cobaltstrike | 32b75bafe1661a770f8c2b1cacb8e46365891961a95aaef8e58b596cdf07626e

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

8ca3bd3063896a8399abdd5ebb73bd09
SHA1

023aefe22b13f54f4331f9f3a701f5f6d8dd2b4b
SHA256

32b75bafe1661a770f8c2b1cacb8e46365891961a95aaef8e58b596cdf07626e
SHA512

59618a2fdcb0109aa4213a9df62b95a70582a99e705734ed7e37099a5ac420f1fe06232f98511cf1b3103b2fa4a0111496ec3888d2c67a2cfabe1e9b4ef018b1
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lUm

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\hXmsbcF.exe	cobalt_reflective_dll
C:\Windows\System\BXtoAHL.exe	cobalt_reflective_dll
C:\Windows\System\YNhJnZY.exe	cobalt_reflective_dll
C:\Windows\System\dNQvTyS.exe	cobalt_reflective_dll
C:\Windows\System\gFuvFcr.exe	cobalt_reflective_dll
C:\Windows\System\bjMwhOK.exe	cobalt_reflective_dll
C:\Windows\System\rKVyIri.exe	cobalt_reflective_dll
C:\Windows\System\rWESeBE.exe	cobalt_reflective_dll
C:\Windows\System\xtmdekA.exe	cobalt_reflective_dll
C:\Windows\System\SlczbIR.exe	cobalt_reflective_dll
C:\Windows\System\MVSYboW.exe	cobalt_reflective_dll
C:\Windows\System\xvFkLHc.exe	cobalt_reflective_dll
C:\Windows\System\wpbZgGf.exe	cobalt_reflective_dll
C:\Windows\System\YVVlcLW.exe	cobalt_reflective_dll
C:\Windows\System\xtzVEOU.exe	cobalt_reflective_dll
C:\Windows\System\AiHUDKx.exe	cobalt_reflective_dll
C:\Windows\System\dcJNfzQ.exe	cobalt_reflective_dll
C:\Windows\System\ZsHYeGF.exe	cobalt_reflective_dll
C:\Windows\System\Omcgirc.exe	cobalt_reflective_dll
C:\Windows\System\jTcwIKG.exe	cobalt_reflective_dll
C:\Windows\System\AeWmYjT.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\hXmsbcF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BXtoAHL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YNhJnZY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dNQvTyS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gFuvFcr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bjMwhOK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rKVyIri.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rWESeBE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xtmdekA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SlczbIR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MVSYboW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xvFkLHc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wpbZgGf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YVVlcLW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xtzVEOU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AiHUDKx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dcJNfzQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZsHYeGF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Omcgirc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jTcwIKG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AeWmYjT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1796-0-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	UPX
C:\Windows\System\hXmsbcF.exe	UPX
behavioral2/memory/4376-8-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp	UPX
C:\Windows\System\BXtoAHL.exe	UPX
behavioral2/memory/3408-14-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp	UPX
C:\Windows\System\YNhJnZY.exe	UPX
behavioral2/memory/1412-20-0x00007FF678220000-0x00007FF678571000-memory.dmp	UPX
C:\Windows\System\dNQvTyS.exe	UPX
behavioral2/memory/4944-28-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp	UPX
C:\Windows\System\gFuvFcr.exe	UPX
C:\Windows\System\bjMwhOK.exe	UPX
C:\Windows\System\rKVyIri.exe	UPX
C:\Windows\System\rWESeBE.exe	UPX
C:\Windows\System\xtmdekA.exe	UPX
C:\Windows\System\SlczbIR.exe	UPX
behavioral2/memory/4808-58-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp	UPX
C:\Windows\System\MVSYboW.exe	UPX
C:\Windows\System\xvFkLHc.exe	UPX
behavioral2/memory/4640-98-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp	UPX
C:\Windows\System\wpbZgGf.exe	UPX
C:\Windows\System\YVVlcLW.exe	UPX
behavioral2/memory/4256-110-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp	UPX
behavioral2/memory/2372-114-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp	UPX
behavioral2/memory/896-116-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp	UPX
behavioral2/memory/2648-115-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp	UPX
behavioral2/memory/1644-113-0x00007FF7BF050000-0x00007FF7BF3A1000-memory.dmp	UPX
behavioral2/memory/3292-112-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	UPX
C:\Windows\System\xtzVEOU.exe	UPX
C:\Windows\System\AiHUDKx.exe	UPX
C:\Windows\System\dcJNfzQ.exe	UPX
C:\Windows\System\ZsHYeGF.exe	UPX
C:\Windows\System\Omcgirc.exe	UPX
behavioral2/memory/1796-111-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	UPX
behavioral2/memory/4508-109-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp	UPX
C:\Windows\System\jTcwIKG.exe	UPX
behavioral2/memory/3956-103-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp	UPX
behavioral2/memory/700-89-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp	UPX
C:\Windows\System\AeWmYjT.exe	UPX
behavioral2/memory/1400-80-0x00007FF7322E0000-0x00007FF732631000-memory.dmp	UPX
behavioral2/memory/1368-72-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp	UPX
behavioral2/memory/4184-53-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	UPX
behavioral2/memory/1912-46-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp	UPX
behavioral2/memory/1816-36-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp	UPX
behavioral2/memory/3980-32-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp	UPX
behavioral2/memory/4376-130-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp	UPX
behavioral2/memory/3408-131-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp	UPX
behavioral2/memory/1412-132-0x00007FF678220000-0x00007FF678571000-memory.dmp	UPX
behavioral2/memory/1796-129-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	UPX
behavioral2/memory/3980-134-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp	UPX
behavioral2/memory/1912-136-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp	UPX
behavioral2/memory/1816-135-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp	UPX
behavioral2/memory/4944-133-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp	UPX
behavioral2/memory/1368-138-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp	UPX
behavioral2/memory/4184-137-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	UPX
behavioral2/memory/4808-139-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp	UPX
behavioral2/memory/700-142-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp	UPX
behavioral2/memory/4640-144-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp	UPX
behavioral2/memory/2372-146-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp	UPX
behavioral2/memory/4508-148-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp	UPX
behavioral2/memory/896-149-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp	UPX
behavioral2/memory/2648-147-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp	UPX
behavioral2/memory/3956-145-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp	UPX
behavioral2/memory/4256-150-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp	UPX
behavioral2/memory/1796-151-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	UPX

XMRig Miner payload 49 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3408-14-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp	xmrig
behavioral2/memory/1412-20-0x00007FF678220000-0x00007FF678571000-memory.dmp	xmrig
behavioral2/memory/4944-28-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp	xmrig
behavioral2/memory/1644-113-0x00007FF7BF050000-0x00007FF7BF3A1000-memory.dmp	xmrig
behavioral2/memory/3292-112-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	xmrig
behavioral2/memory/1796-111-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	xmrig
behavioral2/memory/1400-80-0x00007FF7322E0000-0x00007FF732631000-memory.dmp	xmrig
behavioral2/memory/1912-46-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp	xmrig
behavioral2/memory/4376-130-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp	xmrig
behavioral2/memory/3408-131-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp	xmrig
behavioral2/memory/1412-132-0x00007FF678220000-0x00007FF678571000-memory.dmp	xmrig
behavioral2/memory/1796-129-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	xmrig
behavioral2/memory/3980-134-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp	xmrig
behavioral2/memory/1912-136-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp	xmrig
behavioral2/memory/1816-135-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp	xmrig
behavioral2/memory/4944-133-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp	xmrig
behavioral2/memory/1368-138-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp	xmrig
behavioral2/memory/4184-137-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	xmrig
behavioral2/memory/4808-139-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp	xmrig
behavioral2/memory/700-142-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp	xmrig
behavioral2/memory/4640-144-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp	xmrig
behavioral2/memory/2372-146-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp	xmrig
behavioral2/memory/4508-148-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp	xmrig
behavioral2/memory/896-149-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp	xmrig
behavioral2/memory/2648-147-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp	xmrig
behavioral2/memory/3956-145-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp	xmrig
behavioral2/memory/4256-150-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp	xmrig
behavioral2/memory/1796-151-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	xmrig
behavioral2/memory/4376-200-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp	xmrig
behavioral2/memory/3408-202-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp	xmrig
behavioral2/memory/1412-204-0x00007FF678220000-0x00007FF678571000-memory.dmp	xmrig
behavioral2/memory/4944-206-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp	xmrig
behavioral2/memory/3980-208-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp	xmrig
behavioral2/memory/1816-210-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp	xmrig
behavioral2/memory/1912-212-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp	xmrig
behavioral2/memory/4184-227-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	xmrig
behavioral2/memory/1400-229-0x00007FF7322E0000-0x00007FF732631000-memory.dmp	xmrig
behavioral2/memory/1368-233-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp	xmrig
behavioral2/memory/4808-234-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp	xmrig
behavioral2/memory/3292-238-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	xmrig
behavioral2/memory/1644-237-0x00007FF7BF050000-0x00007FF7BF3A1000-memory.dmp	xmrig
behavioral2/memory/700-242-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp	xmrig
behavioral2/memory/4640-241-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp	xmrig
behavioral2/memory/896-246-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp	xmrig
behavioral2/memory/2648-249-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp	xmrig
behavioral2/memory/2372-245-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp	xmrig
behavioral2/memory/3956-251-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp	xmrig
behavioral2/memory/4508-252-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp	xmrig
behavioral2/memory/4256-254-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

hXmsbcF.exeBXtoAHL.exeYNhJnZY.exedNQvTyS.exegFuvFcr.exebjMwhOK.exerKVyIri.exerWESeBE.exextmdekA.exeSlczbIR.exeMVSYboW.exexvFkLHc.exeAeWmYjT.exejTcwIKG.exeYVVlcLW.exeOmcgirc.exeZsHYeGF.exedcJNfzQ.exeAiHUDKx.exewpbZgGf.exextzVEOU.exe

pid	process
4376	hXmsbcF.exe
3408	BXtoAHL.exe
1412	YNhJnZY.exe
4944	dNQvTyS.exe
3980	gFuvFcr.exe
1816	bjMwhOK.exe
1912	rKVyIri.exe
4184	rWESeBE.exe
1368	xtmdekA.exe
4808	SlczbIR.exe
1400	MVSYboW.exe
3292	xvFkLHc.exe
1644	AeWmYjT.exe
700	jTcwIKG.exe
4640	YVVlcLW.exe
3956	Omcgirc.exe
2372	ZsHYeGF.exe
2648	dcJNfzQ.exe
4508	AiHUDKx.exe
896	wpbZgGf.exe
4256	xtzVEOU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1796-0-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	upx
C:\Windows\System\hXmsbcF.exe	upx
behavioral2/memory/4376-8-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp	upx
C:\Windows\System\BXtoAHL.exe	upx
behavioral2/memory/3408-14-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp	upx
C:\Windows\System\YNhJnZY.exe	upx
behavioral2/memory/1412-20-0x00007FF678220000-0x00007FF678571000-memory.dmp	upx
C:\Windows\System\dNQvTyS.exe	upx
behavioral2/memory/4944-28-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp	upx
C:\Windows\System\gFuvFcr.exe	upx
C:\Windows\System\bjMwhOK.exe	upx
C:\Windows\System\rKVyIri.exe	upx
C:\Windows\System\rWESeBE.exe	upx
C:\Windows\System\xtmdekA.exe	upx
C:\Windows\System\SlczbIR.exe	upx
behavioral2/memory/4808-58-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp	upx
C:\Windows\System\MVSYboW.exe	upx
C:\Windows\System\xvFkLHc.exe	upx
behavioral2/memory/4640-98-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp	upx
C:\Windows\System\wpbZgGf.exe	upx
C:\Windows\System\YVVlcLW.exe	upx
behavioral2/memory/4256-110-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp	upx
behavioral2/memory/2372-114-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp	upx
behavioral2/memory/896-116-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp	upx
behavioral2/memory/2648-115-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp	upx
behavioral2/memory/1644-113-0x00007FF7BF050000-0x00007FF7BF3A1000-memory.dmp	upx
behavioral2/memory/3292-112-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	upx
C:\Windows\System\xtzVEOU.exe	upx
C:\Windows\System\AiHUDKx.exe	upx
C:\Windows\System\dcJNfzQ.exe	upx
C:\Windows\System\ZsHYeGF.exe	upx
C:\Windows\System\Omcgirc.exe	upx
behavioral2/memory/1796-111-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	upx
behavioral2/memory/4508-109-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp	upx
C:\Windows\System\jTcwIKG.exe	upx
behavioral2/memory/3956-103-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp	upx
behavioral2/memory/700-89-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp	upx
C:\Windows\System\AeWmYjT.exe	upx
behavioral2/memory/1400-80-0x00007FF7322E0000-0x00007FF732631000-memory.dmp	upx
behavioral2/memory/1368-72-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp	upx
behavioral2/memory/4184-53-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	upx
behavioral2/memory/1912-46-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp	upx
behavioral2/memory/1816-36-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp	upx
behavioral2/memory/3980-32-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp	upx
behavioral2/memory/4376-130-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp	upx
behavioral2/memory/3408-131-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp	upx
behavioral2/memory/1412-132-0x00007FF678220000-0x00007FF678571000-memory.dmp	upx
behavioral2/memory/1796-129-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	upx
behavioral2/memory/3980-134-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp	upx
behavioral2/memory/1912-136-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp	upx
behavioral2/memory/1816-135-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp	upx
behavioral2/memory/4944-133-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp	upx
behavioral2/memory/1368-138-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp	upx
behavioral2/memory/4184-137-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	upx
behavioral2/memory/4808-139-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp	upx
behavioral2/memory/700-142-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp	upx
behavioral2/memory/4640-144-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp	upx
behavioral2/memory/2372-146-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp	upx
behavioral2/memory/4508-148-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp	upx
behavioral2/memory/896-149-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp	upx
behavioral2/memory/2648-147-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp	upx
behavioral2/memory/3956-145-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp	upx
behavioral2/memory/4256-150-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp	upx
behavioral2/memory/1796-151-0x00007FF64FE10000-0x00007FF650161000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\YNhJnZY.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MVSYboW.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YVVlcLW.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dcJNfzQ.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dNQvTyS.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bjMwhOK.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rWESeBE.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xvFkLHc.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AeWmYjT.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wpbZgGf.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xtzVEOU.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hXmsbcF.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BXtoAHL.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gFuvFcr.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rKVyIri.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xtmdekA.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Omcgirc.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SlczbIR.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jTcwIKG.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZsHYeGF.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AiHUDKx.exe	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1796 wrote to memory of 4376	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	hXmsbcF.exe
PID 1796 wrote to memory of 4376	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	hXmsbcF.exe
PID 1796 wrote to memory of 3408	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	BXtoAHL.exe
PID 1796 wrote to memory of 3408	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	BXtoAHL.exe
PID 1796 wrote to memory of 1412	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	YNhJnZY.exe
PID 1796 wrote to memory of 1412	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	YNhJnZY.exe
PID 1796 wrote to memory of 4944	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	dNQvTyS.exe
PID 1796 wrote to memory of 4944	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	dNQvTyS.exe
PID 1796 wrote to memory of 3980	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	gFuvFcr.exe
PID 1796 wrote to memory of 3980	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	gFuvFcr.exe
PID 1796 wrote to memory of 1816	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	bjMwhOK.exe
PID 1796 wrote to memory of 1816	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	bjMwhOK.exe
PID 1796 wrote to memory of 1912	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	rKVyIri.exe
PID 1796 wrote to memory of 1912	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	rKVyIri.exe
PID 1796 wrote to memory of 4184	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	rWESeBE.exe
PID 1796 wrote to memory of 4184	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	rWESeBE.exe
PID 1796 wrote to memory of 1368	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xtmdekA.exe
PID 1796 wrote to memory of 1368	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xtmdekA.exe
PID 1796 wrote to memory of 4808	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	SlczbIR.exe
PID 1796 wrote to memory of 4808	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	SlczbIR.exe
PID 1796 wrote to memory of 1400	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	MVSYboW.exe
PID 1796 wrote to memory of 1400	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	MVSYboW.exe
PID 1796 wrote to memory of 3292	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xvFkLHc.exe
PID 1796 wrote to memory of 3292	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xvFkLHc.exe
PID 1796 wrote to memory of 700	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	jTcwIKG.exe
PID 1796 wrote to memory of 700	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	jTcwIKG.exe
PID 1796 wrote to memory of 1644	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	AeWmYjT.exe
PID 1796 wrote to memory of 1644	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	AeWmYjT.exe
PID 1796 wrote to memory of 4640	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	YVVlcLW.exe
PID 1796 wrote to memory of 4640	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	YVVlcLW.exe
PID 1796 wrote to memory of 3956	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	Omcgirc.exe
PID 1796 wrote to memory of 3956	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	Omcgirc.exe
PID 1796 wrote to memory of 2372	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ZsHYeGF.exe
PID 1796 wrote to memory of 2372	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	ZsHYeGF.exe
PID 1796 wrote to memory of 2648	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	dcJNfzQ.exe
PID 1796 wrote to memory of 2648	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	dcJNfzQ.exe
PID 1796 wrote to memory of 4508	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	AiHUDKx.exe
PID 1796 wrote to memory of 4508	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	AiHUDKx.exe
PID 1796 wrote to memory of 896	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	wpbZgGf.exe
PID 1796 wrote to memory of 896	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	wpbZgGf.exe
PID 1796 wrote to memory of 4256	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xtzVEOU.exe
PID 1796 wrote to memory of 4256	1796	2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe	xtzVEOU.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_8ca3bd3063896a8399abdd5ebb73bd09_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System\hXmsbcF.exe
C:\Windows\System\hXmsbcF.exe
2⤵
- Executes dropped EXE
PID:4376

C:\Windows\System\BXtoAHL.exe
C:\Windows\System\BXtoAHL.exe
2⤵
- Executes dropped EXE
PID:3408

C:\Windows\System\YNhJnZY.exe
C:\Windows\System\YNhJnZY.exe
2⤵
- Executes dropped EXE
PID:1412

C:\Windows\System\dNQvTyS.exe
C:\Windows\System\dNQvTyS.exe
2⤵
- Executes dropped EXE
PID:4944

C:\Windows\System\gFuvFcr.exe
C:\Windows\System\gFuvFcr.exe
2⤵
- Executes dropped EXE
PID:3980

C:\Windows\System\bjMwhOK.exe
C:\Windows\System\bjMwhOK.exe
2⤵
- Executes dropped EXE
PID:1816

C:\Windows\System\rKVyIri.exe
C:\Windows\System\rKVyIri.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\System\rWESeBE.exe
C:\Windows\System\rWESeBE.exe
2⤵
- Executes dropped EXE
PID:4184

C:\Windows\System\xtmdekA.exe
C:\Windows\System\xtmdekA.exe
2⤵
- Executes dropped EXE
PID:1368

C:\Windows\System\SlczbIR.exe
C:\Windows\System\SlczbIR.exe
2⤵
- Executes dropped EXE
PID:4808

C:\Windows\System\MVSYboW.exe
C:\Windows\System\MVSYboW.exe
2⤵
- Executes dropped EXE
PID:1400

C:\Windows\System\xvFkLHc.exe
C:\Windows\System\xvFkLHc.exe
2⤵
- Executes dropped EXE
PID:3292

C:\Windows\System\jTcwIKG.exe
C:\Windows\System\jTcwIKG.exe
2⤵
- Executes dropped EXE
PID:700

C:\Windows\System\AeWmYjT.exe
C:\Windows\System\AeWmYjT.exe
2⤵
- Executes dropped EXE
PID:1644

C:\Windows\System\YVVlcLW.exe
C:\Windows\System\YVVlcLW.exe
2⤵
- Executes dropped EXE
PID:4640

C:\Windows\System\Omcgirc.exe
C:\Windows\System\Omcgirc.exe
2⤵
- Executes dropped EXE
PID:3956

C:\Windows\System\ZsHYeGF.exe
C:\Windows\System\ZsHYeGF.exe
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\System\dcJNfzQ.exe
C:\Windows\System\dcJNfzQ.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\System\AiHUDKx.exe
C:\Windows\System\AiHUDKx.exe
2⤵
- Executes dropped EXE
PID:4508

C:\Windows\System\wpbZgGf.exe
C:\Windows\System\wpbZgGf.exe
2⤵
- Executes dropped EXE
PID:896

C:\Windows\System\xtzVEOU.exe
C:\Windows\System\xtzVEOU.exe
2⤵
- Executes dropped EXE
PID:4256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AeWmYjT.exe
Filesize
5.2MB

MD5
69651aa3e289699ba1438fa0891b4541

SHA1
99b82cb243a7c15af1ba9c1e5aa46fab48bcac7d

SHA256
2d7fbaad2807fc934209b2aa0a6e388bc84485cbda7705f24137461331045fd4

SHA512
784e79ee62245af49147a29bfa755aa99b923232192a67f81d5e5e70ce4a84247a6c1c6d2d7132015b2c6f40fce9a5bd3fd75cf4fdd3cb866f7b2354ed5a6fb2

Download Submit
C:\Windows\System\AiHUDKx.exe
Filesize
5.2MB

MD5
d8519a86a4f504bcfe17f34746de9a56

SHA1
56d913564f0397c437ea47a00e399c722755efa7

SHA256
b3903a6f77a2c1aef5e37ab46444d7330932c233269a6d3771af12458d92515d

SHA512
412dd1d2764eac714280b101fba3785a10b93cb5f538308ac3eae9bf1fe4ab92e731c2732cf6915b1812946d957d41541398a6bc37418fbaaa5b0b4b5937fb1c

Download Submit
C:\Windows\System\BXtoAHL.exe
Filesize
5.2MB

MD5
70faf93cf1a3dfac4ec2860c2b356f79

SHA1
727be5704760cd36b13fe568c0bcbb7f1851aa99

SHA256
27a36b72127288ff3a6e78b09bd4a6744accb5696df627240f66201ea757dd6f

SHA512
b31ebae9985d539afe213f60a9b15816d431106da747a17c15d283f7ac46b202937c56deb3e24b61b8c21c0e2782bc79e6394351cb8d659ee3f7096adfe21c2c

Download Submit
C:\Windows\System\MVSYboW.exe
Filesize
5.2MB

MD5
494476371dd32420cf18b81b534185d2

SHA1
299a1c908b6219225def39a42cf5f11d2d458f19

SHA256
f071111a055468efe0ef4ead1615114b2d6f4ac386387110cc3644b26ff35a93

SHA512
4704c6d01537e86202d66b04ccdc2215d17a8afe62fe2221e2ffc47b38e7f9bb3b6846a70e948bc1dcf6925deb555dfd6558d06b624337a2d0ed7eec29090ae5

Download Submit
C:\Windows\System\Omcgirc.exe
Filesize
5.2MB

MD5
dc0c1d7d6274d0abd3c83308160be30c

SHA1
b717a6c0514906215f3c65303c1e804a82a2b0c2

SHA256
fefe24530a5901052fb47dbf525189e2fa0677cc64b8ab935225da025d51a54d

SHA512
c2476121501f66f268aae3c4a602785f2bc96a33985e0de8a4f5a0267f39ea6626aa855a5814b73a2b120d5f830b9acf739f605af6f0151c9f33b435bda13545

Download Submit
C:\Windows\System\SlczbIR.exe
Filesize
5.2MB

MD5
1c08d14571d334bffcca36d021d9ba1f

SHA1
c27703c1212dcc6537e45f54c92eb89c8b1ab642

SHA256
a9403edb30591b1e511e161afd169eb7a66de8b29ee3c31e3114f289cfa9934f

SHA512
53059ecdde300f2e32c41e1887f6750502600c616b022f941bd2c2cc5ca1125c8e78279c93f98cb9a0fc09863380fa58688449e38e73f173ddc2b4777fd0179f

Download Submit
C:\Windows\System\YNhJnZY.exe
Filesize
5.2MB

MD5
f587d13b9dd27d6c5617e5f6968e98ba

SHA1
4f113fbd09657806549b88a157d7c1664a3245b6

SHA256
895f7fbfa140df9eaafca4d75ecff1f6c557e267f4e924e8cd58070e8d342b99

SHA512
3bffc08a302d2a2ccb7c0330cf22a2de0f05ee96aff82e9b216719d98b99cfe9c031e2244b055591c432dc92a42f5d18cc02aeb16a954a297240f9b3d019deb6

Download Submit
C:\Windows\System\YVVlcLW.exe
Filesize
5.2MB

MD5
26293f480aae5c272f1b237e743c13a9

SHA1
eb9c442c2e899fb8a4da07bb68456450fedfad17

SHA256
a2f393b82a38b58cbedfc8346b99903892e3829f4f9b50f6c121a8abb57a62ef

SHA512
8997c7e628d5efef1551b16c273e98d911097c250587020409ead51e60eaca0f6b5e2b23b86b852004fe8f110f40c43c8ce4930a7e84918659ffeeb523c3fe4c

Download Submit
C:\Windows\System\ZsHYeGF.exe
Filesize
5.2MB

MD5
3c61b34413944a2e503087a0686ba3a8

SHA1
eff44a2c9789404cb3b572f27102d7cf12159909

SHA256
0976c6cd15d80dab981930d95761c2f3b4729c7c39374bb20631c61693666112

SHA512
91843907327899f8437777b2408d1e053a2cf7d21e49f8f80cfcfcc6a5c24e51f626eef4b73fff8fc382f9995cd6cd53a88a3deecb4d2e08d17f6fbe467b7f94

Download Submit
C:\Windows\System\bjMwhOK.exe
Filesize
5.2MB

MD5
965e071541f771f6b5d1e4b46b7078fe

SHA1
0a26e2c27ac5fd9dd6daab7622cfa575bf07dc7f

SHA256
612bd6c815b20f67239ead73fa441ab5d8cd8d91153c70672f42031ffad6aba7

SHA512
e998908281c5acb543ce8bb8d5f394d915399ac63429764897a8ca639d099e7e020adcca50779d242b947137ea42af7655887014bcf9a34f835b3f362b7efca2

Download Submit
C:\Windows\System\dNQvTyS.exe
Filesize
5.2MB

MD5
4467ac5cab73a9dd7389264262a5f228

SHA1
cdc8120ce9a4b5c99d4b0765ac08d21ab3b2e944

SHA256
079e1a08f0e80621fd5c9fb854dbf5c295ee35c06b84df96cd5c380d3331e7ac

SHA512
b700134ecd2a195388bc7069a6bf0f781d70a1859ef288bd0dca59297434a4d22c4dd06d0d36535bf5d53d1fc4bc8b2dea487886174f5d2e60f7fd725a39f88b

Download Submit
C:\Windows\System\dcJNfzQ.exe
Filesize
5.2MB

MD5
22a2fc9155cb8f742b0e1dcdfac7874e

SHA1
eaeef9c71834c42d5d2cb8d5cdf7f66365283222

SHA256
653835877a167d9f31e4d9933dacffd468c9e77bd2cb924d3c6bc7c43f2c1119

SHA512
0b7e7255d4b7740e9294a795d1a25f77ba40ac28682f816e8da8b6fbd95b508ab2b18d35fbc7dd45bb73aa6638cfbda92c339420a454117b38a5ef4dc1b06772

Download Submit
C:\Windows\System\gFuvFcr.exe
Filesize
5.2MB

MD5
497540db98acf99f11dd86e95cbd5015

SHA1
a146711fc44708014a1203b7d5bcea41dbd58c77

SHA256
a20ea4bc2951c24a2da4b9cc316f5a561a08835678150d9dd648b657bda20cc5

SHA512
02c248b72d149f41943b6203688bf1d78e6b086521677b673783a9a78685f996a6578dd28df741847f9343d1af45b9e73c8018f8ef4ecc75e0dea44ca62afc01

Download Submit
C:\Windows\System\hXmsbcF.exe
Filesize
5.2MB

MD5
23647c7c6475ae5d68684fbf910d8a13

SHA1
27c3cdd4f8e746eb36a5391442ee14f1c60ce228

SHA256
ce19aba77b730ba96a782f4e6f079cb2c1691054c0c03dba133f3eae7af14c09

SHA512
1956944e8346d5c6b4c1ff392cb53976c4468b503a7ddabd5685f3094e67091f21d1d959df3e2eaa3903e27da6cff85aff71d57f174bb1afa4d1d2de121cc1e7

Download Submit
C:\Windows\System\jTcwIKG.exe
Filesize
5.2MB

MD5
18c73fd77c78808b461cca9328a01b1a

SHA1
3ec687efab0203f6497a62ef21e761f35e2c1586

SHA256
b55f3193c4f60c4d4d59a9457ed7aeb09e1253ca1d60f834639c028af53502c5

SHA512
3bd9681c811756cfd3cd58056fb2a341733fd054e0300d2ff9ad3dd0d44c29b935ddec899f71220467ce8a16ba9413dbbed030dc3495c73cfa5be844cb4689ca

Download Submit
C:\Windows\System\rKVyIri.exe
Filesize
5.2MB

MD5
f398346b31a080aa363fb23e28506b81

SHA1
c2a7a61dfd2b3c36da10bd1844b7d39971d643be

SHA256
c354e08d9b042d024d0560a080cbd8ae8a00f45eaae66ea8e8edf97a76c7c23e

SHA512
ae92fabd8d9ced40f2bf373c7da484195a74a1d07daff01d26c53765b1d5580899282bedc09dc4cb1a3dc829a63ac78309104e01cd8bb208d89aa55f14172f0b

Download Submit
C:\Windows\System\rWESeBE.exe
Filesize
5.2MB

MD5
7ef0f79e4efe8d0fe1f25bd61aaf5bab

SHA1
a887a78827cddc171eedd4047410046bb0dfaf0a

SHA256
71c81646f0fd60566e6e1983cca66abc017b524aac9a23eec4c4460b3e398efc

SHA512
a094030ab4a3f8b90ad3b8c418e68711107c6a652ceb82759fdf23e6387f4cc94640b76dd8c555a0f867884ec19775b7f7d5eadc1e4f893e5bc2ec476771bc1e

Download Submit
C:\Windows\System\wpbZgGf.exe
Filesize
5.2MB

MD5
63ebc1b5c5fb5e03a6dd9fafdfc62ea1

SHA1
b00aafabfac61f3a0060b9f858d3ce961c5e5d8f

SHA256
f7d09713a39af6f909835f0b1e3fc4149dc6b92b89b34b97ec7fb4debee0649e

SHA512
165a009c5c6263d900be146f697dc8d0f58817952e6f37f67913f9e5d5b2b4871a55b2cc5326c8a68af060ba986d91c4f5c580b29e0382084f69f74e6a7d9a83

Download Submit
C:\Windows\System\xtmdekA.exe
Filesize
5.2MB

MD5
0cf3bebe9401ee82becb47e3a003bbe7

SHA1
af7376fa673e7183ed465a598c45dd5823687a5b

SHA256
cbd8fb86ead3ee2bb39c4b7613cf492f6575c78ce3e4e0600d1b27fc7352aa90

SHA512
027ea058d9d11ef5757990681c8bc265abeaa8f48b14c78ac8d44b0c0b6a53a6856c6ba4472c98999b8ab2a98e0058e0c8f40cc22a53cfed7893f21bd0b1cd77

Download Submit
C:\Windows\System\xtzVEOU.exe
Filesize
5.2MB

MD5
3b6bc8ba3bfc6b2c8b10c0fb02606ec8

SHA1
d8a7e2a7a717a09470b567ce3ae0734920027148

SHA256
67da9b209b047dba21df8079fede8e40312eb29fff3bbddff981b47de004ead3

SHA512
ab4a0e4dea4f9e319804bc067d264500afe726788d9e4249351a7597d7125b732651d80e7fcfebe6e65e79a0973f68d6f2f4ea082d447918d23982cd6425551a

Download Submit
C:\Windows\System\xvFkLHc.exe
Filesize
5.2MB

MD5
cda3f486e195909bf4de4acdb7e30a5b

SHA1
190e3b9f15ee7e832ba3437250eec61e7161c2ee

SHA256
9d8aa950f01fb6fd8d85b16e1cf664852cbf127ed1354609558222b204008789

SHA512
d4c8919b33d19b26b5cdd90e4d13b1dfe76b872027057bdabcaf37a0f000561d738371f52e3aacd5b20b91745b24863f7bcdc07a95cd8b959371168e7dc16f31

Download Submit
memory/700-242-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp

Filesize
3.3MB

Download
memory/700-142-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp

Filesize
3.3MB

Download
memory/700-89-0x00007FF7A5C70000-0x00007FF7A5FC1000-memory.dmp

Filesize
3.3MB

Download
memory/896-149-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp

Filesize
3.3MB

Download
memory/896-116-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp

Filesize
3.3MB

Download
memory/896-246-0x00007FF6A5DB0000-0x00007FF6A6101000-memory.dmp

Filesize
3.3MB

Download
memory/1368-233-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1368-72-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1368-138-0x00007FF6BF870000-0x00007FF6BFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-80-0x00007FF7322E0000-0x00007FF732631000-memory.dmp

Filesize
3.3MB

Download
memory/1400-229-0x00007FF7322E0000-0x00007FF732631000-memory.dmp

Filesize
3.3MB

Download
memory/1412-204-0x00007FF678220000-0x00007FF678571000-memory.dmp

Filesize
3.3MB

Download
memory/1412-20-0x00007FF678220000-0x00007FF678571000-memory.dmp

Filesize
3.3MB

Download
memory/1412-132-0x00007FF678220000-0x00007FF678571000-memory.dmp

Filesize
3.3MB

Download
memory/1644-113-0x00007FF7BF050000-0x00007FF7BF3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-237-0x00007FF7BF050000-0x00007FF7BF3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-111-0x00007FF64FE10000-0x00007FF650161000-memory.dmp

Filesize
3.3MB

Download
memory/1796-151-0x00007FF64FE10000-0x00007FF650161000-memory.dmp

Filesize
3.3MB

Download
memory/1796-1-0x000002B059BA0000-0x000002B059BB0000-memory.dmp

Filesize
64KB

Download
memory/1796-0-0x00007FF64FE10000-0x00007FF650161000-memory.dmp

Filesize
3.3MB

Download
memory/1796-129-0x00007FF64FE10000-0x00007FF650161000-memory.dmp

Filesize
3.3MB

Download
memory/1816-210-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-135-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-36-0x00007FF641A90000-0x00007FF641DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1912-46-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp

Filesize
3.3MB

Download
memory/1912-136-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp

Filesize
3.3MB

Download
memory/1912-212-0x00007FF63CDD0000-0x00007FF63D121000-memory.dmp

Filesize
3.3MB

Download
memory/2372-146-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-245-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-114-0x00007FF73AE90000-0x00007FF73B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-249-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-115-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-147-0x00007FF67ABA0000-0x00007FF67AEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3292-238-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3292-112-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3408-202-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp

Filesize
3.3MB

Download
memory/3408-131-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp

Filesize
3.3MB

Download
memory/3408-14-0x00007FF6509F0000-0x00007FF650D41000-memory.dmp

Filesize
3.3MB

Download
memory/3956-103-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-145-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-251-0x00007FF6BF760000-0x00007FF6BFAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3980-208-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp

Filesize
3.3MB

Download
memory/3980-32-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp

Filesize
3.3MB

Download
memory/3980-134-0x00007FF6E59B0000-0x00007FF6E5D01000-memory.dmp

Filesize
3.3MB

Download
memory/4184-227-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp

Filesize
3.3MB

Download
memory/4184-53-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp

Filesize
3.3MB

Download
memory/4184-137-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp

Filesize
3.3MB

Download
memory/4256-150-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp

Filesize
3.3MB

Download
memory/4256-110-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp

Filesize
3.3MB

Download
memory/4256-254-0x00007FF67D840000-0x00007FF67DB91000-memory.dmp

Filesize
3.3MB

Download
memory/4376-200-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp

Filesize
3.3MB

Download
memory/4376-130-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp

Filesize
3.3MB

Download
memory/4376-8-0x00007FF766AF0000-0x00007FF766E41000-memory.dmp

Filesize
3.3MB

Download
memory/4508-148-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-109-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-252-0x00007FF6CEA70000-0x00007FF6CEDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-241-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp

Filesize
3.3MB

Download
memory/4640-98-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp

Filesize
3.3MB

Download
memory/4640-144-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp

Filesize
3.3MB

Download
memory/4808-234-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-58-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-139-0x00007FF67A290000-0x00007FF67A5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-28-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-206-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-133-0x00007FF70CC70000-0x00007FF70CFC1000-memory.dmp

Filesize
3.3MB

Download