cobaltstrike | 8dc2c60e98190888a5f77949f0a5cb0291d90b1a9633e65d5de77f7ceb6f439f

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

8077b6961a3b1255bcceb1be20a073d0
SHA1

756498a4c6f10a0af7c567cd1c15fee71f7d9f12
SHA256

8dc2c60e98190888a5f77949f0a5cb0291d90b1a9633e65d5de77f7ceb6f439f
SHA512

c3334eb0fdfec4c84aa466a26a7cdeb22dfa6302ab964c2dbf4daca64084036a6c0d92ba356af2a6f041137cd3c1f63e1bb9ac15312a6e125769f6b9621f6abf
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lUs

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\CBSqzUo.exe	cobalt_reflective_dll
C:\Windows\System\EbwOhDB.exe	cobalt_reflective_dll
C:\Windows\System\GvSSAuh.exe	cobalt_reflective_dll
C:\Windows\System\QOwpCcg.exe	cobalt_reflective_dll
C:\Windows\System\sjmDTWd.exe	cobalt_reflective_dll
C:\Windows\System\FwYlugP.exe	cobalt_reflective_dll
C:\Windows\System\fLhVypc.exe	cobalt_reflective_dll
C:\Windows\System\UcEZQAt.exe	cobalt_reflective_dll
C:\Windows\System\XMvJGzM.exe	cobalt_reflective_dll
C:\Windows\System\fKbewkp.exe	cobalt_reflective_dll
C:\Windows\System\plnHklq.exe	cobalt_reflective_dll
C:\Windows\System\tLXosyw.exe	cobalt_reflective_dll
C:\Windows\System\TspZluu.exe	cobalt_reflective_dll
C:\Windows\System\KdIyJsj.exe	cobalt_reflective_dll
C:\Windows\System\sFvqgMS.exe	cobalt_reflective_dll
C:\Windows\System\FNDCnWZ.exe	cobalt_reflective_dll
C:\Windows\System\IcvWYBw.exe	cobalt_reflective_dll
C:\Windows\System\UolDWTn.exe	cobalt_reflective_dll
C:\Windows\System\zXMYqJK.exe	cobalt_reflective_dll
C:\Windows\System\oxStvrQ.exe	cobalt_reflective_dll
C:\Windows\System\tbWrQNw.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\CBSqzUo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EbwOhDB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GvSSAuh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QOwpCcg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sjmDTWd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FwYlugP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fLhVypc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UcEZQAt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XMvJGzM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fKbewkp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\plnHklq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tLXosyw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TspZluu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KdIyJsj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sFvqgMS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FNDCnWZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IcvWYBw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UolDWTn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zXMYqJK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oxStvrQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tbWrQNw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4988-0-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	UPX
C:\Windows\System\CBSqzUo.exe	UPX
C:\Windows\System\EbwOhDB.exe	UPX
behavioral2/memory/3208-11-0x00007FF680A30000-0x00007FF680D81000-memory.dmp	UPX
C:\Windows\System\GvSSAuh.exe	UPX
C:\Windows\System\QOwpCcg.exe	UPX
behavioral2/memory/4396-27-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp	UPX
C:\Windows\System\sjmDTWd.exe	UPX
C:\Windows\System\FwYlugP.exe	UPX
C:\Windows\System\fLhVypc.exe	UPX
C:\Windows\System\UcEZQAt.exe	UPX
C:\Windows\System\XMvJGzM.exe	UPX
behavioral2/memory/1628-54-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp	UPX
behavioral2/memory/4832-50-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp	UPX
behavioral2/memory/4760-44-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	UPX
behavioral2/memory/556-39-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp	UPX
behavioral2/memory/4164-34-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp	UPX
behavioral2/memory/2400-29-0x00007FF6E4AB0000-0x00007FF6E4E01000-memory.dmp	UPX
C:\Windows\System\fKbewkp.exe	UPX
behavioral2/memory/2440-16-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp	UPX
C:\Windows\System\plnHklq.exe	UPX
behavioral2/memory/4144-69-0x00007FF78B390000-0x00007FF78B6E1000-memory.dmp	UPX
C:\Windows\System\tLXosyw.exe	UPX
C:\Windows\System\TspZluu.exe	UPX
C:\Windows\System\KdIyJsj.exe	UPX
behavioral2/memory/1324-97-0x00007FF714A50000-0x00007FF714DA1000-memory.dmp	UPX
C:\Windows\System\sFvqgMS.exe	UPX
behavioral2/memory/4012-105-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp	UPX
C:\Windows\System\FNDCnWZ.exe	UPX
behavioral2/memory/4164-112-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp	UPX
C:\Windows\System\IcvWYBw.exe	UPX
C:\Windows\System\UolDWTn.exe	UPX
C:\Windows\System\zXMYqJK.exe	UPX
behavioral2/memory/4852-134-0x00007FF7A2920000-0x00007FF7A2C71000-memory.dmp	UPX
behavioral2/memory/4832-135-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp	UPX
behavioral2/memory/556-133-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp	UPX
behavioral2/memory/1976-130-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp	UPX
behavioral2/memory/4760-127-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	UPX
behavioral2/memory/4564-124-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp	UPX
behavioral2/memory/2944-115-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp	UPX
behavioral2/memory/960-107-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp	UPX
behavioral2/memory/2440-100-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp	UPX
behavioral2/memory/4396-102-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp	UPX
behavioral2/memory/1812-95-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp	UPX
behavioral2/memory/3208-87-0x00007FF680A30000-0x00007FF680D81000-memory.dmp	UPX
C:\Windows\System\oxStvrQ.exe	UPX
behavioral2/memory/4988-82-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	UPX
behavioral2/memory/4300-80-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	UPX
C:\Windows\System\tbWrQNw.exe	UPX
behavioral2/memory/2276-74-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp	UPX
behavioral2/memory/1248-72-0x00007FF776330000-0x00007FF776681000-memory.dmp	UPX
behavioral2/memory/4988-136-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	UPX
behavioral2/memory/1812-149-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp	UPX
behavioral2/memory/960-153-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp	UPX
behavioral2/memory/2944-154-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp	UPX
behavioral2/memory/4012-152-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp	UPX
behavioral2/memory/4300-150-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	UPX
behavioral2/memory/2276-148-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp	UPX
behavioral2/memory/1248-147-0x00007FF776330000-0x00007FF776681000-memory.dmp	UPX
behavioral2/memory/1628-145-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp	UPX
behavioral2/memory/1976-157-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp	UPX
behavioral2/memory/4564-155-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp	UPX
behavioral2/memory/4988-158-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	UPX
behavioral2/memory/3208-203-0x00007FF680A30000-0x00007FF680D81000-memory.dmp	UPX

XMRig Miner payload 49 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2400-29-0x00007FF6E4AB0000-0x00007FF6E4E01000-memory.dmp	xmrig
behavioral2/memory/2440-16-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp	xmrig
behavioral2/memory/4144-69-0x00007FF78B390000-0x00007FF78B6E1000-memory.dmp	xmrig
behavioral2/memory/1324-97-0x00007FF714A50000-0x00007FF714DA1000-memory.dmp	xmrig
behavioral2/memory/4012-105-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp	xmrig
behavioral2/memory/4164-112-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp	xmrig
behavioral2/memory/4852-134-0x00007FF7A2920000-0x00007FF7A2C71000-memory.dmp	xmrig
behavioral2/memory/4832-135-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp	xmrig
behavioral2/memory/556-133-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp	xmrig
behavioral2/memory/4760-127-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	xmrig
behavioral2/memory/2440-100-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp	xmrig
behavioral2/memory/4396-102-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp	xmrig
behavioral2/memory/1812-95-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp	xmrig
behavioral2/memory/3208-87-0x00007FF680A30000-0x00007FF680D81000-memory.dmp	xmrig
behavioral2/memory/4988-82-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	xmrig
behavioral2/memory/1248-72-0x00007FF776330000-0x00007FF776681000-memory.dmp	xmrig
behavioral2/memory/4988-136-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	xmrig
behavioral2/memory/1812-149-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp	xmrig
behavioral2/memory/960-153-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp	xmrig
behavioral2/memory/2944-154-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp	xmrig
behavioral2/memory/4012-152-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp	xmrig
behavioral2/memory/4300-150-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	xmrig
behavioral2/memory/2276-148-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp	xmrig
behavioral2/memory/1248-147-0x00007FF776330000-0x00007FF776681000-memory.dmp	xmrig
behavioral2/memory/1628-145-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp	xmrig
behavioral2/memory/1976-157-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp	xmrig
behavioral2/memory/4564-155-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp	xmrig
behavioral2/memory/4988-158-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	xmrig
behavioral2/memory/3208-203-0x00007FF680A30000-0x00007FF680D81000-memory.dmp	xmrig
behavioral2/memory/2440-205-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp	xmrig
behavioral2/memory/2400-207-0x00007FF6E4AB0000-0x00007FF6E4E01000-memory.dmp	xmrig
behavioral2/memory/4396-210-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp	xmrig
behavioral2/memory/4164-218-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp	xmrig
behavioral2/memory/556-221-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp	xmrig
behavioral2/memory/4760-223-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	xmrig
behavioral2/memory/4832-227-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp	xmrig
behavioral2/memory/4144-229-0x00007FF78B390000-0x00007FF78B6E1000-memory.dmp	xmrig
behavioral2/memory/1628-228-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp	xmrig
behavioral2/memory/1248-231-0x00007FF776330000-0x00007FF776681000-memory.dmp	xmrig
behavioral2/memory/2276-233-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp	xmrig
behavioral2/memory/4300-236-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	xmrig
behavioral2/memory/1812-238-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp	xmrig
behavioral2/memory/1324-239-0x00007FF714A50000-0x00007FF714DA1000-memory.dmp	xmrig
behavioral2/memory/4012-241-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp	xmrig
behavioral2/memory/960-243-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp	xmrig
behavioral2/memory/2944-245-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp	xmrig
behavioral2/memory/4564-247-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp	xmrig
behavioral2/memory/4852-249-0x00007FF7A2920000-0x00007FF7A2C71000-memory.dmp	xmrig
behavioral2/memory/1976-251-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

CBSqzUo.exeEbwOhDB.exeGvSSAuh.exefKbewkp.exeQOwpCcg.exeFwYlugP.exesjmDTWd.exefLhVypc.exeUcEZQAt.exeXMvJGzM.exeplnHklq.exetbWrQNw.exeTspZluu.exetLXosyw.exeoxStvrQ.exeKdIyJsj.exesFvqgMS.exeIcvWYBw.exeFNDCnWZ.exeUolDWTn.exezXMYqJK.exe

pid	process
3208	CBSqzUo.exe
2440	EbwOhDB.exe
2400	GvSSAuh.exe
4396	fKbewkp.exe
4164	QOwpCcg.exe
556	FwYlugP.exe
4760	sjmDTWd.exe
4832	fLhVypc.exe
1628	UcEZQAt.exe
4144	XMvJGzM.exe
1248	plnHklq.exe
2276	tbWrQNw.exe
1812	TspZluu.exe
4300	tLXosyw.exe
1324	oxStvrQ.exe
4012	KdIyJsj.exe
960	sFvqgMS.exe
2944	IcvWYBw.exe
4564	FNDCnWZ.exe
4852	UolDWTn.exe
1976	zXMYqJK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4988-0-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	upx
C:\Windows\System\CBSqzUo.exe	upx
C:\Windows\System\EbwOhDB.exe	upx
behavioral2/memory/3208-11-0x00007FF680A30000-0x00007FF680D81000-memory.dmp	upx
C:\Windows\System\GvSSAuh.exe	upx
C:\Windows\System\QOwpCcg.exe	upx
behavioral2/memory/4396-27-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp	upx
C:\Windows\System\sjmDTWd.exe	upx
C:\Windows\System\FwYlugP.exe	upx
C:\Windows\System\fLhVypc.exe	upx
C:\Windows\System\UcEZQAt.exe	upx
C:\Windows\System\XMvJGzM.exe	upx
behavioral2/memory/1628-54-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp	upx
behavioral2/memory/4832-50-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp	upx
behavioral2/memory/4760-44-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	upx
behavioral2/memory/556-39-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp	upx
behavioral2/memory/4164-34-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp	upx
behavioral2/memory/2400-29-0x00007FF6E4AB0000-0x00007FF6E4E01000-memory.dmp	upx
C:\Windows\System\fKbewkp.exe	upx
behavioral2/memory/2440-16-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp	upx
C:\Windows\System\plnHklq.exe	upx
behavioral2/memory/4144-69-0x00007FF78B390000-0x00007FF78B6E1000-memory.dmp	upx
C:\Windows\System\tLXosyw.exe	upx
C:\Windows\System\TspZluu.exe	upx
C:\Windows\System\KdIyJsj.exe	upx
behavioral2/memory/1324-97-0x00007FF714A50000-0x00007FF714DA1000-memory.dmp	upx
C:\Windows\System\sFvqgMS.exe	upx
behavioral2/memory/4012-105-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp	upx
C:\Windows\System\FNDCnWZ.exe	upx
behavioral2/memory/4164-112-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp	upx
C:\Windows\System\IcvWYBw.exe	upx
C:\Windows\System\UolDWTn.exe	upx
C:\Windows\System\zXMYqJK.exe	upx
behavioral2/memory/4852-134-0x00007FF7A2920000-0x00007FF7A2C71000-memory.dmp	upx
behavioral2/memory/4832-135-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp	upx
behavioral2/memory/556-133-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp	upx
behavioral2/memory/1976-130-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp	upx
behavioral2/memory/4760-127-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	upx
behavioral2/memory/4564-124-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp	upx
behavioral2/memory/2944-115-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp	upx
behavioral2/memory/960-107-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp	upx
behavioral2/memory/2440-100-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp	upx
behavioral2/memory/4396-102-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp	upx
behavioral2/memory/1812-95-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp	upx
behavioral2/memory/3208-87-0x00007FF680A30000-0x00007FF680D81000-memory.dmp	upx
C:\Windows\System\oxStvrQ.exe	upx
behavioral2/memory/4988-82-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	upx
behavioral2/memory/4300-80-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	upx
C:\Windows\System\tbWrQNw.exe	upx
behavioral2/memory/2276-74-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp	upx
behavioral2/memory/1248-72-0x00007FF776330000-0x00007FF776681000-memory.dmp	upx
behavioral2/memory/4988-136-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	upx
behavioral2/memory/1812-149-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp	upx
behavioral2/memory/960-153-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp	upx
behavioral2/memory/2944-154-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp	upx
behavioral2/memory/4012-152-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp	upx
behavioral2/memory/4300-150-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	upx
behavioral2/memory/2276-148-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp	upx
behavioral2/memory/1248-147-0x00007FF776330000-0x00007FF776681000-memory.dmp	upx
behavioral2/memory/1628-145-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp	upx
behavioral2/memory/1976-157-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp	upx
behavioral2/memory/4564-155-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp	upx
behavioral2/memory/4988-158-0x00007FF659790000-0x00007FF659AE1000-memory.dmp	upx
behavioral2/memory/3208-203-0x00007FF680A30000-0x00007FF680D81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\zXMYqJK.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CBSqzUo.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sjmDTWd.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tLXosyw.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UcEZQAt.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TspZluu.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oxStvrQ.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FNDCnWZ.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UolDWTn.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GvSSAuh.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fKbewkp.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FwYlugP.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IcvWYBw.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EbwOhDB.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QOwpCcg.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KdIyJsj.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tbWrQNw.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sFvqgMS.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fLhVypc.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XMvJGzM.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\plnHklq.exe	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4988 wrote to memory of 3208	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	CBSqzUo.exe
PID 4988 wrote to memory of 3208	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	CBSqzUo.exe
PID 4988 wrote to memory of 2440	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	EbwOhDB.exe
PID 4988 wrote to memory of 2440	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	EbwOhDB.exe
PID 4988 wrote to memory of 2400	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	GvSSAuh.exe
PID 4988 wrote to memory of 2400	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	GvSSAuh.exe
PID 4988 wrote to memory of 4396	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	fKbewkp.exe
PID 4988 wrote to memory of 4396	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	fKbewkp.exe
PID 4988 wrote to memory of 4164	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	QOwpCcg.exe
PID 4988 wrote to memory of 4164	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	QOwpCcg.exe
PID 4988 wrote to memory of 556	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	FwYlugP.exe
PID 4988 wrote to memory of 556	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	FwYlugP.exe
PID 4988 wrote to memory of 4760	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	sjmDTWd.exe
PID 4988 wrote to memory of 4760	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	sjmDTWd.exe
PID 4988 wrote to memory of 4832	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	fLhVypc.exe
PID 4988 wrote to memory of 4832	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	fLhVypc.exe
PID 4988 wrote to memory of 1628	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	UcEZQAt.exe
PID 4988 wrote to memory of 1628	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	UcEZQAt.exe
PID 4988 wrote to memory of 4144	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	XMvJGzM.exe
PID 4988 wrote to memory of 4144	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	XMvJGzM.exe
PID 4988 wrote to memory of 1248	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	plnHklq.exe
PID 4988 wrote to memory of 1248	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	plnHklq.exe
PID 4988 wrote to memory of 2276	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	tbWrQNw.exe
PID 4988 wrote to memory of 2276	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	tbWrQNw.exe
PID 4988 wrote to memory of 1812	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	TspZluu.exe
PID 4988 wrote to memory of 1812	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	TspZluu.exe
PID 4988 wrote to memory of 4300	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	tLXosyw.exe
PID 4988 wrote to memory of 4300	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	tLXosyw.exe
PID 4988 wrote to memory of 1324	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	oxStvrQ.exe
PID 4988 wrote to memory of 1324	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	oxStvrQ.exe
PID 4988 wrote to memory of 4012	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	KdIyJsj.exe
PID 4988 wrote to memory of 4012	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	KdIyJsj.exe
PID 4988 wrote to memory of 960	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	sFvqgMS.exe
PID 4988 wrote to memory of 960	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	sFvqgMS.exe
PID 4988 wrote to memory of 2944	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	IcvWYBw.exe
PID 4988 wrote to memory of 2944	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	IcvWYBw.exe
PID 4988 wrote to memory of 4564	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	FNDCnWZ.exe
PID 4988 wrote to memory of 4564	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	FNDCnWZ.exe
PID 4988 wrote to memory of 4852	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	UolDWTn.exe
PID 4988 wrote to memory of 4852	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	UolDWTn.exe
PID 4988 wrote to memory of 1976	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	zXMYqJK.exe
PID 4988 wrote to memory of 1976	4988	2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe	zXMYqJK.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_8077b6961a3b1255bcceb1be20a073d0_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\System\CBSqzUo.exe
C:\Windows\System\CBSqzUo.exe
2⤵
- Executes dropped EXE
PID:3208

C:\Windows\System\EbwOhDB.exe
C:\Windows\System\EbwOhDB.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\GvSSAuh.exe
C:\Windows\System\GvSSAuh.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\System\fKbewkp.exe
C:\Windows\System\fKbewkp.exe
2⤵
- Executes dropped EXE
PID:4396

C:\Windows\System\QOwpCcg.exe
C:\Windows\System\QOwpCcg.exe
2⤵
- Executes dropped EXE
PID:4164

C:\Windows\System\FwYlugP.exe
C:\Windows\System\FwYlugP.exe
2⤵
- Executes dropped EXE
PID:556

C:\Windows\System\sjmDTWd.exe
C:\Windows\System\sjmDTWd.exe
2⤵
- Executes dropped EXE
PID:4760

C:\Windows\System\fLhVypc.exe
C:\Windows\System\fLhVypc.exe
2⤵
- Executes dropped EXE
PID:4832

C:\Windows\System\UcEZQAt.exe
C:\Windows\System\UcEZQAt.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\System\XMvJGzM.exe
C:\Windows\System\XMvJGzM.exe
2⤵
- Executes dropped EXE
PID:4144

C:\Windows\System\plnHklq.exe
C:\Windows\System\plnHklq.exe
2⤵
- Executes dropped EXE
PID:1248

C:\Windows\System\tbWrQNw.exe
C:\Windows\System\tbWrQNw.exe
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\System\TspZluu.exe
C:\Windows\System\TspZluu.exe
2⤵
- Executes dropped EXE
PID:1812

C:\Windows\System\tLXosyw.exe
C:\Windows\System\tLXosyw.exe
2⤵
- Executes dropped EXE
PID:4300

C:\Windows\System\oxStvrQ.exe
C:\Windows\System\oxStvrQ.exe
2⤵
- Executes dropped EXE
PID:1324

C:\Windows\System\KdIyJsj.exe
C:\Windows\System\KdIyJsj.exe
2⤵
- Executes dropped EXE
PID:4012

C:\Windows\System\sFvqgMS.exe
C:\Windows\System\sFvqgMS.exe
2⤵
- Executes dropped EXE
PID:960

C:\Windows\System\IcvWYBw.exe
C:\Windows\System\IcvWYBw.exe
2⤵
- Executes dropped EXE
PID:2944

C:\Windows\System\FNDCnWZ.exe
C:\Windows\System\FNDCnWZ.exe
2⤵
- Executes dropped EXE
PID:4564

C:\Windows\System\UolDWTn.exe
C:\Windows\System\UolDWTn.exe
2⤵
- Executes dropped EXE
PID:4852

C:\Windows\System\zXMYqJK.exe
C:\Windows\System\zXMYqJK.exe
2⤵
- Executes dropped EXE
PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CBSqzUo.exe
Filesize
5.2MB

MD5
f6409e08c12c834cdaf8ce19271dcb89

SHA1
2cecd754dc758693f29d66648647e2df21b2a63c

SHA256
6e8a7e5ad3ea4d29d2c9f2c3ba7a6a2cf8a7d97377892cd6a4cfedb2cbd3d12a

SHA512
010dbfb8e55606627089326432e694c82eeacff356e54bd60af8c30dc535a8f418800c195dc1db612ae90c409268632cd0853da1575cb2f41ac5dbe5e32be8c2

Download Submit
C:\Windows\System\EbwOhDB.exe
Filesize
5.2MB

MD5
70c6230d01adc6703bc933efd8fe99a1

SHA1
7d63a43426dbe4163be3797fd85961bcdb1f41a8

SHA256
1b91e606656bf33122a6f509f7929e1f225b7764f225fc263a3cf43a00e0b927

SHA512
c41f2edf94b6bb45a0a920223094a136e89272a4bf92e286d7ad472c10a150dc66d95d89efc4cca4758c9240ab52545e35f84c18a9516f7d0ffd22bec4d28540

Download Submit
C:\Windows\System\FNDCnWZ.exe
Filesize
5.2MB

MD5
1f70a635f2167d228971df0ffbf56971

SHA1
8d18b85138cd7b50b04dda904817cd21c71e6cb0

SHA256
e2840bbc37f65fa07f4e1c0a5e0485615866e741eb2b0d39cb7c72554c412bc5

SHA512
546c3f7d45187363ff71be0fa595faed2b201517e81d91467b56e792a34bbe82149f5163644e4ccaaecc5b53662897be2af7fd387426cab8832a665b58413c65

Download Submit
C:\Windows\System\FwYlugP.exe
Filesize
5.2MB

MD5
276369ca4b7be961544909eb7c38e0ed

SHA1
909aa00627a651b9d2959a2a473e89ef29191db1

SHA256
ecab2f9700e748739cbf923760d1c1bf3be67b6156ee2796a3fe20ca8400538a

SHA512
ac62c04f1e50b4cb9ce8ca67059dd6400ceee9a0337d76237357e74d377729d39c319829b10435206c9947645a3921b848366df8166a910e00e0d9ebe0b3b536

Download Submit
C:\Windows\System\GvSSAuh.exe
Filesize
5.2MB

MD5
e31662c9607640a8ea75f784d7eca31e

SHA1
b66d27b6978fb5f2838863f6d8ae1721da2570c1

SHA256
1fc42ffb45eff38c3f9a3d4a14090384ec41f687dd73ab6b154efb656907c9d1

SHA512
a8f7cb71059c740b17ca986b32419ecd0a2f9001b027adeaaff2bb84468eae3e859a02d3525773ad123b390564769ff7709e8b547df4de9aab41a58c2a01ba3f

Download Submit
C:\Windows\System\IcvWYBw.exe
Filesize
5.2MB

MD5
7587e34e72134433076f9be338f7bab6

SHA1
70712da3cb9ded7aef161e21f297701c72f30d25

SHA256
6f2e053f38c9e91ef2bdbd21d0cd83e0a65e0d7b1c2e2a3263e6030013d9bc3e

SHA512
834f2ca91974826b2cbe936514ee8e91499be54ed44ac63c537605d10c2d1a71ec44735e5a98c44a312106732297a47abaeeeae5e6fb62494f4430e3d111bbc6

Download Submit
C:\Windows\System\KdIyJsj.exe
Filesize
5.2MB

MD5
43ffeac7d1b36f79a193378d7159b3d4

SHA1
3cc4b3fd34e5817bfbd9ecaecc777f14690a20fb

SHA256
e364ff020b1dfa5e66b6cd09f21eed16027879166f60837e38c12a9acb4c5ff0

SHA512
f80041f3011012a2ce907725c959fc44698f5a3afe254456bbfaad2bf23935c41d6f0171a3af8983d025c581b161c406d9d1d2935e3e09db991f539637066db6

Download Submit
C:\Windows\System\QOwpCcg.exe
Filesize
5.2MB

MD5
e67e29f82ceac4679c32729973a53be1

SHA1
18d4d432f78e262371cc55f3a1757b5a30efccc4

SHA256
7bbf502578168aed78bcf0e83387cda055164d6dffe62a46866620f49b4c9da6

SHA512
d0c2eadcaf54704618e099138f4fb26c26b55232237a3231f466ea4c7789452345d0f73a01779ff6d34fc04a679ba3db012ca39f61d2918faa6ab0dccc2df696

Download Submit
C:\Windows\System\TspZluu.exe
Filesize
5.2MB

MD5
5a9e6b4523732a69c213e2ebe5a94de2

SHA1
ff05dcbb532f849b5cd575227231e055936aa446

SHA256
9ba93f9af7fe418a478e53cbb61e7caa081909b0010aa7a10faacb2c3e85f4e1

SHA512
2e3da32a1d01c9f89dca67424f170440752bc369c5d56f025fa56ef98a71fd6f3007530663bbe0bb9e6c51c94d6a197de5cfad0b7569a677feb46092d26f1305

Download Submit
C:\Windows\System\UcEZQAt.exe
Filesize
5.2MB

MD5
0153cde31964f960e83c2188ff33814e

SHA1
51f976dac7f1643a56f164dc671bd412af37bc3e

SHA256
c0f35d1076963f119bfeb437c11b38c21a6532d656dde74677e79f6118e7747c

SHA512
9a69c49f3ec428468c34c497ecc65521954441f481b8c5127493a36f06ad742dcde14276154dec5e34eef467d27fe944f7239c608b413e6a1dc3a4d949a3243c

Download Submit
C:\Windows\System\UolDWTn.exe
Filesize
5.2MB

MD5
5ff6fc8c422e2b9ee5ae4b8319787361

SHA1
b9d3e9c214d665edffa8b86fa4bb3f561cb14127

SHA256
7710751a908476b1134160a6ecc850c9bc14f706b57c2354b2fe22def0eaf4b5

SHA512
859570f738561471e056bea902e030df0dbdac9ef9b075b76a9b8cb54c96d0f36c3cefe3ceaa20a965f1b5e7ee6b2a64fd535b48553b55cb179afdf5dd33694c

Download Submit
C:\Windows\System\XMvJGzM.exe
Filesize
5.2MB

MD5
e84e122aec014b1092fd49f8f7494b75

SHA1
7271eafa2eac7d1b84fd81cc4aee5f039070e917

SHA256
9b066701f18f4663e6e365c9573a8d84748667385ae91ed417a211d5c64df43a

SHA512
f3c5b26b1c0f1f7330241f9256ab00ed0accf0279304b6e468848b3ba8365529767cfc0ec448ff7fe55b08f7e07925f89983ca71bf9739d7d188380705801e9c

Download Submit
C:\Windows\System\fKbewkp.exe
Filesize
5.2MB

MD5
46960fcc603e10dda42d1f5e4258666f

SHA1
58ec12bc81b203d8a66cad0531ca23c24554c720

SHA256
6a0238671721a7fc201a2a869554f815a49a6691e9c5f8a1726f4f0513b21bb7

SHA512
24867407dbecc94e0a8c186d24a2ad23b9efb0660f927de01f27cf8237dcfd42d16ed752e89ea6092d886b1149814438e19eedd38313da25847cdb0d402821bd

Download Submit
C:\Windows\System\fLhVypc.exe
Filesize
5.2MB

MD5
5aa042068c1cce9600d25fd472887574

SHA1
50951fa54ebd96eb26a736b7df736976871a04e6

SHA256
9da39e974c45e6b02bd5ad06ebdff876a5e621e3783133ffd364fa28317942e9

SHA512
eb2d2a37e7f5e7d3148a730f374aa3615099177c467c0d3bf03da5843710cf645808f8ff3ad806c2f293a5b472f6079d04953b7e5f6b57e920f6daa1e0f9a6e0

Download Submit
C:\Windows\System\oxStvrQ.exe
Filesize
5.2MB

MD5
f5f536ebfc3ac56cf43684b6b4f50d92

SHA1
8d982dd6de8c231aac82583c09c1b0d170d0893e

SHA256
d87aafdffc8d6c8f9bd51f443f705d8c52311f4725a462675402d578607d87b5

SHA512
decf12aa51d620f850004a0a1d778fb88e98ce138c84eab24ffa3da55aac2931122e86134336d6244f44e5f32f6e66a6fe902169ccf4424708e4b1d98939bf18

Download Submit
C:\Windows\System\plnHklq.exe
Filesize
5.2MB

MD5
b9b401583d82b1de55f8380f04a4e04a

SHA1
603ca60be22503bc786a792f6be8d7a30ecc99b0

SHA256
b8afc47ec07e39f061543377d5830247306342d2bef88752ee4b4d481975613d

SHA512
ff4289efa52ad6cc17b1c6217a6d6060bd93c34486cbcf0e5120c49b547a5a6b8180e0b33f2598b611653aaceeefcd9394f986c2bea443ad9769bb295dacd0f9

Download Submit
C:\Windows\System\sFvqgMS.exe
Filesize
5.2MB

MD5
c88cf18f141faf9e699bf1284d5d12c1

SHA1
8e9a3a9c0bba32dee6b90da21c2a931a5a58ab90

SHA256
ebecbba979bc7d433ac7fb4ebc3cff41707181e1391c021f793bed30e05779fa

SHA512
a336814c2f1629425acd8377a19ea567f981e51a9d3a92ddfc801d7a611dfaa2799c4278fe55b897ab91207c1132ef602f06b45f90069d0db12f00fa4a7eb682

Download Submit
C:\Windows\System\sjmDTWd.exe
Filesize
5.2MB

MD5
8fafc5459cd3e461aa213f71efafecbf

SHA1
4efce48cd3c3fed7262fd938471df85430aa8e03

SHA256
fcbc01f28d5ea3e400615f42dfec5f87cf04e4776ed921e98336acc7c6843f22

SHA512
d800aebbe80da05d67756f1f73bc0651e32a8a078dab1a834785dd5691b8e9fd9ff762546b37f66ecc243a4084df4211b5f901878468336cf56260fd3ff16ab0

Download Submit
C:\Windows\System\tLXosyw.exe
Filesize
5.2MB

MD5
1fbce60bcfcc82fc24b2dfdbd7446c44

SHA1
0c9ffded44dd51f04bc639a72a23e24d450e77a6

SHA256
c6f8ad50b9acc580e138984d53f2b58a55078d0419b87529a5d53df6bf89cf38

SHA512
edf334bad23dbcae3a039db7613960be5874dfeb66f2ce5d4e769bbfee82880cc0413b413812376416b52b4b592e0a02e477c91a58ae2a622dc39f1002ea6fe5

Download Submit
C:\Windows\System\tbWrQNw.exe
Filesize
5.2MB

MD5
3a40f374452e87eeda0f803616d81643

SHA1
22e6ce3e809d8151cded54cccc5dc06bc7a0074b

SHA256
3df82f24b118968c8a0bf976b813d99189bcb2519c44c265a9bfb5b1295cd894

SHA512
8c096fc78488eef202d79ac9f4c19a6e9807bb95444fac06f5cf34614d7026f5242c5766df210ea3c327dc1207acac0d4a842e00e5490cf820682111c43f0e0d

Download Submit
C:\Windows\System\zXMYqJK.exe
Filesize
5.2MB

MD5
4cf1169efea38079fcc016b3cb77fad8

SHA1
3270dd72d8f068484464f1bd768a270a9cf06c66

SHA256
01cd14c3b4c03bbfb13c6d7d6603bb0a7bc9a0734652520a680a1f5996efae07

SHA512
894c98b7d690678cc38eac582a936ab50e70eb258723c689a9f39ff497bbfd753885f8047b1473da6996be06a62e52a4fdfa294aa94169941fb3c213d183631d

Download Submit
memory/556-39-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp

Filesize
3.3MB

Download
memory/556-221-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp

Filesize
3.3MB

Download
memory/556-133-0x00007FF630D50000-0x00007FF6310A1000-memory.dmp

Filesize
3.3MB

Download
memory/960-153-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp

Filesize
3.3MB

Download
memory/960-107-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp

Filesize
3.3MB

Download
memory/960-243-0x00007FF79B7A0000-0x00007FF79BAF1000-memory.dmp

Filesize
3.3MB

Download
memory/1248-147-0x00007FF776330000-0x00007FF776681000-memory.dmp

Filesize
3.3MB

Download
memory/1248-72-0x00007FF776330000-0x00007FF776681000-memory.dmp

Filesize
3.3MB

Download
memory/1248-231-0x00007FF776330000-0x00007FF776681000-memory.dmp

Filesize
3.3MB

Download
memory/1324-97-0x00007FF714A50000-0x00007FF714DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-239-0x00007FF714A50000-0x00007FF714DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-228-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp

Filesize
3.3MB

Download
memory/1628-54-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp

Filesize
3.3MB

Download
memory/1628-145-0x00007FF7C1510000-0x00007FF7C1861000-memory.dmp

Filesize
3.3MB

Download
memory/1812-149-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp

Filesize
3.3MB

Download
memory/1812-238-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp

Filesize
3.3MB

Download
memory/1812-95-0x00007FF68DC40000-0x00007FF68DF91000-memory.dmp

Filesize
3.3MB

Download
memory/1976-130-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp

Filesize
3.3MB

Download
memory/1976-157-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp

Filesize
3.3MB

Download
memory/1976-251-0x00007FF70A3E0000-0x00007FF70A731000-memory.dmp

Filesize
3.3MB

Download
memory/2276-148-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-233-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-74-0x00007FF63A980000-0x00007FF63ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-29-0x00007FF6E4AB0000-0x00007FF6E4E01000-memory.dmp

Filesize
3.3MB

Download
memory/2400-207-0x00007FF6E4AB0000-0x00007FF6E4E01000-memory.dmp

Filesize
3.3MB

Download
memory/2440-100-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp

Filesize
3.3MB

Download
memory/2440-16-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp

Filesize
3.3MB

Download
memory/2440-205-0x00007FF7B1700000-0x00007FF7B1A51000-memory.dmp

Filesize
3.3MB

Download
memory/2944-154-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp

Filesize
3.3MB

Download
memory/2944-245-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp

Filesize
3.3MB

Download
memory/2944-115-0x00007FF6AD4C0000-0x00007FF6AD811000-memory.dmp

Filesize
3.3MB

Download
memory/3208-87-0x00007FF680A30000-0x00007FF680D81000-memory.dmp

Filesize
3.3MB

Download
memory/3208-11-0x00007FF680A30000-0x00007FF680D81000-memory.dmp

Filesize
3.3MB

Download
memory/3208-203-0x00007FF680A30000-0x00007FF680D81000-memory.dmp

Filesize
3.3MB

Download
memory/4012-152-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp

Filesize
3.3MB

Download
memory/4012-241-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp

Filesize
3.3MB

Download
memory/4012-105-0x00007FF6298D0000-0x00007FF629C21000-memory.dmp

Filesize
3.3MB

Download
memory/4144-229-0x00007FF78B390000-0x00007FF78B6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-69-0x00007FF78B390000-0x00007FF78B6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4164-34-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp

Filesize
3.3MB

Download
memory/4164-218-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp

Filesize
3.3MB

Download
memory/4164-112-0x00007FF7DB0F0000-0x00007FF7DB441000-memory.dmp

Filesize
3.3MB

Download
memory/4300-80-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp

Filesize
3.3MB

Download
memory/4300-236-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp

Filesize
3.3MB

Download
memory/4300-150-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp

Filesize
3.3MB

Download
memory/4396-102-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp

Filesize
3.3MB

Download
memory/4396-210-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp

Filesize
3.3MB

Download
memory/4396-27-0x00007FF6116F0000-0x00007FF611A41000-memory.dmp

Filesize
3.3MB

Download
memory/4564-124-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-155-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-247-0x00007FF746E70000-0x00007FF7471C1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-44-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-223-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-127-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-50-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-227-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-135-0x00007FF71AE70000-0x00007FF71B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-134-0x00007FF7A2920000-0x00007FF7A2C71000-memory.dmp

Filesize
3.3MB

Download
memory/4852-249-0x00007FF7A2920000-0x00007FF7A2C71000-memory.dmp

Filesize
3.3MB

Download
memory/4988-0-0x00007FF659790000-0x00007FF659AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-82-0x00007FF659790000-0x00007FF659AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-136-0x00007FF659790000-0x00007FF659AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-158-0x00007FF659790000-0x00007FF659AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-1-0x00000179BBB70000-0x00000179BBB80000-memory.dmp

Filesize
64KB

Download