cobaltstrike | 13dfd72e64b69083fb2ffe8aa1bdd77e86d42a64571abcd6ca15341b6ba78292

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

ece0c0ed1f879feceb90e1e7e9499bc5
SHA1

6516a5c1d0b4d00465532c8d84f47c917eef87e0
SHA256

13dfd72e64b69083fb2ffe8aa1bdd77e86d42a64571abcd6ca15341b6ba78292
SHA512

457629ac9bc2336e1cafa6018e6158861e8849241d0e8f8d71ec5435114797790d0122b63d22b71299fbe6026bd62791d1fd49e3600ffb8f0b89c685383034c9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\rwHxlxC.exe	cobalt_reflective_dll
C:\Windows\System\nrXairq.exe	cobalt_reflective_dll
C:\Windows\System\XMuBVkN.exe	cobalt_reflective_dll
C:\Windows\System\oyCkHRq.exe	cobalt_reflective_dll
C:\Windows\System\iofNCyc.exe	cobalt_reflective_dll
C:\Windows\System\rlLNOSj.exe	cobalt_reflective_dll
C:\Windows\System\DVfhxRd.exe	cobalt_reflective_dll
C:\Windows\System\gyvqPZY.exe	cobalt_reflective_dll
C:\Windows\System\tdWolJW.exe	cobalt_reflective_dll
C:\Windows\System\xWZAued.exe	cobalt_reflective_dll
C:\Windows\System\phlVoKL.exe	cobalt_reflective_dll
C:\Windows\System\pwaakFY.exe	cobalt_reflective_dll
C:\Windows\System\wNcGrCx.exe	cobalt_reflective_dll
C:\Windows\System\YTVFMgn.exe	cobalt_reflective_dll
C:\Windows\System\rdCEsGt.exe	cobalt_reflective_dll
C:\Windows\System\sQijemI.exe	cobalt_reflective_dll
C:\Windows\System\gkNmKGU.exe	cobalt_reflective_dll
C:\Windows\System\lrSYntb.exe	cobalt_reflective_dll
C:\Windows\System\lxCpuyS.exe	cobalt_reflective_dll
C:\Windows\System\oVrCZfB.exe	cobalt_reflective_dll
C:\Windows\System\mhyYzEs.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\rwHxlxC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nrXairq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XMuBVkN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oyCkHRq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iofNCyc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rlLNOSj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DVfhxRd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gyvqPZY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tdWolJW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xWZAued.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\phlVoKL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pwaakFY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wNcGrCx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YTVFMgn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rdCEsGt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sQijemI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gkNmKGU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lrSYntb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lxCpuyS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oVrCZfB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mhyYzEs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4380-0-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	UPX
C:\Windows\System\rwHxlxC.exe	UPX
C:\Windows\System\nrXairq.exe	UPX
C:\Windows\System\XMuBVkN.exe	UPX
C:\Windows\System\oyCkHRq.exe	UPX
C:\Windows\System\iofNCyc.exe	UPX
behavioral2/memory/2568-24-0x00007FF6847A0000-0x00007FF684AF1000-memory.dmp	UPX
behavioral2/memory/3804-21-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp	UPX
behavioral2/memory/1636-13-0x00007FF74DC50000-0x00007FF74DFA1000-memory.dmp	UPX
C:\Windows\System\rlLNOSj.exe	UPX
behavioral2/memory/3868-42-0x00007FF759220000-0x00007FF759571000-memory.dmp	UPX
behavioral2/memory/3516-43-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp	UPX
C:\Windows\System\DVfhxRd.exe	UPX
behavioral2/memory/3684-30-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	UPX
behavioral2/memory/4604-54-0x00007FF6C9F20000-0x00007FF6CA271000-memory.dmp	UPX
C:\Windows\System\gyvqPZY.exe	UPX
behavioral2/memory/4284-57-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp	UPX
behavioral2/memory/4108-56-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp	UPX
C:\Windows\System\tdWolJW.exe	UPX
C:\Windows\System\xWZAued.exe	UPX
behavioral2/memory/456-68-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp	UPX
C:\Windows\System\phlVoKL.exe	UPX
behavioral2/memory/3268-84-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp	UPX
behavioral2/memory/3136-87-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp	UPX
C:\Windows\System\pwaakFY.exe	UPX
C:\Windows\System\wNcGrCx.exe	UPX
C:\Windows\System\YTVFMgn.exe	UPX
C:\Windows\System\rdCEsGt.exe	UPX
C:\Windows\System\sQijemI.exe	UPX
C:\Windows\System\gkNmKGU.exe	UPX
C:\Windows\System\lrSYntb.exe	UPX
behavioral2/memory/2288-106-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp	UPX
C:\Windows\System\lxCpuyS.exe	UPX
behavioral2/memory/4380-92-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	UPX
behavioral2/memory/4552-79-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	UPX
C:\Windows\System\oVrCZfB.exe	UPX
C:\Windows\System\mhyYzEs.exe	UPX
behavioral2/memory/3736-62-0x00007FF75C990000-0x00007FF75CCE1000-memory.dmp	UPX
behavioral2/memory/2968-124-0x00007FF6B5BB0000-0x00007FF6B5F01000-memory.dmp	UPX
behavioral2/memory/4988-123-0x00007FF6F8980000-0x00007FF6F8CD1000-memory.dmp	UPX
behavioral2/memory/1160-125-0x00007FF718810000-0x00007FF718B61000-memory.dmp	UPX
behavioral2/memory/400-126-0x00007FF79D100000-0x00007FF79D451000-memory.dmp	UPX
behavioral2/memory/4828-127-0x00007FF6D2840000-0x00007FF6D2B91000-memory.dmp	UPX
behavioral2/memory/2756-129-0x00007FF605CE0000-0x00007FF606031000-memory.dmp	UPX
behavioral2/memory/3804-128-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp	UPX
behavioral2/memory/4380-130-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	UPX
behavioral2/memory/3868-135-0x00007FF759220000-0x00007FF759571000-memory.dmp	UPX
behavioral2/memory/3516-137-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp	UPX
behavioral2/memory/4552-142-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	UPX
behavioral2/memory/456-141-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp	UPX
behavioral2/memory/3136-145-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp	UPX
behavioral2/memory/4284-140-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp	UPX
behavioral2/memory/4108-139-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp	UPX
behavioral2/memory/3268-143-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp	UPX
behavioral2/memory/3684-134-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	UPX
behavioral2/memory/4380-152-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	UPX
behavioral2/memory/1636-197-0x00007FF74DC50000-0x00007FF74DFA1000-memory.dmp	UPX
behavioral2/memory/3804-213-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp	UPX
behavioral2/memory/2568-215-0x00007FF6847A0000-0x00007FF684AF1000-memory.dmp	UPX
behavioral2/memory/3868-217-0x00007FF759220000-0x00007FF759571000-memory.dmp	UPX
behavioral2/memory/4604-221-0x00007FF6C9F20000-0x00007FF6CA271000-memory.dmp	UPX
behavioral2/memory/3684-220-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	UPX
behavioral2/memory/3516-223-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp	UPX
behavioral2/memory/4108-226-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2568-24-0x00007FF6847A0000-0x00007FF684AF1000-memory.dmp	xmrig
behavioral2/memory/1636-13-0x00007FF74DC50000-0x00007FF74DFA1000-memory.dmp	xmrig
behavioral2/memory/4604-54-0x00007FF6C9F20000-0x00007FF6CA271000-memory.dmp	xmrig
behavioral2/memory/2288-106-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp	xmrig
behavioral2/memory/4380-92-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	xmrig
behavioral2/memory/3736-62-0x00007FF75C990000-0x00007FF75CCE1000-memory.dmp	xmrig
behavioral2/memory/2968-124-0x00007FF6B5BB0000-0x00007FF6B5F01000-memory.dmp	xmrig
behavioral2/memory/4988-123-0x00007FF6F8980000-0x00007FF6F8CD1000-memory.dmp	xmrig
behavioral2/memory/1160-125-0x00007FF718810000-0x00007FF718B61000-memory.dmp	xmrig
behavioral2/memory/400-126-0x00007FF79D100000-0x00007FF79D451000-memory.dmp	xmrig
behavioral2/memory/4828-127-0x00007FF6D2840000-0x00007FF6D2B91000-memory.dmp	xmrig
behavioral2/memory/2756-129-0x00007FF605CE0000-0x00007FF606031000-memory.dmp	xmrig
behavioral2/memory/3804-128-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp	xmrig
behavioral2/memory/4380-130-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	xmrig
behavioral2/memory/3868-135-0x00007FF759220000-0x00007FF759571000-memory.dmp	xmrig
behavioral2/memory/3516-137-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp	xmrig
behavioral2/memory/4552-142-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	xmrig
behavioral2/memory/456-141-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp	xmrig
behavioral2/memory/3136-145-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp	xmrig
behavioral2/memory/4284-140-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp	xmrig
behavioral2/memory/4108-139-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp	xmrig
behavioral2/memory/3268-143-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp	xmrig
behavioral2/memory/3684-134-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	xmrig
behavioral2/memory/4380-152-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	xmrig
behavioral2/memory/1636-197-0x00007FF74DC50000-0x00007FF74DFA1000-memory.dmp	xmrig
behavioral2/memory/3804-213-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp	xmrig
behavioral2/memory/2568-215-0x00007FF6847A0000-0x00007FF684AF1000-memory.dmp	xmrig
behavioral2/memory/3868-217-0x00007FF759220000-0x00007FF759571000-memory.dmp	xmrig
behavioral2/memory/4604-221-0x00007FF6C9F20000-0x00007FF6CA271000-memory.dmp	xmrig
behavioral2/memory/3684-220-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	xmrig
behavioral2/memory/3516-223-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp	xmrig
behavioral2/memory/4108-226-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp	xmrig
behavioral2/memory/3736-227-0x00007FF75C990000-0x00007FF75CCE1000-memory.dmp	xmrig
behavioral2/memory/4284-229-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp	xmrig
behavioral2/memory/4552-233-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	xmrig
behavioral2/memory/456-232-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp	xmrig
behavioral2/memory/4988-244-0x00007FF6F8980000-0x00007FF6F8CD1000-memory.dmp	xmrig
behavioral2/memory/2968-249-0x00007FF6B5BB0000-0x00007FF6B5F01000-memory.dmp	xmrig
behavioral2/memory/400-251-0x00007FF79D100000-0x00007FF79D451000-memory.dmp	xmrig
behavioral2/memory/4828-247-0x00007FF6D2840000-0x00007FF6D2B91000-memory.dmp	xmrig
behavioral2/memory/1160-242-0x00007FF718810000-0x00007FF718B61000-memory.dmp	xmrig
behavioral2/memory/2288-238-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp	xmrig
behavioral2/memory/2756-246-0x00007FF605CE0000-0x00007FF606031000-memory.dmp	xmrig
behavioral2/memory/3136-240-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp	xmrig
behavioral2/memory/3268-236-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

rwHxlxC.exenrXairq.exeXMuBVkN.exeiofNCyc.exeoyCkHRq.exeDVfhxRd.exerlLNOSj.exexWZAued.exegyvqPZY.exetdWolJW.exemhyYzEs.exeoVrCZfB.exephlVoKL.exepwaakFY.exelxCpuyS.exelrSYntb.exegkNmKGU.exesQijemI.exewNcGrCx.exerdCEsGt.exeYTVFMgn.exe

pid	process
1636	rwHxlxC.exe
3804	nrXairq.exe
2568	XMuBVkN.exe
3684	iofNCyc.exe
3868	oyCkHRq.exe
4604	DVfhxRd.exe
3516	rlLNOSj.exe
3736	xWZAued.exe
4108	gyvqPZY.exe
4284	tdWolJW.exe
456	mhyYzEs.exe
4552	oVrCZfB.exe
3268	phlVoKL.exe
2288	pwaakFY.exe
3136	lxCpuyS.exe
4828	lrSYntb.exe
4988	gkNmKGU.exe
2968	sQijemI.exe
2756	wNcGrCx.exe
1160	rdCEsGt.exe
400	YTVFMgn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4380-0-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	upx
C:\Windows\System\rwHxlxC.exe	upx
C:\Windows\System\nrXairq.exe	upx
C:\Windows\System\XMuBVkN.exe	upx
C:\Windows\System\oyCkHRq.exe	upx
C:\Windows\System\iofNCyc.exe	upx
behavioral2/memory/2568-24-0x00007FF6847A0000-0x00007FF684AF1000-memory.dmp	upx
behavioral2/memory/3804-21-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp	upx
behavioral2/memory/1636-13-0x00007FF74DC50000-0x00007FF74DFA1000-memory.dmp	upx
C:\Windows\System\rlLNOSj.exe	upx
behavioral2/memory/3868-42-0x00007FF759220000-0x00007FF759571000-memory.dmp	upx
behavioral2/memory/3516-43-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp	upx
C:\Windows\System\DVfhxRd.exe	upx
behavioral2/memory/3684-30-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	upx
behavioral2/memory/4604-54-0x00007FF6C9F20000-0x00007FF6CA271000-memory.dmp	upx
C:\Windows\System\gyvqPZY.exe	upx
behavioral2/memory/4284-57-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp	upx
behavioral2/memory/4108-56-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp	upx
C:\Windows\System\tdWolJW.exe	upx
C:\Windows\System\xWZAued.exe	upx
behavioral2/memory/456-68-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp	upx
C:\Windows\System\phlVoKL.exe	upx
behavioral2/memory/3268-84-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp	upx
behavioral2/memory/3136-87-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp	upx
C:\Windows\System\pwaakFY.exe	upx
C:\Windows\System\wNcGrCx.exe	upx
C:\Windows\System\YTVFMgn.exe	upx
C:\Windows\System\rdCEsGt.exe	upx
C:\Windows\System\sQijemI.exe	upx
C:\Windows\System\gkNmKGU.exe	upx
C:\Windows\System\lrSYntb.exe	upx
behavioral2/memory/2288-106-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp	upx
C:\Windows\System\lxCpuyS.exe	upx
behavioral2/memory/4380-92-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	upx
behavioral2/memory/4552-79-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	upx
C:\Windows\System\oVrCZfB.exe	upx
C:\Windows\System\mhyYzEs.exe	upx
behavioral2/memory/3736-62-0x00007FF75C990000-0x00007FF75CCE1000-memory.dmp	upx
behavioral2/memory/2968-124-0x00007FF6B5BB0000-0x00007FF6B5F01000-memory.dmp	upx
behavioral2/memory/4988-123-0x00007FF6F8980000-0x00007FF6F8CD1000-memory.dmp	upx
behavioral2/memory/1160-125-0x00007FF718810000-0x00007FF718B61000-memory.dmp	upx
behavioral2/memory/400-126-0x00007FF79D100000-0x00007FF79D451000-memory.dmp	upx
behavioral2/memory/4828-127-0x00007FF6D2840000-0x00007FF6D2B91000-memory.dmp	upx
behavioral2/memory/2756-129-0x00007FF605CE0000-0x00007FF606031000-memory.dmp	upx
behavioral2/memory/3804-128-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp	upx
behavioral2/memory/4380-130-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	upx
behavioral2/memory/3868-135-0x00007FF759220000-0x00007FF759571000-memory.dmp	upx
behavioral2/memory/3516-137-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp	upx
behavioral2/memory/4552-142-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	upx
behavioral2/memory/456-141-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp	upx
behavioral2/memory/3136-145-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp	upx
behavioral2/memory/4284-140-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp	upx
behavioral2/memory/4108-139-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp	upx
behavioral2/memory/3268-143-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp	upx
behavioral2/memory/3684-134-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	upx
behavioral2/memory/4380-152-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp	upx
behavioral2/memory/1636-197-0x00007FF74DC50000-0x00007FF74DFA1000-memory.dmp	upx
behavioral2/memory/3804-213-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp	upx
behavioral2/memory/2568-215-0x00007FF6847A0000-0x00007FF684AF1000-memory.dmp	upx
behavioral2/memory/3868-217-0x00007FF759220000-0x00007FF759571000-memory.dmp	upx
behavioral2/memory/4604-221-0x00007FF6C9F20000-0x00007FF6CA271000-memory.dmp	upx
behavioral2/memory/3684-220-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	upx
behavioral2/memory/3516-223-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp	upx
behavioral2/memory/4108-226-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\oyCkHRq.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mhyYzEs.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lxCpuyS.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sQijemI.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rwHxlxC.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iofNCyc.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\phlVoKL.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nrXairq.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rlLNOSj.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xWZAued.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gyvqPZY.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tdWolJW.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oVrCZfB.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lrSYntb.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gkNmKGU.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DVfhxRd.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wNcGrCx.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pwaakFY.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YTVFMgn.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rdCEsGt.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XMuBVkN.exe	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4380 wrote to memory of 1636	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	rwHxlxC.exe
PID 4380 wrote to memory of 1636	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	rwHxlxC.exe
PID 4380 wrote to memory of 3804	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	nrXairq.exe
PID 4380 wrote to memory of 3804	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	nrXairq.exe
PID 4380 wrote to memory of 2568	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	XMuBVkN.exe
PID 4380 wrote to memory of 2568	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	XMuBVkN.exe
PID 4380 wrote to memory of 3684	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	iofNCyc.exe
PID 4380 wrote to memory of 3684	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	iofNCyc.exe
PID 4380 wrote to memory of 3868	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	oyCkHRq.exe
PID 4380 wrote to memory of 3868	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	oyCkHRq.exe
PID 4380 wrote to memory of 4604	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	DVfhxRd.exe
PID 4380 wrote to memory of 4604	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	DVfhxRd.exe
PID 4380 wrote to memory of 3516	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	rlLNOSj.exe
PID 4380 wrote to memory of 3516	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	rlLNOSj.exe
PID 4380 wrote to memory of 3736	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	xWZAued.exe
PID 4380 wrote to memory of 3736	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	xWZAued.exe
PID 4380 wrote to memory of 4108	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	gyvqPZY.exe
PID 4380 wrote to memory of 4108	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	gyvqPZY.exe
PID 4380 wrote to memory of 4284	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	tdWolJW.exe
PID 4380 wrote to memory of 4284	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	tdWolJW.exe
PID 4380 wrote to memory of 456	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	mhyYzEs.exe
PID 4380 wrote to memory of 456	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	mhyYzEs.exe
PID 4380 wrote to memory of 4552	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	oVrCZfB.exe
PID 4380 wrote to memory of 4552	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	oVrCZfB.exe
PID 4380 wrote to memory of 3268	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	phlVoKL.exe
PID 4380 wrote to memory of 3268	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	phlVoKL.exe
PID 4380 wrote to memory of 2288	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	pwaakFY.exe
PID 4380 wrote to memory of 2288	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	pwaakFY.exe
PID 4380 wrote to memory of 3136	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	lxCpuyS.exe
PID 4380 wrote to memory of 3136	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	lxCpuyS.exe
PID 4380 wrote to memory of 4828	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	lrSYntb.exe
PID 4380 wrote to memory of 4828	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	lrSYntb.exe
PID 4380 wrote to memory of 4988	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	gkNmKGU.exe
PID 4380 wrote to memory of 4988	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	gkNmKGU.exe
PID 4380 wrote to memory of 2968	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	sQijemI.exe
PID 4380 wrote to memory of 2968	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	sQijemI.exe
PID 4380 wrote to memory of 400	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	YTVFMgn.exe
PID 4380 wrote to memory of 400	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	YTVFMgn.exe
PID 4380 wrote to memory of 2756	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	wNcGrCx.exe
PID 4380 wrote to memory of 2756	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	wNcGrCx.exe
PID 4380 wrote to memory of 1160	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	rdCEsGt.exe
PID 4380 wrote to memory of 1160	4380	2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe	rdCEsGt.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_ece0c0ed1f879feceb90e1e7e9499bc5_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\System\rwHxlxC.exe
C:\Windows\System\rwHxlxC.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\nrXairq.exe
C:\Windows\System\nrXairq.exe
2⤵
- Executes dropped EXE
PID:3804

C:\Windows\System\XMuBVkN.exe
C:\Windows\System\XMuBVkN.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\iofNCyc.exe
C:\Windows\System\iofNCyc.exe
2⤵
- Executes dropped EXE
PID:3684

C:\Windows\System\oyCkHRq.exe
C:\Windows\System\oyCkHRq.exe
2⤵
- Executes dropped EXE
PID:3868

C:\Windows\System\DVfhxRd.exe
C:\Windows\System\DVfhxRd.exe
2⤵
- Executes dropped EXE
PID:4604

C:\Windows\System\rlLNOSj.exe
C:\Windows\System\rlLNOSj.exe
2⤵
- Executes dropped EXE
PID:3516

C:\Windows\System\xWZAued.exe
C:\Windows\System\xWZAued.exe
2⤵
- Executes dropped EXE
PID:3736

C:\Windows\System\gyvqPZY.exe
C:\Windows\System\gyvqPZY.exe
2⤵
- Executes dropped EXE
PID:4108

C:\Windows\System\tdWolJW.exe
C:\Windows\System\tdWolJW.exe
2⤵
- Executes dropped EXE
PID:4284

C:\Windows\System\mhyYzEs.exe
C:\Windows\System\mhyYzEs.exe
2⤵
- Executes dropped EXE
PID:456

C:\Windows\System\oVrCZfB.exe
C:\Windows\System\oVrCZfB.exe
2⤵
- Executes dropped EXE
PID:4552

C:\Windows\System\phlVoKL.exe
C:\Windows\System\phlVoKL.exe
2⤵
- Executes dropped EXE
PID:3268

C:\Windows\System\pwaakFY.exe
C:\Windows\System\pwaakFY.exe
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\System\lxCpuyS.exe
C:\Windows\System\lxCpuyS.exe
2⤵
- Executes dropped EXE
PID:3136

C:\Windows\System\lrSYntb.exe
C:\Windows\System\lrSYntb.exe
2⤵
- Executes dropped EXE
PID:4828

C:\Windows\System\gkNmKGU.exe
C:\Windows\System\gkNmKGU.exe
2⤵
- Executes dropped EXE
PID:4988

C:\Windows\System\sQijemI.exe
C:\Windows\System\sQijemI.exe
2⤵
- Executes dropped EXE
PID:2968

C:\Windows\System\YTVFMgn.exe
C:\Windows\System\YTVFMgn.exe
2⤵
- Executes dropped EXE
PID:400

C:\Windows\System\wNcGrCx.exe
C:\Windows\System\wNcGrCx.exe
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\System\rdCEsGt.exe
C:\Windows\System\rdCEsGt.exe
2⤵
- Executes dropped EXE
PID:1160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DVfhxRd.exe
Filesize
5.2MB

MD5
2ffd54694f4221a01e304e0e5027de2c

SHA1
b0964c697f8182ee2a4cf582ee58fecf7106ce6d

SHA256
6223100e032f4227c25e60673305e7c8a5c25650dcc298f8646943e8c8d6ce91

SHA512
25882dc767b43a0ad5212727dbf25613adfca2a64841b13af72df084aa381fc1b728f44778024cea99c9e1bf922bcffdbcd1e28a63a56a3b273585ab9c12074a

Download Submit
C:\Windows\System\XMuBVkN.exe
Filesize
5.2MB

MD5
c600abea15d35a00cd44444c082d707f

SHA1
34d0a2d072b2098cba4f02dc0b4af93507194813

SHA256
a65079776dad78438dde465824cfb09e2902f1892aaae3b12227474aa7c82530

SHA512
81c8b4c36c4569425d91c9273eb9a0b4b016965677bdcd9ed184a7b58fbcb87e4649a31d82d88584ee0870cd56425402db75845252fa99b061e1e57825f663b8

Download Submit
C:\Windows\System\YTVFMgn.exe
Filesize
5.2MB

MD5
a99dceb4d4130c3ef2745618ad1e16ec

SHA1
8c04eb61bfcc5e51b169f3bbbc864d7fc8993f6f

SHA256
08c57b428f32550bea3472d86e6ba21e875264bd398bd81bd9c380fcc271ec35

SHA512
3bc58a04b22bd06d40012e14b35e22bacf849c80df9addc7939ea37692dce717a736e91d48db5c288ec9177da3276caea03f6e2f5af4380fceef24abfe3fb9c2

Download Submit
C:\Windows\System\gkNmKGU.exe
Filesize
5.2MB

MD5
1ce8d1836c09592ebeeb979c39177680

SHA1
99e0266c2ba24acfc0224d7e108a436b35f31509

SHA256
f11a783a4dd8b63ca1a0f704c7bb72dbdec3766b108295c443b2656475889cd5

SHA512
234588030a610d6aaac0486f8e4c093e7828f5155177a9a8e348467919199329e5d4ee9c286c98cb84a1f2a577a6e5ff632c2969e8108b164f51256f336a50eb

Download Submit
C:\Windows\System\gyvqPZY.exe
Filesize
5.2MB

MD5
5947cc3e1471e7f9e32d85d4624f45ac

SHA1
05219b1f68244355bb475619eeaa4f77e2038b4b

SHA256
0bf8c1784a6502f7476f8ba05336978255b46c3a2b99926b790618bc50fb632f

SHA512
b6b6acf06707a73d109f7b91b38f1bd6f92e1a793693ec2ce995816ef818a65e6f1c8d1bd35e44730d414810cbf5f4367ad147a41a57c4676ef26851b6fcf7d5

Download Submit
C:\Windows\System\iofNCyc.exe
Filesize
5.2MB

MD5
d2c2dc8954b2538dfab811b7e1c33d10

SHA1
1948d8e0946d602529ed35e9c104c8e44ebdef6a

SHA256
8fa5755d49b5665f374b2eb32bebe3c4c472a76fd9fb506943d433dee4ec91d0

SHA512
bc32678b3a89bc2513653b5613c6e0d5e3d2479a1f82f10a3ef78948ae53dc7895283cfc745501d739c8eb63fc4896761c5749865190c10717af3c78f72ba0bd

Download Submit
C:\Windows\System\lrSYntb.exe
Filesize
5.2MB

MD5
9db894890ba36681b1ff015a2b4a77dd

SHA1
6262572eec3ebe704d9bf95359dbe5bceee16827

SHA256
a28157889ef200555822b021da5817b184f7a673bb8ffa108b644adb43c74766

SHA512
6ef5b62ecbb9f2e8cd86d87b6df21d15cd1d6c7baf2c6349d5496fcdbba481989975c6ff2f1cb208cb4b81abfb6bbd82d7e83c988c1db154cc543d12a01986cb

Download Submit
C:\Windows\System\lxCpuyS.exe
Filesize
5.2MB

MD5
578db64aa6ca060fc122c55f80e8fc70

SHA1
0df70ba43bd7af55eac5ffd0b0012be6b82ddfed

SHA256
5c6b09c2def8d9a25550ad4d73a8810c86df931e6a97e7bddf80d167bcf18ab0

SHA512
d2c1ffa854223599ff83b558e1b2e9de2fc38cd1526f141d1fca940669fce129864cb0eb6adf4e8d33a17f79f50682eda36a13d67f649da8f66b0367e7b0bbdd

Download Submit
C:\Windows\System\mhyYzEs.exe
Filesize
5.2MB

MD5
97821554b48e6bee7b33bbba1dd92f55

SHA1
a44fc25418660ae49abff15a03f9dfed29c68a73

SHA256
b2cfbf3e80a287b409b1a23669f1ea0693f11dc70854f76c6b35108e8fb79381

SHA512
48c12570fac8cafd1e328a4b5832622c47e63c0dacefa4e8d2ab695dbdda8887698fb3b2152cfbe4db2dfb1f61026fe5541fa997ab7f1ff0da822b0a659503ff

Download Submit
C:\Windows\System\nrXairq.exe
Filesize
5.2MB

MD5
8578b47cb80e07a4424a6d397c2d85c2

SHA1
3af095cd7871a5bb8efb2cc2349a7e2cac67d8c2

SHA256
40206ddf8ab740fb4b3f70ce236dc11d3c750f34ce4abfcb4bea83ac1d7e2e45

SHA512
77ebef857c4e65c5e046269a8e546e0eb584b77ce9c5bac19bf83e4fe3ed11cc5f27cbfd7215d7e6653434cb22780a9656ab97abc7532f240b4b59202334c167

Download Submit
C:\Windows\System\oVrCZfB.exe
Filesize
5.2MB

MD5
9a2c97a8165540a4c6a45099a3f4b81d

SHA1
74bf48aff095e5dadcb89e210b9dae121bdfc49e

SHA256
f056b3eb93dc072b1657a703fe11fd4342ff56c6bc697a46b6758b83a6b8cf0a

SHA512
22d6317cac6a7efcbb9ede158a10f559786d74ae5fa2e43b59412e5ddb020b41d52b887eecd24278c785ad6a6ec285ee31766edda578c9217095a241976b81c6

Download Submit
C:\Windows\System\oyCkHRq.exe
Filesize
5.2MB

MD5
8094fd069401ae094856412bf795000e

SHA1
5ded3cac959ca7bc99f9e80c1bc3f6bf875039da

SHA256
65cba3c6cef3018a76a4421d203cd409ac29da51c8f2e65da5cb2f055c3cba5f

SHA512
2967ab8f038e842ac615b7db9a0bedbdf483681f7d89158410cc3dbcf9a203d02044e376d220c4e770138afeea42b1bdbbf5b61db6f921a06d5475a2bd9d8345

Download Submit
C:\Windows\System\phlVoKL.exe
Filesize
5.2MB

MD5
0ef995a9bb0245f70d99aa9b80e5d899

SHA1
8b12739be806262e4b73a3cd37f3e58a75609571

SHA256
2a776458b58da627256a816a7e75357681a8cb869d65fee944aa1998f92fdcfd

SHA512
c00fdfc094651f664aaf345b515cb43a4435280b2c81d2b40533124e4a7dceb86ca10a92ddd6080a5de3f5e9f3012f3408fbf698b1304d4b9d321e305e322b3b

Download Submit
C:\Windows\System\pwaakFY.exe
Filesize
5.2MB

MD5
50903a251e6f751595a1a6209dcbb398

SHA1
fc4e4fbeec8f83c5c9c461a35c806c4b5e57708e

SHA256
37eab7633b4694052476d565f8d80c9b76c9b6c40ecdd06cfa5b3329fafd2fb6

SHA512
c2c801ce851b7787c53fa8f3a2541fa7403231ce2e9d680818acca27c9f1867e9f6282c8085589fedbe2de0f3ded200fa328661e4dd4155e3885e9609f160a33

Download Submit
C:\Windows\System\rdCEsGt.exe
Filesize
5.2MB

MD5
31eeb647682d9bbf3bb32f812afef874

SHA1
068eda2cf36c2e6bcdf71b641312b32501abf389

SHA256
ce0c91db58c710744c1131dc5605087c5d13da6725c92cc1e966e709202abf2c

SHA512
21b9c4ad952354c934bbb86c7d3ecceb5bf414f0f9a8f3ef373d84ca50adf32ebb1352f51674a86590c4ac71448ecec7b45202000ed21aa0d51325086d40c169

Download Submit
C:\Windows\System\rlLNOSj.exe
Filesize
5.2MB

MD5
80b2c8c880dc3e0f9c18d6db35fc7ca2

SHA1
91d159e9797ba53d8360308943fc5d9750ba3a28

SHA256
bfc387f853b5a16b1bf9c8cdbb5e5b5c830be86ebe78498890231d3c48130cda

SHA512
bec2aeb0aa748de3b18437aee0c0df88c995189b9a27ff67411ee410cdbc8b03d8938c6193b1cba28e480e28768148c10de43ac0ea4b374c20c4fa2b1330f581

Download Submit
C:\Windows\System\rwHxlxC.exe
Filesize
5.2MB

MD5
6e0cd2343c0e97413a9a6badd9035bcc

SHA1
746d18a183848e5a08eef3dcd0482510f97a0c9f

SHA256
ddb346e96d7cbf3ca115b2e2c7f404359dfa09bd3fa6d5c5c0fbd0e3f596a7f9

SHA512
e0fcf34700191a1fc06e308c9e930e9f5d3267b464c023c522007bd28040f20c62dc7501dbd2a2600575825fdb1a59d6e08012731d86ef3ebd3c6abf1368abd8

Download Submit
C:\Windows\System\sQijemI.exe
Filesize
5.2MB

MD5
b7f22bcd4a17fb8317955c2a14dfa4dc

SHA1
700d035f263ac4963b596ec55bed4ecf52e298dc

SHA256
0b8e83596089a5c787f03e2ca33ad7290793c159ae18c64bbd270d15b98c9fc2

SHA512
6151ed6d344f50b14fe6509164fec5ba7361ce0f36a45af998384c4a6e9b245c549e9e179a1e7a7a53493076972be7ea2f468ff6bf4e43ce0e5338f3899a1dee

Download Submit
C:\Windows\System\tdWolJW.exe
Filesize
5.2MB

MD5
b079535cf0600b99f48f8ad776f95430

SHA1
ac8ff4b021dbebdbf314078303bfcd08ea11017f

SHA256
848cf8ccc7b6bdc8389bb966497688c63bef9ba51aa4af8ff671375806179947

SHA512
245e9db64151e54a39bfbb835fa9c963801e9f9c667d655a03b5f1d2bddbbba6269320c7c5a4beeef862d71401d91be048bd90fbc5aaa0b765511c76451c87e2

Download Submit
C:\Windows\System\wNcGrCx.exe
Filesize
5.2MB

MD5
74da68486074963368a126c73692d600

SHA1
86b8d86c56c8429ef3fb849788f116fe1032bae4

SHA256
f6d7316072f8fa0333ae47aadb81cafe6cdfd564cd4b72c054cd92f7b1947fa9

SHA512
7eff4777db663443c028475675ad7fd7b2c404e50b684f5f0e49aea35034191f5c5259a3e0cc7f87764b50b84c76640801596b6169cac5e14b18dc1a06962b69

Download Submit
C:\Windows\System\xWZAued.exe
Filesize
5.2MB

MD5
acfab0ffc3bf4b00d221c702d8964035

SHA1
ea117e3095ba03c09970a66dda6b6369b5520020

SHA256
1b3318eab1e7f76a43041e18949a7b2a2e83aecf43462b304a977a61bf6734c1

SHA512
87750632c945d17e1c7b432d5d55184e0eb1b769036e061dea77c1b82746d8c20cf9be46c900e92357bcf6033187d8b205834234592165edf5c01ebbf89f5506

Download Submit
memory/400-251-0x00007FF79D100000-0x00007FF79D451000-memory.dmp

Filesize
3.3MB

Download
memory/400-126-0x00007FF79D100000-0x00007FF79D451000-memory.dmp

Filesize
3.3MB

Download
memory/456-141-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp

Filesize
3.3MB

Download
memory/456-68-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp

Filesize
3.3MB

Download
memory/456-232-0x00007FF6E6E50000-0x00007FF6E71A1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-242-0x00007FF718810000-0x00007FF718B61000-memory.dmp

Filesize
3.3MB

Download
memory/1160-125-0x00007FF718810000-0x00007FF718B61000-memory.dmp

Filesize
3.3MB

Download
memory/1636-197-0x00007FF74DC50000-0x00007FF74DFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1636-13-0x00007FF74DC50000-0x00007FF74DFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-238-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp

Filesize
3.3MB

Download
memory/2288-106-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp

Filesize
3.3MB

Download
memory/2568-215-0x00007FF6847A0000-0x00007FF684AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-24-0x00007FF6847A0000-0x00007FF684AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-129-0x00007FF605CE0000-0x00007FF606031000-memory.dmp

Filesize
3.3MB

Download
memory/2756-246-0x00007FF605CE0000-0x00007FF606031000-memory.dmp

Filesize
3.3MB

Download
memory/2968-124-0x00007FF6B5BB0000-0x00007FF6B5F01000-memory.dmp

Filesize
3.3MB

Download
memory/2968-249-0x00007FF6B5BB0000-0x00007FF6B5F01000-memory.dmp

Filesize
3.3MB

Download
memory/3136-240-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp

Filesize
3.3MB

Download
memory/3136-87-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp

Filesize
3.3MB

Download
memory/3136-145-0x00007FF6DF0E0000-0x00007FF6DF431000-memory.dmp

Filesize
3.3MB

Download
memory/3268-236-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-143-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-84-0x00007FF6E8350000-0x00007FF6E86A1000-memory.dmp

Filesize
3.3MB

Download
memory/3516-137-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp

Filesize
3.3MB

Download
memory/3516-223-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp

Filesize
3.3MB

Download
memory/3516-43-0x00007FF7B90E0000-0x00007FF7B9431000-memory.dmp

Filesize
3.3MB

Download
memory/3684-134-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp

Filesize
3.3MB

Download
memory/3684-220-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp

Filesize
3.3MB

Download
memory/3684-30-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp

Filesize
3.3MB

Download
memory/3736-62-0x00007FF75C990000-0x00007FF75CCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-227-0x00007FF75C990000-0x00007FF75CCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3804-128-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp

Filesize
3.3MB

Download
memory/3804-213-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp

Filesize
3.3MB

Download
memory/3804-21-0x00007FF765F90000-0x00007FF7662E1000-memory.dmp

Filesize
3.3MB

Download
memory/3868-42-0x00007FF759220000-0x00007FF759571000-memory.dmp

Filesize
3.3MB

Download
memory/3868-135-0x00007FF759220000-0x00007FF759571000-memory.dmp

Filesize
3.3MB

Download
memory/3868-217-0x00007FF759220000-0x00007FF759571000-memory.dmp

Filesize
3.3MB

Download
memory/4108-139-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp

Filesize
3.3MB

Download
memory/4108-226-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp

Filesize
3.3MB

Download
memory/4108-56-0x00007FF65F4B0000-0x00007FF65F801000-memory.dmp

Filesize
3.3MB

Download
memory/4284-57-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp

Filesize
3.3MB

Download
memory/4284-229-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp

Filesize
3.3MB

Download
memory/4284-140-0x00007FF6E9510000-0x00007FF6E9861000-memory.dmp

Filesize
3.3MB

Download
memory/4380-92-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp

Filesize
3.3MB

Download
memory/4380-1-0x000001BFB5650000-0x000001BFB5660000-memory.dmp

Filesize
64KB

Download
memory/4380-152-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp

Filesize
3.3MB

Download
memory/4380-0-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp

Filesize
3.3MB

Download
memory/4380-130-0x00007FF7EDAE0000-0x00007FF7EDE31000-memory.dmp

Filesize
3.3MB

Download
memory/4552-79-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp

Filesize
3.3MB

Download
memory/4552-233-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp

Filesize
3.3MB

Download
memory/4552-142-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp

Filesize
3.3MB

Download
memory/4604-54-0x00007FF6C9F20000-0x00007FF6CA271000-memory.dmp

Filesize
3.3MB

Download
memory/4604-221-0x00007FF6C9F20000-0x00007FF6CA271000-memory.dmp

Filesize
3.3MB

Download
memory/4828-127-0x00007FF6D2840000-0x00007FF6D2B91000-memory.dmp

Filesize
3.3MB

Download
memory/4828-247-0x00007FF6D2840000-0x00007FF6D2B91000-memory.dmp

Filesize
3.3MB

Download
memory/4988-123-0x00007FF6F8980000-0x00007FF6F8CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-244-0x00007FF6F8980000-0x00007FF6F8CD1000-memory.dmp

Filesize
3.3MB

Download