cobaltstrike | c7582440ac863d0f189018c4e6e51817e31c5d602547d401346b17abc4c5caed

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

ff125116f134e5a9eb784c333d90bdad
SHA1

5d02ff798199bc4bdd88a660e7d49aae53ff837c
SHA256

c7582440ac863d0f189018c4e6e51817e31c5d602547d401346b17abc4c5caed
SHA512

24f36338edecbbfbe1fab9f79a085318d44b95c92e5cc36c076649bbeb260f75b2ba4f25818054a796382d44dc498fee706e0d57d31d043b3f7ab582794d0b51
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibf56utgpPFotBER/mQ32lUs

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\eJZnRTB.exe	cobalt_reflective_dll
C:\Windows\System\YpYznDb.exe	cobalt_reflective_dll
C:\Windows\System\PMmaiKu.exe	cobalt_reflective_dll
C:\Windows\System\sNyvTwu.exe	cobalt_reflective_dll
C:\Windows\System\AYfKWhf.exe	cobalt_reflective_dll
C:\Windows\System\QstFkQP.exe	cobalt_reflective_dll
C:\Windows\System\dMasgKb.exe	cobalt_reflective_dll
C:\Windows\System\qwzpDGJ.exe	cobalt_reflective_dll
C:\Windows\System\Pvjtpum.exe	cobalt_reflective_dll
C:\Windows\System\mIQZgml.exe	cobalt_reflective_dll
C:\Windows\System\oleOZxx.exe	cobalt_reflective_dll
C:\Windows\System\iuBqINs.exe	cobalt_reflective_dll
C:\Windows\System\jKFtyxF.exe	cobalt_reflective_dll
C:\Windows\System\vRWTAex.exe	cobalt_reflective_dll
C:\Windows\System\xLbZpFB.exe	cobalt_reflective_dll
C:\Windows\System\SHrsMgw.exe	cobalt_reflective_dll
C:\Windows\System\IiSFxlO.exe	cobalt_reflective_dll
C:\Windows\System\BlezRwy.exe	cobalt_reflective_dll
C:\Windows\System\bDpkTGT.exe	cobalt_reflective_dll
C:\Windows\System\BHHwaVN.exe	cobalt_reflective_dll
C:\Windows\System\qcSdKsO.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\eJZnRTB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YpYznDb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PMmaiKu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sNyvTwu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AYfKWhf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QstFkQP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dMasgKb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qwzpDGJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Pvjtpum.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mIQZgml.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oleOZxx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iuBqINs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jKFtyxF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vRWTAex.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xLbZpFB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SHrsMgw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IiSFxlO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BlezRwy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bDpkTGT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BHHwaVN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qcSdKsO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2548-0-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp	UPX
C:\Windows\System\eJZnRTB.exe	UPX
behavioral2/memory/464-6-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp	UPX
C:\Windows\System\YpYznDb.exe	UPX
behavioral2/memory/5016-13-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp	UPX
C:\Windows\System\PMmaiKu.exe	UPX
behavioral2/memory/952-20-0x00007FF7440E0000-0x00007FF744431000-memory.dmp	UPX
C:\Windows\System\sNyvTwu.exe	UPX
behavioral2/memory/4228-26-0x00007FF7790E0000-0x00007FF779431000-memory.dmp	UPX
C:\Windows\System\AYfKWhf.exe	UPX
C:\Windows\System\QstFkQP.exe	UPX
C:\Windows\System\dMasgKb.exe	UPX
behavioral2/memory/228-44-0x00007FF776460000-0x00007FF7767B1000-memory.dmp	UPX
C:\Windows\System\qwzpDGJ.exe	UPX
C:\Windows\System\Pvjtpum.exe	UPX
C:\Windows\System\mIQZgml.exe	UPX
C:\Windows\System\oleOZxx.exe	UPX
C:\Windows\System\iuBqINs.exe	UPX
C:\Windows\System\jKFtyxF.exe	UPX
C:\Windows\System\vRWTAex.exe	UPX
C:\Windows\System\xLbZpFB.exe	UPX
C:\Windows\System\SHrsMgw.exe	UPX
C:\Windows\System\IiSFxlO.exe	UPX
C:\Windows\System\BlezRwy.exe	UPX
C:\Windows\System\bDpkTGT.exe	UPX
C:\Windows\System\BHHwaVN.exe	UPX
C:\Windows\System\qcSdKsO.exe	UPX
behavioral2/memory/3052-40-0x00007FF6DD440000-0x00007FF6DD791000-memory.dmp	UPX
behavioral2/memory/1832-37-0x00007FF713AC0000-0x00007FF713E11000-memory.dmp	UPX
behavioral2/memory/5016-116-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp	UPX
behavioral2/memory/952-117-0x00007FF7440E0000-0x00007FF744431000-memory.dmp	UPX
behavioral2/memory/464-115-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp	UPX
behavioral2/memory/4228-118-0x00007FF7790E0000-0x00007FF779431000-memory.dmp	UPX
behavioral2/memory/3860-128-0x00007FF739BA0000-0x00007FF739EF1000-memory.dmp	UPX
behavioral2/memory/2216-130-0x00007FF76F280000-0x00007FF76F5D1000-memory.dmp	UPX
behavioral2/memory/4652-132-0x00007FF744E00000-0x00007FF745151000-memory.dmp	UPX
behavioral2/memory/1808-131-0x00007FF75F640000-0x00007FF75F991000-memory.dmp	UPX
behavioral2/memory/2924-129-0x00007FF750340000-0x00007FF750691000-memory.dmp	UPX
behavioral2/memory/2796-127-0x00007FF70AE70000-0x00007FF70B1C1000-memory.dmp	UPX
behavioral2/memory/1836-126-0x00007FF724040000-0x00007FF724391000-memory.dmp	UPX
behavioral2/memory/4912-125-0x00007FF6E89E0000-0x00007FF6E8D31000-memory.dmp	UPX
behavioral2/memory/904-124-0x00007FF7FE530000-0x00007FF7FE881000-memory.dmp	UPX
behavioral2/memory/4108-122-0x00007FF6991A0000-0x00007FF6994F1000-memory.dmp	UPX
behavioral2/memory/3756-123-0x00007FF6E9010000-0x00007FF6E9361000-memory.dmp	UPX
behavioral2/memory/2548-114-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp	UPX
behavioral2/memory/2100-135-0x00007FF7B9AD0000-0x00007FF7B9E21000-memory.dmp	UPX
behavioral2/memory/1128-134-0x00007FF7CA940000-0x00007FF7CAC91000-memory.dmp	UPX
behavioral2/memory/2176-133-0x00007FF66FA40000-0x00007FF66FD91000-memory.dmp	UPX
behavioral2/memory/2548-136-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp	UPX
behavioral2/memory/464-182-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp	UPX
behavioral2/memory/5016-184-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp	UPX
behavioral2/memory/952-193-0x00007FF7440E0000-0x00007FF744431000-memory.dmp	UPX
behavioral2/memory/4228-196-0x00007FF7790E0000-0x00007FF779431000-memory.dmp	UPX
behavioral2/memory/1832-201-0x00007FF713AC0000-0x00007FF713E11000-memory.dmp	UPX
behavioral2/memory/3052-203-0x00007FF6DD440000-0x00007FF6DD791000-memory.dmp	UPX
behavioral2/memory/228-205-0x00007FF776460000-0x00007FF7767B1000-memory.dmp	UPX
behavioral2/memory/4108-209-0x00007FF6991A0000-0x00007FF6994F1000-memory.dmp	UPX
behavioral2/memory/904-211-0x00007FF7FE530000-0x00007FF7FE881000-memory.dmp	UPX
behavioral2/memory/3756-208-0x00007FF6E9010000-0x00007FF6E9361000-memory.dmp	UPX
behavioral2/memory/3860-214-0x00007FF739BA0000-0x00007FF739EF1000-memory.dmp	UPX
behavioral2/memory/4912-219-0x00007FF6E89E0000-0x00007FF6E8D31000-memory.dmp	UPX
behavioral2/memory/1836-218-0x00007FF724040000-0x00007FF724391000-memory.dmp	UPX
behavioral2/memory/2924-221-0x00007FF750340000-0x00007FF750691000-memory.dmp	UPX
behavioral2/memory/2216-223-0x00007FF76F280000-0x00007FF76F5D1000-memory.dmp	UPX

XMRig Miner payload 44 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/228-44-0x00007FF776460000-0x00007FF7767B1000-memory.dmp	xmrig
behavioral2/memory/3052-40-0x00007FF6DD440000-0x00007FF6DD791000-memory.dmp	xmrig
behavioral2/memory/1832-37-0x00007FF713AC0000-0x00007FF713E11000-memory.dmp	xmrig
behavioral2/memory/5016-116-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp	xmrig
behavioral2/memory/952-117-0x00007FF7440E0000-0x00007FF744431000-memory.dmp	xmrig
behavioral2/memory/464-115-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp	xmrig
behavioral2/memory/4228-118-0x00007FF7790E0000-0x00007FF779431000-memory.dmp	xmrig
behavioral2/memory/3860-128-0x00007FF739BA0000-0x00007FF739EF1000-memory.dmp	xmrig
behavioral2/memory/2216-130-0x00007FF76F280000-0x00007FF76F5D1000-memory.dmp	xmrig
behavioral2/memory/4652-132-0x00007FF744E00000-0x00007FF745151000-memory.dmp	xmrig
behavioral2/memory/1808-131-0x00007FF75F640000-0x00007FF75F991000-memory.dmp	xmrig
behavioral2/memory/2924-129-0x00007FF750340000-0x00007FF750691000-memory.dmp	xmrig
behavioral2/memory/2796-127-0x00007FF70AE70000-0x00007FF70B1C1000-memory.dmp	xmrig
behavioral2/memory/1836-126-0x00007FF724040000-0x00007FF724391000-memory.dmp	xmrig
behavioral2/memory/4912-125-0x00007FF6E89E0000-0x00007FF6E8D31000-memory.dmp	xmrig
behavioral2/memory/904-124-0x00007FF7FE530000-0x00007FF7FE881000-memory.dmp	xmrig
behavioral2/memory/4108-122-0x00007FF6991A0000-0x00007FF6994F1000-memory.dmp	xmrig
behavioral2/memory/3756-123-0x00007FF6E9010000-0x00007FF6E9361000-memory.dmp	xmrig
behavioral2/memory/2548-114-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp	xmrig
behavioral2/memory/2100-135-0x00007FF7B9AD0000-0x00007FF7B9E21000-memory.dmp	xmrig
behavioral2/memory/1128-134-0x00007FF7CA940000-0x00007FF7CAC91000-memory.dmp	xmrig
behavioral2/memory/2176-133-0x00007FF66FA40000-0x00007FF66FD91000-memory.dmp	xmrig
behavioral2/memory/2548-136-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp	xmrig
behavioral2/memory/464-182-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp	xmrig
behavioral2/memory/5016-184-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp	xmrig
behavioral2/memory/952-193-0x00007FF7440E0000-0x00007FF744431000-memory.dmp	xmrig
behavioral2/memory/4228-196-0x00007FF7790E0000-0x00007FF779431000-memory.dmp	xmrig
behavioral2/memory/1832-201-0x00007FF713AC0000-0x00007FF713E11000-memory.dmp	xmrig
behavioral2/memory/3052-203-0x00007FF6DD440000-0x00007FF6DD791000-memory.dmp	xmrig
behavioral2/memory/228-205-0x00007FF776460000-0x00007FF7767B1000-memory.dmp	xmrig
behavioral2/memory/4108-209-0x00007FF6991A0000-0x00007FF6994F1000-memory.dmp	xmrig
behavioral2/memory/904-211-0x00007FF7FE530000-0x00007FF7FE881000-memory.dmp	xmrig
behavioral2/memory/3756-208-0x00007FF6E9010000-0x00007FF6E9361000-memory.dmp	xmrig
behavioral2/memory/3860-214-0x00007FF739BA0000-0x00007FF739EF1000-memory.dmp	xmrig
behavioral2/memory/4912-219-0x00007FF6E89E0000-0x00007FF6E8D31000-memory.dmp	xmrig
behavioral2/memory/1836-218-0x00007FF724040000-0x00007FF724391000-memory.dmp	xmrig
behavioral2/memory/2924-221-0x00007FF750340000-0x00007FF750691000-memory.dmp	xmrig
behavioral2/memory/2216-223-0x00007FF76F280000-0x00007FF76F5D1000-memory.dmp	xmrig
behavioral2/memory/2796-215-0x00007FF70AE70000-0x00007FF70B1C1000-memory.dmp	xmrig
behavioral2/memory/1808-226-0x00007FF75F640000-0x00007FF75F991000-memory.dmp	xmrig
behavioral2/memory/4652-227-0x00007FF744E00000-0x00007FF745151000-memory.dmp	xmrig
behavioral2/memory/2176-229-0x00007FF66FA40000-0x00007FF66FD91000-memory.dmp	xmrig
behavioral2/memory/1128-231-0x00007FF7CA940000-0x00007FF7CAC91000-memory.dmp	xmrig
behavioral2/memory/2100-233-0x00007FF7B9AD0000-0x00007FF7B9E21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

eJZnRTB.exeYpYznDb.exePMmaiKu.exesNyvTwu.exeAYfKWhf.exeQstFkQP.exedMasgKb.exeqwzpDGJ.exePvjtpum.exemIQZgml.exeoleOZxx.exeiuBqINs.exejKFtyxF.exevRWTAex.exexLbZpFB.exeqcSdKsO.exeSHrsMgw.exeIiSFxlO.exeBlezRwy.exebDpkTGT.exeBHHwaVN.exe

pid	process
464	eJZnRTB.exe
5016	YpYznDb.exe
952	PMmaiKu.exe
4228	sNyvTwu.exe
1832	AYfKWhf.exe
3052	QstFkQP.exe
228	dMasgKb.exe
4108	qwzpDGJ.exe
3756	Pvjtpum.exe
904	mIQZgml.exe
4912	oleOZxx.exe
1836	iuBqINs.exe
2796	jKFtyxF.exe
3860	vRWTAex.exe
2924	xLbZpFB.exe
2216	qcSdKsO.exe
1808	SHrsMgw.exe
4652	IiSFxlO.exe
2176	BlezRwy.exe
1128	bDpkTGT.exe
2100	BHHwaVN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2548-0-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp	upx
C:\Windows\System\eJZnRTB.exe	upx
behavioral2/memory/464-6-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp	upx
C:\Windows\System\YpYznDb.exe	upx
behavioral2/memory/5016-13-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp	upx
C:\Windows\System\PMmaiKu.exe	upx
behavioral2/memory/952-20-0x00007FF7440E0000-0x00007FF744431000-memory.dmp	upx
C:\Windows\System\sNyvTwu.exe	upx
behavioral2/memory/4228-26-0x00007FF7790E0000-0x00007FF779431000-memory.dmp	upx
C:\Windows\System\AYfKWhf.exe	upx
C:\Windows\System\QstFkQP.exe	upx
C:\Windows\System\dMasgKb.exe	upx
behavioral2/memory/228-44-0x00007FF776460000-0x00007FF7767B1000-memory.dmp	upx
C:\Windows\System\qwzpDGJ.exe	upx
C:\Windows\System\Pvjtpum.exe	upx
C:\Windows\System\mIQZgml.exe	upx
C:\Windows\System\oleOZxx.exe	upx
C:\Windows\System\iuBqINs.exe	upx
C:\Windows\System\jKFtyxF.exe	upx
C:\Windows\System\vRWTAex.exe	upx
C:\Windows\System\xLbZpFB.exe	upx
C:\Windows\System\SHrsMgw.exe	upx
C:\Windows\System\IiSFxlO.exe	upx
C:\Windows\System\BlezRwy.exe	upx
C:\Windows\System\bDpkTGT.exe	upx
C:\Windows\System\BHHwaVN.exe	upx
C:\Windows\System\qcSdKsO.exe	upx
behavioral2/memory/3052-40-0x00007FF6DD440000-0x00007FF6DD791000-memory.dmp	upx
behavioral2/memory/1832-37-0x00007FF713AC0000-0x00007FF713E11000-memory.dmp	upx
behavioral2/memory/5016-116-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp	upx
behavioral2/memory/952-117-0x00007FF7440E0000-0x00007FF744431000-memory.dmp	upx
behavioral2/memory/464-115-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp	upx
behavioral2/memory/4228-118-0x00007FF7790E0000-0x00007FF779431000-memory.dmp	upx
behavioral2/memory/3860-128-0x00007FF739BA0000-0x00007FF739EF1000-memory.dmp	upx
behavioral2/memory/2216-130-0x00007FF76F280000-0x00007FF76F5D1000-memory.dmp	upx
behavioral2/memory/4652-132-0x00007FF744E00000-0x00007FF745151000-memory.dmp	upx
behavioral2/memory/1808-131-0x00007FF75F640000-0x00007FF75F991000-memory.dmp	upx
behavioral2/memory/2924-129-0x00007FF750340000-0x00007FF750691000-memory.dmp	upx
behavioral2/memory/2796-127-0x00007FF70AE70000-0x00007FF70B1C1000-memory.dmp	upx
behavioral2/memory/1836-126-0x00007FF724040000-0x00007FF724391000-memory.dmp	upx
behavioral2/memory/4912-125-0x00007FF6E89E0000-0x00007FF6E8D31000-memory.dmp	upx
behavioral2/memory/904-124-0x00007FF7FE530000-0x00007FF7FE881000-memory.dmp	upx
behavioral2/memory/4108-122-0x00007FF6991A0000-0x00007FF6994F1000-memory.dmp	upx
behavioral2/memory/3756-123-0x00007FF6E9010000-0x00007FF6E9361000-memory.dmp	upx
behavioral2/memory/2548-114-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp	upx
behavioral2/memory/2100-135-0x00007FF7B9AD0000-0x00007FF7B9E21000-memory.dmp	upx
behavioral2/memory/1128-134-0x00007FF7CA940000-0x00007FF7CAC91000-memory.dmp	upx
behavioral2/memory/2176-133-0x00007FF66FA40000-0x00007FF66FD91000-memory.dmp	upx
behavioral2/memory/2548-136-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp	upx
behavioral2/memory/464-182-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp	upx
behavioral2/memory/5016-184-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp	upx
behavioral2/memory/952-193-0x00007FF7440E0000-0x00007FF744431000-memory.dmp	upx
behavioral2/memory/4228-196-0x00007FF7790E0000-0x00007FF779431000-memory.dmp	upx
behavioral2/memory/1832-201-0x00007FF713AC0000-0x00007FF713E11000-memory.dmp	upx
behavioral2/memory/3052-203-0x00007FF6DD440000-0x00007FF6DD791000-memory.dmp	upx
behavioral2/memory/228-205-0x00007FF776460000-0x00007FF7767B1000-memory.dmp	upx
behavioral2/memory/4108-209-0x00007FF6991A0000-0x00007FF6994F1000-memory.dmp	upx
behavioral2/memory/904-211-0x00007FF7FE530000-0x00007FF7FE881000-memory.dmp	upx
behavioral2/memory/3756-208-0x00007FF6E9010000-0x00007FF6E9361000-memory.dmp	upx
behavioral2/memory/3860-214-0x00007FF739BA0000-0x00007FF739EF1000-memory.dmp	upx
behavioral2/memory/4912-219-0x00007FF6E89E0000-0x00007FF6E8D31000-memory.dmp	upx
behavioral2/memory/1836-218-0x00007FF724040000-0x00007FF724391000-memory.dmp	upx
behavioral2/memory/2924-221-0x00007FF750340000-0x00007FF750691000-memory.dmp	upx
behavioral2/memory/2216-223-0x00007FF76F280000-0x00007FF76F5D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\eJZnRTB.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YpYznDb.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QstFkQP.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dMasgKb.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jKFtyxF.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BlezRwy.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xLbZpFB.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qcSdKsO.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PMmaiKu.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AYfKWhf.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qwzpDGJ.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mIQZgml.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oleOZxx.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iuBqINs.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BHHwaVN.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SHrsMgw.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IiSFxlO.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bDpkTGT.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sNyvTwu.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Pvjtpum.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vRWTAex.exe	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2548 wrote to memory of 464	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	eJZnRTB.exe
PID 2548 wrote to memory of 464	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	eJZnRTB.exe
PID 2548 wrote to memory of 5016	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	YpYznDb.exe
PID 2548 wrote to memory of 5016	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	YpYznDb.exe
PID 2548 wrote to memory of 952	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	PMmaiKu.exe
PID 2548 wrote to memory of 952	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	PMmaiKu.exe
PID 2548 wrote to memory of 4228	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	sNyvTwu.exe
PID 2548 wrote to memory of 4228	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	sNyvTwu.exe
PID 2548 wrote to memory of 1832	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	AYfKWhf.exe
PID 2548 wrote to memory of 1832	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	AYfKWhf.exe
PID 2548 wrote to memory of 3052	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	QstFkQP.exe
PID 2548 wrote to memory of 3052	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	QstFkQP.exe
PID 2548 wrote to memory of 228	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	dMasgKb.exe
PID 2548 wrote to memory of 228	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	dMasgKb.exe
PID 2548 wrote to memory of 4108	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	qwzpDGJ.exe
PID 2548 wrote to memory of 4108	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	qwzpDGJ.exe
PID 2548 wrote to memory of 3756	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	Pvjtpum.exe
PID 2548 wrote to memory of 3756	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	Pvjtpum.exe
PID 2548 wrote to memory of 904	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	mIQZgml.exe
PID 2548 wrote to memory of 904	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	mIQZgml.exe
PID 2548 wrote to memory of 4912	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	oleOZxx.exe
PID 2548 wrote to memory of 4912	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	oleOZxx.exe
PID 2548 wrote to memory of 1836	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	iuBqINs.exe
PID 2548 wrote to memory of 1836	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	iuBqINs.exe
PID 2548 wrote to memory of 2796	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	jKFtyxF.exe
PID 2548 wrote to memory of 2796	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	jKFtyxF.exe
PID 2548 wrote to memory of 3860	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	vRWTAex.exe
PID 2548 wrote to memory of 3860	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	vRWTAex.exe
PID 2548 wrote to memory of 2924	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	xLbZpFB.exe
PID 2548 wrote to memory of 2924	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	xLbZpFB.exe
PID 2548 wrote to memory of 2216	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	qcSdKsO.exe
PID 2548 wrote to memory of 2216	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	qcSdKsO.exe
PID 2548 wrote to memory of 1808	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	SHrsMgw.exe
PID 2548 wrote to memory of 1808	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	SHrsMgw.exe
PID 2548 wrote to memory of 4652	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	IiSFxlO.exe
PID 2548 wrote to memory of 4652	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	IiSFxlO.exe
PID 2548 wrote to memory of 2176	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	BlezRwy.exe
PID 2548 wrote to memory of 2176	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	BlezRwy.exe
PID 2548 wrote to memory of 1128	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	bDpkTGT.exe
PID 2548 wrote to memory of 1128	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	bDpkTGT.exe
PID 2548 wrote to memory of 2100	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	BHHwaVN.exe
PID 2548 wrote to memory of 2100	2548	2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe	BHHwaVN.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_ff125116f134e5a9eb784c333d90bdad_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\System\eJZnRTB.exe
C:\Windows\System\eJZnRTB.exe
2⤵
- Executes dropped EXE
PID:464

C:\Windows\System\YpYznDb.exe
C:\Windows\System\YpYznDb.exe
2⤵
- Executes dropped EXE
PID:5016

C:\Windows\System\PMmaiKu.exe
C:\Windows\System\PMmaiKu.exe
2⤵
- Executes dropped EXE
PID:952

C:\Windows\System\sNyvTwu.exe
C:\Windows\System\sNyvTwu.exe
2⤵
- Executes dropped EXE
PID:4228

C:\Windows\System\AYfKWhf.exe
C:\Windows\System\AYfKWhf.exe
2⤵
- Executes dropped EXE
PID:1832

C:\Windows\System\QstFkQP.exe
C:\Windows\System\QstFkQP.exe
2⤵
- Executes dropped EXE
PID:3052

C:\Windows\System\dMasgKb.exe
C:\Windows\System\dMasgKb.exe
2⤵
- Executes dropped EXE
PID:228

C:\Windows\System\qwzpDGJ.exe
C:\Windows\System\qwzpDGJ.exe
2⤵
- Executes dropped EXE
PID:4108

C:\Windows\System\Pvjtpum.exe
C:\Windows\System\Pvjtpum.exe
2⤵
- Executes dropped EXE
PID:3756

C:\Windows\System\mIQZgml.exe
C:\Windows\System\mIQZgml.exe
2⤵
- Executes dropped EXE
PID:904

C:\Windows\System\oleOZxx.exe
C:\Windows\System\oleOZxx.exe
2⤵
- Executes dropped EXE
PID:4912

C:\Windows\System\iuBqINs.exe
C:\Windows\System\iuBqINs.exe
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\System\jKFtyxF.exe
C:\Windows\System\jKFtyxF.exe
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\System\vRWTAex.exe
C:\Windows\System\vRWTAex.exe
2⤵
- Executes dropped EXE
PID:3860

C:\Windows\System\xLbZpFB.exe
C:\Windows\System\xLbZpFB.exe
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\System\qcSdKsO.exe
C:\Windows\System\qcSdKsO.exe
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\System\SHrsMgw.exe
C:\Windows\System\SHrsMgw.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\IiSFxlO.exe
C:\Windows\System\IiSFxlO.exe
2⤵
- Executes dropped EXE
PID:4652

C:\Windows\System\BlezRwy.exe
C:\Windows\System\BlezRwy.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System\bDpkTGT.exe
C:\Windows\System\bDpkTGT.exe
2⤵
- Executes dropped EXE
PID:1128

C:\Windows\System\BHHwaVN.exe
C:\Windows\System\BHHwaVN.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AYfKWhf.exe

Filesize
5.2MB

MD5
5de5a1607cc2bbb6b650ec096bcada4f

SHA1
1447a08ea71de35c5c8e20b173ee132909cd698d

SHA256
e5d8dafc9845226e801da490fb91951ed6fa38db5cb315e1fdc80752f8db9a7c

SHA512
4a1a12298fd13c2d99591817547afed59477a6156024da46be6206d4297c9320f6f0a38d6cf18a0e4b818742a3ef3265a6870ac2906572407e73a4866d921800

Download Submit
C:\Windows\System\BHHwaVN.exe

Filesize
5.2MB

MD5
691ce04b9b154b9bd41361142c61d496

SHA1
d12b740b531831505d923981e4053bed098597aa

SHA256
48de0780888937e7f33ac91ad4707dacebfe589cb5e1396ae0a62a870305c3e4

SHA512
514dd7e1ab8133b9e9eb2adae5f3fa7de47e7df483d35f4d6703fb1aee0c4fce608a321961fc7206820b24912c8459658378d18055cd27c30aec254531125fee

Download Submit
C:\Windows\System\BlezRwy.exe

Filesize
5.2MB

MD5
b64e9deb529b77557b62eb52a0caaa02

SHA1
b83daf5ecd4ec02f4b694a97cdbdbe16f22b8afa

SHA256
21b942c34de7f4189fa7dd50de652f4551a5b7fd5dfbfb57e572e23ea4b0107f

SHA512
5394b46f9c77510bbdb459281c0e5dc206ae6639bff55a62cb5fb6d007aaf835ee0389bf912b84bda251e1fbdffdd28fc170b903120e020bec242989374b0e7d

Download Submit
C:\Windows\System\IiSFxlO.exe

Filesize
5.2MB

MD5
0a6292ab57ef77bc1b0e196862a2e6f3

SHA1
ab7b7e4c4ba2608aa8ee7cdbd46d5a854509f371

SHA256
7a98b29b1d6168788bc07da8ea0110f0d7d8e3b64494a185f36e3c3cbcb9bd3d

SHA512
2417953b04418f94c86936a738fb0af2e738fc1ae1b8c09012ebf300f40cd977b82c6fb54f6b605e127abbc77113092d598c13b28408d28f3810ce86f98695dc

Download Submit
C:\Windows\System\PMmaiKu.exe

Filesize
5.2MB

MD5
d5f7aa5520a8e6b1177150333a2af40f

SHA1
42319c9f9dfcb8228bdb6be3d1d58b0e25fc5c7a

SHA256
dc0af10b36b230dcb5f0d9b85c2134d783681577875ac41631c5df917686bc95

SHA512
c27a735c82429a5e85eb6b46272f8812e2a301e9616ca42f26524b23d1cf2f13c33699017c8b421a3e373f8fe7fd575642fd4f9556e96bdf20c3ca1b617e81a7

Download Submit
C:\Windows\System\Pvjtpum.exe

Filesize
5.2MB

MD5
1de637fa50892cd48a44d508f423daa5

SHA1
ced275d12d8b91f1e4a6d56d02ba0b4f8558079f

SHA256
678f03f520cc468b8564ec8544e9844d4e355c5aa4b4c3679f0cfa6eaf4b496f

SHA512
8999b89ff7044a3b30317dac10c77c8a68ac63b8e308ba36b2e6a07a1c45520bdffa5bbfbdee3c21147e8d8eecb9c01330a6898f4f99b3cf02bcbee937d583ca

Download Submit
C:\Windows\System\QstFkQP.exe

Filesize
5.2MB

MD5
61bc5d72712ba7280997e57c8d23927e

SHA1
2cfea5b2d43e1a5b75ebbbe3aadea5b82a1656d5

SHA256
7ae0f834eb901218f815abc64ace20b58fb2ff3780ecb6f9ff7f675557da0a45

SHA512
66b841a6cb558e09bbfdfdf2137bf2e1936b59dbfe3ff7f63f25f06c054fe00fe49cfe8df315f75cf6c3db6c69b7de2236d6509aefa05a191fda0e4ab8535405

Download Submit
C:\Windows\System\SHrsMgw.exe

Filesize
5.2MB

MD5
2bb2bbb00b3b3758656cc67b10a8f426

SHA1
6e095b66614b9425215dc51f30addac129947bdb

SHA256
24404f4ed2722046c38c13327d63895f44c71e4015638c52a20c44f2ab820db6

SHA512
5c7aa968b2ae80a5518750031be843433adc3ac863353e9cf5a55a410dca50fb923cb4f6503e3bec411a31ca8063b606b0076ae933809ef274a5662629dd5d8c

Download Submit
C:\Windows\System\YpYznDb.exe

Filesize
5.2MB

MD5
92a659e1fc329bf2768a12823728e5cd

SHA1
8f05fd4e94c1d697df26ee50928da131002daf49

SHA256
ff7efc9d30b018c3e981fca901c878849ab587c83ae19a436d3e42fb502c8bb0

SHA512
710847ec0aa14ace5464026479ea17518b05df50191df3e920672bdd46cf73689bafa873e35f63647c912d1ad32bda95d0207dd1678f64df933da15a1b016e3a

Download Submit
C:\Windows\System\bDpkTGT.exe

Filesize
5.2MB

MD5
4be9c66c45eece6dc6fd34f01ed47b4e

SHA1
59bb7a46b68c1942a6e9916893505338a73810ee

SHA256
fec74c4921db9f6c67ea9d0d9d82461f96ac7d3959e434b6643c569cd7ddbf88

SHA512
a528f652d7aaa7d614893b5980d9bdefa5da5727fef90778811585f2cb82b52612b14a57b1f7b10790e02c4461cb6ff63382d9b6c50ce65c6dbbc48d725f4e3c

Download Submit
C:\Windows\System\dMasgKb.exe

Filesize
5.2MB

MD5
5b22e4ba330dff8cccf4f333a4ced7b6

SHA1
d3263b0ebb945b49d7599e3d393e2393ea75edd4

SHA256
e8dc762c115a4a5bf276be57be9990b5ac47d1b484297a5166f8342d12d06d23

SHA512
9347c350d349e809b1276536ca71e41dbe8dc9c634f8e30c8cec48edc7ea0fe0564a67311f7b254d9b603e2885cb689d41ea851e259f98195335f0038ede3592

Download Submit
C:\Windows\System\eJZnRTB.exe

Filesize
5.2MB

MD5
c8cc5c7fb2840f3ec5a67f6488136116

SHA1
c8904d99cbf1670371d0bd500a5d29e26f2e49c1

SHA256
4c0fc651c1e01e3aac57092eb4e7fb655d8e7ac0e978453dff42b9d235bc9c33

SHA512
cc4fd72341ed2ad4cebc45845d18e8be41a853b5c794325061e5a52f9ad92516e46aaa5487274298ab38ca669bb23fc73219766e92ab55e88eda3de3d1d7d10d

Download Submit
C:\Windows\System\iuBqINs.exe

Filesize
5.2MB

MD5
9ea81eabb6b3b2b2d8b594c993c42842

SHA1
2badf8303d3d0a98da1050cbc61601bed9ce1385

SHA256
1323991808b975be973846bf0af79a489ad0eda803dfcb88734bd582b06c004d

SHA512
1b5d9d7ccbfff4a65eee6cfa7479248db68c088819acff690947d98eeadfcbde7a7b5932cdbae7bbcbc56506b03bf69f5aa0242f5646e76239859b2907ce0d2d

Download Submit
C:\Windows\System\jKFtyxF.exe

Filesize
5.2MB

MD5
7e8d185308b635b1bded6034ee9b66ff

SHA1
6bfc9bdcef28be20cae328b96d6e55340bc8c775

SHA256
7ac752d973674efbfc8a472fbc44dba3dce6f346c9cf18ee8975d02b9bb84493

SHA512
b85b4f30ad41261e0e09548bb18a2b73005dc94e4b82d5dc76a4414ecbc87b455f464a52a0de377f50e1e18c318b9ab466c85df9c4e1530f700f9022ffca8b72

Download Submit
C:\Windows\System\mIQZgml.exe

Filesize
5.2MB

MD5
363c3d610c9fc0542839798bfb8ed452

SHA1
c394a7d60e99e36101b47a0f01a1e13765bca3a3

SHA256
d7460a0ddcb7fe573f720ae7d0d25020faddf9d23f71d39d5b9393586b9500af

SHA512
3d44668733ab3053b3bcde87b27c8242c8dc671cd88049585cda15a461887e6d545ec7a2f230a50dcf98463a232ee50541803b1c68906ee1149a89bae47f9060

Download Submit
C:\Windows\System\oleOZxx.exe

Filesize
5.2MB

MD5
8fac992438a6eeac1192db566236939d

SHA1
1dc6403ca26bc61df5ffdc32c2b6bd2a9c241ca6

SHA256
c1446ab8c3e0082e9e6d63d592881d698cccc2087aa3db9230664d3d1322c91b

SHA512
6189214c7e4a38f56eb9c5c1c152f4a42533f59a8153b6b457176f12fc19eb1b24b79cf37d520a6e86800e4e069be6e82906d64ab447b707db9db1c2116f566f

Download Submit
C:\Windows\System\qcSdKsO.exe

Filesize
5.2MB

MD5
03e3e88ddaa68400cdeb70a3064b100d

SHA1
35b1a5944ed7949c23d676f0d0bbbcd409b5f3d3

SHA256
da85cd50e8c629830f9b7e94d6343ba7c113f49076980211b13b41b1be37c296

SHA512
85f87a00746d9f35223c32619d019f2e653674c0a633367f962eecf34c453e12e5efcd7e73d9d87ef147cfc6a655837c331378872406e5278f3994e16c142d48

Download Submit
C:\Windows\System\qwzpDGJ.exe

Filesize
5.2MB

MD5
a6eac67f33df4a003678fd3fa34aa52a

SHA1
b628dd3b8c75de2b024630a53751bff61931c438

SHA256
d6ed9f47c2f81c5e28300b5eb918064a9fc03134b31abdf8da42eacbf0aae75f

SHA512
2fbf6cffbb7b0838b02ddab4a2bbd51cfb231e4ec8c61969ca50c2bae0227bbb78112f0a9db8fa0f2c102050d767124b10c7a8b56ac61f33abc3523a28751183

Download Submit
C:\Windows\System\sNyvTwu.exe

Filesize
5.2MB

MD5
6f4a8741748177916f806532d64db937

SHA1
aa78a325cc86852e23e00b57cc305bfdd989ed93

SHA256
31edd2d441810a07ddcac6503c010b8f73b45e1443995a0385fe0f1263839e91

SHA512
a2b79949dbc1f2ed87816eac42ec3650134c92b99db5c922ae5fa4c78aaf771530b0b01ab8862c404b36c4e49d2204073cd4a50bf92d431adff392f1cdea1c23

Download Submit
C:\Windows\System\vRWTAex.exe

Filesize
5.2MB

MD5
2abf5e1c3a6ccd5d008b54e478ff03c0

SHA1
5f70c2843f006c7bd86550c3d3ee817492c1eef7

SHA256
2a58b2749df109da21b9b35e19a375847a115c5bc2cc1a95e3a9773b3b4cf125

SHA512
a89314b95bf15d21291c9b8affa478c6999ade4e3952d52760d158630331d6091952d7e2624600397797716e1b758f2246cfa9f8cde22ce87e24d0347bfc2576

Download Submit
C:\Windows\System\xLbZpFB.exe

Filesize
5.2MB

MD5
76b0f2f4bc606fafccfdb7a23d05852c

SHA1
669b4e2662b31cf02676d5e15c1d1d164e581f2d

SHA256
e29d14139d2183622b787e83c410105e3d527e960ff8861e9cc9565a948399c4

SHA512
dfabfe45cb4adc96a2237de42cde84c029adc43c3a55359b5743b88b740326838fd1b959b863e5e922ba3afe1514a4093a946458d487a13a0c831a11449e932f

Download Submit
memory/228-44-0x00007FF776460000-0x00007FF7767B1000-memory.dmp

Filesize
3.3MB

Download
memory/228-205-0x00007FF776460000-0x00007FF7767B1000-memory.dmp

Filesize
3.3MB

Download
memory/464-115-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp

Filesize
3.3MB

Download
memory/464-182-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp

Filesize
3.3MB

Download
memory/464-6-0x00007FF6DB3B0000-0x00007FF6DB701000-memory.dmp

Filesize
3.3MB

Download
memory/904-124-0x00007FF7FE530000-0x00007FF7FE881000-memory.dmp

Filesize
3.3MB

Download
memory/904-211-0x00007FF7FE530000-0x00007FF7FE881000-memory.dmp

Filesize
3.3MB

Download
memory/952-193-0x00007FF7440E0000-0x00007FF744431000-memory.dmp

Filesize
3.3MB

Download
memory/952-20-0x00007FF7440E0000-0x00007FF744431000-memory.dmp

Filesize
3.3MB

Download
memory/952-117-0x00007FF7440E0000-0x00007FF744431000-memory.dmp

Filesize
3.3MB

Download
memory/1128-134-0x00007FF7CA940000-0x00007FF7CAC91000-memory.dmp

Filesize
3.3MB

Download
memory/1128-231-0x00007FF7CA940000-0x00007FF7CAC91000-memory.dmp

Filesize
3.3MB

Download
memory/1808-226-0x00007FF75F640000-0x00007FF75F991000-memory.dmp

Filesize
3.3MB

Download
memory/1808-131-0x00007FF75F640000-0x00007FF75F991000-memory.dmp

Filesize
3.3MB

Download
memory/1832-201-0x00007FF713AC0000-0x00007FF713E11000-memory.dmp

Filesize
3.3MB

Download
memory/1832-37-0x00007FF713AC0000-0x00007FF713E11000-memory.dmp

Filesize
3.3MB

Download
memory/1836-126-0x00007FF724040000-0x00007FF724391000-memory.dmp

Filesize
3.3MB

Download
memory/1836-218-0x00007FF724040000-0x00007FF724391000-memory.dmp

Filesize
3.3MB

Download
memory/2100-135-0x00007FF7B9AD0000-0x00007FF7B9E21000-memory.dmp

Filesize
3.3MB

Download
memory/2100-233-0x00007FF7B9AD0000-0x00007FF7B9E21000-memory.dmp

Filesize
3.3MB

Download
memory/2176-229-0x00007FF66FA40000-0x00007FF66FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2176-133-0x00007FF66FA40000-0x00007FF66FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2216-223-0x00007FF76F280000-0x00007FF76F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-130-0x00007FF76F280000-0x00007FF76F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-136-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp

Filesize
3.3MB

Download
memory/2548-1-0x000002779D820000-0x000002779D830000-memory.dmp

Filesize
64KB

Download
memory/2548-0-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp

Filesize
3.3MB

Download
memory/2548-114-0x00007FF78C0C0000-0x00007FF78C411000-memory.dmp

Filesize
3.3MB

Download
memory/2796-127-0x00007FF70AE70000-0x00007FF70B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-215-0x00007FF70AE70000-0x00007FF70B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-129-0x00007FF750340000-0x00007FF750691000-memory.dmp

Filesize
3.3MB

Download
memory/2924-221-0x00007FF750340000-0x00007FF750691000-memory.dmp

Filesize
3.3MB

Download
memory/3052-203-0x00007FF6DD440000-0x00007FF6DD791000-memory.dmp

Filesize
3.3MB

Download
memory/3052-40-0x00007FF6DD440000-0x00007FF6DD791000-memory.dmp

Filesize
3.3MB

Download
memory/3756-123-0x00007FF6E9010000-0x00007FF6E9361000-memory.dmp

Filesize
3.3MB

Download
memory/3756-208-0x00007FF6E9010000-0x00007FF6E9361000-memory.dmp

Filesize
3.3MB

Download
memory/3860-128-0x00007FF739BA0000-0x00007FF739EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3860-214-0x00007FF739BA0000-0x00007FF739EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-122-0x00007FF6991A0000-0x00007FF6994F1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-209-0x00007FF6991A0000-0x00007FF6994F1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-196-0x00007FF7790E0000-0x00007FF779431000-memory.dmp

Filesize
3.3MB

Download
memory/4228-26-0x00007FF7790E0000-0x00007FF779431000-memory.dmp

Filesize
3.3MB

Download
memory/4228-118-0x00007FF7790E0000-0x00007FF779431000-memory.dmp

Filesize
3.3MB

Download
memory/4652-132-0x00007FF744E00000-0x00007FF745151000-memory.dmp

Filesize
3.3MB

Download
memory/4652-227-0x00007FF744E00000-0x00007FF745151000-memory.dmp

Filesize
3.3MB

Download
memory/4912-219-0x00007FF6E89E0000-0x00007FF6E8D31000-memory.dmp

Filesize
3.3MB

Download
memory/4912-125-0x00007FF6E89E0000-0x00007FF6E8D31000-memory.dmp

Filesize
3.3MB

Download
memory/5016-184-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp

Filesize
3.3MB

Download
memory/5016-13-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp

Filesize
3.3MB

Download
memory/5016-116-0x00007FF7B2C30000-0x00007FF7B2F81000-memory.dmp

Filesize
3.3MB

Download