cobaltstrike | a9b48d62702ce0649694d108b0e09bec566805d928d73030acb6e64fc5a73032

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

f841b0ad9eb5462e9ca1eb0a3149cbc7
SHA1

514d0e8f419fe084180c49fcbd4239ce338a3844
SHA256

a9b48d62702ce0649694d108b0e09bec566805d928d73030acb6e64fc5a73032
SHA512

6556e95ff456a434bb804b041ae8dac50a34ef6c01660417bdb26a9666ee8e3b39185d4f1b37a67e53a5a8200cfbe38308b866cf2975e7b366e9800511572f0a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\KzBiJuE.exe	cobalt_reflective_dll
C:\Windows\System\uqEzizx.exe	cobalt_reflective_dll
C:\Windows\System\NxWzsKk.exe	cobalt_reflective_dll
C:\Windows\System\wGAGmKu.exe	cobalt_reflective_dll
C:\Windows\System\yKwoHbE.exe	cobalt_reflective_dll
C:\Windows\System\LynuKwV.exe	cobalt_reflective_dll
C:\Windows\System\oqzvvpi.exe	cobalt_reflective_dll
C:\Windows\System\VZcDRct.exe	cobalt_reflective_dll
C:\Windows\System\RAfWSmT.exe	cobalt_reflective_dll
C:\Windows\System\lEZAiYr.exe	cobalt_reflective_dll
C:\Windows\System\QwVZQCY.exe	cobalt_reflective_dll
C:\Windows\System\mHVcSqh.exe	cobalt_reflective_dll
C:\Windows\System\PRnVOke.exe	cobalt_reflective_dll
C:\Windows\System\GMoxWkq.exe	cobalt_reflective_dll
C:\Windows\System\CYDvliY.exe	cobalt_reflective_dll
C:\Windows\System\rnicMJz.exe	cobalt_reflective_dll
C:\Windows\System\pGpWJvb.exe	cobalt_reflective_dll
C:\Windows\System\boLvWtH.exe	cobalt_reflective_dll
C:\Windows\System\FlVhHtk.exe	cobalt_reflective_dll
C:\Windows\System\lEUpfZk.exe	cobalt_reflective_dll
C:\Windows\System\KJpiLAi.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\KzBiJuE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uqEzizx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NxWzsKk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wGAGmKu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yKwoHbE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LynuKwV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oqzvvpi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VZcDRct.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RAfWSmT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lEZAiYr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QwVZQCY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mHVcSqh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PRnVOke.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GMoxWkq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CYDvliY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rnicMJz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pGpWJvb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\boLvWtH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FlVhHtk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lEUpfZk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KJpiLAi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4600-0-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	UPX
C:\Windows\System\KzBiJuE.exe	UPX
behavioral2/memory/3492-6-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp	UPX
behavioral2/memory/3712-14-0x00007FF626550000-0x00007FF6268A1000-memory.dmp	UPX
C:\Windows\System\uqEzizx.exe	UPX
behavioral2/memory/612-18-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp	UPX
C:\Windows\System\NxWzsKk.exe	UPX
C:\Windows\System\wGAGmKu.exe	UPX
behavioral2/memory/100-24-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp	UPX
C:\Windows\System\yKwoHbE.exe	UPX
C:\Windows\System\LynuKwV.exe	UPX
C:\Windows\System\oqzvvpi.exe	UPX
behavioral2/memory/2068-53-0x00007FF602560000-0x00007FF6028B1000-memory.dmp	UPX
behavioral2/memory/4416-54-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp	UPX
C:\Windows\System\VZcDRct.exe	UPX
C:\Windows\System\RAfWSmT.exe	UPX
behavioral2/memory/3992-40-0x00007FF724290000-0x00007FF7245E1000-memory.dmp	UPX
behavioral2/memory/2900-37-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp	UPX
behavioral2/memory/4216-32-0x00007FF736140000-0x00007FF736491000-memory.dmp	UPX
C:\Windows\System\lEZAiYr.exe	UPX
behavioral2/memory/4600-60-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	UPX
C:\Windows\System\QwVZQCY.exe	UPX
behavioral2/memory/4740-70-0x00007FF74B210000-0x00007FF74B561000-memory.dmp	UPX
behavioral2/memory/3712-76-0x00007FF626550000-0x00007FF6268A1000-memory.dmp	UPX
behavioral2/memory/2984-82-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	UPX
C:\Windows\System\mHVcSqh.exe	UPX
C:\Windows\System\PRnVOke.exe	UPX
behavioral2/memory/4672-105-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp	UPX
C:\Windows\System\GMoxWkq.exe	UPX
C:\Windows\System\CYDvliY.exe	UPX
C:\Windows\System\rnicMJz.exe	UPX
C:\Windows\System\pGpWJvb.exe	UPX
C:\Windows\System\boLvWtH.exe	UPX
behavioral2/memory/4768-109-0x00007FF6FDF10000-0x00007FF6FE261000-memory.dmp	UPX
behavioral2/memory/1808-108-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp	UPX
behavioral2/memory/2900-104-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp	UPX
C:\Windows\System\FlVhHtk.exe	UPX
behavioral2/memory/3288-94-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp	UPX
behavioral2/memory/100-90-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp	UPX
behavioral2/memory/3832-87-0x00007FF7614F0000-0x00007FF761841000-memory.dmp	UPX
C:\Windows\System\lEUpfZk.exe	UPX
behavioral2/memory/612-83-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp	UPX
C:\Windows\System\KJpiLAi.exe	UPX
behavioral2/memory/3492-69-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp	UPX
behavioral2/memory/1752-63-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp	UPX
behavioral2/memory/4600-129-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	UPX
behavioral2/memory/4996-138-0x00007FF7254E0000-0x00007FF725831000-memory.dmp	UPX
behavioral2/memory/2068-137-0x00007FF602560000-0x00007FF6028B1000-memory.dmp	UPX
behavioral2/memory/3992-136-0x00007FF724290000-0x00007FF7245E1000-memory.dmp	UPX
behavioral2/memory/860-139-0x00007FF727780000-0x00007FF727AD1000-memory.dmp	UPX
behavioral2/memory/4416-143-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp	UPX
behavioral2/memory/1752-144-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp	UPX
behavioral2/memory/4860-145-0x00007FF6F55C0000-0x00007FF6F5911000-memory.dmp	UPX
behavioral2/memory/2244-146-0x00007FF7F60F0000-0x00007FF7F6441000-memory.dmp	UPX
behavioral2/memory/4740-147-0x00007FF74B210000-0x00007FF74B561000-memory.dmp	UPX
behavioral2/memory/2984-148-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	UPX
behavioral2/memory/4672-151-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp	UPX
behavioral2/memory/1808-153-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp	UPX
behavioral2/memory/3832-149-0x00007FF7614F0000-0x00007FF761841000-memory.dmp	UPX
behavioral2/memory/3288-150-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp	UPX
behavioral2/memory/4600-158-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	UPX
behavioral2/memory/3492-203-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp	UPX
behavioral2/memory/3712-205-0x00007FF626550000-0x00007FF6268A1000-memory.dmp	UPX
behavioral2/memory/612-207-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4216-32-0x00007FF736140000-0x00007FF736491000-memory.dmp	xmrig
behavioral2/memory/4600-60-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	xmrig
behavioral2/memory/3712-76-0x00007FF626550000-0x00007FF6268A1000-memory.dmp	xmrig
behavioral2/memory/4672-105-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp	xmrig
behavioral2/memory/4768-109-0x00007FF6FDF10000-0x00007FF6FE261000-memory.dmp	xmrig
behavioral2/memory/2900-104-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp	xmrig
behavioral2/memory/100-90-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp	xmrig
behavioral2/memory/612-83-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp	xmrig
behavioral2/memory/3492-69-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp	xmrig
behavioral2/memory/4600-129-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	xmrig
behavioral2/memory/4996-138-0x00007FF7254E0000-0x00007FF725831000-memory.dmp	xmrig
behavioral2/memory/2068-137-0x00007FF602560000-0x00007FF6028B1000-memory.dmp	xmrig
behavioral2/memory/3992-136-0x00007FF724290000-0x00007FF7245E1000-memory.dmp	xmrig
behavioral2/memory/860-139-0x00007FF727780000-0x00007FF727AD1000-memory.dmp	xmrig
behavioral2/memory/4416-143-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp	xmrig
behavioral2/memory/1752-144-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp	xmrig
behavioral2/memory/4860-145-0x00007FF6F55C0000-0x00007FF6F5911000-memory.dmp	xmrig
behavioral2/memory/2244-146-0x00007FF7F60F0000-0x00007FF7F6441000-memory.dmp	xmrig
behavioral2/memory/4740-147-0x00007FF74B210000-0x00007FF74B561000-memory.dmp	xmrig
behavioral2/memory/2984-148-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	xmrig
behavioral2/memory/4672-151-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp	xmrig
behavioral2/memory/1808-153-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp	xmrig
behavioral2/memory/3832-149-0x00007FF7614F0000-0x00007FF761841000-memory.dmp	xmrig
behavioral2/memory/3288-150-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp	xmrig
behavioral2/memory/4600-158-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	xmrig
behavioral2/memory/3492-203-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp	xmrig
behavioral2/memory/3712-205-0x00007FF626550000-0x00007FF6268A1000-memory.dmp	xmrig
behavioral2/memory/612-207-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp	xmrig
behavioral2/memory/100-212-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp	xmrig
behavioral2/memory/4216-214-0x00007FF736140000-0x00007FF736491000-memory.dmp	xmrig
behavioral2/memory/2900-221-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp	xmrig
behavioral2/memory/3992-224-0x00007FF724290000-0x00007FF7245E1000-memory.dmp	xmrig
behavioral2/memory/2068-225-0x00007FF602560000-0x00007FF6028B1000-memory.dmp	xmrig
behavioral2/memory/4416-227-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp	xmrig
behavioral2/memory/1752-229-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp	xmrig
behavioral2/memory/4740-231-0x00007FF74B210000-0x00007FF74B561000-memory.dmp	xmrig
behavioral2/memory/3832-234-0x00007FF7614F0000-0x00007FF761841000-memory.dmp	xmrig
behavioral2/memory/2984-235-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	xmrig
behavioral2/memory/3288-245-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp	xmrig
behavioral2/memory/4768-247-0x00007FF6FDF10000-0x00007FF6FE261000-memory.dmp	xmrig
behavioral2/memory/4996-250-0x00007FF7254E0000-0x00007FF725831000-memory.dmp	xmrig
behavioral2/memory/1808-251-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp	xmrig
behavioral2/memory/860-253-0x00007FF727780000-0x00007FF727AD1000-memory.dmp	xmrig
behavioral2/memory/2244-257-0x00007FF7F60F0000-0x00007FF7F6441000-memory.dmp	xmrig
behavioral2/memory/4860-255-0x00007FF6F55C0000-0x00007FF6F5911000-memory.dmp	xmrig
behavioral2/memory/4672-260-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

KzBiJuE.exeNxWzsKk.exeuqEzizx.exewGAGmKu.exeyKwoHbE.exeRAfWSmT.exeLynuKwV.exeoqzvvpi.exeVZcDRct.exelEZAiYr.exeKJpiLAi.exeQwVZQCY.exelEUpfZk.exemHVcSqh.exeFlVhHtk.exePRnVOke.exeCYDvliY.exeGMoxWkq.exeboLvWtH.exepGpWJvb.exernicMJz.exe

pid	process
3492	KzBiJuE.exe
3712	NxWzsKk.exe
612	uqEzizx.exe
100	wGAGmKu.exe
4216	yKwoHbE.exe
2900	RAfWSmT.exe
3992	LynuKwV.exe
2068	oqzvvpi.exe
4416	VZcDRct.exe
1752	lEZAiYr.exe
4740	KJpiLAi.exe
2984	QwVZQCY.exe
3832	lEUpfZk.exe
3288	mHVcSqh.exe
4672	FlVhHtk.exe
4768	PRnVOke.exe
1808	CYDvliY.exe
4996	GMoxWkq.exe
860	boLvWtH.exe
4860	pGpWJvb.exe
2244	rnicMJz.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4600-0-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	upx
C:\Windows\System\KzBiJuE.exe	upx
behavioral2/memory/3492-6-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp	upx
behavioral2/memory/3712-14-0x00007FF626550000-0x00007FF6268A1000-memory.dmp	upx
C:\Windows\System\uqEzizx.exe	upx
behavioral2/memory/612-18-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp	upx
C:\Windows\System\NxWzsKk.exe	upx
C:\Windows\System\wGAGmKu.exe	upx
behavioral2/memory/100-24-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp	upx
C:\Windows\System\yKwoHbE.exe	upx
C:\Windows\System\LynuKwV.exe	upx
C:\Windows\System\oqzvvpi.exe	upx
behavioral2/memory/2068-53-0x00007FF602560000-0x00007FF6028B1000-memory.dmp	upx
behavioral2/memory/4416-54-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp	upx
C:\Windows\System\VZcDRct.exe	upx
C:\Windows\System\RAfWSmT.exe	upx
behavioral2/memory/3992-40-0x00007FF724290000-0x00007FF7245E1000-memory.dmp	upx
behavioral2/memory/2900-37-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp	upx
behavioral2/memory/4216-32-0x00007FF736140000-0x00007FF736491000-memory.dmp	upx
C:\Windows\System\lEZAiYr.exe	upx
behavioral2/memory/4600-60-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	upx
C:\Windows\System\QwVZQCY.exe	upx
behavioral2/memory/4740-70-0x00007FF74B210000-0x00007FF74B561000-memory.dmp	upx
behavioral2/memory/3712-76-0x00007FF626550000-0x00007FF6268A1000-memory.dmp	upx
behavioral2/memory/2984-82-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	upx
C:\Windows\System\mHVcSqh.exe	upx
C:\Windows\System\PRnVOke.exe	upx
behavioral2/memory/4672-105-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp	upx
C:\Windows\System\GMoxWkq.exe	upx
C:\Windows\System\CYDvliY.exe	upx
C:\Windows\System\rnicMJz.exe	upx
C:\Windows\System\pGpWJvb.exe	upx
C:\Windows\System\boLvWtH.exe	upx
behavioral2/memory/4768-109-0x00007FF6FDF10000-0x00007FF6FE261000-memory.dmp	upx
behavioral2/memory/1808-108-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp	upx
behavioral2/memory/2900-104-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp	upx
C:\Windows\System\FlVhHtk.exe	upx
behavioral2/memory/3288-94-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp	upx
behavioral2/memory/100-90-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp	upx
behavioral2/memory/3832-87-0x00007FF7614F0000-0x00007FF761841000-memory.dmp	upx
C:\Windows\System\lEUpfZk.exe	upx
behavioral2/memory/612-83-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp	upx
C:\Windows\System\KJpiLAi.exe	upx
behavioral2/memory/3492-69-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp	upx
behavioral2/memory/1752-63-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp	upx
behavioral2/memory/4600-129-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	upx
behavioral2/memory/4996-138-0x00007FF7254E0000-0x00007FF725831000-memory.dmp	upx
behavioral2/memory/2068-137-0x00007FF602560000-0x00007FF6028B1000-memory.dmp	upx
behavioral2/memory/3992-136-0x00007FF724290000-0x00007FF7245E1000-memory.dmp	upx
behavioral2/memory/860-139-0x00007FF727780000-0x00007FF727AD1000-memory.dmp	upx
behavioral2/memory/4416-143-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp	upx
behavioral2/memory/1752-144-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp	upx
behavioral2/memory/4860-145-0x00007FF6F55C0000-0x00007FF6F5911000-memory.dmp	upx
behavioral2/memory/2244-146-0x00007FF7F60F0000-0x00007FF7F6441000-memory.dmp	upx
behavioral2/memory/4740-147-0x00007FF74B210000-0x00007FF74B561000-memory.dmp	upx
behavioral2/memory/2984-148-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	upx
behavioral2/memory/4672-151-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp	upx
behavioral2/memory/1808-153-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp	upx
behavioral2/memory/3832-149-0x00007FF7614F0000-0x00007FF761841000-memory.dmp	upx
behavioral2/memory/3288-150-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp	upx
behavioral2/memory/4600-158-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp	upx
behavioral2/memory/3492-203-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp	upx
behavioral2/memory/3712-205-0x00007FF626550000-0x00007FF6268A1000-memory.dmp	upx
behavioral2/memory/612-207-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\NxWzsKk.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KJpiLAi.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QwVZQCY.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GMoxWkq.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oqzvvpi.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PRnVOke.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CYDvliY.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uqEzizx.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wGAGmKu.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lEZAiYr.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lEUpfZk.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mHVcSqh.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FlVhHtk.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\boLvWtH.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KzBiJuE.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yKwoHbE.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RAfWSmT.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LynuKwV.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VZcDRct.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pGpWJvb.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rnicMJz.exe	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4600 wrote to memory of 3492	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	KzBiJuE.exe
PID 4600 wrote to memory of 3492	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	KzBiJuE.exe
PID 4600 wrote to memory of 3712	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	NxWzsKk.exe
PID 4600 wrote to memory of 3712	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	NxWzsKk.exe
PID 4600 wrote to memory of 612	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	uqEzizx.exe
PID 4600 wrote to memory of 612	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	uqEzizx.exe
PID 4600 wrote to memory of 100	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	wGAGmKu.exe
PID 4600 wrote to memory of 100	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	wGAGmKu.exe
PID 4600 wrote to memory of 4216	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	yKwoHbE.exe
PID 4600 wrote to memory of 4216	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	yKwoHbE.exe
PID 4600 wrote to memory of 2900	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	RAfWSmT.exe
PID 4600 wrote to memory of 2900	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	RAfWSmT.exe
PID 4600 wrote to memory of 3992	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	LynuKwV.exe
PID 4600 wrote to memory of 3992	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	LynuKwV.exe
PID 4600 wrote to memory of 2068	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	oqzvvpi.exe
PID 4600 wrote to memory of 2068	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	oqzvvpi.exe
PID 4600 wrote to memory of 4416	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	VZcDRct.exe
PID 4600 wrote to memory of 4416	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	VZcDRct.exe
PID 4600 wrote to memory of 1752	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	lEZAiYr.exe
PID 4600 wrote to memory of 1752	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	lEZAiYr.exe
PID 4600 wrote to memory of 4740	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	KJpiLAi.exe
PID 4600 wrote to memory of 4740	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	KJpiLAi.exe
PID 4600 wrote to memory of 2984	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	QwVZQCY.exe
PID 4600 wrote to memory of 2984	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	QwVZQCY.exe
PID 4600 wrote to memory of 3832	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	lEUpfZk.exe
PID 4600 wrote to memory of 3832	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	lEUpfZk.exe
PID 4600 wrote to memory of 3288	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	mHVcSqh.exe
PID 4600 wrote to memory of 3288	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	mHVcSqh.exe
PID 4600 wrote to memory of 4672	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	FlVhHtk.exe
PID 4600 wrote to memory of 4672	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	FlVhHtk.exe
PID 4600 wrote to memory of 4768	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	PRnVOke.exe
PID 4600 wrote to memory of 4768	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	PRnVOke.exe
PID 4600 wrote to memory of 1808	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	CYDvliY.exe
PID 4600 wrote to memory of 1808	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	CYDvliY.exe
PID 4600 wrote to memory of 4996	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	GMoxWkq.exe
PID 4600 wrote to memory of 4996	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	GMoxWkq.exe
PID 4600 wrote to memory of 860	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	boLvWtH.exe
PID 4600 wrote to memory of 860	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	boLvWtH.exe
PID 4600 wrote to memory of 4860	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	pGpWJvb.exe
PID 4600 wrote to memory of 4860	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	pGpWJvb.exe
PID 4600 wrote to memory of 2244	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	rnicMJz.exe
PID 4600 wrote to memory of 2244	4600	2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe	rnicMJz.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_f841b0ad9eb5462e9ca1eb0a3149cbc7_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\System\KzBiJuE.exe
C:\Windows\System\KzBiJuE.exe
2⤵
- Executes dropped EXE
PID:3492

C:\Windows\System\NxWzsKk.exe
C:\Windows\System\NxWzsKk.exe
2⤵
- Executes dropped EXE
PID:3712

C:\Windows\System\uqEzizx.exe
C:\Windows\System\uqEzizx.exe
2⤵
- Executes dropped EXE
PID:612

C:\Windows\System\wGAGmKu.exe
C:\Windows\System\wGAGmKu.exe
2⤵
- Executes dropped EXE
PID:100

C:\Windows\System\yKwoHbE.exe
C:\Windows\System\yKwoHbE.exe
2⤵
- Executes dropped EXE
PID:4216

C:\Windows\System\RAfWSmT.exe
C:\Windows\System\RAfWSmT.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\LynuKwV.exe
C:\Windows\System\LynuKwV.exe
2⤵
- Executes dropped EXE
PID:3992

C:\Windows\System\oqzvvpi.exe
C:\Windows\System\oqzvvpi.exe
2⤵
- Executes dropped EXE
PID:2068

C:\Windows\System\VZcDRct.exe
C:\Windows\System\VZcDRct.exe
2⤵
- Executes dropped EXE
PID:4416

C:\Windows\System\lEZAiYr.exe
C:\Windows\System\lEZAiYr.exe
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\System\KJpiLAi.exe
C:\Windows\System\KJpiLAi.exe
2⤵
- Executes dropped EXE
PID:4740

C:\Windows\System\QwVZQCY.exe
C:\Windows\System\QwVZQCY.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\lEUpfZk.exe
C:\Windows\System\lEUpfZk.exe
2⤵
- Executes dropped EXE
PID:3832

C:\Windows\System\mHVcSqh.exe
C:\Windows\System\mHVcSqh.exe
2⤵
- Executes dropped EXE
PID:3288

C:\Windows\System\FlVhHtk.exe
C:\Windows\System\FlVhHtk.exe
2⤵
- Executes dropped EXE
PID:4672

C:\Windows\System\PRnVOke.exe
C:\Windows\System\PRnVOke.exe
2⤵
- Executes dropped EXE
PID:4768

C:\Windows\System\CYDvliY.exe
C:\Windows\System\CYDvliY.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\GMoxWkq.exe
C:\Windows\System\GMoxWkq.exe
2⤵
- Executes dropped EXE
PID:4996

C:\Windows\System\boLvWtH.exe
C:\Windows\System\boLvWtH.exe
2⤵
- Executes dropped EXE
PID:860

C:\Windows\System\pGpWJvb.exe
C:\Windows\System\pGpWJvb.exe
2⤵
- Executes dropped EXE
PID:4860

C:\Windows\System\rnicMJz.exe
C:\Windows\System\rnicMJz.exe
2⤵
- Executes dropped EXE
PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CYDvliY.exe

Filesize
5.2MB

MD5
81c6e291336494e674ae70f02b7aa95a

SHA1
6957de9685ec345c1eb0b711da4851784073fa66

SHA256
74d1b5d8a1aac4291a0d0ebf0f64c8d252f9625de3387d9099ee050ed343c683

SHA512
69f7ebeb80efbad44ef9c42920f468545a6ee5be1ef785859f607c179fb24b4ab9aa27f9c168c8ee1f2bd2922932d619a3b4bfd52047db1c10e158b84a12297b

Download Submit
C:\Windows\System\FlVhHtk.exe

Filesize
5.2MB

MD5
afeb3d1c53e63252c0b7f6f402ee748a

SHA1
f3660aff36521f9e1bb344951dbd8aa4540cd869

SHA256
2d4e1c69a1e658a6539a5b3ff1cf4707af87e47c666296429fdcb9916297bb76

SHA512
4c586c102d2ce8d9be2e9f2f5230fb47cf637c61adb4c9973e16508dbae75c247b7c401c1f0e8d34b6c4a053b12acddd43f5de71f26e3024b4757378602f3905

Download Submit
C:\Windows\System\GMoxWkq.exe

Filesize
5.2MB

MD5
2f74f0e83f41e50bae236a0bf4c88d7c

SHA1
8f77666ed1f004a300c51c5bad27745b07fbfcdb

SHA256
359a5d1c61b397aebeae0a4e9e773ffb0f952583d0de19bfee9aec6999a50bd6

SHA512
9b105d510dfdbe69ae56f8b021ca7836180bb9344b51a89de436091ca4f67e0111f7544a6bd1c39d39e7cc9ba2f9f34b494263c945404dbac33c226713271d75

Download Submit
C:\Windows\System\KJpiLAi.exe

Filesize
5.2MB

MD5
30058c627623e0589a18632584d89cf7

SHA1
d9298df5aac0b4913ecfd7be85dc5a161009d642

SHA256
8930ddedbbeae4dea23e3b417556241f0e31f2678dc194f394d1d133b78e8d76

SHA512
999326208e8407e630467121a454ffe285fc7e5fd5fe8fa24d4481b01bc46d3adef8e03f169bf4b2043899ee11582fbde5a62501dfbbd364f8bc150444d47c3e

Download Submit
C:\Windows\System\KzBiJuE.exe

Filesize
5.2MB

MD5
c2ef583d85d6638f98eff950462760aa

SHA1
58febbe4e8958cdae2c5e1b43d052060191e0e73

SHA256
98e7fa49518283d4be750dac4a454821e35700647735d6c4009fe75d2aec241e

SHA512
98d38f5eaca0fcdefbb52990c2bac96100e9b06df90d107c86a3501acc9b89501944004858a9b909d1e559bd7c004082fab9fd1a61f482e53f7228a0e5a5b48a

Download Submit
C:\Windows\System\LynuKwV.exe

Filesize
5.2MB

MD5
4eb7a0af5756b11df848516a0242f9bf

SHA1
11d4bc422d624823b1a269fd6ab2918d0c32c7c7

SHA256
e6ebb297ef1ddfe600149b0dd6cb4faf8b8aba476ae47273a0c926ec70542617

SHA512
5ac8c5f4b68021f7845e2a65b4c854a9491a774aa1f19a9109b3f9264aa260ed5643cfeb25a2543706e640cb2c3cd5e0c40f21808947377e5e5a4a506b80d1d5

Download Submit
C:\Windows\System\NxWzsKk.exe

Filesize
5.2MB

MD5
9aab25a23ba451d184f037416d981cc0

SHA1
6447ebfd51cc954b59a9b156c596997f84bd18d4

SHA256
3d02a312084c152557d1a71fca4e1b576840a39a3464ced242dc4ea630a859d3

SHA512
519d0a54e8490e827d05a1076ef5326eecbddcf76ae02f24c7f8ae293f06854f03df111b32e386cb359b6fcd9ccfb2ae6e12d671bd2cfee3586e004fee383a20

Download Submit
C:\Windows\System\PRnVOke.exe

Filesize
5.2MB

MD5
2494146d8382c04d8d2302cfb4959159

SHA1
4f8da4de871a3ea5223bb1e715fc609619b3dc56

SHA256
2b2522e0c0c5f58ce736d521634a21f2ab31fcbceea8b31a7acc62a2f4682d18

SHA512
8f87dbe1b107a2071e38b3c36a7824ec5fa40312d7fbf050c67b38dcb12d05daf0116a0f1cdb88850e8001d553b251dc1568ca3dc1e5ad5cd4383247f0811487

Download Submit
C:\Windows\System\QwVZQCY.exe

Filesize
5.2MB

MD5
ff809149f08efa67b0c072214f92d34c

SHA1
e46140f2f0ee464c2e0daede1fce917cb3adfd7f

SHA256
3db2a235d380fac585184c9f236cdae2dbdb15de18f68cecfe07fa1282c627b3

SHA512
2f297ffe414a91df66e4719ac06b952561670cbb7460b6eba7422ce4cf09fdac7b7f491073ea25cecbbf9966833bda1dc9c9b9c2e70fb0ae1134f6c1f84a588a

Download Submit
C:\Windows\System\RAfWSmT.exe

Filesize
5.2MB

MD5
e555ac2b57b063fa170ee5954d7c6a57

SHA1
3fafa2c8ef6098295adf5e01894444b19912ab97

SHA256
5a713692c9c954b87cb67b5095fe6ce664219ebfe0d2cbd77a5ea61643240800

SHA512
601bdcc3f2c80752cb7bcc2aeb8e6a7f8bf89b652b9fce724e8f2b38a3928b4725372a2168c8067a4f33dce0aa026281eefa7417aa859e8aa68c591839f899a8

Download Submit
C:\Windows\System\VZcDRct.exe

Filesize
5.2MB

MD5
3f877e3deb9a9fa491b73aff52baf8a9

SHA1
2bb9e9115cf2162cd69d1125e7e2e799d7904711

SHA256
75aa319644dbdda1aaa6039e8236336118982ab0661c1026a98f6120547f9c9c

SHA512
206d8ac4eca3c328468f05387f08a9f7e3de712254f766426c5e00410fa30e6d20a324417f64fa78772f52e8e4f95408aa88e2184761ed2e59473cdfadd5bf6a

Download Submit
C:\Windows\System\boLvWtH.exe

Filesize
5.2MB

MD5
488bcf3e69427b44f2ec66b5d73473dc

SHA1
e9d8d19bd93b828a8fa2072feb992c1f0f810f5c

SHA256
2ced2f7b3a0ae7b9357a5da1aef8e37ee7381de70cda7f0eeb00641a9565b66a

SHA512
46e748979116580104f14c618c972031c6c741d25ac08fc3987f42ee2cee746c285a2d05db65e8f2a19342af27d0d1e7d76a228f0464925255647d3a1fd3b353

Download Submit
C:\Windows\System\lEUpfZk.exe

Filesize
5.2MB

MD5
8da30e7a70b68aeb57480d3487ae736f

SHA1
89b329c88ea383c523f7f414cbdc3cdf63bcbc59

SHA256
cdebf756300d8e8995bbb5a845a9f867de7bfce38d250292c5025f6780a889b1

SHA512
7550a3b046cc3248a1cd517e5f62e8431ecc3ff4ba60803d824d4c84e95647e09d09adf6e616b6ea7f296f0670ef7558368e418b4030290abb3c56d987760641

Download Submit
C:\Windows\System\lEZAiYr.exe

Filesize
5.2MB

MD5
51944ce299edfd93e6ce19e1dc1535ea

SHA1
ea11cfa6fef0282fc79cc753136aaae49be14d9f

SHA256
670a8d8af63ac77530ec0ba803b4b80e36d988b819da78e545bda3d9c27f24e9

SHA512
f29764e627ea16d8ae1d495b6387560255ccea13c1fd8e84be3f28f1450483f160d03964a15f46f660fe447770dec4823fb651fdfc02a7c581faf9a07050e8ff

Download Submit
C:\Windows\System\mHVcSqh.exe

Filesize
5.2MB

MD5
65b8f05cae2240c7772a0a34fcfde232

SHA1
6ef2d8114c02d1b49b8cb5df46ecad64bba80937

SHA256
d034d929da55e24129434d34b9265d86096ad1a058b884a71129afb26347bf76

SHA512
bf09072caf074c2f70a08443b7c1127f4eea866cb1558ea448aad67b017a3c4adef0f619ada755b5e15c7b6f21ee4ccb093806901f1a6c5829f8fe2ab46fe2ae

Download Submit
C:\Windows\System\oqzvvpi.exe

Filesize
5.2MB

MD5
357c0bfd706458e8f9d837525c50d46b

SHA1
78a41058fe66d23897d5e456ec4e309748a60586

SHA256
67fc2596b68e17a3b1a73fc3eaf6c493f20a6e34a22bea2aa3b913d00aa37910

SHA512
d3b1107a9de1e534e4c6a8fbebc7fb0d5749c794d10a933157bef627cf20aa854d893284aee05f39fc47535a7e8886b61848ee8733ffd56afd04e0ef4420304d

Download Submit
C:\Windows\System\pGpWJvb.exe

Filesize
5.2MB

MD5
8d69d2684fe6526f42fdd188dab3ce0d

SHA1
a73fe9a0aeda0e683e2863d856a7890a4ff84217

SHA256
ed7552b36e9e5ca1351342ad2f328a821a9ffa8d33e27d0ee66dc828f87b41bb

SHA512
7dce6339b4f6721341df62163b78d0e84615a02f2638082afc5bb0d776a88a02f819e07e357c469eaf0fa919a4435f0a9d4f878b74a775dd5cda3103c12e377d

Download Submit
C:\Windows\System\rnicMJz.exe

Filesize
5.2MB

MD5
3ee923aafa0b0df259bf32162a2eb94f

SHA1
50da366a900d13c7d3a7f28165db55942c79e680

SHA256
a388df6044254a8995e0c0bf2fd0357ae69d065b44f7887f5d360c725a446c3c

SHA512
c3e1a775591c687243b06d4792be61edf42f328eba65c1283c77410edadf7b011e24494a088d9d605cb6d0cccf054ffb9f7b1eb73adb10a9158f4c68c32be8b9

Download Submit
C:\Windows\System\uqEzizx.exe

Filesize
5.2MB

MD5
4eafcc545a6e5043baf00a0f32bef147

SHA1
12fce7cc1c4c0e7059f0f2089c8cf92eb4255176

SHA256
76cd5f3b664d54169eaf93dd48f4a9a0ddda941f991fa440a148ff2a9cde02a4

SHA512
d12335feb3774443e527f1d2302b78825f6f8c65e7a9faefe8d0bdefbe194f66ce1d1cefe3d650142e92c4caa0742296f5a933398044d7ccba4063cad3ab4d3e

Download Submit
C:\Windows\System\wGAGmKu.exe

Filesize
5.2MB

MD5
934686342789eea72f3f542e88626780

SHA1
9534823437fae679194129de0d5cc45639cf0f5d

SHA256
d88560d85f2b620a4433e1d218cc65c31c033b5690434f198894178826bc077d

SHA512
f45de88efb916f9899069d5a78e51629d80c9d1529b94b84f436cfcf0efa2d090f5ceaa3428ec4b3c09e279288b6a35128f17a64c7c772acae5b1c4028554fdc

Download Submit
C:\Windows\System\yKwoHbE.exe

Filesize
5.2MB

MD5
d8d9b2e947c02a2633d2101f719d6324

SHA1
b40017ec7658eaa7d9735152722c445e70cba669

SHA256
060768e298c6a515c50bd1cbc9a170ec64accac80707c1df82ae634cf1ab67a3

SHA512
753f9b8e3117e9f2792f0c8955e104ed4fea9570edb30d18deccc4084343b02d2a9402f202b86bc0bd62581b77497edc55ecdf09d5c25ebe357d4671670609f6

Download Submit
memory/100-212-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp

Filesize
3.3MB

Download
memory/100-24-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp

Filesize
3.3MB

Download
memory/100-90-0x00007FF757D50000-0x00007FF7580A1000-memory.dmp

Filesize
3.3MB

Download
memory/612-207-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp

Filesize
3.3MB

Download
memory/612-83-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp

Filesize
3.3MB

Download
memory/612-18-0x00007FF7EEB90000-0x00007FF7EEEE1000-memory.dmp

Filesize
3.3MB

Download
memory/860-253-0x00007FF727780000-0x00007FF727AD1000-memory.dmp

Filesize
3.3MB

Download
memory/860-139-0x00007FF727780000-0x00007FF727AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-144-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-229-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-63-0x00007FF6A9290000-0x00007FF6A95E1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-251-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp

Filesize
3.3MB

Download
memory/1808-153-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp

Filesize
3.3MB

Download
memory/1808-108-0x00007FF7BC200000-0x00007FF7BC551000-memory.dmp

Filesize
3.3MB

Download
memory/2068-53-0x00007FF602560000-0x00007FF6028B1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-225-0x00007FF602560000-0x00007FF6028B1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-137-0x00007FF602560000-0x00007FF6028B1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-257-0x00007FF7F60F0000-0x00007FF7F6441000-memory.dmp

Filesize
3.3MB

Download
memory/2244-146-0x00007FF7F60F0000-0x00007FF7F6441000-memory.dmp

Filesize
3.3MB

Download
memory/2900-221-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp

Filesize
3.3MB

Download
memory/2900-104-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp

Filesize
3.3MB

Download
memory/2900-37-0x00007FF7AC1E0000-0x00007FF7AC531000-memory.dmp

Filesize
3.3MB

Download
memory/2984-235-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp

Filesize
3.3MB

Download
memory/2984-148-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp

Filesize
3.3MB

Download
memory/2984-82-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp

Filesize
3.3MB

Download
memory/3288-94-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp

Filesize
3.3MB

Download
memory/3288-245-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp

Filesize
3.3MB

Download
memory/3288-150-0x00007FF72E9B0000-0x00007FF72ED01000-memory.dmp

Filesize
3.3MB

Download
memory/3492-69-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp

Filesize
3.3MB

Download
memory/3492-203-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp

Filesize
3.3MB

Download
memory/3492-6-0x00007FF71BCB0000-0x00007FF71C001000-memory.dmp

Filesize
3.3MB

Download
memory/3712-14-0x00007FF626550000-0x00007FF6268A1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-205-0x00007FF626550000-0x00007FF6268A1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-76-0x00007FF626550000-0x00007FF6268A1000-memory.dmp

Filesize
3.3MB

Download
memory/3832-149-0x00007FF7614F0000-0x00007FF761841000-memory.dmp

Filesize
3.3MB

Download
memory/3832-87-0x00007FF7614F0000-0x00007FF761841000-memory.dmp

Filesize
3.3MB

Download
memory/3832-234-0x00007FF7614F0000-0x00007FF761841000-memory.dmp

Filesize
3.3MB

Download
memory/3992-224-0x00007FF724290000-0x00007FF7245E1000-memory.dmp

Filesize
3.3MB

Download
memory/3992-136-0x00007FF724290000-0x00007FF7245E1000-memory.dmp

Filesize
3.3MB

Download
memory/3992-40-0x00007FF724290000-0x00007FF7245E1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-214-0x00007FF736140000-0x00007FF736491000-memory.dmp

Filesize
3.3MB

Download
memory/4216-32-0x00007FF736140000-0x00007FF736491000-memory.dmp

Filesize
3.3MB

Download
memory/4416-227-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-143-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-54-0x00007FF61E670000-0x00007FF61E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-0-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp

Filesize
3.3MB

Download
memory/4600-60-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp

Filesize
3.3MB

Download
memory/4600-129-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp

Filesize
3.3MB

Download
memory/4600-1-0x0000021587C90000-0x0000021587CA0000-memory.dmp

Filesize
64KB

Download
memory/4600-158-0x00007FF7316C0000-0x00007FF731A11000-memory.dmp

Filesize
3.3MB

Download
memory/4672-105-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4672-260-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4672-151-0x00007FF61E790000-0x00007FF61EAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-231-0x00007FF74B210000-0x00007FF74B561000-memory.dmp

Filesize
3.3MB

Download
memory/4740-147-0x00007FF74B210000-0x00007FF74B561000-memory.dmp

Filesize
3.3MB

Download
memory/4740-70-0x00007FF74B210000-0x00007FF74B561000-memory.dmp

Filesize
3.3MB

Download
memory/4768-247-0x00007FF6FDF10000-0x00007FF6FE261000-memory.dmp

Filesize
3.3MB

Download
memory/4768-109-0x00007FF6FDF10000-0x00007FF6FE261000-memory.dmp

Filesize
3.3MB

Download
memory/4860-145-0x00007FF6F55C0000-0x00007FF6F5911000-memory.dmp

Filesize
3.3MB

Download
memory/4860-255-0x00007FF6F55C0000-0x00007FF6F5911000-memory.dmp

Filesize
3.3MB

Download
memory/4996-250-0x00007FF7254E0000-0x00007FF725831000-memory.dmp

Filesize
3.3MB

Download
memory/4996-138-0x00007FF7254E0000-0x00007FF725831000-memory.dmp

Filesize
3.3MB

Download