cobaltstrike | 2355ab65e1a76372836c79b496d853b0917d72b3c0de88f398b8169df1bbaa21

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

d529a922da360715e2a3480e1dd5ee1f
SHA1

95bc2e5bbb29af2ca79e09842fa4172573b4f7dc
SHA256

2355ab65e1a76372836c79b496d853b0917d72b3c0de88f398b8169df1bbaa21
SHA512

0daeeccc94bd83169186a025b8c469329d6170d7ab0c585f203ae809d3e65937305111182c2735c269bd51e35bcea88eec3d6d29c7fec6fabfe41f8c174dec91
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibf56utgpPFotBER/mQ32lUg

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023422-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023423-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-31.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023422-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023426-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342c-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342d-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023430-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023435-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023434-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023438-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023423-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023437-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023436-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023432-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023431-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023433-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342f-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342e-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342b-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342a-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023429-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/5612-0-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp	UPX
behavioral2/files/0x0008000000023422-5.dat	UPX
behavioral2/files/0x0007000000023427-8.dat	UPX
behavioral2/files/0x0007000000023426-10.dat	UPX
behavioral2/memory/2640-24-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp	UPX
behavioral2/files/0x000700000002342c-44.dat	UPX
behavioral2/memory/940-49-0x00007FF7BA870000-0x00007FF7BABC1000-memory.dmp	UPX
behavioral2/files/0x000700000002342d-54.dat	UPX
behavioral2/files/0x0007000000023430-63.dat	UPX
behavioral2/files/0x0007000000023435-90.dat	UPX
behavioral2/files/0x0007000000023434-89.dat	UPX
behavioral2/files/0x0007000000023438-121.dat	UPX
behavioral2/files/0x0008000000023423-119.dat	UPX
behavioral2/files/0x0007000000023437-117.dat	UPX
behavioral2/files/0x0007000000023436-115.dat	UPX
behavioral2/memory/1964-114-0x00007FF684900000-0x00007FF684C51000-memory.dmp	UPX
behavioral2/memory/4888-107-0x00007FF746B00000-0x00007FF746E51000-memory.dmp	UPX
behavioral2/memory/3932-106-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp	UPX
behavioral2/files/0x0007000000023432-99.dat	UPX
behavioral2/files/0x0007000000023431-97.dat	UPX
behavioral2/files/0x0007000000023433-95.dat	UPX
behavioral2/memory/5048-92-0x00007FF712920000-0x00007FF712C71000-memory.dmp	UPX
behavioral2/memory/5256-91-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp	UPX
behavioral2/files/0x000700000002342f-83.dat	UPX
behavioral2/files/0x000700000002342e-78.dat	UPX
behavioral2/memory/6112-76-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp	UPX
behavioral2/memory/4684-69-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp	UPX
behavioral2/memory/5772-58-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp	UPX
behavioral2/memory/2172-57-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp	UPX
behavioral2/memory/4296-50-0x00007FF76BF20000-0x00007FF76C271000-memory.dmp	UPX
behavioral2/files/0x000700000002342b-47.dat	UPX
behavioral2/memory/6056-41-0x00007FF685800000-0x00007FF685B51000-memory.dmp	UPX
behavioral2/files/0x000700000002342a-39.dat	UPX
behavioral2/files/0x0007000000023429-38.dat	UPX
behavioral2/files/0x0007000000023428-31.dat	UPX
behavioral2/memory/4948-30-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp	UPX
behavioral2/memory/2760-20-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	UPX
behavioral2/memory/6044-9-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	UPX
behavioral2/memory/3600-123-0x00007FF7397D0000-0x00007FF739B21000-memory.dmp	UPX
behavioral2/memory/3988-126-0x00007FF612FC0000-0x00007FF613311000-memory.dmp	UPX
behavioral2/memory/5252-127-0x00007FF671140000-0x00007FF671491000-memory.dmp	UPX
behavioral2/memory/1440-125-0x00007FF76B570000-0x00007FF76B8C1000-memory.dmp	UPX
behavioral2/memory/3296-124-0x00007FF710F00000-0x00007FF711251000-memory.dmp	UPX
behavioral2/memory/5612-128-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp	UPX
behavioral2/memory/4948-132-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp	UPX
behavioral2/memory/2640-131-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp	UPX
behavioral2/memory/2760-130-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	UPX
behavioral2/memory/5256-142-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp	UPX
behavioral2/memory/5048-144-0x00007FF712920000-0x00007FF712C71000-memory.dmp	UPX
behavioral2/memory/3932-145-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp	UPX
behavioral2/memory/6112-140-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp	UPX
behavioral2/memory/4684-139-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp	UPX
behavioral2/memory/5772-136-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp	UPX
behavioral2/memory/6044-129-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	UPX
behavioral2/memory/2172-137-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp	UPX
behavioral2/memory/6056-133-0x00007FF685800000-0x00007FF685B51000-memory.dmp	UPX
behavioral2/memory/5612-150-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp	UPX
behavioral2/memory/6044-217-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	UPX
behavioral2/memory/2760-219-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	UPX
behavioral2/memory/2640-221-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp	UPX
behavioral2/memory/940-225-0x00007FF7BA870000-0x00007FF7BABC1000-memory.dmp	UPX
behavioral2/memory/4296-229-0x00007FF76BF20000-0x00007FF76C271000-memory.dmp	UPX
behavioral2/memory/6056-227-0x00007FF685800000-0x00007FF685B51000-memory.dmp	UPX
behavioral2/memory/4948-223-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/940-49-0x00007FF7BA870000-0x00007FF7BABC1000-memory.dmp	xmrig
behavioral2/memory/1964-114-0x00007FF684900000-0x00007FF684C51000-memory.dmp	xmrig
behavioral2/memory/4888-107-0x00007FF746B00000-0x00007FF746E51000-memory.dmp	xmrig
behavioral2/memory/4296-50-0x00007FF76BF20000-0x00007FF76C271000-memory.dmp	xmrig
behavioral2/memory/2760-20-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	xmrig
behavioral2/memory/6044-9-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	xmrig
behavioral2/memory/3600-123-0x00007FF7397D0000-0x00007FF739B21000-memory.dmp	xmrig
behavioral2/memory/3988-126-0x00007FF612FC0000-0x00007FF613311000-memory.dmp	xmrig
behavioral2/memory/5252-127-0x00007FF671140000-0x00007FF671491000-memory.dmp	xmrig
behavioral2/memory/1440-125-0x00007FF76B570000-0x00007FF76B8C1000-memory.dmp	xmrig
behavioral2/memory/3296-124-0x00007FF710F00000-0x00007FF711251000-memory.dmp	xmrig
behavioral2/memory/5612-128-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp	xmrig
behavioral2/memory/4948-132-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp	xmrig
behavioral2/memory/2640-131-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp	xmrig
behavioral2/memory/2760-130-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	xmrig
behavioral2/memory/5256-142-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp	xmrig
behavioral2/memory/5048-144-0x00007FF712920000-0x00007FF712C71000-memory.dmp	xmrig
behavioral2/memory/3932-145-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp	xmrig
behavioral2/memory/6112-140-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp	xmrig
behavioral2/memory/4684-139-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp	xmrig
behavioral2/memory/5772-136-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp	xmrig
behavioral2/memory/6044-129-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	xmrig
behavioral2/memory/2172-137-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp	xmrig
behavioral2/memory/6056-133-0x00007FF685800000-0x00007FF685B51000-memory.dmp	xmrig
behavioral2/memory/5612-150-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp	xmrig
behavioral2/memory/6044-217-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	xmrig
behavioral2/memory/2760-219-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	xmrig
behavioral2/memory/2640-221-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp	xmrig
behavioral2/memory/940-225-0x00007FF7BA870000-0x00007FF7BABC1000-memory.dmp	xmrig
behavioral2/memory/4296-229-0x00007FF76BF20000-0x00007FF76C271000-memory.dmp	xmrig
behavioral2/memory/6056-227-0x00007FF685800000-0x00007FF685B51000-memory.dmp	xmrig
behavioral2/memory/4948-223-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp	xmrig
behavioral2/memory/5772-231-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp	xmrig
behavioral2/memory/2172-233-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp	xmrig
behavioral2/memory/6112-239-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp	xmrig
behavioral2/memory/4684-237-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp	xmrig
behavioral2/memory/1964-241-0x00007FF684900000-0x00007FF684C51000-memory.dmp	xmrig
behavioral2/memory/5048-245-0x00007FF712920000-0x00007FF712C71000-memory.dmp	xmrig
behavioral2/memory/5256-243-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp	xmrig
behavioral2/memory/5252-253-0x00007FF671140000-0x00007FF671491000-memory.dmp	xmrig
behavioral2/memory/3988-257-0x00007FF612FC0000-0x00007FF613311000-memory.dmp	xmrig
behavioral2/memory/1440-255-0x00007FF76B570000-0x00007FF76B8C1000-memory.dmp	xmrig
behavioral2/memory/3296-251-0x00007FF710F00000-0x00007FF711251000-memory.dmp	xmrig
behavioral2/memory/3932-249-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp	xmrig
behavioral2/memory/3600-247-0x00007FF7397D0000-0x00007FF739B21000-memory.dmp	xmrig
behavioral2/memory/4888-235-0x00007FF746B00000-0x00007FF746E51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
6044	ZylVDqG.exe
2760	XHepDsW.exe
2640	xnvnKaB.exe
4948	sdbSGkX.exe
6056	QiQXWMj.exe
940	AgJgIsW.exe
4296	EEkEGVK.exe
5772	RAxWBIS.exe
2172	ycBiVXg.exe
4888	sybvvbc.exe
4684	WSanPtj.exe
6112	ZjqplSd.exe
1964	lvqJpzI.exe
5256	xQzSBdj.exe
3600	bCDPgqy.exe
5048	faENaYR.exe
3932	Ntxjhhr.exe
3296	rsdBjUm.exe
5252	MMWXkMr.exe
1440	CtndLWN.exe
3988	swLrifM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5612-0-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp	upx
behavioral2/files/0x0008000000023422-5.dat	upx
behavioral2/files/0x0007000000023427-8.dat	upx
behavioral2/files/0x0007000000023426-10.dat	upx
behavioral2/memory/2640-24-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp	upx
behavioral2/files/0x000700000002342c-44.dat	upx
behavioral2/memory/940-49-0x00007FF7BA870000-0x00007FF7BABC1000-memory.dmp	upx
behavioral2/files/0x000700000002342d-54.dat	upx
behavioral2/files/0x0007000000023430-63.dat	upx
behavioral2/files/0x0007000000023435-90.dat	upx
behavioral2/files/0x0007000000023434-89.dat	upx
behavioral2/files/0x0007000000023438-121.dat	upx
behavioral2/files/0x0008000000023423-119.dat	upx
behavioral2/files/0x0007000000023437-117.dat	upx
behavioral2/files/0x0007000000023436-115.dat	upx
behavioral2/memory/1964-114-0x00007FF684900000-0x00007FF684C51000-memory.dmp	upx
behavioral2/memory/4888-107-0x00007FF746B00000-0x00007FF746E51000-memory.dmp	upx
behavioral2/memory/3932-106-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp	upx
behavioral2/files/0x0007000000023432-99.dat	upx
behavioral2/files/0x0007000000023431-97.dat	upx
behavioral2/files/0x0007000000023433-95.dat	upx
behavioral2/memory/5048-92-0x00007FF712920000-0x00007FF712C71000-memory.dmp	upx
behavioral2/memory/5256-91-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp	upx
behavioral2/files/0x000700000002342f-83.dat	upx
behavioral2/files/0x000700000002342e-78.dat	upx
behavioral2/memory/6112-76-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp	upx
behavioral2/memory/4684-69-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp	upx
behavioral2/memory/5772-58-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp	upx
behavioral2/memory/2172-57-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp	upx
behavioral2/memory/4296-50-0x00007FF76BF20000-0x00007FF76C271000-memory.dmp	upx
behavioral2/files/0x000700000002342b-47.dat	upx
behavioral2/memory/6056-41-0x00007FF685800000-0x00007FF685B51000-memory.dmp	upx
behavioral2/files/0x000700000002342a-39.dat	upx
behavioral2/files/0x0007000000023429-38.dat	upx
behavioral2/files/0x0007000000023428-31.dat	upx
behavioral2/memory/4948-30-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp	upx
behavioral2/memory/2760-20-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	upx
behavioral2/memory/6044-9-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	upx
behavioral2/memory/3600-123-0x00007FF7397D0000-0x00007FF739B21000-memory.dmp	upx
behavioral2/memory/3988-126-0x00007FF612FC0000-0x00007FF613311000-memory.dmp	upx
behavioral2/memory/5252-127-0x00007FF671140000-0x00007FF671491000-memory.dmp	upx
behavioral2/memory/1440-125-0x00007FF76B570000-0x00007FF76B8C1000-memory.dmp	upx
behavioral2/memory/3296-124-0x00007FF710F00000-0x00007FF711251000-memory.dmp	upx
behavioral2/memory/5612-128-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp	upx
behavioral2/memory/4948-132-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp	upx
behavioral2/memory/2640-131-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp	upx
behavioral2/memory/2760-130-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	upx
behavioral2/memory/5256-142-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp	upx
behavioral2/memory/5048-144-0x00007FF712920000-0x00007FF712C71000-memory.dmp	upx
behavioral2/memory/3932-145-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp	upx
behavioral2/memory/6112-140-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp	upx
behavioral2/memory/4684-139-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp	upx
behavioral2/memory/5772-136-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp	upx
behavioral2/memory/6044-129-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	upx
behavioral2/memory/2172-137-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp	upx
behavioral2/memory/6056-133-0x00007FF685800000-0x00007FF685B51000-memory.dmp	upx
behavioral2/memory/5612-150-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp	upx
behavioral2/memory/6044-217-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp	upx
behavioral2/memory/2760-219-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	upx
behavioral2/memory/2640-221-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp	upx
behavioral2/memory/940-225-0x00007FF7BA870000-0x00007FF7BABC1000-memory.dmp	upx
behavioral2/memory/4296-229-0x00007FF76BF20000-0x00007FF76C271000-memory.dmp	upx
behavioral2/memory/6056-227-0x00007FF685800000-0x00007FF685B51000-memory.dmp	upx
behavioral2/memory/4948-223-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\swLrifM.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZylVDqG.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sdbSGkX.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xQzSBdj.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WSanPtj.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Ntxjhhr.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rsdBjUm.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XHepDsW.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xnvnKaB.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EEkEGVK.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lvqJpzI.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bCDPgqy.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\faENaYR.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AgJgIsW.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sybvvbc.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZjqplSd.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MMWXkMr.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CtndLWN.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QiQXWMj.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RAxWBIS.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ycBiVXg.exe	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5612 wrote to memory of 6044	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	83
PID 5612 wrote to memory of 6044	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	83
PID 5612 wrote to memory of 2760	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	84
PID 5612 wrote to memory of 2760	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	84
PID 5612 wrote to memory of 2640	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	85
PID 5612 wrote to memory of 2640	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	85
PID 5612 wrote to memory of 4948	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	86
PID 5612 wrote to memory of 4948	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	86
PID 5612 wrote to memory of 6056	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	87
PID 5612 wrote to memory of 6056	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	87
PID 5612 wrote to memory of 940	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	88
PID 5612 wrote to memory of 940	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	88
PID 5612 wrote to memory of 4296	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	89
PID 5612 wrote to memory of 4296	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	89
PID 5612 wrote to memory of 5772	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	90
PID 5612 wrote to memory of 5772	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	90
PID 5612 wrote to memory of 2172	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	91
PID 5612 wrote to memory of 2172	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	91
PID 5612 wrote to memory of 4888	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	92
PID 5612 wrote to memory of 4888	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	92
PID 5612 wrote to memory of 4684	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	93
PID 5612 wrote to memory of 4684	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	93
PID 5612 wrote to memory of 6112	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	94
PID 5612 wrote to memory of 6112	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	94
PID 5612 wrote to memory of 1964	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	95
PID 5612 wrote to memory of 1964	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	95
PID 5612 wrote to memory of 5256	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	96
PID 5612 wrote to memory of 5256	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	96
PID 5612 wrote to memory of 3600	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	97
PID 5612 wrote to memory of 3600	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	97
PID 5612 wrote to memory of 5048	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	98
PID 5612 wrote to memory of 5048	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	98
PID 5612 wrote to memory of 3932	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	99
PID 5612 wrote to memory of 3932	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	99
PID 5612 wrote to memory of 3296	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	100
PID 5612 wrote to memory of 3296	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	100
PID 5612 wrote to memory of 5252	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	101
PID 5612 wrote to memory of 5252	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	101
PID 5612 wrote to memory of 1440	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	102
PID 5612 wrote to memory of 1440	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	102
PID 5612 wrote to memory of 3988	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	103
PID 5612 wrote to memory of 3988	5612	2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_d529a922da360715e2a3480e1dd5ee1f_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5612
- C:\Windows\System\ZylVDqG.exe
  C:\Windows\System\ZylVDqG.exe
  2⤵
  - Executes dropped EXE
  PID:6044
- C:\Windows\System\XHepDsW.exe
  C:\Windows\System\XHepDsW.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\xnvnKaB.exe
  C:\Windows\System\xnvnKaB.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\sdbSGkX.exe
  C:\Windows\System\sdbSGkX.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\QiQXWMj.exe
  C:\Windows\System\QiQXWMj.exe
  2⤵
  - Executes dropped EXE
  PID:6056
- C:\Windows\System\AgJgIsW.exe
  C:\Windows\System\AgJgIsW.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\EEkEGVK.exe
  C:\Windows\System\EEkEGVK.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\RAxWBIS.exe
  C:\Windows\System\RAxWBIS.exe
  2⤵
  - Executes dropped EXE
  PID:5772
- C:\Windows\System\ycBiVXg.exe
  C:\Windows\System\ycBiVXg.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\sybvvbc.exe
  C:\Windows\System\sybvvbc.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\WSanPtj.exe
  C:\Windows\System\WSanPtj.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\ZjqplSd.exe
  C:\Windows\System\ZjqplSd.exe
  2⤵
  - Executes dropped EXE
  PID:6112
- C:\Windows\System\lvqJpzI.exe
  C:\Windows\System\lvqJpzI.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\xQzSBdj.exe
  C:\Windows\System\xQzSBdj.exe
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Windows\System\bCDPgqy.exe
  C:\Windows\System\bCDPgqy.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\faENaYR.exe
  C:\Windows\System\faENaYR.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\Ntxjhhr.exe
  C:\Windows\System\Ntxjhhr.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\rsdBjUm.exe
  C:\Windows\System\rsdBjUm.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\MMWXkMr.exe
  C:\Windows\System\MMWXkMr.exe
  2⤵
  - Executes dropped EXE
  PID:5252
- C:\Windows\System\CtndLWN.exe
  C:\Windows\System\CtndLWN.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\swLrifM.exe
  C:\Windows\System\swLrifM.exe
  2⤵
  - Executes dropped EXE
  PID:3988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AgJgIsW.exe

Filesize
5.2MB

MD5
050e86afb30df582b938919f839b9221

SHA1
67e87162524a26f61c8107015e9677c051d1f35e

SHA256
0dc34b112969086b77a78144480dba7931750841c205b0faadae8596eb81b339

SHA512
2a6cd74347679f9c30b0aa348710c1cdbc9a4a402c620814532beee2b4d20aed022898b29c5c5cd8360bfee1170d1375d6770350a9fef5df6e162421cd6bbb2b

Download Submit
C:\Windows\System\CtndLWN.exe

Filesize
5.2MB

MD5
54d6981be0bca5396ef5cbd86a0096fd

SHA1
3e1e30fae4e168930176fcc8eeb6d0da8363379b

SHA256
c6ed993f43f4570077e4f880bd280a3232a5c1baf896326aeaece4eaed6f32a8

SHA512
67bda3c54e2ee997f673b7df013a4ae46ab58a0d5f893e1dd641f3a0c1064fcb84fb5ea6189273f23a4386f839cadd5bfb36d6fab01d942cdb1a78672d24b5d8

Download Submit
C:\Windows\System\EEkEGVK.exe

Filesize
5.2MB

MD5
0018a543f69f4505ce17d10cddfa9911

SHA1
43dc98155b86814fa437c4ae7e0edf329b8d545b

SHA256
6d93159e9b73c61c68242adf41ef80caede95af00c10f45c5e29cb66da36c384

SHA512
a248b750f08978d67978582f8d54159b94370e5ee913d5652a028dc81e533fd26ce00f5a9427307fe58851dc5d2b796e57bcfdb49f5e1ffe3013424656fc87a5

Download Submit
C:\Windows\System\MMWXkMr.exe

Filesize
5.2MB

MD5
c56cb7aa90dbe23258a20fb9644b64c8

SHA1
1b56fb988eef7610c14cc8f86a8ce478b81dbe3f

SHA256
ac8996585cc2e5874de114e2df45587f23cf2ea9a8eb09f498a1342c87f2f912

SHA512
f2fbc75a72a9e4b591300458415161cdbeee8e688b7e8e50a6cd01b6603022003f40c1f4942c108ad0e9ae603a9fe7b7d6a40c12dad2127d06d9caeeaa3de237

Download Submit
C:\Windows\System\Ntxjhhr.exe

Filesize
5.2MB

MD5
6dc4c0d014a2b9a64d1c3fa26d795394

SHA1
e4f32b397c5b2f65ce05c94289c441ff6ae96ffa

SHA256
bf12555be5e27aac10c3292fef768b7f4f87bf33c320b5645c41f1319b8c38eb

SHA512
987d176ceb1e0e9c02e529d58945aaca71c96006a49d3261bd95b6c1b8195ac2274201f8f012e4dcad6ec8973c485b8223092b4d19a7e0f842c3f1d4193b109c

Download Submit
C:\Windows\System\QiQXWMj.exe

Filesize
5.2MB

MD5
5e1e7bfe2d2bd9b479cb5f8e71c3947c

SHA1
aaaaf67fe5a63bf68effa3ad7dec0b84993edb20

SHA256
38166704ebe6d5636823323d33d6bd7781d1bf0dc87cabc339cb675ec400d90e

SHA512
05e38ea6c99c64175f804e18077f5d8514d1b066f2d8666c3bf978f2a7f80f5339d934ae01580c857021d596c9e08403600800f92c8c90ecff382eee8078143c

Download Submit
C:\Windows\System\RAxWBIS.exe

Filesize
5.2MB

MD5
71dee8bc156895976ac28639088865d5

SHA1
807b396f228e3fdd5e4458691d321f20f40ea945

SHA256
3672868b169432c12b869d4b274cd5ff90d26495c9d95e492ebbc0c66066ec49

SHA512
41593e5f6c0fd6456e23123bb00720009c4e9dce602399e0be557d46a7b7b340791b2df684ac4c27cd211d441bddc36cc326ec65c6f870aa6cc0e88e61348e77

Download Submit
C:\Windows\System\WSanPtj.exe

Filesize
5.2MB

MD5
35630a6ddd21e0397046186509f47891

SHA1
89abc29a50949e58a9d19a8296d5c113b340001a

SHA256
7aa079f5afc5b075eb7902015025c12d61c28e390c98f8b0ddb514ea382c84dd

SHA512
b499277d8facfa64815462f84e6e64fe2e3d9b36e8b8de8bbc6fc57a88aa4c1e369ecd0398486e78343b73e46cfa9e64e08154a20b12644ab29405afbb73890e

Download Submit
C:\Windows\System\XHepDsW.exe

Filesize
5.2MB

MD5
889c6f81f3bd17b5262a4b2bf789e6b4

SHA1
7abc566b075f6d28197da020d4b245d2ae569e14

SHA256
d4775ba3db5f2d40221089a57261e8ca31587e3d5a4e3fbc76fef5d038ff9889

SHA512
ed9544b340643bb5ee2c93034c08d232e2cb7ec976e3ef857d65c9742d0e5c6db77b1245e543864a68430f4dc952c079aaa9b9fc57f4b8576ed7e792b182949b

Download Submit
C:\Windows\System\ZjqplSd.exe

Filesize
5.2MB

MD5
686fd0948d65dab498e8f263799249c1

SHA1
5e4c7ce4042225677267157f1fd1fba98c520b99

SHA256
6898931c304b63d74e21e3e21c160aeced94df35d9ba37ada8cc4ff3b288d45c

SHA512
aa9fc4c0346f915685a92991e0fef436801453f7006e791b78b3ecdd5c5f9d7b45b8363510f7892a1e97db9d640fee7e8936a810be740547c9b3df91e6f20b42

Download Submit
C:\Windows\System\ZylVDqG.exe

Filesize
5.2MB

MD5
202bfe77e98488ffceda8f8dc6c4b0ea

SHA1
529c0b57f78357c732151452f13e805e0fb69532

SHA256
dae81d7893af094d64926ea8403fba9bb32b3dc13c95ed6cf11d57752560403c

SHA512
5f679d00e3188cb49bb3a3a488da1cb164a3c00cd247479d833d5a2196c80c908082a5b4d71f21df421e8f6ec5f2954557e9fa325069d23831181de772cc538d

Download Submit
C:\Windows\System\bCDPgqy.exe

Filesize
5.2MB

MD5
4a8816fb4e815d10fd5957362e44a6f3

SHA1
0ad88881d7762bfc3ecd2444042ddaa138c27d10

SHA256
9ebe2fbac7b542ca09b6635261f409ecba66be0de1708e5a3e2455853da59870

SHA512
bfa073064c98e7caf61bb5a59e3e2061a4f04d5121df4c01c9cf6f205075a276f31aa8cffdb2d92396ac9b4e74705e8441164b21ee7b2e34fc1f7fbc65017a06

Download Submit
C:\Windows\System\faENaYR.exe

Filesize
5.2MB

MD5
6b83ba50b6416a241fc7ec17eb4bc200

SHA1
ae95a72c15ca8545d61bca2b699e82d4f8cafe20

SHA256
88969b2d6330d7fa0ce7b52208b4a2bc8fc9e8ae952e0aa83937ffb5f956e9d7

SHA512
f5e3120aca2b5c0846dd9eecd700c9e55aed8cfa2eb79c1a1de2683af60ae6475b6287e4254cc8d4fa754601ccd527d34afc1ab930c7e75ac6deabff509683f2

Download Submit
C:\Windows\System\lvqJpzI.exe

Filesize
5.2MB

MD5
463f7880e2947a4752b4540fb90dedbf

SHA1
24baff1060d6d425e25b56159a862b71df684a01

SHA256
04661d42ae1c0eabc013251a439a5cb55082461e2bdbd1f3b6865886624590a9

SHA512
f2a68b6c7e7574a94f1c463c502da3558bb6b080e66236bb708588424907c012fc12b0affa0d8edca84e226708cf5e5affdd876262205c75b9f384c4b4db404b

Download Submit
C:\Windows\System\rsdBjUm.exe

Filesize
5.2MB

MD5
d070934514e3d29612e8f5c486395132

SHA1
59481e7155309f520dea2df1b2ec618239255fb8

SHA256
510fccf55274469a80c46b047f3b4631a37dcf851c72fa5d757fbd43fb5c2ee3

SHA512
53464db99f7402b5c49d5a2cdb7877943a923baba20014718c8c2bf765825ad9542838a1a31db61781eac22b0e0b390b7f34d072503dba8ae5536cbdae488b5c

Download Submit
C:\Windows\System\sdbSGkX.exe

Filesize
5.2MB

MD5
a95df02a662403a4afb455b8fc0059e1

SHA1
0ca4f7614a6b63ff9cfb75dce039dee1871646de

SHA256
f0a144a9b8dbea83740a17dbbce7340d362d5a54312ea89d0870ab03a9485a76

SHA512
e23c13066be52c5a4c128a2c1c4f4c2f257a2267af9de829286ab4a1937aeaf5082f551804daf3c264630c81c293d198044ed36ef6822b8afb1a908943db1f30

Download Submit
C:\Windows\System\swLrifM.exe

Filesize
5.2MB

MD5
1749a40ec63e5ed6eba04684855757c4

SHA1
67d9ebb014ebe3e4b270ad1cdb5170b6529467ee

SHA256
ed9f8356dbb749c89bbda06f81f31af210a783fba1be839d861c4005fb49ed68

SHA512
e882949fab9decbf6b602e54ae9eb9459278edc68afbf81c07c074fcc44d91351836787cd8043737ee21bf37eb0420d0f64afc705c54d37c3658c7beee7f29b6

Download Submit
C:\Windows\System\sybvvbc.exe

Filesize
5.2MB

MD5
0e32050f055977df023326400169ba8d

SHA1
76474974602c0cb5dade917db96507519bee95fe

SHA256
358267bc89c0758ae64e6b0f5867aa9dd812ba15e82640120b0c60fc58522d4f

SHA512
687d948ba9aeb4dff250326e80e6b0f744944c3fdd96ed99e73e59aae7d5dadb7a42390aee84458d48d410e7a6199e75b84d6eaefe3c1f920d0452c5f1f00f18

Download Submit
C:\Windows\System\xQzSBdj.exe

Filesize
5.2MB

MD5
4a8aca5ce430ec5132636be3aad06e3c

SHA1
1f448e42cf1179eb2fe8848d47a6747d33dd79d0

SHA256
a9a29f3ab4f0231fc6b9848400d1ddb7977b57a9d47464b30550d10e1d809b36

SHA512
e883bd1b728f72162a8017a84dc06b3479324a40ddddbb67f8baf4092df55c2971174a168e4312b99fad54c984641fb2a829acfd53359dbf440fe2d7a303faec

Download Submit
C:\Windows\System\xnvnKaB.exe

Filesize
5.2MB

MD5
79603db996ce972124b9922a2d07ff69

SHA1
440e6abadef138a782fb184b74dd9aa0e319a270

SHA256
fae7f09743ab79a776c52abf80ae43d3ab73a016374254586e4ed78ca177e7ef

SHA512
59b8cdeb1122086ab04ac9e60cabe8a3a4b3c35176e287b561379d90cc2bc9516abcbab7701f1725a138908b7ed0ff4892047ca47ae41f10c588b368efabf41f

Download Submit
C:\Windows\System\ycBiVXg.exe

Filesize
5.2MB

MD5
1c8cdfe61e62720a5d7686e7fafa79ff

SHA1
12d42b4fa5ca9cb808b2799c9768219da8975862

SHA256
abc1804cd8068de1816f3c5183ca50edceca68d78a4dbc2166af1eaf2a3ff1b0

SHA512
e2f3b2229cd5afdc8485a207ca2acfdfd48ab8b9661680f300c38be3439fa472bc65d25c1463164f3b3bc91b796d977eed3e07fdac4ab3b697cadeebb6156cb9

Download Submit
memory/940-49-0x00007FF7BA870000-0x00007FF7BABC1000-memory.dmp

Filesize
3.3MB

Download
memory/940-225-0x00007FF7BA870000-0x00007FF7BABC1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-255-0x00007FF76B570000-0x00007FF76B8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-125-0x00007FF76B570000-0x00007FF76B8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-241-0x00007FF684900000-0x00007FF684C51000-memory.dmp

Filesize
3.3MB

Download
memory/1964-114-0x00007FF684900000-0x00007FF684C51000-memory.dmp

Filesize
3.3MB

Download
memory/2172-137-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp

Filesize
3.3MB

Download
memory/2172-57-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp

Filesize
3.3MB

Download
memory/2172-233-0x00007FF6A6E30000-0x00007FF6A7181000-memory.dmp

Filesize
3.3MB

Download
memory/2640-221-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp

Filesize
3.3MB

Download
memory/2640-131-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp

Filesize
3.3MB

Download
memory/2640-24-0x00007FF68C920000-0x00007FF68CC71000-memory.dmp

Filesize
3.3MB

Download
memory/2760-219-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-130-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-20-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-251-0x00007FF710F00000-0x00007FF711251000-memory.dmp

Filesize
3.3MB

Download
memory/3296-124-0x00007FF710F00000-0x00007FF711251000-memory.dmp

Filesize
3.3MB

Download
memory/3600-123-0x00007FF7397D0000-0x00007FF739B21000-memory.dmp

Filesize
3.3MB

Download
memory/3600-247-0x00007FF7397D0000-0x00007FF739B21000-memory.dmp

Filesize
3.3MB

Download
memory/3932-249-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp

Filesize
3.3MB

Download
memory/3932-106-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp

Filesize
3.3MB

Download
memory/3932-145-0x00007FF63F9F0000-0x00007FF63FD41000-memory.dmp

Filesize
3.3MB

Download
memory/3988-126-0x00007FF612FC0000-0x00007FF613311000-memory.dmp

Filesize
3.3MB

Download
memory/3988-257-0x00007FF612FC0000-0x00007FF613311000-memory.dmp

Filesize
3.3MB

Download
memory/4296-50-0x00007FF76BF20000-0x00007FF76C271000-memory.dmp

Filesize
3.3MB

Download
memory/4296-229-0x00007FF76BF20000-0x00007FF76C271000-memory.dmp

Filesize
3.3MB

Download
memory/4684-69-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp

Filesize
3.3MB

Download
memory/4684-237-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp

Filesize
3.3MB

Download
memory/4684-139-0x00007FF6CBE30000-0x00007FF6CC181000-memory.dmp

Filesize
3.3MB

Download
memory/4888-235-0x00007FF746B00000-0x00007FF746E51000-memory.dmp

Filesize
3.3MB

Download
memory/4888-107-0x00007FF746B00000-0x00007FF746E51000-memory.dmp

Filesize
3.3MB

Download
memory/4948-223-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp

Filesize
3.3MB

Download
memory/4948-132-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp

Filesize
3.3MB

Download
memory/4948-30-0x00007FF7CA5D0000-0x00007FF7CA921000-memory.dmp

Filesize
3.3MB

Download
memory/5048-245-0x00007FF712920000-0x00007FF712C71000-memory.dmp

Filesize
3.3MB

Download
memory/5048-92-0x00007FF712920000-0x00007FF712C71000-memory.dmp

Filesize
3.3MB

Download
memory/5048-144-0x00007FF712920000-0x00007FF712C71000-memory.dmp

Filesize
3.3MB

Download
memory/5252-253-0x00007FF671140000-0x00007FF671491000-memory.dmp

Filesize
3.3MB

Download
memory/5252-127-0x00007FF671140000-0x00007FF671491000-memory.dmp

Filesize
3.3MB

Download
memory/5256-243-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp

Filesize
3.3MB

Download
memory/5256-142-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp

Filesize
3.3MB

Download
memory/5256-91-0x00007FF736AA0000-0x00007FF736DF1000-memory.dmp

Filesize
3.3MB

Download
memory/5612-128-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp

Filesize
3.3MB

Download
memory/5612-150-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp

Filesize
3.3MB

Download
memory/5612-1-0x00000220E60E0000-0x00000220E60F0000-memory.dmp

Filesize
64KB

Download
memory/5612-0-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp

Filesize
3.3MB

Download
memory/5772-231-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp

Filesize
3.3MB

Download
memory/5772-136-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp

Filesize
3.3MB

Download
memory/5772-58-0x00007FF7DDD00000-0x00007FF7DE051000-memory.dmp

Filesize
3.3MB

Download
memory/6044-129-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp

Filesize
3.3MB

Download
memory/6044-217-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp

Filesize
3.3MB

Download
memory/6044-9-0x00007FF7F54B0000-0x00007FF7F5801000-memory.dmp

Filesize
3.3MB

Download
memory/6056-133-0x00007FF685800000-0x00007FF685B51000-memory.dmp

Filesize
3.3MB

Download
memory/6056-227-0x00007FF685800000-0x00007FF685B51000-memory.dmp

Filesize
3.3MB

Download
memory/6056-41-0x00007FF685800000-0x00007FF685B51000-memory.dmp

Filesize
3.3MB

Download
memory/6112-239-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp

Filesize
3.3MB

Download
memory/6112-76-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp

Filesize
3.3MB

Download
memory/6112-140-0x00007FF7D4100000-0x00007FF7D4451000-memory.dmp

Filesize
3.3MB

Download