cobaltstrike | 81e589a541c667206447663c273808799e7398eba57987bacebc9347a3214d21

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

8e3c634227dc0306df558907ca1a4488
SHA1

6cfb101b3996dc47de2d97568334a11245f256e2
SHA256

81e589a541c667206447663c273808799e7398eba57987bacebc9347a3214d21
SHA512

ba63d0c9e61849385d0476ac4f720dde382dd6791d7de15934375f600dd0c80110bc6a9b57f83fab3379a1a46ded283a3387c4419fa06ade10c1176aff2f597e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibf56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\WxSzBye.exe	cobalt_reflective_dll
C:\Windows\System\YrdXueD.exe	cobalt_reflective_dll
C:\Windows\System\divCIBE.exe	cobalt_reflective_dll
C:\Windows\System\PJmaunV.exe	cobalt_reflective_dll
C:\Windows\System\CZjLfnd.exe	cobalt_reflective_dll
C:\Windows\System\KdPJvgO.exe	cobalt_reflective_dll
C:\Windows\System\FTzuKiw.exe	cobalt_reflective_dll
C:\Windows\System\CTjMtdr.exe	cobalt_reflective_dll
C:\Windows\System\lcZOdTG.exe	cobalt_reflective_dll
C:\Windows\System\GzMeecP.exe	cobalt_reflective_dll
C:\Windows\System\ZBzfhrw.exe	cobalt_reflective_dll
C:\Windows\System\cCJsiNw.exe	cobalt_reflective_dll
C:\Windows\System\HvvZoCn.exe	cobalt_reflective_dll
C:\Windows\System\LodYvpk.exe	cobalt_reflective_dll
C:\Windows\System\mmivQKI.exe	cobalt_reflective_dll
C:\Windows\System\IaeLgTn.exe	cobalt_reflective_dll
C:\Windows\System\LMebVoO.exe	cobalt_reflective_dll
C:\Windows\System\WYeGapo.exe	cobalt_reflective_dll
C:\Windows\System\JSoNIlE.exe	cobalt_reflective_dll
C:\Windows\System\jDcIAlL.exe	cobalt_reflective_dll
C:\Windows\System\ywgUCEt.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\WxSzBye.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YrdXueD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\divCIBE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PJmaunV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CZjLfnd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KdPJvgO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FTzuKiw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CTjMtdr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lcZOdTG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GzMeecP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZBzfhrw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cCJsiNw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HvvZoCn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LodYvpk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mmivQKI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IaeLgTn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LMebVoO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WYeGapo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JSoNIlE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jDcIAlL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ywgUCEt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4104-0-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	UPX
behavioral2/memory/2160-7-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp	UPX
C:\Windows\System\WxSzBye.exe	UPX
C:\Windows\System\YrdXueD.exe	UPX
C:\Windows\System\divCIBE.exe	UPX
behavioral2/memory/3760-12-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp	UPX
behavioral2/memory/3092-19-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp	UPX
C:\Windows\System\PJmaunV.exe	UPX
behavioral2/memory/1872-26-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp	UPX
C:\Windows\System\CZjLfnd.exe	UPX
behavioral2/memory/4072-32-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp	UPX
C:\Windows\System\KdPJvgO.exe	UPX
behavioral2/memory/1356-36-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp	UPX
C:\Windows\System\FTzuKiw.exe	UPX
behavioral2/memory/3064-42-0x00007FF674D30000-0x00007FF675081000-memory.dmp	UPX
C:\Windows\System\CTjMtdr.exe	UPX
behavioral2/memory/3832-50-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp	UPX
C:\Windows\System\lcZOdTG.exe	UPX
behavioral2/memory/4056-55-0x00007FF690810000-0x00007FF690B61000-memory.dmp	UPX
C:\Windows\System\GzMeecP.exe	UPX
C:\Windows\System\ZBzfhrw.exe	UPX
behavioral2/memory/3424-69-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	UPX
behavioral2/memory/3992-76-0x00007FF78C800000-0x00007FF78CB51000-memory.dmp	UPX
C:\Windows\System\cCJsiNw.exe	UPX
C:\Windows\System\HvvZoCn.exe	UPX
behavioral2/memory/4980-102-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp	UPX
C:\Windows\System\LodYvpk.exe	UPX
C:\Windows\System\mmivQKI.exe	UPX
C:\Windows\System\IaeLgTn.exe	UPX
C:\Windows\System\LMebVoO.exe	UPX
C:\Windows\System\WYeGapo.exe	UPX
behavioral2/memory/1672-107-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp	UPX
behavioral2/memory/4072-106-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp	UPX
behavioral2/memory/1436-103-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp	UPX
behavioral2/memory/1872-100-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp	UPX
C:\Windows\System\JSoNIlE.exe	UPX
C:\Windows\System\jDcIAlL.exe	UPX
behavioral2/memory/3300-88-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp	UPX
behavioral2/memory/3092-87-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp	UPX
behavioral2/memory/1612-86-0x00007FF7B5ED0000-0x00007FF7B6221000-memory.dmp	UPX
C:\Windows\System\ywgUCEt.exe	UPX
behavioral2/memory/3760-79-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp	UPX
behavioral2/memory/4488-77-0x00007FF696560000-0x00007FF6968B1000-memory.dmp	UPX
behavioral2/memory/2160-74-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp	UPX
behavioral2/memory/4104-64-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	UPX
behavioral2/memory/4104-129-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	UPX
behavioral2/memory/3064-138-0x00007FF674D30000-0x00007FF675081000-memory.dmp	UPX
behavioral2/memory/4844-139-0x00007FF79DE80000-0x00007FF79E1D1000-memory.dmp	UPX
behavioral2/memory/3088-142-0x00007FF730520000-0x00007FF730871000-memory.dmp	UPX
behavioral2/memory/3952-141-0x00007FF7B6CF0000-0x00007FF7B7041000-memory.dmp	UPX
behavioral2/memory/692-140-0x00007FF7E95B0000-0x00007FF7E9901000-memory.dmp	UPX
behavioral2/memory/1356-137-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp	UPX
behavioral2/memory/3300-149-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp	UPX
behavioral2/memory/1672-152-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp	UPX
behavioral2/memory/1436-151-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp	UPX
behavioral2/memory/4488-147-0x00007FF696560000-0x00007FF6968B1000-memory.dmp	UPX
behavioral2/memory/4056-144-0x00007FF690810000-0x00007FF690B61000-memory.dmp	UPX
behavioral2/memory/4980-150-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp	UPX
behavioral2/memory/3832-143-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp	UPX
behavioral2/memory/4104-157-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	UPX
behavioral2/memory/2160-202-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp	UPX
behavioral2/memory/3760-207-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp	UPX
behavioral2/memory/3092-209-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp	UPX
behavioral2/memory/1872-211-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3424-69-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	xmrig
behavioral2/memory/3992-76-0x00007FF78C800000-0x00007FF78CB51000-memory.dmp	xmrig
behavioral2/memory/4072-106-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp	xmrig
behavioral2/memory/1872-100-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp	xmrig
behavioral2/memory/3092-87-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp	xmrig
behavioral2/memory/1612-86-0x00007FF7B5ED0000-0x00007FF7B6221000-memory.dmp	xmrig
behavioral2/memory/3760-79-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp	xmrig
behavioral2/memory/2160-74-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp	xmrig
behavioral2/memory/4104-64-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	xmrig
behavioral2/memory/4104-129-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	xmrig
behavioral2/memory/3064-138-0x00007FF674D30000-0x00007FF675081000-memory.dmp	xmrig
behavioral2/memory/4844-139-0x00007FF79DE80000-0x00007FF79E1D1000-memory.dmp	xmrig
behavioral2/memory/3088-142-0x00007FF730520000-0x00007FF730871000-memory.dmp	xmrig
behavioral2/memory/3952-141-0x00007FF7B6CF0000-0x00007FF7B7041000-memory.dmp	xmrig
behavioral2/memory/692-140-0x00007FF7E95B0000-0x00007FF7E9901000-memory.dmp	xmrig
behavioral2/memory/1356-137-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp	xmrig
behavioral2/memory/3300-149-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp	xmrig
behavioral2/memory/1672-152-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp	xmrig
behavioral2/memory/1436-151-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp	xmrig
behavioral2/memory/4488-147-0x00007FF696560000-0x00007FF6968B1000-memory.dmp	xmrig
behavioral2/memory/4056-144-0x00007FF690810000-0x00007FF690B61000-memory.dmp	xmrig
behavioral2/memory/4980-150-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp	xmrig
behavioral2/memory/3832-143-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp	xmrig
behavioral2/memory/4104-157-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	xmrig
behavioral2/memory/2160-202-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp	xmrig
behavioral2/memory/3760-207-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp	xmrig
behavioral2/memory/3092-209-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp	xmrig
behavioral2/memory/1872-211-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp	xmrig
behavioral2/memory/4072-217-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp	xmrig
behavioral2/memory/1356-219-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp	xmrig
behavioral2/memory/3064-221-0x00007FF674D30000-0x00007FF675081000-memory.dmp	xmrig
behavioral2/memory/3832-224-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp	xmrig
behavioral2/memory/4056-226-0x00007FF690810000-0x00007FF690B61000-memory.dmp	xmrig
behavioral2/memory/3424-228-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	xmrig
behavioral2/memory/3992-230-0x00007FF78C800000-0x00007FF78CB51000-memory.dmp	xmrig
behavioral2/memory/4488-232-0x00007FF696560000-0x00007FF6968B1000-memory.dmp	xmrig
behavioral2/memory/1612-234-0x00007FF7B5ED0000-0x00007FF7B6221000-memory.dmp	xmrig
behavioral2/memory/3300-237-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp	xmrig
behavioral2/memory/1436-240-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp	xmrig
behavioral2/memory/1672-239-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp	xmrig
behavioral2/memory/4844-243-0x00007FF79DE80000-0x00007FF79E1D1000-memory.dmp	xmrig
behavioral2/memory/3952-244-0x00007FF7B6CF0000-0x00007FF7B7041000-memory.dmp	xmrig
behavioral2/memory/692-246-0x00007FF7E95B0000-0x00007FF7E9901000-memory.dmp	xmrig
behavioral2/memory/3088-248-0x00007FF730520000-0x00007FF730871000-memory.dmp	xmrig
behavioral2/memory/4980-252-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

YrdXueD.exeWxSzBye.exedivCIBE.exePJmaunV.exeCZjLfnd.exeKdPJvgO.exeFTzuKiw.exeCTjMtdr.exelcZOdTG.exeGzMeecP.exeZBzfhrw.execCJsiNw.exeywgUCEt.exejDcIAlL.exeJSoNIlE.exeHvvZoCn.exeWYeGapo.exeLodYvpk.exemmivQKI.exeLMebVoO.exeIaeLgTn.exe

pid	process
2160	YrdXueD.exe
3760	WxSzBye.exe
3092	divCIBE.exe
1872	PJmaunV.exe
4072	CZjLfnd.exe
1356	KdPJvgO.exe
3064	FTzuKiw.exe
3832	CTjMtdr.exe
4056	lcZOdTG.exe
3424	GzMeecP.exe
3992	ZBzfhrw.exe
4488	cCJsiNw.exe
1612	ywgUCEt.exe
3300	jDcIAlL.exe
4980	JSoNIlE.exe
1436	HvvZoCn.exe
1672	WYeGapo.exe
4844	LodYvpk.exe
692	mmivQKI.exe
3952	LMebVoO.exe
3088	IaeLgTn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4104-0-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	upx
behavioral2/memory/2160-7-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp	upx
C:\Windows\System\WxSzBye.exe	upx
C:\Windows\System\YrdXueD.exe	upx
C:\Windows\System\divCIBE.exe	upx
behavioral2/memory/3760-12-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp	upx
behavioral2/memory/3092-19-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp	upx
C:\Windows\System\PJmaunV.exe	upx
behavioral2/memory/1872-26-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp	upx
C:\Windows\System\CZjLfnd.exe	upx
behavioral2/memory/4072-32-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp	upx
C:\Windows\System\KdPJvgO.exe	upx
behavioral2/memory/1356-36-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp	upx
C:\Windows\System\FTzuKiw.exe	upx
behavioral2/memory/3064-42-0x00007FF674D30000-0x00007FF675081000-memory.dmp	upx
C:\Windows\System\CTjMtdr.exe	upx
behavioral2/memory/3832-50-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp	upx
C:\Windows\System\lcZOdTG.exe	upx
behavioral2/memory/4056-55-0x00007FF690810000-0x00007FF690B61000-memory.dmp	upx
C:\Windows\System\GzMeecP.exe	upx
C:\Windows\System\ZBzfhrw.exe	upx
behavioral2/memory/3424-69-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	upx
behavioral2/memory/3992-76-0x00007FF78C800000-0x00007FF78CB51000-memory.dmp	upx
C:\Windows\System\cCJsiNw.exe	upx
C:\Windows\System\HvvZoCn.exe	upx
behavioral2/memory/4980-102-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp	upx
C:\Windows\System\LodYvpk.exe	upx
C:\Windows\System\mmivQKI.exe	upx
C:\Windows\System\IaeLgTn.exe	upx
C:\Windows\System\LMebVoO.exe	upx
C:\Windows\System\WYeGapo.exe	upx
behavioral2/memory/1672-107-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp	upx
behavioral2/memory/4072-106-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp	upx
behavioral2/memory/1436-103-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp	upx
behavioral2/memory/1872-100-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp	upx
C:\Windows\System\JSoNIlE.exe	upx
C:\Windows\System\jDcIAlL.exe	upx
behavioral2/memory/3300-88-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp	upx
behavioral2/memory/3092-87-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp	upx
behavioral2/memory/1612-86-0x00007FF7B5ED0000-0x00007FF7B6221000-memory.dmp	upx
C:\Windows\System\ywgUCEt.exe	upx
behavioral2/memory/3760-79-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp	upx
behavioral2/memory/4488-77-0x00007FF696560000-0x00007FF6968B1000-memory.dmp	upx
behavioral2/memory/2160-74-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp	upx
behavioral2/memory/4104-64-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	upx
behavioral2/memory/4104-129-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	upx
behavioral2/memory/3064-138-0x00007FF674D30000-0x00007FF675081000-memory.dmp	upx
behavioral2/memory/4844-139-0x00007FF79DE80000-0x00007FF79E1D1000-memory.dmp	upx
behavioral2/memory/3088-142-0x00007FF730520000-0x00007FF730871000-memory.dmp	upx
behavioral2/memory/3952-141-0x00007FF7B6CF0000-0x00007FF7B7041000-memory.dmp	upx
behavioral2/memory/692-140-0x00007FF7E95B0000-0x00007FF7E9901000-memory.dmp	upx
behavioral2/memory/1356-137-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp	upx
behavioral2/memory/3300-149-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp	upx
behavioral2/memory/1672-152-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp	upx
behavioral2/memory/1436-151-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp	upx
behavioral2/memory/4488-147-0x00007FF696560000-0x00007FF6968B1000-memory.dmp	upx
behavioral2/memory/4056-144-0x00007FF690810000-0x00007FF690B61000-memory.dmp	upx
behavioral2/memory/4980-150-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp	upx
behavioral2/memory/3832-143-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp	upx
behavioral2/memory/4104-157-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp	upx
behavioral2/memory/2160-202-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp	upx
behavioral2/memory/3760-207-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp	upx
behavioral2/memory/3092-209-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp	upx
behavioral2/memory/1872-211-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\FTzuKiw.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZBzfhrw.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cCJsiNw.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JSoNIlE.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YrdXueD.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\divCIBE.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CZjLfnd.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HvvZoCn.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mmivQKI.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IaeLgTn.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WxSzBye.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lcZOdTG.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GzMeecP.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ywgUCEt.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LMebVoO.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PJmaunV.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KdPJvgO.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CTjMtdr.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jDcIAlL.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WYeGapo.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LodYvpk.exe	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4104 wrote to memory of 2160	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	YrdXueD.exe
PID 4104 wrote to memory of 2160	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	YrdXueD.exe
PID 4104 wrote to memory of 3760	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	WxSzBye.exe
PID 4104 wrote to memory of 3760	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	WxSzBye.exe
PID 4104 wrote to memory of 3092	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	divCIBE.exe
PID 4104 wrote to memory of 3092	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	divCIBE.exe
PID 4104 wrote to memory of 1872	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	PJmaunV.exe
PID 4104 wrote to memory of 1872	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	PJmaunV.exe
PID 4104 wrote to memory of 4072	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	CZjLfnd.exe
PID 4104 wrote to memory of 4072	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	CZjLfnd.exe
PID 4104 wrote to memory of 1356	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	KdPJvgO.exe
PID 4104 wrote to memory of 1356	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	KdPJvgO.exe
PID 4104 wrote to memory of 3064	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	FTzuKiw.exe
PID 4104 wrote to memory of 3064	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	FTzuKiw.exe
PID 4104 wrote to memory of 3832	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	CTjMtdr.exe
PID 4104 wrote to memory of 3832	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	CTjMtdr.exe
PID 4104 wrote to memory of 4056	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lcZOdTG.exe
PID 4104 wrote to memory of 4056	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	lcZOdTG.exe
PID 4104 wrote to memory of 3424	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	GzMeecP.exe
PID 4104 wrote to memory of 3424	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	GzMeecP.exe
PID 4104 wrote to memory of 3992	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	ZBzfhrw.exe
PID 4104 wrote to memory of 3992	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	ZBzfhrw.exe
PID 4104 wrote to memory of 4488	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	cCJsiNw.exe
PID 4104 wrote to memory of 4488	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	cCJsiNw.exe
PID 4104 wrote to memory of 1612	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	ywgUCEt.exe
PID 4104 wrote to memory of 1612	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	ywgUCEt.exe
PID 4104 wrote to memory of 3300	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	jDcIAlL.exe
PID 4104 wrote to memory of 3300	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	jDcIAlL.exe
PID 4104 wrote to memory of 4980	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	JSoNIlE.exe
PID 4104 wrote to memory of 4980	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	JSoNIlE.exe
PID 4104 wrote to memory of 1436	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	HvvZoCn.exe
PID 4104 wrote to memory of 1436	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	HvvZoCn.exe
PID 4104 wrote to memory of 1672	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	WYeGapo.exe
PID 4104 wrote to memory of 1672	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	WYeGapo.exe
PID 4104 wrote to memory of 4844	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	LodYvpk.exe
PID 4104 wrote to memory of 4844	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	LodYvpk.exe
PID 4104 wrote to memory of 692	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	mmivQKI.exe
PID 4104 wrote to memory of 692	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	mmivQKI.exe
PID 4104 wrote to memory of 3952	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	LMebVoO.exe
PID 4104 wrote to memory of 3952	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	LMebVoO.exe
PID 4104 wrote to memory of 3088	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	IaeLgTn.exe
PID 4104 wrote to memory of 3088	4104	2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe	IaeLgTn.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_8e3c634227dc0306df558907ca1a4488_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\System\YrdXueD.exe
C:\Windows\System\YrdXueD.exe
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System\WxSzBye.exe
C:\Windows\System\WxSzBye.exe
2⤵
- Executes dropped EXE
PID:3760

C:\Windows\System\divCIBE.exe
C:\Windows\System\divCIBE.exe
2⤵
- Executes dropped EXE
PID:3092

C:\Windows\System\PJmaunV.exe
C:\Windows\System\PJmaunV.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\CZjLfnd.exe
C:\Windows\System\CZjLfnd.exe
2⤵
- Executes dropped EXE
PID:4072

C:\Windows\System\KdPJvgO.exe
C:\Windows\System\KdPJvgO.exe
2⤵
- Executes dropped EXE
PID:1356

C:\Windows\System\FTzuKiw.exe
C:\Windows\System\FTzuKiw.exe
2⤵
- Executes dropped EXE
PID:3064

C:\Windows\System\CTjMtdr.exe
C:\Windows\System\CTjMtdr.exe
2⤵
- Executes dropped EXE
PID:3832

C:\Windows\System\lcZOdTG.exe
C:\Windows\System\lcZOdTG.exe
2⤵
- Executes dropped EXE
PID:4056

C:\Windows\System\GzMeecP.exe
C:\Windows\System\GzMeecP.exe
2⤵
- Executes dropped EXE
PID:3424

C:\Windows\System\ZBzfhrw.exe
C:\Windows\System\ZBzfhrw.exe
2⤵
- Executes dropped EXE
PID:3992

C:\Windows\System\cCJsiNw.exe
C:\Windows\System\cCJsiNw.exe
2⤵
- Executes dropped EXE
PID:4488

C:\Windows\System\ywgUCEt.exe
C:\Windows\System\ywgUCEt.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System\jDcIAlL.exe
C:\Windows\System\jDcIAlL.exe
2⤵
- Executes dropped EXE
PID:3300

C:\Windows\System\JSoNIlE.exe
C:\Windows\System\JSoNIlE.exe
2⤵
- Executes dropped EXE
PID:4980

C:\Windows\System\HvvZoCn.exe
C:\Windows\System\HvvZoCn.exe
2⤵
- Executes dropped EXE
PID:1436

C:\Windows\System\WYeGapo.exe
C:\Windows\System\WYeGapo.exe
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\System\LodYvpk.exe
C:\Windows\System\LodYvpk.exe
2⤵
- Executes dropped EXE
PID:4844

C:\Windows\System\mmivQKI.exe
C:\Windows\System\mmivQKI.exe
2⤵
- Executes dropped EXE
PID:692

C:\Windows\System\LMebVoO.exe
C:\Windows\System\LMebVoO.exe
2⤵
- Executes dropped EXE
PID:3952

C:\Windows\System\IaeLgTn.exe
C:\Windows\System\IaeLgTn.exe
2⤵
- Executes dropped EXE
PID:3088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CTjMtdr.exe

Filesize
5.2MB

MD5
0945e8d208247639ce04d8a3ed121804

SHA1
847955bad188810b1327c26c1c1a1014ccfb8ee6

SHA256
510c28aaa78e20e28a4e43db69e9e8bd3e87ead6fd10b312a32bb6dbd223f34f

SHA512
6f90cafb6f6a7a34a4029b85a43f29eb2cc573c7a423981d41edd852393b8a65503222cbb33bc163007811f962e829a76063e2bed5055e45dcbbc5622d88008f

Download Submit
C:\Windows\System\CZjLfnd.exe

Filesize
5.2MB

MD5
818d1e84b6392a1bf4416d803069bff3

SHA1
5f2320e48c5c735baa6adea304f9ae70f0678601

SHA256
c27485e89a4e4846b966d2ac7887e8bc03656afc42d8fc79aa6561a8156be83f

SHA512
fa4b3e11a7f2b398e77f4d2709031b2e6f312cae46d4be06da7b4889f8941700f86f0a1f51a99929712a7b0f0604ae8fdd08cfa7097aea43b174de1dd53d735c

Download Submit
C:\Windows\System\FTzuKiw.exe

Filesize
5.2MB

MD5
7a1ca7dc8b662e6a9abf5884e4bc26e8

SHA1
bec9ab975eabf296f3a93ad467f799f60658095c

SHA256
727ac37d8fd4b20382cfd4d6b20097469f8645792a415535ea4551d70e33b766

SHA512
e2ced3b712b1366fa58843f836168fd55eb5252520165a5486650ccc508a723c0171fe16d0d07968a0e77fc0e14270ddae22dfc4eee02e2f667c430059344f79

Download Submit
C:\Windows\System\GzMeecP.exe

Filesize
5.2MB

MD5
da7795a5b8d4a164635121f322a379f9

SHA1
de5108c7dac271a05c3f75872ab7720d481cb051

SHA256
c4abaa877198c6ac91f52163f14f407acb48fb57df9b7e3df86d125391e18068

SHA512
c57b3850edfc85baeb2d927cd3e867f00c82149ef23640d2c4851e47ad4b559c2b268c2a9a10c9dba5bea8b6d6804ba34a8ea01ec1e6ead28ccef3b3ce3d0b9e

Download Submit
C:\Windows\System\HvvZoCn.exe

Filesize
5.2MB

MD5
727b7549e67fa2f968ee9740ae509728

SHA1
47473450732cc11f1204ff4ae290cab7d92cdde5

SHA256
3ad28b9f38ad52d6b5abf985ca2843070f0b86666a2fb6a4c53d97a6eb953320

SHA512
2ea81e9a919bbc459b6eb2399892c44857eca96ab0817b9dde16a3e16678b23925a2e336ccd54fca10ef72b771dfb0d092412c5757cced9959e4d8fabcc02295

Download Submit
C:\Windows\System\IaeLgTn.exe

Filesize
5.2MB

MD5
960c24c94dac0830a10e83b07d0d8f61

SHA1
dc0c8153c88b6e3a65397456be999cbabc808648

SHA256
b3f51735ba7f504de5de174ab0bcf1fa830ff21824706d2efac4083172595c6d

SHA512
0c38aa8b612219123dcfb8a9c76c1791e7710820bce22943923d20045427eeac016b60d3d26943d40e75368c5f0f30a0bae859ab49a624237d1462235fbd67c8

Download Submit
C:\Windows\System\JSoNIlE.exe

Filesize
5.2MB

MD5
141c69ba393b83ceb1b2fe0e206d3ab1

SHA1
7a2efd78704e003c0defebd9c7d7aa9a96ae6d48

SHA256
af8979a2cded91781d60434fea0bec5036bd09cf623e80b27b8fac1fc5a70a81

SHA512
b24e602eedb2c4c7e716d10efd8bc19bf9aafb846e26ede48f9e619482b5755f51e462d6773f24291b216f7676d1a33d48bbc1da653f7c32eb69a4352d66459d

Download Submit
C:\Windows\System\KdPJvgO.exe

Filesize
5.2MB

MD5
e990e3f5ba7f4b6527396e4d67c530f9

SHA1
89fba3dea290f9cf22bf5e08da90c9b4dae5dc81

SHA256
9e97d9180a5d46481c91509f006947da15b97c9e27e924d3740adf5a4f2cba96

SHA512
12a67828a0ab9def4dc4a20e33c4d2dcd2b36a3b947cfb09b9a5e3dc77fb868756d161c17b91674df53dae22726174aad816cfcaf9d9e1358c18e1f9e5782d38

Download Submit
C:\Windows\System\LMebVoO.exe

Filesize
5.2MB

MD5
4327fc721fb667fde5017a974d96d78c

SHA1
e5783e42e6a2792af48177b46e383fd8e300100d

SHA256
f9d2426752f910a36a1bfbb025362ecb6dc3423bb42e5f3cb45953f1c06d9956

SHA512
3c1bce44804d2703d71ab4ad68bfc4cc6533622547836d93704f51357687881f7911d9b3429146e4618c16c0c773992dd139083408d11b89428824e4bb1d0c13

Download Submit
C:\Windows\System\LodYvpk.exe

Filesize
5.2MB

MD5
147bac44fb1df0cd5a0734cdc9ef795f

SHA1
1911b9c24ed55080504752f58391c3382aa615cc

SHA256
64bcba511daa11389e653867cae9c1e01d1afc7ae954b0759dbed44fef2609de

SHA512
d2c4a00fd87b057c0fffba96d3b87955e849abae7c7dcd097e638f2c3bacf64a355cb893d8b65e86475a33080b20509792ab5bb5d9c3ad7c9714ae513a275530

Download Submit
C:\Windows\System\PJmaunV.exe

Filesize
5.2MB

MD5
7f736bab1a8692e3745e704b9b4767d1

SHA1
e0a64280929e363f5084611ddcf434d487b16b81

SHA256
b571c1f27db4791a0852f6ea70193292e1a1e112a1b666ab90d406fc4a009b6f

SHA512
5b2d901854e6188ffbefd13b52baf9de8b3f74e6a8c14e1287344051772be1ec4c3ba795918fd69fa52ead8777375cdf26a7407308b201c71e25c01c2872c559

Download Submit
C:\Windows\System\WYeGapo.exe

Filesize
5.2MB

MD5
da16235f18402040e92832ac6706671c

SHA1
96f0fa180a71e7b6d8bcb97aa97f0ada413f1b62

SHA256
a366db6405c5b3d9b1dd769356d00712778361e7df7bc928c7fac24d91f03028

SHA512
19863f54cd78204ef3a58ae9a333f24df0662abc10bb654c50507a7c59077df9ea47f7fba0d303fd13e15a19e19fac4ae1ab7d58d245b4e1b375e93bd0d447a8

Download Submit
C:\Windows\System\WxSzBye.exe

Filesize
5.2MB

MD5
262c666581322113b3b736c0402c8b10

SHA1
089ec0821a3039635a6cddaaea063841533f219d

SHA256
430e36d7fc02451920380d45fcd006fdcb508bb19fd63715ac67efa0df11b925

SHA512
f83752d5108bbea8c020f9d6267ca1da83aa9aff9753ea3304e150b91c19a2296e81c879a39bfe1f5d5e642041d2b500077bc9c51acf438650729e6c2df58016

Download Submit
C:\Windows\System\YrdXueD.exe

Filesize
5.2MB

MD5
e6ac8635a6f7dec965d35b0fe40c35be

SHA1
6babb9367cb544cfeb412d999a873d013d9312f2

SHA256
6e7a75c16dda75111857a0a1ccd2a0ae859a052b817440a80ad34d2dd18ce048

SHA512
0896bed5a9743b48b68e54d4142ded824a5c56a8a20a1a3cdc53a3529446ce206471115b9b0884dfcfa15cf09e33a11ad5b61113c33078e2fc178710a0a9c70f

Download Submit
C:\Windows\System\ZBzfhrw.exe

Filesize
5.2MB

MD5
5b0f3589ade9317e77c7c3b093575d9b

SHA1
74e3ced10fba83d879b4fbf4225734133692b572

SHA256
11890df6d8cb69218718afe5c2ef906204d993f841044654c87b46176b505a72

SHA512
49c1700fafa4a674122daff0bc6212e521fdeda57a7fdea8f35ae5bddede9c8fa918124e72bfc740395f79c8c35ee2e14e7eac40de361a54d5ee11cf1432ec9d

Download Submit
C:\Windows\System\cCJsiNw.exe

Filesize
5.2MB

MD5
7242138406762f59197e9d73676ad7fa

SHA1
5e147d7dc227391a0f4651745cf8cfaea22c1ee6

SHA256
fdec60f1eb0218af7b0d185094845860a7ca6c2227fde1f8bae9cf23b3026efe

SHA512
3ca62b8b2a96b1245c329b291fde57ed5a378794b6bb13023aef6b5d6612517f196046b3d5956fab33d44cf12b798ab64f012165b0e3b75f6f49da9446da2941

Download Submit
C:\Windows\System\divCIBE.exe

Filesize
5.2MB

MD5
3e02005a53ad40376e8b02bd688350a7

SHA1
4f58720af59c65e36eb63af2cc4dabd553ecc65a

SHA256
47759e10bb8c9287a15cf802e069e4bba9a0b297927ede1fb7e031f9e32d845e

SHA512
0b11e1e303653190c02ac8a444b4fc251ba120c055e9270282bdd87e2c0bf2125f0bec6d6b483312c6ee402ff6f9e7b582ccb81089a437337df97048a3bf675c

Download Submit
C:\Windows\System\jDcIAlL.exe

Filesize
5.2MB

MD5
11a9105597421da6a4720eef7f5b11b3

SHA1
abcbf2a8f757ceb8f189a3a3e149de626e138051

SHA256
b1cd2ec094514f703afad3210572f88a3b5135df4648dc1872937d617a4480ed

SHA512
73580d5af9eda1da050dc3b3600819cc966014e71799e559c0a62525f5121625be8537a2ea7636955bab21a9e14ffeb9b700dff8b33d22591bc616fd192f0c0d

Download Submit
C:\Windows\System\lcZOdTG.exe

Filesize
5.2MB

MD5
c4bcdd41fe7e9aa67642c5a31eef53b7

SHA1
feb131361016f2559eb901ba595c45abe063a247

SHA256
b92b905a10991c99ac0a8e35c552777bdfd29909b70100b9c751223c1cbbfdf0

SHA512
825ff38348cb98db1fbbc76bcee2d9dc9e679325a1c2ca1baf38ede1deef8ee2efa5a35092066f7f80a669977292ebc927a46799f6ed889a38158a69a8341c52

Download Submit
C:\Windows\System\mmivQKI.exe

Filesize
5.2MB

MD5
aa0b186005a7b22d248ff5cb9574026d

SHA1
2215fbd90a1bc87a0a66f302d8e7f6f2d92ee046

SHA256
a01b37074a640b11c1da0178a8b7f417e592008998c17102825816f16ce9f81d

SHA512
96a88f807b4ba28b103b9f033d2f4a17b1b28560bf42060149dadfa05c51ff7f447c8590630c721d4f641dc75748cad061515c6161917ca891fb013fd1954eb7

Download Submit
C:\Windows\System\ywgUCEt.exe

Filesize
5.2MB

MD5
a05535677db6796dccc35c1479012d47

SHA1
3b1ee23e829038991780ac299910794ba5d3d6f6

SHA256
41eae265040828ecac13da605bf301011b770ad7d1b5061149d51027eb869077

SHA512
58b98008236d1e971608cb5778ea78ee1b2ca57b938fd7c6af37939e254952b8e04d9d528a7577cc69668f0126ac7a396bc57dc1a26f83e2f0e6e668906d16a3

Download Submit
memory/692-140-0x00007FF7E95B0000-0x00007FF7E9901000-memory.dmp

Filesize
3.3MB

Download
memory/692-246-0x00007FF7E95B0000-0x00007FF7E9901000-memory.dmp

Filesize
3.3MB

Download
memory/1356-137-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp

Filesize
3.3MB

Download
memory/1356-219-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp

Filesize
3.3MB

Download
memory/1356-36-0x00007FF6847C0000-0x00007FF684B11000-memory.dmp

Filesize
3.3MB

Download
memory/1436-151-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp

Filesize
3.3MB

Download
memory/1436-103-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp

Filesize
3.3MB

Download
memory/1436-240-0x00007FF6039C0000-0x00007FF603D11000-memory.dmp

Filesize
3.3MB

Download
memory/1612-86-0x00007FF7B5ED0000-0x00007FF7B6221000-memory.dmp

Filesize
3.3MB

Download
memory/1612-234-0x00007FF7B5ED0000-0x00007FF7B6221000-memory.dmp

Filesize
3.3MB

Download
memory/1672-152-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp

Filesize
3.3MB

Download
memory/1672-107-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp

Filesize
3.3MB

Download
memory/1672-239-0x00007FF7DE5D0000-0x00007FF7DE921000-memory.dmp

Filesize
3.3MB

Download
memory/1872-26-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp

Filesize
3.3MB

Download
memory/1872-100-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp

Filesize
3.3MB

Download
memory/1872-211-0x00007FF730BC0000-0x00007FF730F11000-memory.dmp

Filesize
3.3MB

Download
memory/2160-7-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-74-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-202-0x00007FF7ACC60000-0x00007FF7ACFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-42-0x00007FF674D30000-0x00007FF675081000-memory.dmp

Filesize
3.3MB

Download
memory/3064-221-0x00007FF674D30000-0x00007FF675081000-memory.dmp

Filesize
3.3MB

Download
memory/3064-138-0x00007FF674D30000-0x00007FF675081000-memory.dmp

Filesize
3.3MB

Download
memory/3088-142-0x00007FF730520000-0x00007FF730871000-memory.dmp

Filesize
3.3MB

Download
memory/3088-248-0x00007FF730520000-0x00007FF730871000-memory.dmp

Filesize
3.3MB

Download
memory/3092-19-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp

Filesize
3.3MB

Download
memory/3092-87-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp

Filesize
3.3MB

Download
memory/3092-209-0x00007FF7D6B30000-0x00007FF7D6E81000-memory.dmp

Filesize
3.3MB

Download
memory/3300-149-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-88-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-237-0x00007FF6DCD50000-0x00007FF6DD0A1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-228-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-69-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-79-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-207-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-12-0x00007FF7AFDA0000-0x00007FF7B00F1000-memory.dmp

Filesize
3.3MB

Download
memory/3832-224-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp

Filesize
3.3MB

Download
memory/3832-143-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp

Filesize
3.3MB

Download
memory/3832-50-0x00007FF78A9E0000-0x00007FF78AD31000-memory.dmp

Filesize
3.3MB

Download
memory/3952-141-0x00007FF7B6CF0000-0x00007FF7B7041000-memory.dmp

Filesize
3.3MB

Download
memory/3952-244-0x00007FF7B6CF0000-0x00007FF7B7041000-memory.dmp

Filesize
3.3MB

Download
memory/3992-76-0x00007FF78C800000-0x00007FF78CB51000-memory.dmp

Filesize
3.3MB

Download
memory/3992-230-0x00007FF78C800000-0x00007FF78CB51000-memory.dmp

Filesize
3.3MB

Download
memory/4056-226-0x00007FF690810000-0x00007FF690B61000-memory.dmp

Filesize
3.3MB

Download
memory/4056-55-0x00007FF690810000-0x00007FF690B61000-memory.dmp

Filesize
3.3MB

Download
memory/4056-144-0x00007FF690810000-0x00007FF690B61000-memory.dmp

Filesize
3.3MB

Download
memory/4072-217-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp

Filesize
3.3MB

Download
memory/4072-32-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp

Filesize
3.3MB

Download
memory/4072-106-0x00007FF6DA020000-0x00007FF6DA371000-memory.dmp

Filesize
3.3MB

Download
memory/4104-129-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp

Filesize
3.3MB

Download
memory/4104-64-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp

Filesize
3.3MB

Download
memory/4104-1-0x0000018041350000-0x0000018041360000-memory.dmp

Filesize
64KB

Download
memory/4104-157-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp

Filesize
3.3MB

Download
memory/4104-0-0x00007FF7C5530000-0x00007FF7C5881000-memory.dmp

Filesize
3.3MB

Download
memory/4488-232-0x00007FF696560000-0x00007FF6968B1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-147-0x00007FF696560000-0x00007FF6968B1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-77-0x00007FF696560000-0x00007FF6968B1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-139-0x00007FF79DE80000-0x00007FF79E1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-243-0x00007FF79DE80000-0x00007FF79E1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-102-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp

Filesize
3.3MB

Download
memory/4980-150-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp

Filesize
3.3MB

Download
memory/4980-252-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp

Filesize
3.3MB

Download