cobaltstrike | 79a3517ae7eff769fdd51f596e480490087be738fd9c07afaacbacddd9bc458a

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

7342f8a69c027cfe701f7c3596f3ed5d
SHA1

1a9d205287c9a5fdc7a9ee3ddc95c637765757bb
SHA256

79a3517ae7eff769fdd51f596e480490087be738fd9c07afaacbacddd9bc458a
SHA512

818c88e9915d7c99fb56f2e059b520ffe4e4652c9d9cf6b046c5c1c007aa62d9627d2aea1afe312256fc6c5ae8fbc9f9723e8af4eabd9ff6814099b7966b9e68
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lg:RWWBibf56utgpPFotBER/mQ32lU8

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\bjzBwzb.exe	cobalt_reflective_dll
C:\Windows\System\VEyhPHf.exe	cobalt_reflective_dll
C:\Windows\System\cIZAijV.exe	cobalt_reflective_dll
C:\Windows\System\GqrgJId.exe	cobalt_reflective_dll
C:\Windows\System\rkfAMfG.exe	cobalt_reflective_dll
C:\Windows\System\oPjwcGe.exe	cobalt_reflective_dll
C:\Windows\System\FtEstvF.exe	cobalt_reflective_dll
C:\Windows\System\qNRSuwQ.exe	cobalt_reflective_dll
C:\Windows\System\acPNjRl.exe	cobalt_reflective_dll
C:\Windows\System\SJEkxOJ.exe	cobalt_reflective_dll
C:\Windows\System\xzbveKv.exe	cobalt_reflective_dll
C:\Windows\System\zrEnVeu.exe	cobalt_reflective_dll
C:\Windows\System\KbdIxsJ.exe	cobalt_reflective_dll
C:\Windows\System\btQYtis.exe	cobalt_reflective_dll
C:\Windows\System\fAUNJFS.exe	cobalt_reflective_dll
C:\Windows\System\xudenBI.exe	cobalt_reflective_dll
C:\Windows\System\qVgkONT.exe	cobalt_reflective_dll
C:\Windows\System\CSryEab.exe	cobalt_reflective_dll
C:\Windows\System\BEBiyTW.exe	cobalt_reflective_dll
C:\Windows\System\WWVVKOt.exe	cobalt_reflective_dll
C:\Windows\System\IuqwDgd.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\bjzBwzb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VEyhPHf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cIZAijV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GqrgJId.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rkfAMfG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oPjwcGe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FtEstvF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qNRSuwQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\acPNjRl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SJEkxOJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xzbveKv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zrEnVeu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KbdIxsJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\btQYtis.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fAUNJFS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xudenBI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qVgkONT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CSryEab.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BEBiyTW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WWVVKOt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IuqwDgd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/628-0-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp	UPX
C:\Windows\System\bjzBwzb.exe	UPX
behavioral2/memory/408-8-0x00007FF746010000-0x00007FF746361000-memory.dmp	UPX
C:\Windows\System\VEyhPHf.exe	UPX
C:\Windows\System\cIZAijV.exe	UPX
behavioral2/memory/4984-14-0x00007FF6AECF0000-0x00007FF6AF041000-memory.dmp	UPX
C:\Windows\System\GqrgJId.exe	UPX
C:\Windows\System\rkfAMfG.exe	UPX
behavioral2/memory/1576-26-0x00007FF7E2A40000-0x00007FF7E2D91000-memory.dmp	UPX
C:\Windows\System\oPjwcGe.exe	UPX
C:\Windows\System\FtEstvF.exe	UPX
C:\Windows\System\qNRSuwQ.exe	UPX
behavioral2/memory/1948-48-0x00007FF7C5F40000-0x00007FF7C6291000-memory.dmp	UPX
behavioral2/memory/2892-50-0x00007FF628C70000-0x00007FF628FC1000-memory.dmp	UPX
behavioral2/memory/2972-49-0x00007FF7C7940000-0x00007FF7C7C91000-memory.dmp	UPX
behavioral2/memory/2452-47-0x00007FF6E9CE0000-0x00007FF6EA031000-memory.dmp	UPX
behavioral2/memory/4696-20-0x00007FF772ED0000-0x00007FF773221000-memory.dmp	UPX
C:\Windows\System\acPNjRl.exe	UPX
C:\Windows\System\SJEkxOJ.exe	UPX
C:\Windows\System\xzbveKv.exe	UPX
C:\Windows\System\zrEnVeu.exe	UPX
C:\Windows\System\KbdIxsJ.exe	UPX
C:\Windows\System\btQYtis.exe	UPX
C:\Windows\System\fAUNJFS.exe	UPX
C:\Windows\System\xudenBI.exe	UPX
C:\Windows\System\qVgkONT.exe	UPX
C:\Windows\System\CSryEab.exe	UPX
behavioral2/memory/4468-86-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp	UPX
C:\Windows\System\BEBiyTW.exe	UPX
behavioral2/memory/4652-80-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp	UPX
C:\Windows\System\WWVVKOt.exe	UPX
behavioral2/memory/4492-77-0x00007FF651660000-0x00007FF6519B1000-memory.dmp	UPX
behavioral2/memory/2268-73-0x00007FF766EB0000-0x00007FF767201000-memory.dmp	UPX
C:\Windows\System\IuqwDgd.exe	UPX
behavioral2/memory/2996-66-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp	UPX
behavioral2/memory/4064-65-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp	UPX
behavioral2/memory/408-122-0x00007FF746010000-0x00007FF746361000-memory.dmp	UPX
behavioral2/memory/4696-124-0x00007FF772ED0000-0x00007FF773221000-memory.dmp	UPX
behavioral2/memory/628-121-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp	UPX
behavioral2/memory/4836-132-0x00007FF6F1C00000-0x00007FF6F1F51000-memory.dmp	UPX
behavioral2/memory/2344-134-0x00007FF6AEE40000-0x00007FF6AF191000-memory.dmp	UPX
behavioral2/memory/1496-136-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp	UPX
behavioral2/memory/4568-137-0x00007FF6CB4D0000-0x00007FF6CB821000-memory.dmp	UPX
behavioral2/memory/4552-135-0x00007FF6BF400000-0x00007FF6BF751000-memory.dmp	UPX
behavioral2/memory/3744-133-0x00007FF727290000-0x00007FF7275E1000-memory.dmp	UPX
behavioral2/memory/4304-131-0x00007FF6A4140000-0x00007FF6A4491000-memory.dmp	UPX
behavioral2/memory/2268-139-0x00007FF766EB0000-0x00007FF767201000-memory.dmp	UPX
behavioral2/memory/4652-141-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp	UPX
behavioral2/memory/4468-142-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp	UPX
behavioral2/memory/4492-140-0x00007FF651660000-0x00007FF6519B1000-memory.dmp	UPX
behavioral2/memory/2996-138-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp	UPX
behavioral2/memory/628-150-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp	UPX
behavioral2/memory/408-196-0x00007FF746010000-0x00007FF746361000-memory.dmp	UPX
behavioral2/memory/4984-198-0x00007FF6AECF0000-0x00007FF6AF041000-memory.dmp	UPX
behavioral2/memory/4696-200-0x00007FF772ED0000-0x00007FF773221000-memory.dmp	UPX
behavioral2/memory/2452-210-0x00007FF6E9CE0000-0x00007FF6EA031000-memory.dmp	UPX
behavioral2/memory/1576-208-0x00007FF7E2A40000-0x00007FF7E2D91000-memory.dmp	UPX
behavioral2/memory/1948-213-0x00007FF7C5F40000-0x00007FF7C6291000-memory.dmp	UPX
behavioral2/memory/2972-214-0x00007FF7C7940000-0x00007FF7C7C91000-memory.dmp	UPX
behavioral2/memory/2892-216-0x00007FF628C70000-0x00007FF628FC1000-memory.dmp	UPX
behavioral2/memory/4064-218-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp	UPX
behavioral2/memory/2996-220-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp	UPX
behavioral2/memory/2268-222-0x00007FF766EB0000-0x00007FF767201000-memory.dmp	UPX
behavioral2/memory/4652-226-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp	UPX

XMRig Miner payload 44 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4984-14-0x00007FF6AECF0000-0x00007FF6AF041000-memory.dmp	xmrig
behavioral2/memory/1576-26-0x00007FF7E2A40000-0x00007FF7E2D91000-memory.dmp	xmrig
behavioral2/memory/1948-48-0x00007FF7C5F40000-0x00007FF7C6291000-memory.dmp	xmrig
behavioral2/memory/2892-50-0x00007FF628C70000-0x00007FF628FC1000-memory.dmp	xmrig
behavioral2/memory/2972-49-0x00007FF7C7940000-0x00007FF7C7C91000-memory.dmp	xmrig
behavioral2/memory/2452-47-0x00007FF6E9CE0000-0x00007FF6EA031000-memory.dmp	xmrig
behavioral2/memory/4064-65-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp	xmrig
behavioral2/memory/408-122-0x00007FF746010000-0x00007FF746361000-memory.dmp	xmrig
behavioral2/memory/4696-124-0x00007FF772ED0000-0x00007FF773221000-memory.dmp	xmrig
behavioral2/memory/628-121-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp	xmrig
behavioral2/memory/4836-132-0x00007FF6F1C00000-0x00007FF6F1F51000-memory.dmp	xmrig
behavioral2/memory/2344-134-0x00007FF6AEE40000-0x00007FF6AF191000-memory.dmp	xmrig
behavioral2/memory/1496-136-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp	xmrig
behavioral2/memory/4568-137-0x00007FF6CB4D0000-0x00007FF6CB821000-memory.dmp	xmrig
behavioral2/memory/4552-135-0x00007FF6BF400000-0x00007FF6BF751000-memory.dmp	xmrig
behavioral2/memory/3744-133-0x00007FF727290000-0x00007FF7275E1000-memory.dmp	xmrig
behavioral2/memory/4304-131-0x00007FF6A4140000-0x00007FF6A4491000-memory.dmp	xmrig
behavioral2/memory/2268-139-0x00007FF766EB0000-0x00007FF767201000-memory.dmp	xmrig
behavioral2/memory/4652-141-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp	xmrig
behavioral2/memory/4468-142-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp	xmrig
behavioral2/memory/4492-140-0x00007FF651660000-0x00007FF6519B1000-memory.dmp	xmrig
behavioral2/memory/2996-138-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp	xmrig
behavioral2/memory/628-150-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp	xmrig
behavioral2/memory/408-196-0x00007FF746010000-0x00007FF746361000-memory.dmp	xmrig
behavioral2/memory/4984-198-0x00007FF6AECF0000-0x00007FF6AF041000-memory.dmp	xmrig
behavioral2/memory/4696-200-0x00007FF772ED0000-0x00007FF773221000-memory.dmp	xmrig
behavioral2/memory/2452-210-0x00007FF6E9CE0000-0x00007FF6EA031000-memory.dmp	xmrig
behavioral2/memory/1576-208-0x00007FF7E2A40000-0x00007FF7E2D91000-memory.dmp	xmrig
behavioral2/memory/1948-213-0x00007FF7C5F40000-0x00007FF7C6291000-memory.dmp	xmrig
behavioral2/memory/2972-214-0x00007FF7C7940000-0x00007FF7C7C91000-memory.dmp	xmrig
behavioral2/memory/2892-216-0x00007FF628C70000-0x00007FF628FC1000-memory.dmp	xmrig
behavioral2/memory/4064-218-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp	xmrig
behavioral2/memory/2996-220-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp	xmrig
behavioral2/memory/2268-222-0x00007FF766EB0000-0x00007FF767201000-memory.dmp	xmrig
behavioral2/memory/4652-226-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp	xmrig
behavioral2/memory/4492-225-0x00007FF651660000-0x00007FF6519B1000-memory.dmp	xmrig
behavioral2/memory/4468-228-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp	xmrig
behavioral2/memory/3744-234-0x00007FF727290000-0x00007FF7275E1000-memory.dmp	xmrig
behavioral2/memory/4552-237-0x00007FF6BF400000-0x00007FF6BF751000-memory.dmp	xmrig
behavioral2/memory/2344-238-0x00007FF6AEE40000-0x00007FF6AF191000-memory.dmp	xmrig
behavioral2/memory/1496-242-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp	xmrig
behavioral2/memory/4568-241-0x00007FF6CB4D0000-0x00007FF6CB821000-memory.dmp	xmrig
behavioral2/memory/4836-232-0x00007FF6F1C00000-0x00007FF6F1F51000-memory.dmp	xmrig
behavioral2/memory/4304-233-0x00007FF6A4140000-0x00007FF6A4491000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

bjzBwzb.exeVEyhPHf.execIZAijV.exeGqrgJId.exerkfAMfG.exeoPjwcGe.exeFtEstvF.exeqNRSuwQ.exeacPNjRl.exeSJEkxOJ.exeIuqwDgd.exeWWVVKOt.exeBEBiyTW.exexzbveKv.exeCSryEab.exezrEnVeu.exeqVgkONT.exeKbdIxsJ.exexudenBI.exebtQYtis.exefAUNJFS.exe

pid	process
408	bjzBwzb.exe
4984	VEyhPHf.exe
4696	cIZAijV.exe
1576	GqrgJId.exe
2452	rkfAMfG.exe
1948	oPjwcGe.exe
2972	FtEstvF.exe
2892	qNRSuwQ.exe
4064	acPNjRl.exe
2996	SJEkxOJ.exe
2268	IuqwDgd.exe
4492	WWVVKOt.exe
4652	BEBiyTW.exe
4468	xzbveKv.exe
4304	CSryEab.exe
4836	zrEnVeu.exe
3744	qVgkONT.exe
2344	KbdIxsJ.exe
4552	xudenBI.exe
1496	btQYtis.exe
4568	fAUNJFS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/628-0-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp	upx
C:\Windows\System\bjzBwzb.exe	upx
behavioral2/memory/408-8-0x00007FF746010000-0x00007FF746361000-memory.dmp	upx
C:\Windows\System\VEyhPHf.exe	upx
C:\Windows\System\cIZAijV.exe	upx
behavioral2/memory/4984-14-0x00007FF6AECF0000-0x00007FF6AF041000-memory.dmp	upx
C:\Windows\System\GqrgJId.exe	upx
C:\Windows\System\rkfAMfG.exe	upx
behavioral2/memory/1576-26-0x00007FF7E2A40000-0x00007FF7E2D91000-memory.dmp	upx
C:\Windows\System\oPjwcGe.exe	upx
C:\Windows\System\FtEstvF.exe	upx
C:\Windows\System\qNRSuwQ.exe	upx
behavioral2/memory/1948-48-0x00007FF7C5F40000-0x00007FF7C6291000-memory.dmp	upx
behavioral2/memory/2892-50-0x00007FF628C70000-0x00007FF628FC1000-memory.dmp	upx
behavioral2/memory/2972-49-0x00007FF7C7940000-0x00007FF7C7C91000-memory.dmp	upx
behavioral2/memory/2452-47-0x00007FF6E9CE0000-0x00007FF6EA031000-memory.dmp	upx
behavioral2/memory/4696-20-0x00007FF772ED0000-0x00007FF773221000-memory.dmp	upx
C:\Windows\System\acPNjRl.exe	upx
C:\Windows\System\SJEkxOJ.exe	upx
C:\Windows\System\xzbveKv.exe	upx
C:\Windows\System\zrEnVeu.exe	upx
C:\Windows\System\KbdIxsJ.exe	upx
C:\Windows\System\btQYtis.exe	upx
C:\Windows\System\fAUNJFS.exe	upx
C:\Windows\System\xudenBI.exe	upx
C:\Windows\System\qVgkONT.exe	upx
C:\Windows\System\CSryEab.exe	upx
behavioral2/memory/4468-86-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp	upx
C:\Windows\System\BEBiyTW.exe	upx
behavioral2/memory/4652-80-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp	upx
C:\Windows\System\WWVVKOt.exe	upx
behavioral2/memory/4492-77-0x00007FF651660000-0x00007FF6519B1000-memory.dmp	upx
behavioral2/memory/2268-73-0x00007FF766EB0000-0x00007FF767201000-memory.dmp	upx
C:\Windows\System\IuqwDgd.exe	upx
behavioral2/memory/2996-66-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp	upx
behavioral2/memory/4064-65-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp	upx
behavioral2/memory/408-122-0x00007FF746010000-0x00007FF746361000-memory.dmp	upx
behavioral2/memory/4696-124-0x00007FF772ED0000-0x00007FF773221000-memory.dmp	upx
behavioral2/memory/628-121-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp	upx
behavioral2/memory/4836-132-0x00007FF6F1C00000-0x00007FF6F1F51000-memory.dmp	upx
behavioral2/memory/2344-134-0x00007FF6AEE40000-0x00007FF6AF191000-memory.dmp	upx
behavioral2/memory/1496-136-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp	upx
behavioral2/memory/4568-137-0x00007FF6CB4D0000-0x00007FF6CB821000-memory.dmp	upx
behavioral2/memory/4552-135-0x00007FF6BF400000-0x00007FF6BF751000-memory.dmp	upx
behavioral2/memory/3744-133-0x00007FF727290000-0x00007FF7275E1000-memory.dmp	upx
behavioral2/memory/4304-131-0x00007FF6A4140000-0x00007FF6A4491000-memory.dmp	upx
behavioral2/memory/2268-139-0x00007FF766EB0000-0x00007FF767201000-memory.dmp	upx
behavioral2/memory/4652-141-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp	upx
behavioral2/memory/4468-142-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp	upx
behavioral2/memory/4492-140-0x00007FF651660000-0x00007FF6519B1000-memory.dmp	upx
behavioral2/memory/2996-138-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp	upx
behavioral2/memory/628-150-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp	upx
behavioral2/memory/408-196-0x00007FF746010000-0x00007FF746361000-memory.dmp	upx
behavioral2/memory/4984-198-0x00007FF6AECF0000-0x00007FF6AF041000-memory.dmp	upx
behavioral2/memory/4696-200-0x00007FF772ED0000-0x00007FF773221000-memory.dmp	upx
behavioral2/memory/2452-210-0x00007FF6E9CE0000-0x00007FF6EA031000-memory.dmp	upx
behavioral2/memory/1576-208-0x00007FF7E2A40000-0x00007FF7E2D91000-memory.dmp	upx
behavioral2/memory/1948-213-0x00007FF7C5F40000-0x00007FF7C6291000-memory.dmp	upx
behavioral2/memory/2972-214-0x00007FF7C7940000-0x00007FF7C7C91000-memory.dmp	upx
behavioral2/memory/2892-216-0x00007FF628C70000-0x00007FF628FC1000-memory.dmp	upx
behavioral2/memory/4064-218-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp	upx
behavioral2/memory/2996-220-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp	upx
behavioral2/memory/2268-222-0x00007FF766EB0000-0x00007FF767201000-memory.dmp	upx
behavioral2/memory/4652-226-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\bjzBwzb.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FtEstvF.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qNRSuwQ.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\acPNjRl.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IuqwDgd.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BEBiyTW.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zrEnVeu.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CSryEab.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VEyhPHf.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cIZAijV.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GqrgJId.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rkfAMfG.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oPjwcGe.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SJEkxOJ.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WWVVKOt.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qVgkONT.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\btQYtis.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fAUNJFS.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xzbveKv.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KbdIxsJ.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xudenBI.exe	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 628 wrote to memory of 408	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	bjzBwzb.exe
PID 628 wrote to memory of 408	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	bjzBwzb.exe
PID 628 wrote to memory of 4984	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	VEyhPHf.exe
PID 628 wrote to memory of 4984	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	VEyhPHf.exe
PID 628 wrote to memory of 4696	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	cIZAijV.exe
PID 628 wrote to memory of 4696	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	cIZAijV.exe
PID 628 wrote to memory of 1576	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	GqrgJId.exe
PID 628 wrote to memory of 1576	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	GqrgJId.exe
PID 628 wrote to memory of 2452	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	rkfAMfG.exe
PID 628 wrote to memory of 2452	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	rkfAMfG.exe
PID 628 wrote to memory of 1948	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	oPjwcGe.exe
PID 628 wrote to memory of 1948	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	oPjwcGe.exe
PID 628 wrote to memory of 2972	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	FtEstvF.exe
PID 628 wrote to memory of 2972	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	FtEstvF.exe
PID 628 wrote to memory of 2892	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	qNRSuwQ.exe
PID 628 wrote to memory of 2892	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	qNRSuwQ.exe
PID 628 wrote to memory of 4064	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	acPNjRl.exe
PID 628 wrote to memory of 4064	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	acPNjRl.exe
PID 628 wrote to memory of 2996	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	SJEkxOJ.exe
PID 628 wrote to memory of 2996	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	SJEkxOJ.exe
PID 628 wrote to memory of 2268	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	IuqwDgd.exe
PID 628 wrote to memory of 2268	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	IuqwDgd.exe
PID 628 wrote to memory of 4492	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	WWVVKOt.exe
PID 628 wrote to memory of 4492	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	WWVVKOt.exe
PID 628 wrote to memory of 4652	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	BEBiyTW.exe
PID 628 wrote to memory of 4652	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	BEBiyTW.exe
PID 628 wrote to memory of 4468	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xzbveKv.exe
PID 628 wrote to memory of 4468	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xzbveKv.exe
PID 628 wrote to memory of 4304	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	CSryEab.exe
PID 628 wrote to memory of 4304	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	CSryEab.exe
PID 628 wrote to memory of 4836	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	zrEnVeu.exe
PID 628 wrote to memory of 4836	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	zrEnVeu.exe
PID 628 wrote to memory of 3744	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	qVgkONT.exe
PID 628 wrote to memory of 3744	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	qVgkONT.exe
PID 628 wrote to memory of 2344	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	KbdIxsJ.exe
PID 628 wrote to memory of 2344	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	KbdIxsJ.exe
PID 628 wrote to memory of 4552	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xudenBI.exe
PID 628 wrote to memory of 4552	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	xudenBI.exe
PID 628 wrote to memory of 1496	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	btQYtis.exe
PID 628 wrote to memory of 1496	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	btQYtis.exe
PID 628 wrote to memory of 4568	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	fAUNJFS.exe
PID 628 wrote to memory of 4568	628	2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe	fAUNJFS.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_7342f8a69c027cfe701f7c3596f3ed5d_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\System\bjzBwzb.exe
C:\Windows\System\bjzBwzb.exe
2⤵
- Executes dropped EXE
PID:408

C:\Windows\System\VEyhPHf.exe
C:\Windows\System\VEyhPHf.exe
2⤵
- Executes dropped EXE
PID:4984

C:\Windows\System\cIZAijV.exe
C:\Windows\System\cIZAijV.exe
2⤵
- Executes dropped EXE
PID:4696

C:\Windows\System\GqrgJId.exe
C:\Windows\System\GqrgJId.exe
2⤵
- Executes dropped EXE
PID:1576

C:\Windows\System\rkfAMfG.exe
C:\Windows\System\rkfAMfG.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\oPjwcGe.exe
C:\Windows\System\oPjwcGe.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\System\FtEstvF.exe
C:\Windows\System\FtEstvF.exe
2⤵
- Executes dropped EXE
PID:2972

C:\Windows\System\qNRSuwQ.exe
C:\Windows\System\qNRSuwQ.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\System\acPNjRl.exe
C:\Windows\System\acPNjRl.exe
2⤵
- Executes dropped EXE
PID:4064

C:\Windows\System\SJEkxOJ.exe
C:\Windows\System\SJEkxOJ.exe
2⤵
- Executes dropped EXE
PID:2996

C:\Windows\System\IuqwDgd.exe
C:\Windows\System\IuqwDgd.exe
2⤵
- Executes dropped EXE
PID:2268

C:\Windows\System\WWVVKOt.exe
C:\Windows\System\WWVVKOt.exe
2⤵
- Executes dropped EXE
PID:4492

C:\Windows\System\BEBiyTW.exe
C:\Windows\System\BEBiyTW.exe
2⤵
- Executes dropped EXE
PID:4652

C:\Windows\System\xzbveKv.exe
C:\Windows\System\xzbveKv.exe
2⤵
- Executes dropped EXE
PID:4468

C:\Windows\System\CSryEab.exe
C:\Windows\System\CSryEab.exe
2⤵
- Executes dropped EXE
PID:4304

C:\Windows\System\zrEnVeu.exe
C:\Windows\System\zrEnVeu.exe
2⤵
- Executes dropped EXE
PID:4836

C:\Windows\System\qVgkONT.exe
C:\Windows\System\qVgkONT.exe
2⤵
- Executes dropped EXE
PID:3744

C:\Windows\System\KbdIxsJ.exe
C:\Windows\System\KbdIxsJ.exe
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\System\xudenBI.exe
C:\Windows\System\xudenBI.exe
2⤵
- Executes dropped EXE
PID:4552

C:\Windows\System\btQYtis.exe
C:\Windows\System\btQYtis.exe
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\System\fAUNJFS.exe
C:\Windows\System\fAUNJFS.exe
2⤵
- Executes dropped EXE
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:4400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BEBiyTW.exe

Filesize
5.2MB

MD5
d80e8a75080d6def70a9a9e570f0f01b

SHA1
5efac56574f7d920338b1f2caabac15b89d2b877

SHA256
b37c6b707abea3020a6e796533ec27a4bd0e356ecf7b25043b9338a54ad4e939

SHA512
762842d29e19878ebf426fdc5aaa0e24deb81c830b12b316bba6df88410284bc5953acd5b4183e020d01272a0839fd6fd6ab100bb54b9bac24600b28176b16a2

Download Submit
C:\Windows\System\CSryEab.exe

Filesize
5.2MB

MD5
1274c4e87aa23e7a84c2a35f5a095576

SHA1
5aa519abf24db06aea25df5159c072bf732bf526

SHA256
0bc3df19c0cdfa07b610f70f49611cfd642263752a559412dc1b834fdbe8b034

SHA512
8daaf6297b828835ba173b6381e58cbe9a75b4bd18110ecb3c0e449518cc8ac230956f8ae91d7d97e254eff3da5dd173012c3a9cabd10bb42cf11ae640316602

Download Submit
C:\Windows\System\FtEstvF.exe

Filesize
5.2MB

MD5
8c74e529868c5489ee01917ae67650d5

SHA1
454b00649305feff4ad8616fd765d0c978d1e97e

SHA256
d44fa06e45b1a84906247cc7d9780241644a1c467120593d506a3bd47657a81b

SHA512
851ed6316cebf19d9fe1a57b980b3d9a34b6bb571bd5a32c9fe8318f8cd17e6d446da26e2d69dec203d4b56cbaf836f622f3c4eab980c7d2f271f2390bf3a0a1

Download Submit
C:\Windows\System\GqrgJId.exe

Filesize
5.2MB

MD5
80b882fdd9d1a9d8c6021455bca56102

SHA1
6762ef472dd706e75a1a4dd1ea8e2ac6477baa0d

SHA256
42b72fb4fb463a6ec3b3c6b5072b9b030eaaf2c7f0fea57ed15d5b0d450d8a3b

SHA512
d7e0a4dae9a88c4ac5feb03daf66dd53b943a53cb8c06c2becd0c437f310108570c170945dfbd255449df3770351bb96bd63e20b77961b645210a1d3d2ab82b5

Download Submit
C:\Windows\System\IuqwDgd.exe

Filesize
5.2MB

MD5
971523174b9a3cb7c050dfd260386ae0

SHA1
dcdb45531becf98dd79a019bfcc5f6bb396dd6e2

SHA256
2c1b8fc12696ec42f80a3b3e4449a69eee8a758bd1a4b220c67e783bacf6f40c

SHA512
0eef5ab6fd6ae68833bc6ae2cbf5e4b6e692a22d1952ef8ea4d54122af7e1699f8d0c04f5e6dec8a6e747fcbf589708910af91cad3969b7b1254d79760435667

Download Submit
C:\Windows\System\KbdIxsJ.exe

Filesize
5.2MB

MD5
9b9efb4702cfeef6e972dae61e8e349f

SHA1
88f2f53354323d824ef86a0fdf4dc9f36fb68ba0

SHA256
634832e808d9a4638ee1aa6fd092c2f59c46ce89b5f00e07544ab25b6484453a

SHA512
c439a27590099f0b1c75dc15036730924d060c417ace7b3067424c76a4434228630d40e1519aae85343ba1a4cb88e52e18c2d964fb515e130a051ab039a0e767

Download Submit
C:\Windows\System\SJEkxOJ.exe

Filesize
5.2MB

MD5
60e10f0c5daf702292ead16eb70015d7

SHA1
76ab7086444e49189996fa8eba497e14015965a1

SHA256
3ae0229e7d2a5cfd10fd15c66a03e3c0a43d86c737ed6659e4d48ac397663cb4

SHA512
41722fe60e8388e0d03c9a2b2bb1247c5fef93fed3f8928af0db79cb4dabe2e5b1b847aa6749dd2f1819ef930f8f218f74377f587663bb2a6574334bfb52791a

Download Submit
C:\Windows\System\VEyhPHf.exe

Filesize
5.2MB

MD5
b239111b636eb92898ac01f96d44b3e9

SHA1
7d6ae4f86b5c06b4b7438d30857e1a74630d4a67

SHA256
24c26535dae7fb1dc9e913084882934fd712a1960c79032ef0cdf17ffb803aa6

SHA512
09a2010a5bf571a2eb07bae3f00f3e7ebe1149f89df456266854ef8682c73985fe4c8d8708da0c1a78149711da46ca44fe336d34a4502c4a357b157f05094392

Download Submit
C:\Windows\System\WWVVKOt.exe

Filesize
5.2MB

MD5
853cafa0d28c7d108368cfb5b2d4ea93

SHA1
a3973968cd6621ce3717bb915a4cafbeff5ace29

SHA256
b65861edda26f3dbd30c5dc7e5211b2f405cd0a494a84dfff6a557e714384c70

SHA512
d77e833e156ffad7c847e19a7e7b3bef2149afe07e7d2d9991d1645b93e4264f628bc1912f1a48174f20c1ab4e5a1c718f44f55c4a6f2d6983f7c27d096c2f1b

Download Submit
C:\Windows\System\acPNjRl.exe

Filesize
5.2MB

MD5
cfa5e97f908bab7900ec3c4168616ad8

SHA1
b6a39f5a2f2ec7300c408be4c29fe0b2c5a83b73

SHA256
a546b8441a6eb38f7bd6f49de607e276f653c8240c89bd3fd4988127874dce49

SHA512
1b61825a4c75510c2420036d842f96a268a0683c1284af0dc6e3ec9a5c25c7f9681f56f802080990b5fb12c7ee96848a98094ceb2fcd97c2102ebd7030918543

Download Submit
C:\Windows\System\bjzBwzb.exe

Filesize
5.2MB

MD5
b8f1121654a8f1cf4e59b6073b77b4ff

SHA1
723bd67f6bff7874c8f48dbc0646c8b02bc20c2a

SHA256
1edfff08d5b61ea91b84194e0e7bf34cca50c04949dde9b214071998335e76b6

SHA512
0f9a9418afcebae4b520b97a8e120dee18c98ceb2daa07becc0f8425b6e2c1bb491de338b08642909b5e0466f7a73c4d4132320c25d2f47e4d7f6c78e0c944de

Download Submit
C:\Windows\System\btQYtis.exe

Filesize
5.2MB

MD5
94fee1686de4f921c1d970a611a22294

SHA1
9040c5f82db22615b9dfacf1dbb2ddd83d5a2be4

SHA256
e87c33264d991700b67543eae53a05c7a152d0fa5939b3eab1ccb387217b9f3c

SHA512
0fffc54df43db0dad3a9ea44a7d7d1a3e2d93c82f996aedd836394b35b7f2835ae30477fbac56e15eac23c7fd6dc57a5c83878ba9b2e21d61165a6f8ec333ec3

Download Submit
C:\Windows\System\cIZAijV.exe

Filesize
5.2MB

MD5
c4b7bb14f16020feb2c9a461a6f912a1

SHA1
ecbb36eff00ea0c965f4d4072268dd8c6286e514

SHA256
6eac3cba17827211b192a5e52b098a532b71c555943217fd54e1ceeabbca6579

SHA512
04ccb5b6df7ba7ba1ebb17abf45eb3903687f77a796e9bea0aaec76f8976c4e2b5a7a71bb70d63209f3a0f1de151a5c6bfa5597e1512a04182b2a0182fc2517c

Download Submit
C:\Windows\System\fAUNJFS.exe

Filesize
5.2MB

MD5
83d873af0589858b5e9780692e3cbd98

SHA1
5222558bccf302b243832f9322e730042b384f5a

SHA256
670df4062ed52fbd113fa637a937050517b66ac402c57110a85fdff711f4f0c5

SHA512
e7d6c0e8fd1f4e807fd6ef44ee913bfa405224f6caebae37b97d460e201919802516aae2d02f093b1d564eed5bd466dfbae528778a12f49e89fc43de2860d602

Download Submit
C:\Windows\System\oPjwcGe.exe

Filesize
5.2MB

MD5
59329f4098a1e11ed4f7716ab0577c2a

SHA1
2eb245ca053d4433b70ffdd0779ea56211d329fd

SHA256
9b9340b0af0b6ad4c260e20cc9e681ed67209432c6c4232e054dabf51f616fdf

SHA512
fdefdc0d28e0de2f7c9a14e2637eb98d6f522d219ec62f613aee17e96359f89f4090ddcf836162a694c94ff1dab0b3cad69a199a23a89ef6db7d43fe701d75f4

Download Submit
C:\Windows\System\qNRSuwQ.exe

Filesize
5.2MB

MD5
428bc40ba0190e8048a1d4b825da4db0

SHA1
a6e0190696def4c0d04944e69240f1927fd8551e

SHA256
4607581536fe06e6456d3c61208e7a46aace10cd1868784bf47bc0413c45877f

SHA512
a2a022acdb9b94f61989916048b184d5c4df1d74c4a5d716a0f310efb864e70d926499a19bd4b6ff95560bac7849caa91e684b5bb32dcc48c1eb9560b1bd277c

Download Submit
C:\Windows\System\qVgkONT.exe

Filesize
5.2MB

MD5
486ab4b8af192c9f2383513c844b5d32

SHA1
84cc5cd926a8c864e3b7e96e4a9fcbdb5b484c7a

SHA256
fc904f5d14afe5b52f94407b87c6b5c87acfdd632c58ddf1c125b937bf9378f2

SHA512
4c469bf9bb3cef0751358b474119ebf635f9bad8c090ded70545d610bf7aa36c3e68a7c5dab6c35333f66045e57ed26df02bc682553e99d7b7a16639d8626d94

Download Submit
C:\Windows\System\rkfAMfG.exe

Filesize
5.2MB

MD5
a8f88bff1ce599bd0cc0a71fad144cbc

SHA1
e7c93cfd2faf29ca76bb08728565527881c6ce93

SHA256
059f29e326372081363eb9b5cb26fde8e7d3aab79a3a62ce0551ddc01dff84a1

SHA512
8f312b6c2d7be62d2414003691fd4d30d8ef252e0ce71bc6dba0962466171cbc61ef00d994d9224368bada9c2d1a3ddbb733632e08d53e2a1cc5f644736367fb

Download Submit
C:\Windows\System\xudenBI.exe

Filesize
5.2MB

MD5
a6386734835b26f53cac861a45a43b83

SHA1
c277afab0823dfeb2c427c76f5c9f9c119443548

SHA256
b8bbd0baf248c37845151a8065bd2c61b67c522a5285ac2795fa71dae587aed3

SHA512
9096dbac906f4a7231ac0c38ec430c1d61e53e1de3fc6a64f25bb6245a0d53e95f369bde8b6bfe41ffdb840bbb1f41662be3f1dae9c32f33c5f00d1f9835d9ae

Download Submit
C:\Windows\System\xzbveKv.exe

Filesize
5.2MB

MD5
3e00c9fa17bdcdf02902c4554fccf22c

SHA1
79c688ae6bd8968250067951dc90d014dd25c64d

SHA256
03b2a5d61087d1d1c087613267995352291d259c6f885da9e5210355f6e5f4ef

SHA512
5b5d64649d6dcd3905d852f018bf30817362cb3076cce6f23b0bece44ad2b4026d028a143d2b991f51ad2f6ff2cfdbc4e3fae80fbaa8d8a4493c1c8e61b7bddc

Download Submit
C:\Windows\System\zrEnVeu.exe

Filesize
5.2MB

MD5
d1b1796443ce877d208c87dcc348e7dd

SHA1
eecccabc39b0cfac46fd503eb4e9c48e744b53ea

SHA256
f9653264932cd24389e33514c20e32d75bfc88f1598b157dee988e236f4a1f19

SHA512
c9ebd7e57a95b5129519bf1c41c3e83ba1ac43ca8004fa9ae63fecbfb71615d42c9b36180b5c030a490f0ec4359b61dd0bf1eff62a447dd405b167bd80896152

Download Submit
memory/408-8-0x00007FF746010000-0x00007FF746361000-memory.dmp

Filesize
3.3MB

Download
memory/408-196-0x00007FF746010000-0x00007FF746361000-memory.dmp

Filesize
3.3MB

Download
memory/408-122-0x00007FF746010000-0x00007FF746361000-memory.dmp

Filesize
3.3MB

Download
memory/628-121-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp

Filesize
3.3MB

Download
memory/628-150-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp

Filesize
3.3MB

Download
memory/628-1-0x000001A34FA80000-0x000001A34FA90000-memory.dmp

Filesize
64KB

Download
memory/628-0-0x00007FF64C860000-0x00007FF64CBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-136-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp

Filesize
3.3MB

Download
memory/1496-242-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp

Filesize
3.3MB

Download
memory/1576-208-0x00007FF7E2A40000-0x00007FF7E2D91000-memory.dmp

Filesize
3.3MB

Download
memory/1576-26-0x00007FF7E2A40000-0x00007FF7E2D91000-memory.dmp

Filesize
3.3MB

Download
memory/1948-48-0x00007FF7C5F40000-0x00007FF7C6291000-memory.dmp

Filesize
3.3MB

Download
memory/1948-213-0x00007FF7C5F40000-0x00007FF7C6291000-memory.dmp

Filesize
3.3MB

Download
memory/2268-73-0x00007FF766EB0000-0x00007FF767201000-memory.dmp

Filesize
3.3MB

Download
memory/2268-222-0x00007FF766EB0000-0x00007FF767201000-memory.dmp

Filesize
3.3MB

Download
memory/2268-139-0x00007FF766EB0000-0x00007FF767201000-memory.dmp

Filesize
3.3MB

Download
memory/2344-238-0x00007FF6AEE40000-0x00007FF6AF191000-memory.dmp

Filesize
3.3MB

Download
memory/2344-134-0x00007FF6AEE40000-0x00007FF6AF191000-memory.dmp

Filesize
3.3MB

Download
memory/2452-210-0x00007FF6E9CE0000-0x00007FF6EA031000-memory.dmp

Filesize
3.3MB

Download
memory/2452-47-0x00007FF6E9CE0000-0x00007FF6EA031000-memory.dmp

Filesize
3.3MB

Download
memory/2892-216-0x00007FF628C70000-0x00007FF628FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-50-0x00007FF628C70000-0x00007FF628FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-214-0x00007FF7C7940000-0x00007FF7C7C91000-memory.dmp

Filesize
3.3MB

Download
memory/2972-49-0x00007FF7C7940000-0x00007FF7C7C91000-memory.dmp

Filesize
3.3MB

Download
memory/2996-66-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp

Filesize
3.3MB

Download
memory/2996-220-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp

Filesize
3.3MB

Download
memory/2996-138-0x00007FF7D0D30000-0x00007FF7D1081000-memory.dmp

Filesize
3.3MB

Download
memory/3744-133-0x00007FF727290000-0x00007FF7275E1000-memory.dmp

Filesize
3.3MB

Download
memory/3744-234-0x00007FF727290000-0x00007FF7275E1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-65-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp

Filesize
3.3MB

Download
memory/4064-218-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp

Filesize
3.3MB

Download
memory/4304-233-0x00007FF6A4140000-0x00007FF6A4491000-memory.dmp

Filesize
3.3MB

Download
memory/4304-131-0x00007FF6A4140000-0x00007FF6A4491000-memory.dmp

Filesize
3.3MB

Download
memory/4468-142-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp

Filesize
3.3MB

Download
memory/4468-86-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp

Filesize
3.3MB

Download
memory/4468-228-0x00007FF6B6B10000-0x00007FF6B6E61000-memory.dmp

Filesize
3.3MB

Download
memory/4492-140-0x00007FF651660000-0x00007FF6519B1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-225-0x00007FF651660000-0x00007FF6519B1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-77-0x00007FF651660000-0x00007FF6519B1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-237-0x00007FF6BF400000-0x00007FF6BF751000-memory.dmp

Filesize
3.3MB

Download
memory/4552-135-0x00007FF6BF400000-0x00007FF6BF751000-memory.dmp

Filesize
3.3MB

Download
memory/4568-137-0x00007FF6CB4D0000-0x00007FF6CB821000-memory.dmp

Filesize
3.3MB

Download
memory/4568-241-0x00007FF6CB4D0000-0x00007FF6CB821000-memory.dmp

Filesize
3.3MB

Download
memory/4652-80-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp

Filesize
3.3MB

Download
memory/4652-226-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp

Filesize
3.3MB

Download
memory/4652-141-0x00007FF66A5E0000-0x00007FF66A931000-memory.dmp

Filesize
3.3MB

Download
memory/4696-124-0x00007FF772ED0000-0x00007FF773221000-memory.dmp

Filesize
3.3MB

Download
memory/4696-200-0x00007FF772ED0000-0x00007FF773221000-memory.dmp

Filesize
3.3MB

Download
memory/4696-20-0x00007FF772ED0000-0x00007FF773221000-memory.dmp

Filesize
3.3MB

Download
memory/4836-132-0x00007FF6F1C00000-0x00007FF6F1F51000-memory.dmp

Filesize
3.3MB

Download
memory/4836-232-0x00007FF6F1C00000-0x00007FF6F1F51000-memory.dmp

Filesize
3.3MB

Download
memory/4984-198-0x00007FF6AECF0000-0x00007FF6AF041000-memory.dmp

Filesize
3.3MB

Download
memory/4984-14-0x00007FF6AECF0000-0x00007FF6AF041000-memory.dmp

Filesize
3.3MB

Download