cobaltstrike | c20a39335678b75ed7eb6162ebaf5847ad442a138e2decc13ca783d3bd3db001

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

0d2928c7641b504e667e7904d77fd96f
SHA1

f9aaaad245d6f6c560c55197f210d038f7976273
SHA256

c20a39335678b75ed7eb6162ebaf5847ad442a138e2decc13ca783d3bd3db001
SHA512

5405530b7cf1e4b9d7feea30051a54fb55c2f2b9c77cea2a149b3d378859ae33f2d4e937786016cccd230d0ad647a89b52d2c5bbdbdd9ce0339b8babe8b5940a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\IyKvKCe.exe	cobalt_reflective_dll
C:\Windows\System\DzowfRL.exe	cobalt_reflective_dll
C:\Windows\System\WvVodsi.exe	cobalt_reflective_dll
C:\Windows\System\sbisOxS.exe	cobalt_reflective_dll
C:\Windows\System\BQpJLOL.exe	cobalt_reflective_dll
C:\Windows\System\ylhYEKN.exe	cobalt_reflective_dll
C:\Windows\System\lmEbZYf.exe	cobalt_reflective_dll
C:\Windows\System\hOLnCFn.exe	cobalt_reflective_dll
C:\Windows\System\tdDusxu.exe	cobalt_reflective_dll
C:\Windows\System\GfACqpC.exe	cobalt_reflective_dll
C:\Windows\System\WLwnuDt.exe	cobalt_reflective_dll
C:\Windows\System\UCVkyBA.exe	cobalt_reflective_dll
C:\Windows\System\dawOBJm.exe	cobalt_reflective_dll
C:\Windows\System\WZBGwJz.exe	cobalt_reflective_dll
C:\Windows\System\mJANlHU.exe	cobalt_reflective_dll
C:\Windows\System\bBsTDqv.exe	cobalt_reflective_dll
C:\Windows\System\iJkBggt.exe	cobalt_reflective_dll
C:\Windows\System\OKyStMV.exe	cobalt_reflective_dll
C:\Windows\System\gVbxZAs.exe	cobalt_reflective_dll
C:\Windows\System\wOtLFmi.exe	cobalt_reflective_dll
C:\Windows\System\oMjUhyN.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\IyKvKCe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DzowfRL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WvVodsi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sbisOxS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BQpJLOL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ylhYEKN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lmEbZYf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hOLnCFn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tdDusxu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GfACqpC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WLwnuDt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UCVkyBA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dawOBJm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WZBGwJz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mJANlHU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bBsTDqv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iJkBggt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OKyStMV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gVbxZAs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wOtLFmi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oMjUhyN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4708-0-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	UPX
C:\Windows\System\IyKvKCe.exe	UPX
C:\Windows\System\DzowfRL.exe	UPX
C:\Windows\System\WvVodsi.exe	UPX
behavioral2/memory/1568-18-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp	UPX
behavioral2/memory/2956-26-0x00007FF699680000-0x00007FF6999D1000-memory.dmp	UPX
C:\Windows\System\sbisOxS.exe	UPX
C:\Windows\System\BQpJLOL.exe	UPX
C:\Windows\System\ylhYEKN.exe	UPX
C:\Windows\System\lmEbZYf.exe	UPX
C:\Windows\System\hOLnCFn.exe	UPX
behavioral2/memory/3884-75-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp	UPX
C:\Windows\System\tdDusxu.exe	UPX
behavioral2/memory/2424-67-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp	UPX
behavioral2/memory/3972-66-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp	UPX
behavioral2/memory/3780-62-0x00007FF61C500000-0x00007FF61C851000-memory.dmp	UPX
behavioral2/memory/1728-61-0x00007FF6740B0000-0x00007FF674401000-memory.dmp	UPX
C:\Windows\System\GfACqpC.exe	UPX
C:\Windows\System\WLwnuDt.exe	UPX
behavioral2/memory/1544-52-0x00007FF744DD0000-0x00007FF745121000-memory.dmp	UPX
C:\Windows\System\UCVkyBA.exe	UPX
behavioral2/memory/4236-40-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp	UPX
behavioral2/memory/1412-39-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp	UPX
C:\Windows\System\dawOBJm.exe	UPX
C:\Windows\System\WZBGwJz.exe	UPX
behavioral2/memory/1720-24-0x00007FF6A3570000-0x00007FF6A38C1000-memory.dmp	UPX
behavioral2/memory/2260-9-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp	UPX
behavioral2/memory/5084-81-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp	UPX
behavioral2/memory/4068-82-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp	UPX
C:\Windows\System\mJANlHU.exe	UPX
C:\Windows\System\bBsTDqv.exe	UPX
behavioral2/memory/436-99-0x00007FF6FDA70000-0x00007FF6FDDC1000-memory.dmp	UPX
behavioral2/memory/4988-97-0x00007FF694F10000-0x00007FF695261000-memory.dmp	UPX
C:\Windows\System\iJkBggt.exe	UPX
behavioral2/memory/4708-104-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	UPX
C:\Windows\System\OKyStMV.exe	UPX
behavioral2/memory/2260-109-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp	UPX
C:\Windows\System\gVbxZAs.exe	UPX
C:\Windows\System\wOtLFmi.exe	UPX
C:\Windows\System\oMjUhyN.exe	UPX
behavioral2/memory/4084-129-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp	UPX
behavioral2/memory/4516-126-0x00007FF6102B0000-0x00007FF610601000-memory.dmp	UPX
behavioral2/memory/1412-125-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp	UPX
behavioral2/memory/2956-123-0x00007FF699680000-0x00007FF6999D1000-memory.dmp	UPX
behavioral2/memory/1520-121-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp	UPX
behavioral2/memory/1568-117-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp	UPX
behavioral2/memory/1684-116-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp	UPX
behavioral2/memory/2596-106-0x00007FF7158F0000-0x00007FF715C41000-memory.dmp	UPX
behavioral2/memory/3972-135-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp	UPX
behavioral2/memory/1728-134-0x00007FF6740B0000-0x00007FF674401000-memory.dmp	UPX
behavioral2/memory/4236-133-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp	UPX
behavioral2/memory/5084-149-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp	UPX
behavioral2/memory/4068-150-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp	UPX
behavioral2/memory/3884-148-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp	UPX
behavioral2/memory/3780-145-0x00007FF61C500000-0x00007FF61C851000-memory.dmp	UPX
behavioral2/memory/1544-143-0x00007FF744DD0000-0x00007FF745121000-memory.dmp	UPX
behavioral2/memory/2424-146-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp	UPX
behavioral2/memory/4708-136-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	UPX
behavioral2/memory/4516-156-0x00007FF6102B0000-0x00007FF610601000-memory.dmp	UPX
behavioral2/memory/4084-157-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp	UPX
behavioral2/memory/1520-155-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp	UPX
behavioral2/memory/1684-154-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp	UPX
behavioral2/memory/4708-158-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	UPX
behavioral2/memory/2260-208-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1544-52-0x00007FF744DD0000-0x00007FF745121000-memory.dmp	xmrig
behavioral2/memory/1720-24-0x00007FF6A3570000-0x00007FF6A38C1000-memory.dmp	xmrig
behavioral2/memory/436-99-0x00007FF6FDA70000-0x00007FF6FDDC1000-memory.dmp	xmrig
behavioral2/memory/4988-97-0x00007FF694F10000-0x00007FF695261000-memory.dmp	xmrig
behavioral2/memory/4708-104-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	xmrig
behavioral2/memory/2260-109-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp	xmrig
behavioral2/memory/1412-125-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp	xmrig
behavioral2/memory/2956-123-0x00007FF699680000-0x00007FF6999D1000-memory.dmp	xmrig
behavioral2/memory/1568-117-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp	xmrig
behavioral2/memory/2596-106-0x00007FF7158F0000-0x00007FF715C41000-memory.dmp	xmrig
behavioral2/memory/3972-135-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp	xmrig
behavioral2/memory/1728-134-0x00007FF6740B0000-0x00007FF674401000-memory.dmp	xmrig
behavioral2/memory/4236-133-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp	xmrig
behavioral2/memory/5084-149-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp	xmrig
behavioral2/memory/4068-150-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp	xmrig
behavioral2/memory/3884-148-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp	xmrig
behavioral2/memory/3780-145-0x00007FF61C500000-0x00007FF61C851000-memory.dmp	xmrig
behavioral2/memory/1544-143-0x00007FF744DD0000-0x00007FF745121000-memory.dmp	xmrig
behavioral2/memory/2424-146-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp	xmrig
behavioral2/memory/4708-136-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	xmrig
behavioral2/memory/4516-156-0x00007FF6102B0000-0x00007FF610601000-memory.dmp	xmrig
behavioral2/memory/4084-157-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp	xmrig
behavioral2/memory/1520-155-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp	xmrig
behavioral2/memory/1684-154-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp	xmrig
behavioral2/memory/4708-158-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	xmrig
behavioral2/memory/2260-208-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp	xmrig
behavioral2/memory/1568-210-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp	xmrig
behavioral2/memory/1720-212-0x00007FF6A3570000-0x00007FF6A38C1000-memory.dmp	xmrig
behavioral2/memory/2956-214-0x00007FF699680000-0x00007FF6999D1000-memory.dmp	xmrig
behavioral2/memory/1412-216-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp	xmrig
behavioral2/memory/4236-218-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp	xmrig
behavioral2/memory/1544-221-0x00007FF744DD0000-0x00007FF745121000-memory.dmp	xmrig
behavioral2/memory/1728-222-0x00007FF6740B0000-0x00007FF674401000-memory.dmp	xmrig
behavioral2/memory/2424-226-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp	xmrig
behavioral2/memory/3780-225-0x00007FF61C500000-0x00007FF61C851000-memory.dmp	xmrig
behavioral2/memory/3972-228-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp	xmrig
behavioral2/memory/5084-233-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp	xmrig
behavioral2/memory/4068-235-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp	xmrig
behavioral2/memory/4988-237-0x00007FF694F10000-0x00007FF695261000-memory.dmp	xmrig
behavioral2/memory/436-240-0x00007FF6FDA70000-0x00007FF6FDDC1000-memory.dmp	xmrig
behavioral2/memory/3884-241-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp	xmrig
behavioral2/memory/2596-243-0x00007FF7158F0000-0x00007FF715C41000-memory.dmp	xmrig
behavioral2/memory/1684-248-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp	xmrig
behavioral2/memory/1520-251-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp	xmrig
behavioral2/memory/4516-253-0x00007FF6102B0000-0x00007FF610601000-memory.dmp	xmrig
behavioral2/memory/4084-255-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

IyKvKCe.exeWvVodsi.exeDzowfRL.exeWZBGwJz.exedawOBJm.exesbisOxS.exeUCVkyBA.exeWLwnuDt.exeGfACqpC.exetdDusxu.exeylhYEKN.exeBQpJLOL.exehOLnCFn.exelmEbZYf.exeiJkBggt.exemJANlHU.exebBsTDqv.exeOKyStMV.exegVbxZAs.exewOtLFmi.exeoMjUhyN.exe

pid	process
2260	IyKvKCe.exe
1568	WvVodsi.exe
1720	DzowfRL.exe
2956	WZBGwJz.exe
1412	dawOBJm.exe
4236	sbisOxS.exe
1544	UCVkyBA.exe
1728	WLwnuDt.exe
3780	GfACqpC.exe
2424	tdDusxu.exe
3972	ylhYEKN.exe
3884	BQpJLOL.exe
5084	hOLnCFn.exe
4068	lmEbZYf.exe
4988	iJkBggt.exe
436	mJANlHU.exe
2596	bBsTDqv.exe
1684	OKyStMV.exe
1520	gVbxZAs.exe
4516	wOtLFmi.exe
4084	oMjUhyN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4708-0-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	upx
C:\Windows\System\IyKvKCe.exe	upx
C:\Windows\System\DzowfRL.exe	upx
C:\Windows\System\WvVodsi.exe	upx
behavioral2/memory/1568-18-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp	upx
behavioral2/memory/2956-26-0x00007FF699680000-0x00007FF6999D1000-memory.dmp	upx
C:\Windows\System\sbisOxS.exe	upx
C:\Windows\System\BQpJLOL.exe	upx
C:\Windows\System\ylhYEKN.exe	upx
C:\Windows\System\lmEbZYf.exe	upx
C:\Windows\System\hOLnCFn.exe	upx
behavioral2/memory/3884-75-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp	upx
C:\Windows\System\tdDusxu.exe	upx
behavioral2/memory/2424-67-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp	upx
behavioral2/memory/3972-66-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp	upx
behavioral2/memory/3780-62-0x00007FF61C500000-0x00007FF61C851000-memory.dmp	upx
behavioral2/memory/1728-61-0x00007FF6740B0000-0x00007FF674401000-memory.dmp	upx
C:\Windows\System\GfACqpC.exe	upx
C:\Windows\System\WLwnuDt.exe	upx
behavioral2/memory/1544-52-0x00007FF744DD0000-0x00007FF745121000-memory.dmp	upx
C:\Windows\System\UCVkyBA.exe	upx
behavioral2/memory/4236-40-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp	upx
behavioral2/memory/1412-39-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp	upx
C:\Windows\System\dawOBJm.exe	upx
C:\Windows\System\WZBGwJz.exe	upx
behavioral2/memory/1720-24-0x00007FF6A3570000-0x00007FF6A38C1000-memory.dmp	upx
behavioral2/memory/2260-9-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp	upx
behavioral2/memory/5084-81-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp	upx
behavioral2/memory/4068-82-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp	upx
C:\Windows\System\mJANlHU.exe	upx
C:\Windows\System\bBsTDqv.exe	upx
behavioral2/memory/436-99-0x00007FF6FDA70000-0x00007FF6FDDC1000-memory.dmp	upx
behavioral2/memory/4988-97-0x00007FF694F10000-0x00007FF695261000-memory.dmp	upx
C:\Windows\System\iJkBggt.exe	upx
behavioral2/memory/4708-104-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	upx
C:\Windows\System\OKyStMV.exe	upx
behavioral2/memory/2260-109-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp	upx
C:\Windows\System\gVbxZAs.exe	upx
C:\Windows\System\wOtLFmi.exe	upx
C:\Windows\System\oMjUhyN.exe	upx
behavioral2/memory/4084-129-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp	upx
behavioral2/memory/4516-126-0x00007FF6102B0000-0x00007FF610601000-memory.dmp	upx
behavioral2/memory/1412-125-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp	upx
behavioral2/memory/2956-123-0x00007FF699680000-0x00007FF6999D1000-memory.dmp	upx
behavioral2/memory/1520-121-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp	upx
behavioral2/memory/1568-117-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp	upx
behavioral2/memory/1684-116-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp	upx
behavioral2/memory/2596-106-0x00007FF7158F0000-0x00007FF715C41000-memory.dmp	upx
behavioral2/memory/3972-135-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp	upx
behavioral2/memory/1728-134-0x00007FF6740B0000-0x00007FF674401000-memory.dmp	upx
behavioral2/memory/4236-133-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp	upx
behavioral2/memory/5084-149-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp	upx
behavioral2/memory/4068-150-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp	upx
behavioral2/memory/3884-148-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp	upx
behavioral2/memory/3780-145-0x00007FF61C500000-0x00007FF61C851000-memory.dmp	upx
behavioral2/memory/1544-143-0x00007FF744DD0000-0x00007FF745121000-memory.dmp	upx
behavioral2/memory/2424-146-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp	upx
behavioral2/memory/4708-136-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	upx
behavioral2/memory/4516-156-0x00007FF6102B0000-0x00007FF610601000-memory.dmp	upx
behavioral2/memory/4084-157-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp	upx
behavioral2/memory/1520-155-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp	upx
behavioral2/memory/1684-154-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp	upx
behavioral2/memory/4708-158-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp	upx
behavioral2/memory/2260-208-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\mJANlHU.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OKyStMV.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oMjUhyN.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dawOBJm.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WLwnuDt.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tdDusxu.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BQpJLOL.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hOLnCFn.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WvVodsi.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UCVkyBA.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lmEbZYf.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bBsTDqv.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gVbxZAs.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IyKvKCe.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DzowfRL.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sbisOxS.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GfACqpC.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ylhYEKN.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WZBGwJz.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iJkBggt.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wOtLFmi.exe	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4708 wrote to memory of 2260	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	IyKvKCe.exe
PID 4708 wrote to memory of 2260	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	IyKvKCe.exe
PID 4708 wrote to memory of 1568	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	WvVodsi.exe
PID 4708 wrote to memory of 1568	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	WvVodsi.exe
PID 4708 wrote to memory of 1720	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	DzowfRL.exe
PID 4708 wrote to memory of 1720	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	DzowfRL.exe
PID 4708 wrote to memory of 2956	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	WZBGwJz.exe
PID 4708 wrote to memory of 2956	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	WZBGwJz.exe
PID 4708 wrote to memory of 1412	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	dawOBJm.exe
PID 4708 wrote to memory of 1412	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	dawOBJm.exe
PID 4708 wrote to memory of 4236	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	sbisOxS.exe
PID 4708 wrote to memory of 4236	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	sbisOxS.exe
PID 4708 wrote to memory of 1544	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	UCVkyBA.exe
PID 4708 wrote to memory of 1544	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	UCVkyBA.exe
PID 4708 wrote to memory of 1728	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	WLwnuDt.exe
PID 4708 wrote to memory of 1728	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	WLwnuDt.exe
PID 4708 wrote to memory of 3780	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	GfACqpC.exe
PID 4708 wrote to memory of 3780	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	GfACqpC.exe
PID 4708 wrote to memory of 2424	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	tdDusxu.exe
PID 4708 wrote to memory of 2424	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	tdDusxu.exe
PID 4708 wrote to memory of 3972	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	ylhYEKN.exe
PID 4708 wrote to memory of 3972	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	ylhYEKN.exe
PID 4708 wrote to memory of 3884	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	BQpJLOL.exe
PID 4708 wrote to memory of 3884	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	BQpJLOL.exe
PID 4708 wrote to memory of 5084	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	hOLnCFn.exe
PID 4708 wrote to memory of 5084	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	hOLnCFn.exe
PID 4708 wrote to memory of 4068	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	lmEbZYf.exe
PID 4708 wrote to memory of 4068	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	lmEbZYf.exe
PID 4708 wrote to memory of 4988	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	iJkBggt.exe
PID 4708 wrote to memory of 4988	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	iJkBggt.exe
PID 4708 wrote to memory of 436	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	mJANlHU.exe
PID 4708 wrote to memory of 436	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	mJANlHU.exe
PID 4708 wrote to memory of 2596	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	bBsTDqv.exe
PID 4708 wrote to memory of 2596	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	bBsTDqv.exe
PID 4708 wrote to memory of 1684	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	OKyStMV.exe
PID 4708 wrote to memory of 1684	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	OKyStMV.exe
PID 4708 wrote to memory of 1520	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	gVbxZAs.exe
PID 4708 wrote to memory of 1520	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	gVbxZAs.exe
PID 4708 wrote to memory of 4516	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	wOtLFmi.exe
PID 4708 wrote to memory of 4516	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	wOtLFmi.exe
PID 4708 wrote to memory of 4084	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	oMjUhyN.exe
PID 4708 wrote to memory of 4084	4708	2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe	oMjUhyN.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_0d2928c7641b504e667e7904d77fd96f_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\System\IyKvKCe.exe
C:\Windows\System\IyKvKCe.exe
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\System\WvVodsi.exe
C:\Windows\System\WvVodsi.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\System\DzowfRL.exe
C:\Windows\System\DzowfRL.exe
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\System\WZBGwJz.exe
C:\Windows\System\WZBGwJz.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\dawOBJm.exe
C:\Windows\System\dawOBJm.exe
2⤵
- Executes dropped EXE
PID:1412

C:\Windows\System\sbisOxS.exe
C:\Windows\System\sbisOxS.exe
2⤵
- Executes dropped EXE
PID:4236

C:\Windows\System\UCVkyBA.exe
C:\Windows\System\UCVkyBA.exe
2⤵
- Executes dropped EXE
PID:1544

C:\Windows\System\WLwnuDt.exe
C:\Windows\System\WLwnuDt.exe
2⤵
- Executes dropped EXE
PID:1728

C:\Windows\System\GfACqpC.exe
C:\Windows\System\GfACqpC.exe
2⤵
- Executes dropped EXE
PID:3780

C:\Windows\System\tdDusxu.exe
C:\Windows\System\tdDusxu.exe
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\System\ylhYEKN.exe
C:\Windows\System\ylhYEKN.exe
2⤵
- Executes dropped EXE
PID:3972

C:\Windows\System\BQpJLOL.exe
C:\Windows\System\BQpJLOL.exe
2⤵
- Executes dropped EXE
PID:3884

C:\Windows\System\hOLnCFn.exe
C:\Windows\System\hOLnCFn.exe
2⤵
- Executes dropped EXE
PID:5084

C:\Windows\System\lmEbZYf.exe
C:\Windows\System\lmEbZYf.exe
2⤵
- Executes dropped EXE
PID:4068

C:\Windows\System\iJkBggt.exe
C:\Windows\System\iJkBggt.exe
2⤵
- Executes dropped EXE
PID:4988

C:\Windows\System\mJANlHU.exe
C:\Windows\System\mJANlHU.exe
2⤵
- Executes dropped EXE
PID:436

C:\Windows\System\bBsTDqv.exe
C:\Windows\System\bBsTDqv.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\OKyStMV.exe
C:\Windows\System\OKyStMV.exe
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\System\gVbxZAs.exe
C:\Windows\System\gVbxZAs.exe
2⤵
- Executes dropped EXE
PID:1520

C:\Windows\System\wOtLFmi.exe
C:\Windows\System\wOtLFmi.exe
2⤵
- Executes dropped EXE
PID:4516

C:\Windows\System\oMjUhyN.exe
C:\Windows\System\oMjUhyN.exe
2⤵
- Executes dropped EXE
PID:4084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BQpJLOL.exe
Filesize
5.2MB

MD5
10adc471d7370eda626cf30b152705e0

SHA1
ff143c42a1f454413821b2c916247df6466c0f62

SHA256
f8739cbd0ee707ceeb94d81eff33209cced71ac0307785fc25fcbd6e34f8daa4

SHA512
7af18e352729c7c1c1b193f5f25b82407986d8dffb9ef72b5500647171d4407f062fa01e10b5e43c41fd9e7f871ba0772dfb1ab4abfbf279a57c76e5e27bf51c

Download Submit
C:\Windows\System\DzowfRL.exe
Filesize
5.2MB

MD5
b98f587e6d76aea4d886bc156bd0daa0

SHA1
6e5e0a837075c294694fbdb554f85d83c3bb3e0c

SHA256
b62e6d72afb04909056e0ec6fb59afe3e27e3020d75ac1cb23c1fdd2a22cc825

SHA512
d418a8197a55149388536f35a5516c303c36ac85f1fb81205b11882a6168da9fabd323a755e2476445207a54e3ea8395f822eee083e28e2ff41dc068684a92f0

Download Submit
C:\Windows\System\GfACqpC.exe
Filesize
5.2MB

MD5
f8a12e508f6a3aa9a506bc175245a986

SHA1
8629cd3eacf910fbcd30b7299dabd1809d520a40

SHA256
346b71d176e03671d33aa7f50994d15245da9f62305d6337ae4c66c2cbd1b441

SHA512
6480fbbb252eecc3e381f35bf9d11d5904840ef46e458596af009b4de1bd8032f6dc74cc90065cff818e36fbff7d8e0428291138333cd83e09c248f32fdd52bc

Download Submit
C:\Windows\System\IyKvKCe.exe
Filesize
5.2MB

MD5
bd89455f9ca27c9059bc8220b0e0bd7f

SHA1
242872cab2cfce4742d4295a42502077e1d307fc

SHA256
a2668aab4e93d3df65f8d719ccc2970558dcaf6d28e42889f2da9781571f31ce

SHA512
fc3f06572e1f44eea983150ded205bc76254861bc127ee172e11cce31656aab52caf6cf7fa5e7f8186203a1eefcf20154fac25e2bd5fdf0c10770a46671c7df4

Download Submit
C:\Windows\System\OKyStMV.exe
Filesize
5.2MB

MD5
9fc0d843dd1f6d790a80f24303ee33fd

SHA1
b472ba2bae1ed7e1a1a472ab2cbe83dd379ae80e

SHA256
873d35c303afb93560d787452fa4d849efb3f5a6e2aa61920caff722dc3b04d2

SHA512
2ad150d1f79f902f96facfacb85dbc55083626223051ea51e2140132188c02f4b47645d0d7f0ee8e4927e5a96c94fd41e05cf565feffbe6ac9fd9298ff98dc23

Download Submit
C:\Windows\System\UCVkyBA.exe
Filesize
5.2MB

MD5
6e5d34c3381d7c753f8b294275486633

SHA1
c83288886603d4a50eadc6a1f0ce9bc17642336f

SHA256
01daa43a4b17d421d47939c0a06991e6fba765417282a14367fa127ad7b112bf

SHA512
eb01d3a36ea980cc9c449a9be0b396ebe3aaca53d2720952b2712829e234c95b54cbdafa6458da259fce82ab099b821f23101034d4448b2918aad041f1fc9010

Download Submit
C:\Windows\System\WLwnuDt.exe
Filesize
5.2MB

MD5
8ebcd6f85ebe8677b364f4cb3ade67d2

SHA1
9404f325dcacd5aa9090fc9d0767e6419b07412e

SHA256
69480f471b2803e617f6e03e8077dff37a1d477dd0ff569cad5d5adb4810db21

SHA512
4c556002c6a448607e59032cb548317e44e33691d995bd43dcbdba9c088cb5597495c5433065b5ef72e07897b4c93db31b55cedcfb4b89bd145c09a803fb6f21

Download Submit
C:\Windows\System\WZBGwJz.exe
Filesize
5.2MB

MD5
de7a357ff27c7b06c71878620f2866e9

SHA1
32d397ca9727ee840b45680dff141f9c449745c4

SHA256
9e184e135174694074e2039aa01806964f0e22db624f1392bf59b6cdc357ba03

SHA512
b8080aed4c0a56b3554a70a8fc5b72a430c3940339eace7fae1992b63e748a0cd238d9bd069e8b735ca6a320b1946250074207a4aed32896786610e89abcad54

Download Submit
C:\Windows\System\WvVodsi.exe
Filesize
5.2MB

MD5
82bcf34bda6686cdc5f646617fcb4b08

SHA1
842ebf20a0ea506aeb6d9170f05e31ceb99a2a3a

SHA256
e9b06becef34a9c3797a580315b4eaffd9773c840e7aa6fa9cbfcf252e871bc1

SHA512
621f378d24f433415a734f5b5f877cfa82fa536b4c9070edd75684189b5499237205b3e1bff87794fd6f576a5f8f699cccea7ab1d0f77297058d9cf67b03c04b

Download Submit
C:\Windows\System\bBsTDqv.exe
Filesize
5.2MB

MD5
8880c2bef2821f5147abe7ded79f4f2d

SHA1
55359d056fac57f4e97324e2c88830834ae82c2a

SHA256
cfe01e95f3784707bc9311163a8695455bbc69ac2812306b5c6a843a5b72f9b4

SHA512
676bcd2a58579cdf139b3cd02f054e55fd896a4850eb7028f0b67fef0ea1bc4cb5704b2c532403a851d135de7adaf513849767b6c84c40f7d143ea6fd25b828a

Download Submit
C:\Windows\System\dawOBJm.exe
Filesize
5.2MB

MD5
fc8fadae0c35e78bb23524c1a842879a

SHA1
34aeb36f26f7f1b3a20d52baaae189b2d4363f88

SHA256
826f851b3bd8143b8378b89cdc5c641891d31d01fc9f7ae638303291d647c920

SHA512
fe1e68b326f10a93bf393b6d6485f69f47b567b7b69f1f5b99cb38df076ab0b2f7f05d4da4f81b2b4676be6fe50ca14e1c622b73caea8043b76e796f5bcf596c

Download Submit
C:\Windows\System\gVbxZAs.exe
Filesize
5.2MB

MD5
0b6827e1d85533c373662cf2631a57a3

SHA1
96de5b6cfa9a86e0a9aaec9078269a8a5682d15c

SHA256
f1c58268f7fe3ee18466570f290e24fc06eb69885c3445839f589d6d07c4544e

SHA512
31a7ce14e3a6ccf4d0b618f30bf433809605adb956ee25aef7b54d9d372ca39a946c8e8e52ad145757b5edece8d59ecdb32b9b5dea53847a905cca54b2fcd657

Download Submit
C:\Windows\System\hOLnCFn.exe
Filesize
5.2MB

MD5
4aab35c7d91c792ff0d2cea79719bd21

SHA1
83d87b3d2281b538b84a569740fc2d81af73126a

SHA256
c948fbeafbd47944e965a56b339dae9dbfc0e7dc3962db40cf31bd74d2a46949

SHA512
7f4277fbdea19054358256aed83fb16b6bae7d19eb283db8d7174f69fe85908aa723ce4540939ce876fec665c46535ec81dd64921057d37fe5da339b86f0b394

Download Submit
C:\Windows\System\iJkBggt.exe
Filesize
5.2MB

MD5
033d867a523b73a6a6c999a09c9cabec

SHA1
b90dc7b4a398bd5f5d0154a85e9a3f52ede231d9

SHA256
b070e9ec20c5dcbc85a604b207f79e70df06012101d61013b68ab8440eb04e15

SHA512
7dbf41fe144071c053cf8dff35080a0b52203d9117225a2f4f7423f0fb1031b2d94c3c6b46619ecedac4b37220277af45e110ee4de1fd00efe13a360cbe2175a

Download Submit
C:\Windows\System\lmEbZYf.exe
Filesize
5.2MB

MD5
00da2f71bcd3a9430e6d45ef97ff1403

SHA1
ef21cb0aaf662d9c81dfe883aa0a02530f1de168

SHA256
bcc159fb5b59c994fa668297a961b5f191b5675a9b5860a67c583ff2217dc3fc

SHA512
2057e995a9c89e546cca4b7a5d20547dc8af2b066fb83bd9bc3a26ffd97f9e72e49dd13aa66974ada51c806a4c164486802a9834266146a5f3bb0708f82a1d60

Download Submit
C:\Windows\System\mJANlHU.exe
Filesize
5.2MB

MD5
5dd8ba3c5529fecf12ef8101f25bb5a5

SHA1
e272d4ecbf4ad934061d935d8d4012d4621aa38e

SHA256
d6575aa3ec0ce9e5e9fa5fa42cb38d9ceb54911f48acbea4b7d30d63d53b9112

SHA512
31fb8f69299cf78b076319a7f0bab310f9b9f01c001929b4cff7eff13ef24f44c3c87666ce906934e926af310e256f7df305d107ed9648bed25c71e5c75ab9f8

Download Submit
C:\Windows\System\oMjUhyN.exe
Filesize
5.2MB

MD5
0241ca903c9fab3f26ffc24becd7558e

SHA1
298dd3d358785177ab8308a786ef46bbbc61f709

SHA256
bf5934e262e5893399b5df344022e0e9c496315bcd0fdd3c8049be7c23133d7a

SHA512
e8184eaaf1ab584b73a14246a991f0086799242811f04eb171b48204bca6535835f3626f99327f902abaad557cba2315c5f2d98547549b99b14ae39d7d8ec8e6

Download Submit
C:\Windows\System\sbisOxS.exe
Filesize
5.2MB

MD5
e5ced3be727663ebb98faa05eb2e8714

SHA1
45a6e8e5f7419bb3e5da315b2fc9d2651e7f06bd

SHA256
15d2a81f79f1ec258f39ba5029c3394c21dc57be8aa27d2b7a952beae5546355

SHA512
d4e7ec273bfc21812d07dd721e47293fa698349a110f3b078824cc2ec188198ef4088ebe0242298119237bc6690dbf574afd24f93b538772a587616ef10ef65b

Download Submit
C:\Windows\System\tdDusxu.exe
Filesize
5.2MB

MD5
d1c52fa7114e68412925a23bc0360f88

SHA1
da7528c30e6d8a9324916721ae083403b985b3d2

SHA256
8bb0a657586f6c6d3fd5641957d33079910905e4425728be29c6f630513b6d61

SHA512
917c5bde07262f0a44014d6eb054ede3f2b985659981c4da8dafe1d663a272fd16673a710023cb311224074061940ace094c063fd713905d9971df31072fffb6

Download Submit
C:\Windows\System\wOtLFmi.exe
Filesize
5.2MB

MD5
69f974d3b93e0e9d8449899935122929

SHA1
0889c35b678192bf302085b09d501dacaf0e2ab0

SHA256
157a653f5218bf34fa4ae5ce0ca020f113f62e7ead38437e1c1145981f10e86b

SHA512
5f2e5c65f8dc0e6b0b6a402513a44fddad584c3f5396e48e048696f3bb7dffd5fda6bff36460181f7a21e75cd4b19980c8f7dca74aa0f76d4fd4f112ccab9fb3

Download Submit
C:\Windows\System\ylhYEKN.exe
Filesize
5.2MB

MD5
be6c49061a53b31809f05e83ffd79e2d

SHA1
8dc58f8fb421bf645b753aca16ae9f13f795136c

SHA256
86f01bd8350c5a9fda82caf5cf851522e88c13de69264ac226f747560a325c20

SHA512
8945f97e5720049c6114490243bae83b86f7f9823402fc54a2f525b58ced849a78f086b0ed268cfe56b49ac2e8585d65dc900b953c6a9c63b72654783e272fad

Download Submit
memory/436-99-0x00007FF6FDA70000-0x00007FF6FDDC1000-memory.dmp

Filesize
3.3MB

Download
memory/436-240-0x00007FF6FDA70000-0x00007FF6FDDC1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-216-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp

Filesize
3.3MB

Download
memory/1412-125-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp

Filesize
3.3MB

Download
memory/1412-39-0x00007FF6348F0000-0x00007FF634C41000-memory.dmp

Filesize
3.3MB

Download
memory/1520-251-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp

Filesize
3.3MB

Download
memory/1520-155-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp

Filesize
3.3MB

Download
memory/1520-121-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp

Filesize
3.3MB

Download
memory/1544-52-0x00007FF744DD0000-0x00007FF745121000-memory.dmp

Filesize
3.3MB

Download
memory/1544-221-0x00007FF744DD0000-0x00007FF745121000-memory.dmp

Filesize
3.3MB

Download
memory/1544-143-0x00007FF744DD0000-0x00007FF745121000-memory.dmp

Filesize
3.3MB

Download
memory/1568-210-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-18-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-117-0x00007FF761D80000-0x00007FF7620D1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-248-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp

Filesize
3.3MB

Download
memory/1684-116-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp

Filesize
3.3MB

Download
memory/1684-154-0x00007FF7DE7D0000-0x00007FF7DEB21000-memory.dmp

Filesize
3.3MB

Download
memory/1720-24-0x00007FF6A3570000-0x00007FF6A38C1000-memory.dmp

Filesize
3.3MB

Download
memory/1720-212-0x00007FF6A3570000-0x00007FF6A38C1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-134-0x00007FF6740B0000-0x00007FF674401000-memory.dmp

Filesize
3.3MB

Download
memory/1728-222-0x00007FF6740B0000-0x00007FF674401000-memory.dmp

Filesize
3.3MB

Download
memory/1728-61-0x00007FF6740B0000-0x00007FF674401000-memory.dmp

Filesize
3.3MB

Download
memory/2260-208-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-109-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-9-0x00007FF6C6F80000-0x00007FF6C72D1000-memory.dmp

Filesize
3.3MB

Download
memory/2424-226-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2424-146-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2424-67-0x00007FF6BFA60000-0x00007FF6BFDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-106-0x00007FF7158F0000-0x00007FF715C41000-memory.dmp

Filesize
3.3MB

Download
memory/2596-243-0x00007FF7158F0000-0x00007FF715C41000-memory.dmp

Filesize
3.3MB

Download
memory/2956-123-0x00007FF699680000-0x00007FF6999D1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-26-0x00007FF699680000-0x00007FF6999D1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-214-0x00007FF699680000-0x00007FF6999D1000-memory.dmp

Filesize
3.3MB

Download
memory/3780-225-0x00007FF61C500000-0x00007FF61C851000-memory.dmp

Filesize
3.3MB

Download
memory/3780-145-0x00007FF61C500000-0x00007FF61C851000-memory.dmp

Filesize
3.3MB

Download
memory/3780-62-0x00007FF61C500000-0x00007FF61C851000-memory.dmp

Filesize
3.3MB

Download
memory/3884-75-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp

Filesize
3.3MB

Download
memory/3884-241-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp

Filesize
3.3MB

Download
memory/3884-148-0x00007FF7ADB00000-0x00007FF7ADE51000-memory.dmp

Filesize
3.3MB

Download
memory/3972-228-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-135-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-66-0x00007FF7DB260000-0x00007FF7DB5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-150-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-82-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-235-0x00007FF634B80000-0x00007FF634ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-255-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp

Filesize
3.3MB

Download
memory/4084-129-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp

Filesize
3.3MB

Download
memory/4084-157-0x00007FF6AFCC0000-0x00007FF6B0011000-memory.dmp

Filesize
3.3MB

Download
memory/4236-40-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp

Filesize
3.3MB

Download
memory/4236-218-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp

Filesize
3.3MB

Download
memory/4236-133-0x00007FF6B4620000-0x00007FF6B4971000-memory.dmp

Filesize
3.3MB

Download
memory/4516-156-0x00007FF6102B0000-0x00007FF610601000-memory.dmp

Filesize
3.3MB

Download
memory/4516-126-0x00007FF6102B0000-0x00007FF610601000-memory.dmp

Filesize
3.3MB

Download
memory/4516-253-0x00007FF6102B0000-0x00007FF610601000-memory.dmp

Filesize
3.3MB

Download
memory/4708-136-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp

Filesize
3.3MB

Download
memory/4708-104-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp

Filesize
3.3MB

Download
memory/4708-0-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp

Filesize
3.3MB

Download
memory/4708-158-0x00007FF6B8C10000-0x00007FF6B8F61000-memory.dmp

Filesize
3.3MB

Download
memory/4708-1-0x000001A9FC3F0000-0x000001A9FC400000-memory.dmp

Filesize
64KB

Download
memory/4988-97-0x00007FF694F10000-0x00007FF695261000-memory.dmp

Filesize
3.3MB

Download
memory/4988-237-0x00007FF694F10000-0x00007FF695261000-memory.dmp

Filesize
3.3MB

Download
memory/5084-149-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp

Filesize
3.3MB

Download
memory/5084-233-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp

Filesize
3.3MB

Download
memory/5084-81-0x00007FF7C4BC0000-0x00007FF7C4F11000-memory.dmp

Filesize
3.3MB

Download