cobaltstrike | d1ca88bb6b1d8d01c8b090ef65e654b66779606e322ef60527899080aa242720

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

efe30ff2f84fbab3245b804f15f756d9
SHA1

43a65294eb5ce760d92ea74519c6c8f23ade96f3
SHA256

d1ca88bb6b1d8d01c8b090ef65e654b66779606e322ef60527899080aa242720
SHA512

9e5d909525fbfe7cc56830ecfd940e628d664fb00c81a9bb7095617331eb155daa3ea377881a580b6d6366b6ef08c985e1232124fc9066a7c35fd43e08fdd78a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUZ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\SxWlAmg.exe	cobalt_reflective_dll
C:\Windows\System\INeBskX.exe	cobalt_reflective_dll
C:\Windows\System\TqZZZFr.exe	cobalt_reflective_dll
C:\Windows\System\CbeSjCW.exe	cobalt_reflective_dll
C:\Windows\System\EbiRFbl.exe	cobalt_reflective_dll
C:\Windows\System\rEOedGg.exe	cobalt_reflective_dll
C:\Windows\System\uMLOIZa.exe	cobalt_reflective_dll
C:\Windows\System\wlyWVOV.exe	cobalt_reflective_dll
C:\Windows\System\yvRBJwf.exe	cobalt_reflective_dll
C:\Windows\System\wnJvpcS.exe	cobalt_reflective_dll
C:\Windows\System\GFvDjYq.exe	cobalt_reflective_dll
C:\Windows\System\hOUjMOQ.exe	cobalt_reflective_dll
C:\Windows\System\qYrDwLk.exe	cobalt_reflective_dll
C:\Windows\System\gKSyHzY.exe	cobalt_reflective_dll
C:\Windows\System\WrfdpiZ.exe	cobalt_reflective_dll
C:\Windows\System\zoAIudb.exe	cobalt_reflective_dll
C:\Windows\System\efPcdwh.exe	cobalt_reflective_dll
C:\Windows\System\IvXPoJi.exe	cobalt_reflective_dll
C:\Windows\System\hTlwgfg.exe	cobalt_reflective_dll
C:\Windows\System\wIhLoPT.exe	cobalt_reflective_dll
C:\Windows\System\RYydFZI.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\SxWlAmg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\INeBskX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TqZZZFr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CbeSjCW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EbiRFbl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rEOedGg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uMLOIZa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wlyWVOV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yvRBJwf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wnJvpcS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GFvDjYq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hOUjMOQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qYrDwLk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gKSyHzY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WrfdpiZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zoAIudb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\efPcdwh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IvXPoJi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hTlwgfg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wIhLoPT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RYydFZI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3328-0-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	UPX
C:\Windows\System\SxWlAmg.exe	UPX
C:\Windows\System\INeBskX.exe	UPX
C:\Windows\System\TqZZZFr.exe	UPX
behavioral2/memory/3116-20-0x00007FF67D220000-0x00007FF67D571000-memory.dmp	UPX
behavioral2/memory/2592-13-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp	UPX
behavioral2/memory/208-7-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp	UPX
behavioral2/memory/1788-25-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp	UPX
C:\Windows\System\CbeSjCW.exe	UPX
C:\Windows\System\EbiRFbl.exe	UPX
behavioral2/memory/2756-32-0x00007FF67E010000-0x00007FF67E361000-memory.dmp	UPX
C:\Windows\System\rEOedGg.exe	UPX
C:\Windows\System\uMLOIZa.exe	UPX
behavioral2/memory/2904-48-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp	UPX
behavioral2/memory/4820-47-0x00007FF7C5560000-0x00007FF7C58B1000-memory.dmp	UPX
behavioral2/memory/4524-40-0x00007FF792D60000-0x00007FF7930B1000-memory.dmp	UPX
C:\Windows\System\wlyWVOV.exe	UPX
C:\Windows\System\yvRBJwf.exe	UPX
behavioral2/memory/3000-54-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	UPX
C:\Windows\System\wnJvpcS.exe	UPX
behavioral2/memory/3040-59-0x00007FF601490000-0x00007FF6017E1000-memory.dmp	UPX
C:\Windows\System\GFvDjYq.exe	UPX
behavioral2/memory/3328-68-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	UPX
C:\Windows\System\hOUjMOQ.exe	UPX
behavioral2/memory/208-75-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp	UPX
behavioral2/memory/3356-76-0x00007FF7D1DD0000-0x00007FF7D2121000-memory.dmp	UPX
behavioral2/memory/3240-71-0x00007FF696980000-0x00007FF696CD1000-memory.dmp	UPX
C:\Windows\System\qYrDwLk.exe	UPX
C:\Windows\System\gKSyHzY.exe	UPX
C:\Windows\System\WrfdpiZ.exe	UPX
C:\Windows\System\zoAIudb.exe	UPX
C:\Windows\System\efPcdwh.exe	UPX
C:\Windows\System\IvXPoJi.exe	UPX
C:\Windows\System\hTlwgfg.exe	UPX
behavioral2/memory/3768-122-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp	UPX
behavioral2/memory/5040-121-0x00007FF692960000-0x00007FF692CB1000-memory.dmp	UPX
C:\Windows\System\wIhLoPT.exe	UPX
behavioral2/memory/1356-114-0x00007FF724FC0000-0x00007FF725311000-memory.dmp	UPX
behavioral2/memory/4552-107-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp	UPX
behavioral2/memory/2756-102-0x00007FF67E010000-0x00007FF67E361000-memory.dmp	UPX
behavioral2/memory/3176-100-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp	UPX
C:\Windows\System\RYydFZI.exe	UPX
behavioral2/memory/4648-89-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp	UPX
behavioral2/memory/1788-91-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp	UPX
behavioral2/memory/4868-86-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp	UPX
behavioral2/memory/2592-82-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp	UPX
behavioral2/memory/2904-131-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp	UPX
behavioral2/memory/1128-132-0x00007FF66CCD0000-0x00007FF66D021000-memory.dmp	UPX
behavioral2/memory/3000-134-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	UPX
behavioral2/memory/2452-133-0x00007FF7B7A20000-0x00007FF7B7D71000-memory.dmp	UPX
behavioral2/memory/3040-136-0x00007FF601490000-0x00007FF6017E1000-memory.dmp	UPX
behavioral2/memory/3328-135-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	UPX
behavioral2/memory/4868-149-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp	UPX
behavioral2/memory/3176-151-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp	UPX
behavioral2/memory/3768-155-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp	UPX
behavioral2/memory/1356-154-0x00007FF724FC0000-0x00007FF725311000-memory.dmp	UPX
behavioral2/memory/4552-152-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp	UPX
behavioral2/memory/4648-150-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp	UPX
behavioral2/memory/5040-153-0x00007FF692960000-0x00007FF692CB1000-memory.dmp	UPX
behavioral2/memory/3328-158-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	UPX
behavioral2/memory/208-213-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp	UPX
behavioral2/memory/2592-215-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp	UPX
behavioral2/memory/3116-217-0x00007FF67D220000-0x00007FF67D571000-memory.dmp	UPX
behavioral2/memory/1788-219-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3116-20-0x00007FF67D220000-0x00007FF67D571000-memory.dmp	xmrig
behavioral2/memory/2756-32-0x00007FF67E010000-0x00007FF67E361000-memory.dmp	xmrig
behavioral2/memory/4820-47-0x00007FF7C5560000-0x00007FF7C58B1000-memory.dmp	xmrig
behavioral2/memory/4524-40-0x00007FF792D60000-0x00007FF7930B1000-memory.dmp	xmrig
behavioral2/memory/3328-68-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	xmrig
behavioral2/memory/208-75-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp	xmrig
behavioral2/memory/3356-76-0x00007FF7D1DD0000-0x00007FF7D2121000-memory.dmp	xmrig
behavioral2/memory/3240-71-0x00007FF696980000-0x00007FF696CD1000-memory.dmp	xmrig
behavioral2/memory/2756-102-0x00007FF67E010000-0x00007FF67E361000-memory.dmp	xmrig
behavioral2/memory/3176-100-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp	xmrig
behavioral2/memory/1788-91-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp	xmrig
behavioral2/memory/2592-82-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp	xmrig
behavioral2/memory/2904-131-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp	xmrig
behavioral2/memory/1128-132-0x00007FF66CCD0000-0x00007FF66D021000-memory.dmp	xmrig
behavioral2/memory/3000-134-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	xmrig
behavioral2/memory/2452-133-0x00007FF7B7A20000-0x00007FF7B7D71000-memory.dmp	xmrig
behavioral2/memory/3040-136-0x00007FF601490000-0x00007FF6017E1000-memory.dmp	xmrig
behavioral2/memory/3328-135-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	xmrig
behavioral2/memory/4868-149-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp	xmrig
behavioral2/memory/3176-151-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp	xmrig
behavioral2/memory/3768-155-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp	xmrig
behavioral2/memory/1356-154-0x00007FF724FC0000-0x00007FF725311000-memory.dmp	xmrig
behavioral2/memory/4552-152-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp	xmrig
behavioral2/memory/4648-150-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp	xmrig
behavioral2/memory/5040-153-0x00007FF692960000-0x00007FF692CB1000-memory.dmp	xmrig
behavioral2/memory/3328-158-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	xmrig
behavioral2/memory/208-213-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp	xmrig
behavioral2/memory/2592-215-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp	xmrig
behavioral2/memory/3116-217-0x00007FF67D220000-0x00007FF67D571000-memory.dmp	xmrig
behavioral2/memory/1788-219-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp	xmrig
behavioral2/memory/2756-221-0x00007FF67E010000-0x00007FF67E361000-memory.dmp	xmrig
behavioral2/memory/4524-223-0x00007FF792D60000-0x00007FF7930B1000-memory.dmp	xmrig
behavioral2/memory/4820-225-0x00007FF7C5560000-0x00007FF7C58B1000-memory.dmp	xmrig
behavioral2/memory/2904-227-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp	xmrig
behavioral2/memory/3040-229-0x00007FF601490000-0x00007FF6017E1000-memory.dmp	xmrig
behavioral2/memory/3000-231-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	xmrig
behavioral2/memory/3240-233-0x00007FF696980000-0x00007FF696CD1000-memory.dmp	xmrig
behavioral2/memory/3356-235-0x00007FF7D1DD0000-0x00007FF7D2121000-memory.dmp	xmrig
behavioral2/memory/4868-246-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp	xmrig
behavioral2/memory/3176-248-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp	xmrig
behavioral2/memory/4648-250-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp	xmrig
behavioral2/memory/4552-252-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp	xmrig
behavioral2/memory/5040-254-0x00007FF692960000-0x00007FF692CB1000-memory.dmp	xmrig
behavioral2/memory/1356-256-0x00007FF724FC0000-0x00007FF725311000-memory.dmp	xmrig
behavioral2/memory/3768-258-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp	xmrig
behavioral2/memory/1128-260-0x00007FF66CCD0000-0x00007FF66D021000-memory.dmp	xmrig
behavioral2/memory/2452-262-0x00007FF7B7A20000-0x00007FF7B7D71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

SxWlAmg.exeTqZZZFr.exeINeBskX.exeCbeSjCW.exeEbiRFbl.exewlyWVOV.exerEOedGg.exeuMLOIZa.exeyvRBJwf.exewnJvpcS.exeGFvDjYq.exehOUjMOQ.exeqYrDwLk.exegKSyHzY.exeRYydFZI.exeWrfdpiZ.exezoAIudb.exewIhLoPT.exeefPcdwh.exehTlwgfg.exeIvXPoJi.exe

pid	process
208	SxWlAmg.exe
2592	TqZZZFr.exe
3116	INeBskX.exe
1788	CbeSjCW.exe
2756	EbiRFbl.exe
4524	wlyWVOV.exe
4820	rEOedGg.exe
2904	uMLOIZa.exe
3000	yvRBJwf.exe
3040	wnJvpcS.exe
3240	GFvDjYq.exe
3356	hOUjMOQ.exe
4868	qYrDwLk.exe
4648	gKSyHzY.exe
3176	RYydFZI.exe
4552	WrfdpiZ.exe
5040	zoAIudb.exe
1356	wIhLoPT.exe
3768	efPcdwh.exe
1128	hTlwgfg.exe
2452	IvXPoJi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3328-0-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	upx
C:\Windows\System\SxWlAmg.exe	upx
C:\Windows\System\INeBskX.exe	upx
C:\Windows\System\TqZZZFr.exe	upx
behavioral2/memory/3116-20-0x00007FF67D220000-0x00007FF67D571000-memory.dmp	upx
behavioral2/memory/2592-13-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp	upx
behavioral2/memory/208-7-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp	upx
behavioral2/memory/1788-25-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp	upx
C:\Windows\System\CbeSjCW.exe	upx
C:\Windows\System\EbiRFbl.exe	upx
behavioral2/memory/2756-32-0x00007FF67E010000-0x00007FF67E361000-memory.dmp	upx
C:\Windows\System\rEOedGg.exe	upx
C:\Windows\System\uMLOIZa.exe	upx
behavioral2/memory/2904-48-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp	upx
behavioral2/memory/4820-47-0x00007FF7C5560000-0x00007FF7C58B1000-memory.dmp	upx
behavioral2/memory/4524-40-0x00007FF792D60000-0x00007FF7930B1000-memory.dmp	upx
C:\Windows\System\wlyWVOV.exe	upx
C:\Windows\System\yvRBJwf.exe	upx
behavioral2/memory/3000-54-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	upx
C:\Windows\System\wnJvpcS.exe	upx
behavioral2/memory/3040-59-0x00007FF601490000-0x00007FF6017E1000-memory.dmp	upx
C:\Windows\System\GFvDjYq.exe	upx
behavioral2/memory/3328-68-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	upx
C:\Windows\System\hOUjMOQ.exe	upx
behavioral2/memory/208-75-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp	upx
behavioral2/memory/3356-76-0x00007FF7D1DD0000-0x00007FF7D2121000-memory.dmp	upx
behavioral2/memory/3240-71-0x00007FF696980000-0x00007FF696CD1000-memory.dmp	upx
C:\Windows\System\qYrDwLk.exe	upx
C:\Windows\System\gKSyHzY.exe	upx
C:\Windows\System\WrfdpiZ.exe	upx
C:\Windows\System\zoAIudb.exe	upx
C:\Windows\System\efPcdwh.exe	upx
C:\Windows\System\IvXPoJi.exe	upx
C:\Windows\System\hTlwgfg.exe	upx
behavioral2/memory/3768-122-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp	upx
behavioral2/memory/5040-121-0x00007FF692960000-0x00007FF692CB1000-memory.dmp	upx
C:\Windows\System\wIhLoPT.exe	upx
behavioral2/memory/1356-114-0x00007FF724FC0000-0x00007FF725311000-memory.dmp	upx
behavioral2/memory/4552-107-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp	upx
behavioral2/memory/2756-102-0x00007FF67E010000-0x00007FF67E361000-memory.dmp	upx
behavioral2/memory/3176-100-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp	upx
C:\Windows\System\RYydFZI.exe	upx
behavioral2/memory/4648-89-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp	upx
behavioral2/memory/1788-91-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp	upx
behavioral2/memory/4868-86-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp	upx
behavioral2/memory/2592-82-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp	upx
behavioral2/memory/2904-131-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp	upx
behavioral2/memory/1128-132-0x00007FF66CCD0000-0x00007FF66D021000-memory.dmp	upx
behavioral2/memory/3000-134-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	upx
behavioral2/memory/2452-133-0x00007FF7B7A20000-0x00007FF7B7D71000-memory.dmp	upx
behavioral2/memory/3040-136-0x00007FF601490000-0x00007FF6017E1000-memory.dmp	upx
behavioral2/memory/3328-135-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	upx
behavioral2/memory/4868-149-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp	upx
behavioral2/memory/3176-151-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp	upx
behavioral2/memory/3768-155-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp	upx
behavioral2/memory/1356-154-0x00007FF724FC0000-0x00007FF725311000-memory.dmp	upx
behavioral2/memory/4552-152-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp	upx
behavioral2/memory/4648-150-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp	upx
behavioral2/memory/5040-153-0x00007FF692960000-0x00007FF692CB1000-memory.dmp	upx
behavioral2/memory/3328-158-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp	upx
behavioral2/memory/208-213-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp	upx
behavioral2/memory/2592-215-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp	upx
behavioral2/memory/3116-217-0x00007FF67D220000-0x00007FF67D571000-memory.dmp	upx
behavioral2/memory/1788-219-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\SxWlAmg.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TqZZZFr.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EbiRFbl.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GFvDjYq.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\efPcdwh.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IvXPoJi.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CbeSjCW.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qYrDwLk.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RYydFZI.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WrfdpiZ.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\INeBskX.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wlyWVOV.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uMLOIZa.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yvRBJwf.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gKSyHzY.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zoAIudb.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wIhLoPT.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rEOedGg.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wnJvpcS.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hOUjMOQ.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hTlwgfg.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3328 wrote to memory of 208	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	SxWlAmg.exe
PID 3328 wrote to memory of 208	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	SxWlAmg.exe
PID 3328 wrote to memory of 2592	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	TqZZZFr.exe
PID 3328 wrote to memory of 2592	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	TqZZZFr.exe
PID 3328 wrote to memory of 3116	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	INeBskX.exe
PID 3328 wrote to memory of 3116	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	INeBskX.exe
PID 3328 wrote to memory of 1788	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	CbeSjCW.exe
PID 3328 wrote to memory of 1788	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	CbeSjCW.exe
PID 3328 wrote to memory of 2756	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	EbiRFbl.exe
PID 3328 wrote to memory of 2756	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	EbiRFbl.exe
PID 3328 wrote to memory of 4524	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	wlyWVOV.exe
PID 3328 wrote to memory of 4524	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	wlyWVOV.exe
PID 3328 wrote to memory of 4820	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	rEOedGg.exe
PID 3328 wrote to memory of 4820	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	rEOedGg.exe
PID 3328 wrote to memory of 2904	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	uMLOIZa.exe
PID 3328 wrote to memory of 2904	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	uMLOIZa.exe
PID 3328 wrote to memory of 3000	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	yvRBJwf.exe
PID 3328 wrote to memory of 3000	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	yvRBJwf.exe
PID 3328 wrote to memory of 3040	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	wnJvpcS.exe
PID 3328 wrote to memory of 3040	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	wnJvpcS.exe
PID 3328 wrote to memory of 3240	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	GFvDjYq.exe
PID 3328 wrote to memory of 3240	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	GFvDjYq.exe
PID 3328 wrote to memory of 3356	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	hOUjMOQ.exe
PID 3328 wrote to memory of 3356	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	hOUjMOQ.exe
PID 3328 wrote to memory of 4868	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	qYrDwLk.exe
PID 3328 wrote to memory of 4868	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	qYrDwLk.exe
PID 3328 wrote to memory of 4648	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	gKSyHzY.exe
PID 3328 wrote to memory of 4648	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	gKSyHzY.exe
PID 3328 wrote to memory of 3176	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	RYydFZI.exe
PID 3328 wrote to memory of 3176	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	RYydFZI.exe
PID 3328 wrote to memory of 4552	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	WrfdpiZ.exe
PID 3328 wrote to memory of 4552	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	WrfdpiZ.exe
PID 3328 wrote to memory of 5040	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	zoAIudb.exe
PID 3328 wrote to memory of 5040	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	zoAIudb.exe
PID 3328 wrote to memory of 1356	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	wIhLoPT.exe
PID 3328 wrote to memory of 1356	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	wIhLoPT.exe
PID 3328 wrote to memory of 3768	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	efPcdwh.exe
PID 3328 wrote to memory of 3768	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	efPcdwh.exe
PID 3328 wrote to memory of 1128	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	hTlwgfg.exe
PID 3328 wrote to memory of 1128	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	hTlwgfg.exe
PID 3328 wrote to memory of 2452	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	IvXPoJi.exe
PID 3328 wrote to memory of 2452	3328	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	IvXPoJi.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\System\SxWlAmg.exe
C:\Windows\System\SxWlAmg.exe
2⤵
- Executes dropped EXE
PID:208

C:\Windows\System\TqZZZFr.exe
C:\Windows\System\TqZZZFr.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\System\INeBskX.exe
C:\Windows\System\INeBskX.exe
2⤵
- Executes dropped EXE
PID:3116

C:\Windows\System\CbeSjCW.exe
C:\Windows\System\CbeSjCW.exe
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\System\EbiRFbl.exe
C:\Windows\System\EbiRFbl.exe
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\System\wlyWVOV.exe
C:\Windows\System\wlyWVOV.exe
2⤵
- Executes dropped EXE
PID:4524

C:\Windows\System\rEOedGg.exe
C:\Windows\System\rEOedGg.exe
2⤵
- Executes dropped EXE
PID:4820

C:\Windows\System\uMLOIZa.exe
C:\Windows\System\uMLOIZa.exe
2⤵
- Executes dropped EXE
PID:2904

C:\Windows\System\yvRBJwf.exe
C:\Windows\System\yvRBJwf.exe
2⤵
- Executes dropped EXE
PID:3000

C:\Windows\System\wnJvpcS.exe
C:\Windows\System\wnJvpcS.exe
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\System\GFvDjYq.exe
C:\Windows\System\GFvDjYq.exe
2⤵
- Executes dropped EXE
PID:3240

C:\Windows\System\hOUjMOQ.exe
C:\Windows\System\hOUjMOQ.exe
2⤵
- Executes dropped EXE
PID:3356

C:\Windows\System\qYrDwLk.exe
C:\Windows\System\qYrDwLk.exe
2⤵
- Executes dropped EXE
PID:4868

C:\Windows\System\gKSyHzY.exe
C:\Windows\System\gKSyHzY.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\RYydFZI.exe
C:\Windows\System\RYydFZI.exe
2⤵
- Executes dropped EXE
PID:3176

C:\Windows\System\WrfdpiZ.exe
C:\Windows\System\WrfdpiZ.exe
2⤵
- Executes dropped EXE
PID:4552

C:\Windows\System\zoAIudb.exe
C:\Windows\System\zoAIudb.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\System\wIhLoPT.exe
C:\Windows\System\wIhLoPT.exe
2⤵
- Executes dropped EXE
PID:1356

C:\Windows\System\efPcdwh.exe
C:\Windows\System\efPcdwh.exe
2⤵
- Executes dropped EXE
PID:3768

C:\Windows\System\hTlwgfg.exe
C:\Windows\System\hTlwgfg.exe
2⤵
- Executes dropped EXE
PID:1128

C:\Windows\System\IvXPoJi.exe
C:\Windows\System\IvXPoJi.exe
2⤵
- Executes dropped EXE
PID:2452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CbeSjCW.exe

Filesize
5.2MB

MD5
5510e869401b86832d5977e8a01f3aa4

SHA1
d285463162cda7b55dcae6fc88c78bc19c960df5

SHA256
5abd16da27760ad6578bf21b0277ff5573d0d3add47acb3a597a71ca2e3c831c

SHA512
940fce89d0cdf5dc36422bdd10d0ab8a255bdb516ba82e11d78262b9563fe136e08b960db1476d503b50851157654ebaae6856b8e4cb8a6a46d3156ffe91889d

Download Submit
C:\Windows\System\EbiRFbl.exe

Filesize
5.2MB

MD5
86677b450bb7b18b39fc27ec8c51873b

SHA1
baa3d6f616bbbdba2431fb4e1ee09fd454bf0283

SHA256
ae4979b089af4f56ca3ce79c8135a29159380feb1e96db6a03758b508b63b00a

SHA512
fc4cf980c3b74307f857b53c523a266a95d3f5ebb9d16f85f65fcf4cb540c5e5115f1811c861979544bf69159bd8b5585edf275dc1e81a0f66b72e22b97de192

Download Submit
C:\Windows\System\GFvDjYq.exe

Filesize
5.2MB

MD5
3dfb3c162c37e780deec45b195b84d02

SHA1
084db3395b58e009abb49a8dc48327fac63672b9

SHA256
58e85de34f1088b15c11465bc928f5773f17f42a9ce1d5db2305d1757577628c

SHA512
19ebbbc7ca0f18b4ef6c793cfccda48ce01c7bc815adbb5c943fb0378760a75910bb33554b52b374657ae80817a1e84b4ffd512cb0e3659f4be50174e2e6e6ee

Download Submit
C:\Windows\System\INeBskX.exe

Filesize
5.2MB

MD5
9208da1503c89925ad3329adec9af4d2

SHA1
0350084fc93fc8d5bf9706ca3eccb2c7dab2b970

SHA256
c5ea0f66fe927832686b84c2634bfee069ce64e6803ee8efd3d2eb4cbf363335

SHA512
d7b3c6906b96fdfc12f0ad4c29dc0f257ce760dc501d6cbb08c52e0480a709c25a42c2e023c613b1da4fe7ef7a2d0781719f5e7ccf4c8db35c613c3fe804135f

Download Submit
C:\Windows\System\IvXPoJi.exe

Filesize
5.2MB

MD5
24172b0d6815eac77a24d56eb2039855

SHA1
0f5e5954c9a37be81329d70b9387f2c106698ad6

SHA256
759e99142a882d481611a6f3a756ed3481b797e63a5e1e4a435fc3d92f2817ed

SHA512
0cd786ea1615f13c9f3c2b2254c252d8a2abb51cb785375948ca6450b7983f679e328fbef0ac1cc8ce4756d5c320f83d3e8b95fe15ce98d15c5ac644657db953

Download Submit
C:\Windows\System\RYydFZI.exe

Filesize
5.2MB

MD5
6c3dfb88564fb437888a23ffd5aeb4fb

SHA1
a441027dde31baf96dfb6aa4f13f5f263cbae1fe

SHA256
ea6749bf60d89891fad884f8985b9b980d2f3545b056063df1c8843880374229

SHA512
d54bf130eefce402cdc56f20f800c46530b75ba0ad668e145d37bd5b530e21e666776664df5831bf52c2782d7c802d8c739db9819a2effcd6621db673841a89d

Download Submit
C:\Windows\System\SxWlAmg.exe

Filesize
5.2MB

MD5
d65b6148e2efc77d191a81cf84a666b7

SHA1
af84e52f629a944f3ab45d97d00fbe0bf8fd1760

SHA256
2afbab29516e6bd1592866cbd921fce2b536f61e90a85d6e60af2b290667891c

SHA512
81e23ebf8e3f710580234873feb4345e83fd08d816270720c83a18d9ad874e44355ccd5dd3eeea0b23cba6907738a49998fa35389360dea7328c0435d7be5725

Download Submit
C:\Windows\System\TqZZZFr.exe

Filesize
5.2MB

MD5
e504b57b760b3c50e1fba5353d5cd8e9

SHA1
e37e59072b2aebc991925184c533ef787e84a7ac

SHA256
718b53b3681a75f2360084352fa088db345bf69466c4c40df288f81315109a1b

SHA512
bbfa04e9797bc0f162241c6d5ce353725dcd3a7d4d9e90da5c56e57ac389558c6459a8f02500e1bf8ce05a6516c87a893dd8658a77eebb9b21fb00b8eba855cc

Download Submit
C:\Windows\System\WrfdpiZ.exe

Filesize
5.2MB

MD5
0728392bcc937695bb41e40b88f695b4

SHA1
39f8f9e323cd8ea373ca0e8693b665e36a42538e

SHA256
8246ce595ff33ecd660fb38e23de83500e3d0519f1c49f80d104754e8e9c3cbf

SHA512
dfac578e7b6f69cd29e3968ab247e73f97613bc323a85e7d8012a9f403a0b029e5613b769880ae04b10bb704c07f583aaa2416b0822f0081583a0936e271d226

Download Submit
C:\Windows\System\efPcdwh.exe

Filesize
5.2MB

MD5
0b1f6c20db1c1002d41f2eff9e35e6b8

SHA1
993228253176bbb102f736eafcee7964d0d3ee00

SHA256
acf7a25e450f0cc56e4308bfd447466933bcfc874b4e9e8472d4bdf2a1b46fbc

SHA512
3031cfe7e28b1f7cdd4952b6228c5248dd3c33e03d3e2accfd0dec44999f9ac84c03698965ebb107256ee398b0fe4687c27d21f5a1577bf2de67a11fb8525bbe

Download Submit
C:\Windows\System\gKSyHzY.exe

Filesize
5.2MB

MD5
51082ad8cdb59f12861e3fd3bd9f916e

SHA1
015144610b8d2e7ea82fb0012abe5f2f26a1a8dc

SHA256
18501f6b5d8d084ff0e789cead41748154c5432c5e7c1a1e09202989a9aac0cc

SHA512
5fde12f497f71357a94db9da2d9f76a79a6daada0bf4c536f8df9602e9b4206a859d0003ac63c06e8c0577d22ae833d198e5377eb8b713394c396c86d5bbe162

Download Submit
C:\Windows\System\hOUjMOQ.exe

Filesize
5.2MB

MD5
6bbe8748e58f0f0bd49c3547847526bf

SHA1
2bda240074864267fd3125868d5d8e4be5b8333a

SHA256
99c2bb5a846c95739e583ec16f9e06df71e2c2f4135838fa5e33e325caf72f7e

SHA512
ab429adb96475574fd029544bcbd6084bc302c2f5387e4f2a04a0865bc2f3f09e30a673c9f0e2a296608e7db9ee54f69a48d79354aecb9dafb47acaae1082f38

Download Submit
C:\Windows\System\hTlwgfg.exe

Filesize
5.2MB

MD5
f3ca5dc507542350b291f815fd765e9b

SHA1
ba803e8017e23051900af18cf0ff19a7aa0b6a8c

SHA256
87d314d8b9d8f79f56867bc8853b291ab5f151a4a688df358b84463c671cd8d4

SHA512
36e7b05e2c5ae7cf0ec6d1f3c3d09e0114d88a2638015cd10cf4993b03190f4e67f6ec516abfbe59135f0fc74b15d240d0ad16626889a34481bcccf4a76776bd

Download Submit
C:\Windows\System\qYrDwLk.exe

Filesize
5.2MB

MD5
82f1f4c4bb7afbc58043bf54d1438ce6

SHA1
91d6e3833feed786276a1a04e6c7ff3ede7fe9ff

SHA256
e434f11bc41c1f938ded6c8b1997f27fdb3ad991b97773b4f5c802635ac48499

SHA512
18299266bcf93d2a2ef9f10ab22fd81c7271e4227f54aece6b27408d7f5609ef6bd248ec0352a958c07b7bd005119a522b0770c949f5d49d92962ae0710e7128

Download Submit
C:\Windows\System\rEOedGg.exe

Filesize
5.2MB

MD5
d9b1902920c0ec86d92250ac2f90916c

SHA1
46e112a6075852b49409ecb3ae0e70f41428ec5c

SHA256
a75a6f7921c0cd806efd546e1c877224a804ab71c182286a24ca867bece08417

SHA512
c5d38884eb89e25944794e2cad618a08cc66e3ddd1ae9c63bf6eceac733b01a79f229e173d131a775543cad22090145d835c7a5b5323726bd7371d1ba5373cd0

Download Submit
C:\Windows\System\uMLOIZa.exe

Filesize
5.2MB

MD5
37fa4b5dc0304f81a4b18385c2b5f3c3

SHA1
0759a4828461e065bc137701cd0ffdb403314d34

SHA256
9393656001a0b647849d3e8dd6962e3a912aebf9925ca131f916b8eba9ca55cb

SHA512
f8e035618451224c6046ae4395196f70d043c8516bcafe3718c115c4b2757c09c7f0370fac72e4bc4cd1da366959a5efbac652597e0a3a68ae402b160ea6de44

Download Submit
C:\Windows\System\wIhLoPT.exe

Filesize
5.2MB

MD5
1cb99254c802786a2aa96977fd6ae51a

SHA1
cc35df9195444158f35a3f99bc77c0b706562b21

SHA256
2b00f9e7e77c9c573a7b8764b0e17d00c91641009815d01bf011d1eff3cbe723

SHA512
95c483ca940015eb0d8aca46cc54069edc5e5134e08151f401acf895c0d03db43c9bb275906b8a553abd1242a5c2b6acf37833373c11afb0643fa0a131b78229

Download Submit
C:\Windows\System\wlyWVOV.exe

Filesize
5.2MB

MD5
b06b0d8a8e4bd56bb6d101778fe421fb

SHA1
f7dede337bfbed10ab884e9a7d76a4defd75c628

SHA256
85fc3e1b73cc41e09a233f507892b05551b17683d5c9bb8c398e045e56b0ed65

SHA512
fc91086b459930fc506a648e652f8d6353c12df9f8b268cda5177422e434d66cd2327f9c66989a9b87881e894bb0f5d4c22693ae021edbdc936f6842fef50795

Download Submit
C:\Windows\System\wnJvpcS.exe

Filesize
5.2MB

MD5
54d33da5ad5366bd789cae92b94327a9

SHA1
61faa67997577c180168e4310c2fd34278424c07

SHA256
a3e28b56189cd643605aa371771585c99fbda52ddb704c031c9d5e21c24ae67d

SHA512
63763be08258633601ca8f82c170a4f815cc1c9911aace2d4333ab11aeb8467db4e78df473fe33506adde65e11ca5b7be514e5c5e19ee6cd5873ff0976a63fa5

Download Submit
C:\Windows\System\yvRBJwf.exe

Filesize
5.2MB

MD5
81572c1222d9c3767567326d86ed0eb6

SHA1
8f9e8aa7171c7801fd79bdd47428473aefeb50d7

SHA256
38c9541aa1d4ac46cf532799acf6132328bdcd469287e5e7aaa0542d49ba3005

SHA512
9dec9b310ccf6b67ef51809e1dc278aafa2b5a3be48b243733e469cef1fa4d8d0ede2046614aedb988fc72caf4807f561bf82f01854c169a258fceb39411cfce

Download Submit
C:\Windows\System\zoAIudb.exe

Filesize
5.2MB

MD5
a4f3bc4273b32460fb235f60609638ff

SHA1
b5653a8cf7c50eb2c025ee70322b959182b27456

SHA256
6669c841dba0c1cac559c12adaf0827b254ab2032fa87f09437d6cb947bc745b

SHA512
2097fd19e8915869676e345e22a194db120b339c3151da30a8d5ef515348c9996289ecc9e2831c84fb6d8b8bc9fdf7c89832f5fc5c822c539f5a78e5bc0e3ec2

Download Submit
memory/208-75-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp

Filesize
3.3MB

Download
memory/208-7-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp

Filesize
3.3MB

Download
memory/208-213-0x00007FF6FBDC0000-0x00007FF6FC111000-memory.dmp

Filesize
3.3MB

Download
memory/1128-260-0x00007FF66CCD0000-0x00007FF66D021000-memory.dmp

Filesize
3.3MB

Download
memory/1128-132-0x00007FF66CCD0000-0x00007FF66D021000-memory.dmp

Filesize
3.3MB

Download
memory/1356-256-0x00007FF724FC0000-0x00007FF725311000-memory.dmp

Filesize
3.3MB

Download
memory/1356-114-0x00007FF724FC0000-0x00007FF725311000-memory.dmp

Filesize
3.3MB

Download
memory/1356-154-0x00007FF724FC0000-0x00007FF725311000-memory.dmp

Filesize
3.3MB

Download
memory/1788-219-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-91-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-25-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-133-0x00007FF7B7A20000-0x00007FF7B7D71000-memory.dmp

Filesize
3.3MB

Download
memory/2452-262-0x00007FF7B7A20000-0x00007FF7B7D71000-memory.dmp

Filesize
3.3MB

Download
memory/2592-82-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp

Filesize
3.3MB

Download
memory/2592-13-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp

Filesize
3.3MB

Download
memory/2592-215-0x00007FF61B3E0000-0x00007FF61B731000-memory.dmp

Filesize
3.3MB

Download
memory/2756-32-0x00007FF67E010000-0x00007FF67E361000-memory.dmp

Filesize
3.3MB

Download
memory/2756-102-0x00007FF67E010000-0x00007FF67E361000-memory.dmp

Filesize
3.3MB

Download
memory/2756-221-0x00007FF67E010000-0x00007FF67E361000-memory.dmp

Filesize
3.3MB

Download
memory/2904-131-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-48-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-227-0x00007FF72DA60000-0x00007FF72DDB1000-memory.dmp

Filesize
3.3MB

Download
memory/3000-54-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp

Filesize
3.3MB

Download
memory/3000-231-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp

Filesize
3.3MB

Download
memory/3000-134-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp

Filesize
3.3MB

Download
memory/3040-136-0x00007FF601490000-0x00007FF6017E1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-59-0x00007FF601490000-0x00007FF6017E1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-229-0x00007FF601490000-0x00007FF6017E1000-memory.dmp

Filesize
3.3MB

Download
memory/3116-217-0x00007FF67D220000-0x00007FF67D571000-memory.dmp

Filesize
3.3MB

Download
memory/3116-20-0x00007FF67D220000-0x00007FF67D571000-memory.dmp

Filesize
3.3MB

Download
memory/3176-100-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-151-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-248-0x00007FF694A60000-0x00007FF694DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3240-233-0x00007FF696980000-0x00007FF696CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3240-71-0x00007FF696980000-0x00007FF696CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3328-1-0x0000024745F30000-0x0000024745F40000-memory.dmp

Filesize
64KB

Download
memory/3328-68-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp

Filesize
3.3MB

Download
memory/3328-135-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp

Filesize
3.3MB

Download
memory/3328-0-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp

Filesize
3.3MB

Download
memory/3328-158-0x00007FF6A5240000-0x00007FF6A5591000-memory.dmp

Filesize
3.3MB

Download
memory/3356-235-0x00007FF7D1DD0000-0x00007FF7D2121000-memory.dmp

Filesize
3.3MB

Download
memory/3356-76-0x00007FF7D1DD0000-0x00007FF7D2121000-memory.dmp

Filesize
3.3MB

Download
memory/3768-258-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-155-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-122-0x00007FF7FED90000-0x00007FF7FF0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4524-40-0x00007FF792D60000-0x00007FF7930B1000-memory.dmp

Filesize
3.3MB

Download
memory/4524-223-0x00007FF792D60000-0x00007FF7930B1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-252-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp

Filesize
3.3MB

Download
memory/4552-107-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp

Filesize
3.3MB

Download
memory/4552-152-0x00007FF6CF630000-0x00007FF6CF981000-memory.dmp

Filesize
3.3MB

Download
memory/4648-89-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-150-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-250-0x00007FF6FE550000-0x00007FF6FE8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-225-0x00007FF7C5560000-0x00007FF7C58B1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-47-0x00007FF7C5560000-0x00007FF7C58B1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-246-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-86-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-149-0x00007FF788E80000-0x00007FF7891D1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-254-0x00007FF692960000-0x00007FF692CB1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-121-0x00007FF692960000-0x00007FF692CB1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-153-0x00007FF692960000-0x00007FF692CB1000-memory.dmp

Filesize
3.3MB

Download