjlzISG.exe
Filesize
5.2MB

MD5
50f8e6c5cb877e3116e2739d8d188a87

SHA1
6cf3921662f9f4a5932500379fb1d95afa1cc91b

SHA256
d63614b83e4e3d3a14e62bc2b78238c6aeb5ca0f1d91a622e27b368341acf37f

SHA512
cc8ea9fa934ced4e814bac82a44320225c74c721fd8143ac5968ecfa38d00cca1d4793f61d53d1b3e528d419b4aa265dffc103a5b37a9d0d1d30211769adda55

Download Submit
C:\Windows\System\czyThEZ.exe
Filesize
5.2MB

MD5
fe274c0b3bc81a5d9bcc48b4d8ba9896

SHA1
6e8a197399e99f1b9a80a02a6ef747ae19fafa96

SHA256
b08fcfd6502d1feda89e32aed1b883986304c17166145064d17b4af0f3fbe6ed

SHA512
d9f963a891a19ca613e00ef1380daa243aeb491191f39b14ef079a53d006b9e38e01ee87215ea26f08b69a1cbd6a6e78d0dff18ca070a93ff418465ba7f2960e

Download Submit
C:\Windows\System\ehdQbyT.exe
Filesize
5.2MB

MD5
4b7d363c25ab3117ef0deba88b6d8c65

SHA1
fc0e85fa5820a03a7ca94a0515630d14cbc127b3

SHA256
6e764533afbb5ea4c6ef4ccb5d2fa5670c9edf1625dba1f386f25ed39aa9843e

SHA512
250dc7b71e568b1d9986725ccb3d0b8c93c6f07807ae3d3b79519fa617ba10ac9ea506a25b79cc2b236a6848b6b2fa23391226ac6fd321f4bf2396a17eac659e

Download Submit
C:\Windows\System\gYtzJBu.exe
Filesize
5.2MB

MD5
9e63aeb887d24e832cc5f6d0250a578d

SHA1
8eddf68a722c9b4b25a9872cc33177c6738b29b5

SHA256
c46a05496de0b1fd0a41366cfde715136b95205545ec24a3a98697752ce47870

SHA512
5e2ab36be2ec25ad94edb902467ff93b780bff76e70510b9d1af5adcefdef81ec7356e6c7690da681dbcacfc62ee8b0a07b78e736f86dc41d1c07555d7073d2c

Download Submit
C:\Windows\System\iIogZvr.exe
Filesize
5.2MB

MD5
43543dbdfc229d0e32090a7d8bbbe2e3

SHA1
4d78562d99b2177acb552dd4fd8fa58b186f6569

SHA256
cdb6fd5865d4a4b48f6dbb545844aed45aca94232c200aca99549a478bca5b4f

SHA512
bfd37728c3844a53902982fb35b0167b7bd3972082ba60134cdde8e54a69c0066c1282d1be5d4d2157185b7e69bce32caa2caeb33230118cc926f11a8451490c

Download Submit
C:\Windows\System\jEfRIJh.exe
Filesize
5.2MB

MD5
6efabcc421b594e1275c964da1350216

SHA1
87db1d2963864dc0d8bc27b76955bf546cc8cc7e

SHA256
1a73047c8f3ec404acd1fd6d65e864caa098e6fa6c26cfc67ca562c5ec001cd6

SHA512
2a64f3b3f8898144256c0bee454af9c4352772f9ac6c211855ca8927928cea427f6ab935061a131e31b046a69d299e4529e8d6ff44429220adae926a9032f3b1

Download Submit
C:\Windows\System\jnnPANM.exe
Filesize
5.2MB

MD5
45058b5061d40a4d1251b49586dbb0a8

SHA1
d7208b3365a8ba41f4edded0bdf1e79e0a6ee242

SHA256
9f3b109d90691221ec4f5154efe9921a4962601655c32ff6d8397dcada29ee15

SHA512
528c3976ec4022467a9d7bbc8d11ad9ef8d425754cee3f741534ddcbb8ce28eac1d3f4b3086725078ae0a085ba82c5a4c8a4ac9eb142359b4c92f55d8b4edff9

Download Submit
C:\Windows\System\kIrhpwq.exe
Filesize
5.2MB

MD5
caa03ccb64e876b98ab65054bf9f9a1d

SHA1
3b96645fb9668cd62d2da29191f6eba6f9c9a5a4

SHA256
b99a8f8d93aed0b26d40360839f4d66fe2faf218b2a53648b850141ca6c54173

SHA512
0015c382d4c6e4f7b484d92cc0090e151d8577bff4226a396f455f752d0cf3f990d14e6e8305c6fae4cf3dc24de10dad57e11e4600f14f5452285e716e262319

Download Submit
C:\Windows\System\nSZOBei.exe
Filesize
5.2MB

MD5
638d2a355cb2477a5d1949c5abf38a65

SHA1
402caad41b06eda6d20d272a96b792b39e97cc54

SHA256
56ce384f52289b283a7a5377cbad1c7d7152ccad07f47415de924a89ce66f7e4

SHA512
75e46096b469d00083c60393d29fcd4d2c7973aa2d9de2dc2a5fb843d3cffd039449a0ae4a3811c3190effff014cfe94e8e54504b31ecc5d723be946a0146233

Download Submit
C:\Windows\System\nZrnsJp.exe
Filesize
5.2MB

MD5
41fd07146e579a4bb0fe93a8a0364b28

SHA1
bcf414c380fc30d3b5630a3305d3f02a24f2223d

SHA256
e49c37c2b63fc18978f63be7a7f7dcc89bf1190ef9f835b2ef2d2b7a60a79b31

SHA512
69ade6a20fdc80d32bcda7610eb25d150d7c3daefbcd0b23c5acec26ba0d487344f4f8b84dc2bdac5f7faba58c3cd2450193ec0c3b7df18299c7f2c4a0a5e7c5

Download Submit
C:\Windows\System\qtLJwvm.exe
Filesize
5.2MB

MD5
088aa4861d516d7fd2786231c5c5e00a

SHA1
a769b54a3de176017065c3d3b4a0e5c4a60aadbd

SHA256
589f8ffe9d384bc9ff5ea302b406521f17fb77bda4642a187231065b434d136b

SHA512
d5dd87f4ea2ee398e50ea017c17eda098a4f1ac1c4a6bd9e7fc33136dad973d2c764b1987760aa0c53ec58fda3315b49b199e37d231b4145add2a9435ed7ab3d

Download Submit
memory/452-198-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp

Filesize
3.3MB

Download
memory/452-120-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp

Filesize
3.3MB

Download
memory/464-127-0x00007FF73D680000-0x00007FF73D9D1000-memory.dmp

Filesize
3.3MB

Download
memory/464-250-0x00007FF73D680000-0x00007FF73D9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-232-0x00007FF6395E0000-0x00007FF639931000-memory.dmp

Filesize
3.3MB

Download
memory/1152-104-0x00007FF6395E0000-0x00007FF639931000-memory.dmp

Filesize
3.3MB

Download
memory/1296-123-0x00007FF63A6A0000-0x00007FF63A9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-225-0x00007FF63A6A0000-0x00007FF63A9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1500-96-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1500-140-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1500-236-0x00007FF7A5B60000-0x00007FF7A5EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-209-0x00007FF74CB00000-0x00007FF74CE51000-memory.dmp

Filesize
3.3MB

Download
memory/1944-80-0x00007FF74CB00000-0x00007FF74CE51000-memory.dmp

Filesize
3.3MB

Download
memory/2012-239-0x00007FF610C20000-0x00007FF610F71000-memory.dmp

Filesize
3.3MB

Download
memory/2012-108-0x00007FF610C20000-0x00007FF610F71000-memory.dmp

Filesize
3.3MB

Download
memory/2172-114-0x00007FF7183A0000-0x00007FF7186F1000-memory.dmp

Filesize
3.3MB

Download
memory/2172-242-0x00007FF7183A0000-0x00007FF7186F1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-14-0x00007FF7580B0000-0x00007FF758401000-memory.dmp

Filesize
3.3MB

Download
memory/2448-196-0x00007FF7580B0000-0x00007FF758401000-memory.dmp

Filesize
3.3MB

Download
memory/2448-129-0x00007FF7580B0000-0x00007FF758401000-memory.dmp

Filesize
3.3MB

Download
memory/2648-118-0x00007FF674180000-0x00007FF6744D1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-237-0x00007FF674180000-0x00007FF6744D1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-254-0x00007FF646F80000-0x00007FF6472D1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-119-0x00007FF646F80000-0x00007FF6472D1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-125-0x00007FF654230000-0x00007FF654581000-memory.dmp

Filesize
3.3MB

Download
memory/3256-243-0x00007FF654230000-0x00007FF654581000-memory.dmp

Filesize
3.3MB

Download
memory/3268-131-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp

Filesize
3.3MB

Download
memory/3268-25-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp

Filesize
3.3MB

Download
memory/3268-205-0x00007FF7039D0000-0x00007FF703D21000-memory.dmp

Filesize
3.3MB

Download
memory/3324-54-0x00007FF683FB0000-0x00007FF684301000-memory.dmp

Filesize
3.3MB

Download
memory/3324-135-0x00007FF683FB0000-0x00007FF684301000-memory.dmp

Filesize
3.3MB

Download
memory/3324-214-0x00007FF683FB0000-0x00007FF684301000-memory.dmp

Filesize
3.3MB

Download
memory/3580-133-0x00007FF6253B0000-0x00007FF625701000-memory.dmp

Filesize
3.3MB

Download
memory/3580-217-0x00007FF6253B0000-0x00007FF625701000-memory.dmp

Filesize
3.3MB

Download
memory/3580-40-0x00007FF6253B0000-0x00007FF625701000-memory.dmp

Filesize
3.3MB

Download
memory/3752-224-0x00007FF738370000-0x00007FF7386C1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-136-0x00007FF738370000-0x00007FF7386C1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-70-0x00007FF738370000-0x00007FF7386C1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-1-0x000001E49DC50000-0x000001E49DC60000-memory.dmp

Filesize
64KB

Download
memory/4604-150-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp

Filesize
3.3MB

Download
memory/4604-128-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp

Filesize
3.3MB

Download
memory/4604-0-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp

Filesize
3.3MB

Download
memory/4604-172-0x00007FF6AC5C0000-0x00007FF6AC911000-memory.dmp

Filesize
3.3MB

Download
memory/4648-115-0x00007FF666E70000-0x00007FF6671C1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-252-0x00007FF666E70000-0x00007FF6671C1000-memory.dmp

Filesize
3.3MB

Download
memory/4700-218-0x00007FF70E5E0000-0x00007FF70E931000-memory.dmp

Filesize
3.3MB

Download
memory/4700-121-0x00007FF70E5E0000-0x00007FF70E931000-memory.dmp

Filesize
3.3MB

Download
memory/4724-251-0x00007FF789AD0000-0x00007FF789E21000-memory.dmp

Filesize
3.3MB

Download
memory/4724-126-0x00007FF789AD0000-0x00007FF789E21000-memory.dmp

Filesize
3.3MB

Download
memory/4968-216-0x00007FF787360000-0x00007FF7876B1000-memory.dmp

Filesize
3.3MB

Download
memory/4968-122-0x00007FF787360000-0x00007FF7876B1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-230-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-124-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp

Filesize
3.3MB

Download