cobaltstrike | 8ea8d45b8ddc09fe5defd1890fa1e0b6c70c202f6a2e1e60b75784cf8cfbc72d

Analysis

max time kernel
143s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

721496e3d8574d3b36b661857b46f56c
SHA1

c416e174f4254b308a5f6735a79777045f18fd71
SHA256

8ea8d45b8ddc09fe5defd1890fa1e0b6c70c202f6a2e1e60b75784cf8cfbc72d
SHA512

2a69526762649b91944f5a7723cd290565b38c223844d4631d686b6ea391527168e117859e1d16c409702452816092e810498d2f710cbd6bf18212284e82e0da
SSDEEP

98304:MemTLkNdfE0pZba56utgpPFotBER/mQ32lUp:v+D56utgpPF8u/7p

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\IoekMai.exe	cobalt_reflective_dll
C:\Windows\System\laxcvZI.exe	cobalt_reflective_dll
C:\Windows\System\LxrFVwQ.exe	cobalt_reflective_dll
C:\Windows\System\oCNxOBg.exe	cobalt_reflective_dll
C:\Windows\System\yziZPeL.exe	cobalt_reflective_dll
C:\Windows\System\iszZyHz.exe	cobalt_reflective_dll
C:\Windows\System\IzyHLLF.exe	cobalt_reflective_dll
C:\Windows\System\TVjKXYh.exe	cobalt_reflective_dll
C:\Windows\System\UzpkyAn.exe	cobalt_reflective_dll
C:\Windows\System\aYulbBc.exe	cobalt_reflective_dll
C:\Windows\System\PvrmLJo.exe	cobalt_reflective_dll
C:\Windows\System\QbhUouq.exe	cobalt_reflective_dll
C:\Windows\System\zsIRTJP.exe	cobalt_reflective_dll
C:\Windows\System\ybsCebw.exe	cobalt_reflective_dll
C:\Windows\System\doNGkfQ.exe	cobalt_reflective_dll
C:\Windows\System\bCIjRzO.exe	cobalt_reflective_dll
C:\Windows\System\CwIhXsz.exe	cobalt_reflective_dll
C:\Windows\System\UrABWOw.exe	cobalt_reflective_dll
C:\Windows\System\unxDUKf.exe	cobalt_reflective_dll
C:\Windows\System\cvVJBCR.exe	cobalt_reflective_dll
C:\Windows\System\MXoHvpt.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\IoekMai.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\laxcvZI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LxrFVwQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oCNxOBg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yziZPeL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iszZyHz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IzyHLLF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TVjKXYh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UzpkyAn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aYulbBc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PvrmLJo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QbhUouq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zsIRTJP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ybsCebw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\doNGkfQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bCIjRzO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CwIhXsz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UrABWOw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\unxDUKf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cvVJBCR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MXoHvpt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2636-0-0x00007FF6D00A0000-0x00007FF6D03F2000-memory.dmp	UPX
C:\Windows\System\IoekMai.exe	UPX
behavioral2/memory/3284-8-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	UPX
C:\Windows\System\laxcvZI.exe	UPX
behavioral2/memory/4020-14-0x00007FF78C5D0000-0x00007FF78C922000-memory.dmp	UPX
C:\Windows\System\LxrFVwQ.exe	UPX
behavioral2/memory/3020-20-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	UPX
C:\Windows\System\oCNxOBg.exe	UPX
behavioral2/memory/3688-26-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	UPX
C:\Windows\System\yziZPeL.exe	UPX
behavioral2/memory/2632-30-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	UPX
C:\Windows\System\iszZyHz.exe	UPX
behavioral2/memory/1724-38-0x00007FF7A8640000-0x00007FF7A8992000-memory.dmp	UPX
C:\Windows\System\IzyHLLF.exe	UPX
behavioral2/memory/2484-44-0x00007FF753880000-0x00007FF753BD2000-memory.dmp	UPX
C:\Windows\System\TVjKXYh.exe	UPX
behavioral2/memory/2168-50-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	UPX
C:\Windows\System\UzpkyAn.exe	UPX
behavioral2/memory/1444-56-0x00007FF6669B0000-0x00007FF666D02000-memory.dmp	UPX
C:\Windows\System\aYulbBc.exe	UPX
behavioral2/memory/2636-62-0x00007FF6D00A0000-0x00007FF6D03F2000-memory.dmp	UPX
C:\Windows\System\PvrmLJo.exe	UPX
C:\Windows\System\QbhUouq.exe	UPX
C:\Windows\System\zsIRTJP.exe	UPX
C:\Windows\System\ybsCebw.exe	UPX
C:\Windows\System\doNGkfQ.exe	UPX
C:\Windows\System\bCIjRzO.exe	UPX
C:\Windows\System\CwIhXsz.exe	UPX
C:\Windows\System\UrABWOw.exe	UPX
C:\Windows\System\unxDUKf.exe	UPX
C:\Windows\System\cvVJBCR.exe	UPX
C:\Windows\System\MXoHvpt.exe	UPX
behavioral2/memory/1048-117-0x00007FF63D550000-0x00007FF63D8A2000-memory.dmp	UPX
behavioral2/memory/776-118-0x00007FF740F30000-0x00007FF741282000-memory.dmp	UPX
behavioral2/memory/1248-119-0x00007FF7EBF30000-0x00007FF7EC282000-memory.dmp	UPX
behavioral2/memory/3416-120-0x00007FF7E57C0000-0x00007FF7E5B12000-memory.dmp	UPX
behavioral2/memory/2488-121-0x00007FF71E790000-0x00007FF71EAE2000-memory.dmp	UPX
behavioral2/memory/3516-122-0x00007FF67E7A0000-0x00007FF67EAF2000-memory.dmp	UPX
behavioral2/memory/2164-123-0x00007FF79E1B0000-0x00007FF79E502000-memory.dmp	UPX
behavioral2/memory/4320-125-0x00007FF660510000-0x00007FF660862000-memory.dmp	UPX
behavioral2/memory/4616-126-0x00007FF60E820000-0x00007FF60EB72000-memory.dmp	UPX
behavioral2/memory/3428-127-0x00007FF720D60000-0x00007FF7210B2000-memory.dmp	UPX
behavioral2/memory/3284-128-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	UPX
behavioral2/memory/3672-124-0x00007FF7DC3E0000-0x00007FF7DC732000-memory.dmp	UPX
behavioral2/memory/5024-129-0x00007FF6A3970000-0x00007FF6A3CC2000-memory.dmp	UPX
behavioral2/memory/3020-130-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	UPX
behavioral2/memory/3688-131-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	UPX
behavioral2/memory/2632-132-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	UPX
behavioral2/memory/3284-133-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	UPX
behavioral2/memory/4020-134-0x00007FF78C5D0000-0x00007FF78C922000-memory.dmp	UPX
behavioral2/memory/3020-135-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	UPX
behavioral2/memory/3688-136-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	UPX
behavioral2/memory/2632-137-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	UPX
behavioral2/memory/2168-138-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	UPX
behavioral2/memory/1724-139-0x00007FF7A8640000-0x00007FF7A8992000-memory.dmp	UPX
behavioral2/memory/2484-140-0x00007FF753880000-0x00007FF753BD2000-memory.dmp	UPX
behavioral2/memory/2168-141-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	UPX
behavioral2/memory/1444-142-0x00007FF6669B0000-0x00007FF666D02000-memory.dmp	UPX
behavioral2/memory/1048-143-0x00007FF63D550000-0x00007FF63D8A2000-memory.dmp	UPX
behavioral2/memory/5024-144-0x00007FF6A3970000-0x00007FF6A3CC2000-memory.dmp	UPX
behavioral2/memory/776-145-0x00007FF740F30000-0x00007FF741282000-memory.dmp	UPX
behavioral2/memory/1248-146-0x00007FF7EBF30000-0x00007FF7EC282000-memory.dmp	UPX
behavioral2/memory/3416-147-0x00007FF7E57C0000-0x00007FF7E5B12000-memory.dmp	UPX
behavioral2/memory/2488-148-0x00007FF71E790000-0x00007FF71EAE2000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2636-0-0x00007FF6D00A0000-0x00007FF6D03F2000-memory.dmp	xmrig
C:\Windows\System\IoekMai.exe	xmrig
behavioral2/memory/3284-8-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	xmrig
C:\Windows\System\laxcvZI.exe	xmrig
behavioral2/memory/4020-14-0x00007FF78C5D0000-0x00007FF78C922000-memory.dmp	xmrig
C:\Windows\System\LxrFVwQ.exe	xmrig
behavioral2/memory/3020-20-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	xmrig
C:\Windows\System\oCNxOBg.exe	xmrig
behavioral2/memory/3688-26-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	xmrig
C:\Windows\System\yziZPeL.exe	xmrig
behavioral2/memory/2632-30-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	xmrig
C:\Windows\System\iszZyHz.exe	xmrig
behavioral2/memory/1724-38-0x00007FF7A8640000-0x00007FF7A8992000-memory.dmp	xmrig
C:\Windows\System\IzyHLLF.exe	xmrig
behavioral2/memory/2484-44-0x00007FF753880000-0x00007FF753BD2000-memory.dmp	xmrig
C:\Windows\System\TVjKXYh.exe	xmrig
behavioral2/memory/2168-50-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	xmrig
C:\Windows\System\UzpkyAn.exe	xmrig
behavioral2/memory/1444-56-0x00007FF6669B0000-0x00007FF666D02000-memory.dmp	xmrig
C:\Windows\System\aYulbBc.exe	xmrig
behavioral2/memory/2636-62-0x00007FF6D00A0000-0x00007FF6D03F2000-memory.dmp	xmrig
C:\Windows\System\PvrmLJo.exe	xmrig
C:\Windows\System\QbhUouq.exe	xmrig
C:\Windows\System\zsIRTJP.exe	xmrig
C:\Windows\System\ybsCebw.exe	xmrig
C:\Windows\System\doNGkfQ.exe	xmrig
C:\Windows\System\bCIjRzO.exe	xmrig
C:\Windows\System\CwIhXsz.exe	xmrig
C:\Windows\System\UrABWOw.exe	xmrig
C:\Windows\System\unxDUKf.exe	xmrig
C:\Windows\System\cvVJBCR.exe	xmrig
C:\Windows\System\MXoHvpt.exe	xmrig
behavioral2/memory/1048-117-0x00007FF63D550000-0x00007FF63D8A2000-memory.dmp	xmrig
behavioral2/memory/776-118-0x00007FF740F30000-0x00007FF741282000-memory.dmp	xmrig
behavioral2/memory/1248-119-0x00007FF7EBF30000-0x00007FF7EC282000-memory.dmp	xmrig
behavioral2/memory/3416-120-0x00007FF7E57C0000-0x00007FF7E5B12000-memory.dmp	xmrig
behavioral2/memory/2488-121-0x00007FF71E790000-0x00007FF71EAE2000-memory.dmp	xmrig
behavioral2/memory/3516-122-0x00007FF67E7A0000-0x00007FF67EAF2000-memory.dmp	xmrig
behavioral2/memory/2164-123-0x00007FF79E1B0000-0x00007FF79E502000-memory.dmp	xmrig
behavioral2/memory/4320-125-0x00007FF660510000-0x00007FF660862000-memory.dmp	xmrig
behavioral2/memory/4616-126-0x00007FF60E820000-0x00007FF60EB72000-memory.dmp	xmrig
behavioral2/memory/3428-127-0x00007FF720D60000-0x00007FF7210B2000-memory.dmp	xmrig
behavioral2/memory/3284-128-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	xmrig
behavioral2/memory/3672-124-0x00007FF7DC3E0000-0x00007FF7DC732000-memory.dmp	xmrig
behavioral2/memory/5024-129-0x00007FF6A3970000-0x00007FF6A3CC2000-memory.dmp	xmrig
behavioral2/memory/3020-130-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	xmrig
behavioral2/memory/3688-131-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	xmrig
behavioral2/memory/2632-132-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	xmrig
behavioral2/memory/3284-133-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	xmrig
behavioral2/memory/4020-134-0x00007FF78C5D0000-0x00007FF78C922000-memory.dmp	xmrig
behavioral2/memory/3020-135-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	xmrig
behavioral2/memory/3688-136-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	xmrig
behavioral2/memory/2632-137-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	xmrig
behavioral2/memory/2168-138-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	xmrig
behavioral2/memory/1724-139-0x00007FF7A8640000-0x00007FF7A8992000-memory.dmp	xmrig
behavioral2/memory/2484-140-0x00007FF753880000-0x00007FF753BD2000-memory.dmp	xmrig
behavioral2/memory/2168-141-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	xmrig
behavioral2/memory/1444-142-0x00007FF6669B0000-0x00007FF666D02000-memory.dmp	xmrig
behavioral2/memory/1048-143-0x00007FF63D550000-0x00007FF63D8A2000-memory.dmp	xmrig
behavioral2/memory/5024-144-0x00007FF6A3970000-0x00007FF6A3CC2000-memory.dmp	xmrig
behavioral2/memory/776-145-0x00007FF740F30000-0x00007FF741282000-memory.dmp	xmrig
behavioral2/memory/1248-146-0x00007FF7EBF30000-0x00007FF7EC282000-memory.dmp	xmrig
behavioral2/memory/3416-147-0x00007FF7E57C0000-0x00007FF7E5B12000-memory.dmp	xmrig
behavioral2/memory/2488-148-0x00007FF71E790000-0x00007FF71EAE2000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

IoekMai.exelaxcvZI.exeLxrFVwQ.exeoCNxOBg.exeyziZPeL.exeiszZyHz.exeIzyHLLF.exeTVjKXYh.exeUzpkyAn.exeaYulbBc.exePvrmLJo.exeQbhUouq.exezsIRTJP.exeybsCebw.exeMXoHvpt.exedoNGkfQ.exebCIjRzO.exeCwIhXsz.exeUrABWOw.exeunxDUKf.execvVJBCR.exe

pid	process
3284	IoekMai.exe
4020	laxcvZI.exe
3020	LxrFVwQ.exe
3688	oCNxOBg.exe
2632	yziZPeL.exe
1724	iszZyHz.exe
2484	IzyHLLF.exe
2168	TVjKXYh.exe
1444	UzpkyAn.exe
1048	aYulbBc.exe
5024	PvrmLJo.exe
776	QbhUouq.exe
1248	zsIRTJP.exe
3416	ybsCebw.exe
2488	MXoHvpt.exe
3516	doNGkfQ.exe
2164	bCIjRzO.exe
3672	CwIhXsz.exe
4320	UrABWOw.exe
4616	unxDUKf.exe
3428	cvVJBCR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2636-0-0x00007FF6D00A0000-0x00007FF6D03F2000-memory.dmp	upx
C:\Windows\System\IoekMai.exe	upx
behavioral2/memory/3284-8-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	upx
C:\Windows\System\laxcvZI.exe	upx
behavioral2/memory/4020-14-0x00007FF78C5D0000-0x00007FF78C922000-memory.dmp	upx
C:\Windows\System\LxrFVwQ.exe	upx
behavioral2/memory/3020-20-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	upx
C:\Windows\System\oCNxOBg.exe	upx
behavioral2/memory/3688-26-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	upx
C:\Windows\System\yziZPeL.exe	upx
behavioral2/memory/2632-30-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	upx
C:\Windows\System\iszZyHz.exe	upx
behavioral2/memory/1724-38-0x00007FF7A8640000-0x00007FF7A8992000-memory.dmp	upx
C:\Windows\System\IzyHLLF.exe	upx
behavioral2/memory/2484-44-0x00007FF753880000-0x00007FF753BD2000-memory.dmp	upx
C:\Windows\System\TVjKXYh.exe	upx
behavioral2/memory/2168-50-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	upx
C:\Windows\System\UzpkyAn.exe	upx
behavioral2/memory/1444-56-0x00007FF6669B0000-0x00007FF666D02000-memory.dmp	upx
C:\Windows\System\aYulbBc.exe	upx
behavioral2/memory/2636-62-0x00007FF6D00A0000-0x00007FF6D03F2000-memory.dmp	upx
C:\Windows\System\PvrmLJo.exe	upx
C:\Windows\System\QbhUouq.exe	upx
C:\Windows\System\zsIRTJP.exe	upx
C:\Windows\System\ybsCebw.exe	upx
C:\Windows\System\doNGkfQ.exe	upx
C:\Windows\System\bCIjRzO.exe	upx
C:\Windows\System\CwIhXsz.exe	upx
C:\Windows\System\UrABWOw.exe	upx
C:\Windows\System\unxDUKf.exe	upx
C:\Windows\System\cvVJBCR.exe	upx
C:\Windows\System\MXoHvpt.exe	upx
behavioral2/memory/1048-117-0x00007FF63D550000-0x00007FF63D8A2000-memory.dmp	upx
behavioral2/memory/776-118-0x00007FF740F30000-0x00007FF741282000-memory.dmp	upx
behavioral2/memory/1248-119-0x00007FF7EBF30000-0x00007FF7EC282000-memory.dmp	upx
behavioral2/memory/3416-120-0x00007FF7E57C0000-0x00007FF7E5B12000-memory.dmp	upx
behavioral2/memory/2488-121-0x00007FF71E790000-0x00007FF71EAE2000-memory.dmp	upx
behavioral2/memory/3516-122-0x00007FF67E7A0000-0x00007FF67EAF2000-memory.dmp	upx
behavioral2/memory/2164-123-0x00007FF79E1B0000-0x00007FF79E502000-memory.dmp	upx
behavioral2/memory/4320-125-0x00007FF660510000-0x00007FF660862000-memory.dmp	upx
behavioral2/memory/4616-126-0x00007FF60E820000-0x00007FF60EB72000-memory.dmp	upx
behavioral2/memory/3428-127-0x00007FF720D60000-0x00007FF7210B2000-memory.dmp	upx
behavioral2/memory/3284-128-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	upx
behavioral2/memory/3672-124-0x00007FF7DC3E0000-0x00007FF7DC732000-memory.dmp	upx
behavioral2/memory/5024-129-0x00007FF6A3970000-0x00007FF6A3CC2000-memory.dmp	upx
behavioral2/memory/3020-130-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	upx
behavioral2/memory/3688-131-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	upx
behavioral2/memory/2632-132-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	upx
behavioral2/memory/3284-133-0x00007FF611190000-0x00007FF6114E2000-memory.dmp	upx
behavioral2/memory/4020-134-0x00007FF78C5D0000-0x00007FF78C922000-memory.dmp	upx
behavioral2/memory/3020-135-0x00007FF60A430000-0x00007FF60A782000-memory.dmp	upx
behavioral2/memory/3688-136-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp	upx
behavioral2/memory/2632-137-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp	upx
behavioral2/memory/2168-138-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	upx
behavioral2/memory/1724-139-0x00007FF7A8640000-0x00007FF7A8992000-memory.dmp	upx
behavioral2/memory/2484-140-0x00007FF753880000-0x00007FF753BD2000-memory.dmp	upx
behavioral2/memory/2168-141-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp	upx
behavioral2/memory/1444-142-0x00007FF6669B0000-0x00007FF666D02000-memory.dmp	upx
behavioral2/memory/1048-143-0x00007FF63D550000-0x00007FF63D8A2000-memory.dmp	upx
behavioral2/memory/5024-144-0x00007FF6A3970000-0x00007FF6A3CC2000-memory.dmp	upx
behavioral2/memory/776-145-0x00007FF740F30000-0x00007FF741282000-memory.dmp	upx
behavioral2/memory/1248-146-0x00007FF7EBF30000-0x00007FF7EC282000-memory.dmp	upx
behavioral2/memory/3416-147-0x00007FF7E57C0000-0x00007FF7E5B12000-memory.dmp	upx
behavioral2/memory/2488-148-0x00007FF71E790000-0x00007FF71EAE2000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\laxcvZI.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oCNxOBg.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UzpkyAn.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ybsCebw.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bCIjRzO.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yziZPeL.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QbhUouq.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zsIRTJP.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MXoHvpt.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iszZyHz.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TVjKXYh.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PvrmLJo.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CwIhXsz.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UrABWOw.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\unxDUKf.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cvVJBCR.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IoekMai.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LxrFVwQ.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IzyHLLF.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aYulbBc.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\doNGkfQ.exe	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2636 wrote to memory of 3284	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	IoekMai.exe
PID 2636 wrote to memory of 3284	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	IoekMai.exe
PID 2636 wrote to memory of 4020	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	laxcvZI.exe
PID 2636 wrote to memory of 4020	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	laxcvZI.exe
PID 2636 wrote to memory of 3020	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	LxrFVwQ.exe
PID 2636 wrote to memory of 3020	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	LxrFVwQ.exe
PID 2636 wrote to memory of 3688	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	oCNxOBg.exe
PID 2636 wrote to memory of 3688	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	oCNxOBg.exe
PID 2636 wrote to memory of 2632	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	yziZPeL.exe
PID 2636 wrote to memory of 2632	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	yziZPeL.exe
PID 2636 wrote to memory of 1724	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	iszZyHz.exe
PID 2636 wrote to memory of 1724	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	iszZyHz.exe
PID 2636 wrote to memory of 2484	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	IzyHLLF.exe
PID 2636 wrote to memory of 2484	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	IzyHLLF.exe
PID 2636 wrote to memory of 2168	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	TVjKXYh.exe
PID 2636 wrote to memory of 2168	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	TVjKXYh.exe
PID 2636 wrote to memory of 1444	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	UzpkyAn.exe
PID 2636 wrote to memory of 1444	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	UzpkyAn.exe
PID 2636 wrote to memory of 1048	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	aYulbBc.exe
PID 2636 wrote to memory of 1048	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	aYulbBc.exe
PID 2636 wrote to memory of 5024	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	PvrmLJo.exe
PID 2636 wrote to memory of 5024	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	PvrmLJo.exe
PID 2636 wrote to memory of 776	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	QbhUouq.exe
PID 2636 wrote to memory of 776	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	QbhUouq.exe
PID 2636 wrote to memory of 1248	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	zsIRTJP.exe
PID 2636 wrote to memory of 1248	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	zsIRTJP.exe
PID 2636 wrote to memory of 3416	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	ybsCebw.exe
PID 2636 wrote to memory of 3416	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	ybsCebw.exe
PID 2636 wrote to memory of 2488	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	MXoHvpt.exe
PID 2636 wrote to memory of 2488	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	MXoHvpt.exe
PID 2636 wrote to memory of 3516	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	doNGkfQ.exe
PID 2636 wrote to memory of 3516	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	doNGkfQ.exe
PID 2636 wrote to memory of 2164	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	bCIjRzO.exe
PID 2636 wrote to memory of 2164	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	bCIjRzO.exe
PID 2636 wrote to memory of 3672	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	CwIhXsz.exe
PID 2636 wrote to memory of 3672	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	CwIhXsz.exe
PID 2636 wrote to memory of 4320	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	UrABWOw.exe
PID 2636 wrote to memory of 4320	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	UrABWOw.exe
PID 2636 wrote to memory of 4616	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	unxDUKf.exe
PID 2636 wrote to memory of 4616	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	unxDUKf.exe
PID 2636 wrote to memory of 3428	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	cvVJBCR.exe
PID 2636 wrote to memory of 3428	2636	2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe	cvVJBCR.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_721496e3d8574d3b36b661857b46f56c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\System\IoekMai.exe
  C:\Windows\System\IoekMai.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\laxcvZI.exe
  C:\Windows\System\laxcvZI.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\LxrFVwQ.exe
  C:\Windows\System\LxrFVwQ.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\oCNxOBg.exe
  C:\Windows\System\oCNxOBg.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\yziZPeL.exe
  C:\Windows\System\yziZPeL.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\iszZyHz.exe
  C:\Windows\System\iszZyHz.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\IzyHLLF.exe
  C:\Windows\System\IzyHLLF.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\TVjKXYh.exe
  C:\Windows\System\TVjKXYh.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\UzpkyAn.exe
  C:\Windows\System\UzpkyAn.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\aYulbBc.exe
  C:\Windows\System\aYulbBc.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\PvrmLJo.exe
  C:\Windows\System\PvrmLJo.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\QbhUouq.exe
  C:\Windows\System\QbhUouq.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System\zsIRTJP.exe
  C:\Windows\System\zsIRTJP.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\ybsCebw.exe
  C:\Windows\System\ybsCebw.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\MXoHvpt.exe
  C:\Windows\System\MXoHvpt.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\doNGkfQ.exe
  C:\Windows\System\doNGkfQ.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\bCIjRzO.exe
  C:\Windows\System\bCIjRzO.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\CwIhXsz.exe
  C:\Windows\System\CwIhXsz.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\UrABWOw.exe
  C:\Windows\System\UrABWOw.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\unxDUKf.exe
  C:\Windows\System\unxDUKf.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\cvVJBCR.exe
  C:\Windows\System\cvVJBCR.exe
  2⤵
  - Executes dropped EXE
  PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CwIhXsz.exe

Filesize
8.3MB

MD5
17d66615ee813146888c59a441f68341

SHA1
72d5192384146ca47baa770f6217da381f379981

SHA256
a1fc2ce96ca1b0ef7cb76ed4ca0ace5b9be851269872e7e8beed368378fb84e1

SHA512
52f44cb7ef0a6e1b24954fc3ca117939a45a020653db645ece556b14b72648d7206983bcfe31cfbac951573159fe51971e15ccb2f0bc465d35d326316fd4ad11

Download Submit
C:\Windows\System\IoekMai.exe

Filesize
8.3MB

MD5
b20d34ed3f3f83dc3f9fb4133e8da1ab

SHA1
08d3cdfb0549b267df184ad4d623afdf61c75ae6

SHA256
240094a372ee233d73fd1916bcab55c6e847de8f5922fc5268fe060c47c223dd

SHA512
5660cf634e362e01fa822f898411b59e6f9148c2cca5860d110758940f0e124dde5f4c5c343f4e6cb09609c2354f1f0ed8bcbec2e2e93543014f594f733c9e5f

Download Submit
C:\Windows\System\IzyHLLF.exe

Filesize
8.3MB

MD5
f9e3774e4bad2c300b74033394f93a2d

SHA1
ccacc263f8fdab2c039436ed2188d63ed451e03b

SHA256
1b8682002a0926347291aea359d1878c3b908c4067109d2687313bf8a14b69f6

SHA512
c2f3f003cd9bb730ea9fca0aaa8022201406af6a3c22b923ec569d710bad3177dd3a182a98cbaabbe07da25958d9902a3116f83d1bbef736ef9b1d4db95aef2d

Download Submit
C:\Windows\System\LxrFVwQ.exe

Filesize
8.3MB

MD5
793e371a8747457b3d43fc7d3dd837e2

SHA1
c29a19091aabc3e01f3a8db0f4734de9cd24d34b

SHA256
3485e2371f4610eb457fc77e8b2491bfcb2915d3b4247e580b1baa375dea8f60

SHA512
4606a9607f65e77781581ae0689ca49173d48e0818cc0fc7915142752fe1f2c927a02bb77a3cd8f7af1cf75a517358e72c7be4f83a8e62c455761b6a866bd9bf

Download Submit
C:\Windows\System\MXoHvpt.exe

Filesize
8.3MB

MD5
d56f663da471133c1fb518c7e5e6b120

SHA1
966b9f62aaa1b06770254462337cf494a250f497

SHA256
ffcfa6ec2bc10b6002583c12ea937e4889ef7c60fc3a6fcd2f86732dc36928d7

SHA512
0cdd9faec1ff586028de4e8cbcf14ac7abb4bbd5bc9cafbb472501044e39f84cf96c8661e60fe669ca52654148682ba7535c6e7af2104da78dc74565bac22e24

Download Submit
C:\Windows\System\PvrmLJo.exe

Filesize
8.3MB

MD5
cd2b5b2d3d7e052124102c17087e9e3f

SHA1
dacef080a129f557970349bc9c50e3cff3314e93

SHA256
eafa790ea5e9639438e629b1e0ea25109c09fff6817f2cbc51958c35912e6ae2

SHA512
b489af37f736cf514c3772e2436e139ddd29590ac15eec94abbf2317173892efded06666b9ca32daccb840fd8bebb41434d5ee9e7d6aa5ff575435d949cf2583

Download Submit
C:\Windows\System\QbhUouq.exe

Filesize
8.3MB

MD5
69d6f83980d36bf5ff589a64c1984abe

SHA1
432426ff92657b2129c79e7c70a4fcbfb63bb13f

SHA256
33c08ed84a64270adb5998fa865d9e991113f687dccd8b00d32f6036f63866a1

SHA512
97db1f0e0ba3e9278aaf9dfba9992ecd7cdb65a806e9a6057a5c3577c57af4fc1e425c8b601e629d974e44b80167449e093bb679ac1d2214aa373e9d2ce6c43c

Download Submit
C:\Windows\System\TVjKXYh.exe

Filesize
8.3MB

MD5
18a215ac5d68205e04c6387373f009c2

SHA1
d1dcfdc261e4f55113d423bdb97cfd6b7150240b

SHA256
0c8dd5d71f307a2a3aafc8d75e17128b62aeb5f9462c5556079fa209baf25c28

SHA512
cfd8db8cded2ac8b2c3d02a233c825f9e1517819bd061706ca440dfae961ae1d9d961b8c0e0bab31d62bd63f11fafe29b7fb3f6466ed69abad34bff0f8f13b3b

Download Submit
C:\Windows\System\UrABWOw.exe

Filesize
8.3MB

MD5
6152f667f6069f24e120718bdf216ddc

SHA1
803c5a7ca7eef20028d992611df37378a1e6a587

SHA256
6a53fde4e25602d32877036ef2e6c4eaf40d642f05413f07aefc0cad137becf3

SHA512
874298af31029da86dcb5167341fd4086b0a79b8d76c696c5a2735293b2d324ced15bab94a435b319b2998e9eae81ef354f38e25573e577fd2f6f04b2333bde2

Download Submit
C:\Windows\System\UzpkyAn.exe

Filesize
8.3MB

MD5
099f82eff2caf5397c8bea1ad1e5e810

SHA1
461dc2ae1b98d5a87fc2fcf51769641157357617

SHA256
1e2da786bffe9c34c2c782f4009be0b9e29d52bd62d1ed00c35f9ee3b3345955

SHA512
a823e48576292f1c34fd9cae288be9b78582b0cc41948e616d1ea31da9433218a55398f497d6872127c59afd18c83b4550e06d2befafc45fbb1f9e3860ef04b5

Download Submit
C:\Windows\System\aYulbBc.exe

Filesize
8.3MB

MD5
b0e7dda8c958bfef3b612ed8b50e2b1d

SHA1
d1902ef4c79bbf9418c587fbb4ee749e0a254b78

SHA256
e0cee4de40ed77cd5a62257f96b76341e3abcb23a4804a58fb939e2c9bff3415

SHA512
6787f2dc4752b01fe2ad2c16dd8d0d0804d4b6f6b6fc9996b186b6d99cc768166667c1cbd3f163b4a8b71f74c68928237bf9a47f64d09407cfcd045fefd27827

Download Submit
C:\Windows\System\bCIjRzO.exe

Filesize
8.3MB

MD5
ba285dba64f3620713a19dec4058999d

SHA1
88fb355b49bee762ad0b91e668829a14ac95129e

SHA256
5f7d77ef2e015920f3f702fd12e62ae0eacf02458654a1b139df9474b037eb27

SHA512
fda211864d9ee58d29fbc227b109f7140ee3b637bb4130730ad7ed7615dc334b34e3049a55d16de78f33cf1e299181fd64c89405abc87eb12810990ab85261c0

Download Submit
C:\Windows\System\cvVJBCR.exe

Filesize
8.3MB

MD5
88d401999f7fc6207c33b1a2e724a25b

SHA1
7b8204f3efb38861428bcc347b19de31b56367f8

SHA256
c70566e8b89c2fab3055b611af9eecb244cf1ee48cb6ca2925a0605244c0bb89

SHA512
0a54fa3766edc44757a0cbb1b74e26898f44dff93e4931a9db7f59114e507a018d20940f77c4bcf1ba880a2827c3aa048abb1dba46ac1a570c3c4184e9bbc4b9

Download Submit
C:\Windows\System\doNGkfQ.exe

Filesize
8.3MB

MD5
408aa08dd3d7032447ff6882be26863e

SHA1
fdb4e5183aa412a2f3f074c3c1202fe3c8f86ef8

SHA256
741ff1ea87e3af1bb003972e64b2816bdb06e86bda7e2df9d65ceacaf7df77c6

SHA512
85c9f105cc63703d2b8e67965b41a0f6f4c0b64d0d02187777ddc0ae28591411314fd86d9b5ff02b88dd4f9d5d51928de7483c5692fe8779680fa46cb09c50ae

Download Submit
C:\Windows\System\iszZyHz.exe

Filesize
8.3MB

MD5
dfdce0c56ca4d566b7f60e55b4341829

SHA1
eab20e9b1ca609860e86f161362c0c1dbcd7a288

SHA256
d1e34f2b351e9183bc0bea8e46269de08e98d29870703b6e881b95543bbfab1b

SHA512
23ffaf267368140779f3c676d5fe57b79722880f8961e75da3f413610f81e95d4c551ffe7a58f5bc10faa4301839b41a497776e378ca3890ae76bdc99df3a339

Download Submit
C:\Windows\System\laxcvZI.exe

Filesize
8.3MB

MD5
147710ef820f2643610205a2d8e5df7c

SHA1
ce62a6d851352d80c7cda7f545009d8bb230f24d

SHA256
05c49054374ba887b70aefd2bc30617afcc848a9bc9ee86dcabef5e090eef95b

SHA512
1fba22e37b5b7b3d09437c6f7be5ce59e139da6234095ac593960a5fd72a76c5f66d572542696e7e74ebe5362bb3a182fb15be0ee5edd666b34d6daf2df4ad82

Download Submit
C:\Windows\System\oCNxOBg.exe

Filesize
8.3MB

MD5
028a4dc6f9877b8c7d7ef40a5715aa10

SHA1
d585524a93e496301e2cb8dfef722c6cf8c35efd

SHA256
bbf53a1afa6365825bf4eaa485a14246f0690dcdfcff6e7e2f2f0dd21c02881e

SHA512
2d7c3c55003f4b01df197cf91c137401d79de5fc4aba1143c2734a8859bb28a3b7fac977c7a86d043a66fc1dd60183babedbc76a3520ab9364ea08329cfc9279

Download Submit
C:\Windows\System\unxDUKf.exe

Filesize
8.3MB

MD5
e50f431e76bf19555b2d0839b4510679

SHA1
74103216bd8fd4167b4f09c9fc6cf75b0017350e

SHA256
3a745ee19614f57928fa2f8e690c69f799301ed1d10e0fb66536efed7b07c7ce

SHA512
add685052b5fb8d3ad1e853457fe68ea84641cde45b2779f655fcc66971fd48ef94d34bc9d144f55386369eda90241a3607688e19b5ce5af426a113be6e39a0a

Download Submit
C:\Windows\System\ybsCebw.exe

Filesize
8.3MB

MD5
aba85fafa3b8ce39c5c53cfd88fff2fa

SHA1
8f6d22827cc9cf8967d35faab94e091b43328abd

SHA256
84d4cf1da19a09adbd4877bfb1ccddd3c4b0d4dcc00ad16e334112ff9d0b0729

SHA512
fd4ad83d22d6e913ce204450ba28fa3d2f0717530de19d946e39a5d22c98c0c5115604740bf3f293363b8528b14f619ff605deec7fbffa3976e2f87057bc1886

Download Submit
C:\Windows\System\yziZPeL.exe

Filesize
8.3MB

MD5
bdef39d875a6c248c5f3135d3bbaec3c

SHA1
b4aa38b012428d22efaa36c812515c58ae3e66f3

SHA256
d34c25f337b2e5dddcfbac915ff5dd248a7173b5fd9e58b5a56998e5080bf575

SHA512
e1351670ab3f017a913cb3cc50cb65732b50c086e607628473903a0aa0433cb4036d505d15e2a85d286ad33d34919953ff1277f88eba7d47958b1074174fabf4

Download Submit
C:\Windows\System\zsIRTJP.exe

Filesize
8.3MB

MD5
0b860cb2dec47357facb381fc78618f0

SHA1
f4153ecb4079ba52b7bff511ac42bfde2aae7f54

SHA256
c1be78b8883e508884da4baf30991f43f7ed67be7aeb9d4bbfcd975e16d50258

SHA512
cfaec16978c3722fa623611f5623950439c21d8f653b46a6ceb03cfa2e197f3dd9b93535e961b9c1709f958e10d6ecb4ac8d1614cc99f754b1cd337ee070c1a7

Download Submit
memory/776-118-0x00007FF740F30000-0x00007FF741282000-memory.dmp

Filesize
3.3MB

Download
memory/776-145-0x00007FF740F30000-0x00007FF741282000-memory.dmp

Filesize
3.3MB

Download
memory/1048-117-0x00007FF63D550000-0x00007FF63D8A2000-memory.dmp

Filesize
3.3MB

Download
memory/1048-143-0x00007FF63D550000-0x00007FF63D8A2000-memory.dmp

Filesize
3.3MB

Download
memory/1248-119-0x00007FF7EBF30000-0x00007FF7EC282000-memory.dmp

Filesize
3.3MB

Download
memory/1248-146-0x00007FF7EBF30000-0x00007FF7EC282000-memory.dmp

Filesize
3.3MB

Download
memory/1444-56-0x00007FF6669B0000-0x00007FF666D02000-memory.dmp

Filesize
3.3MB

Download
memory/1444-142-0x00007FF6669B0000-0x00007FF666D02000-memory.dmp

Filesize
3.3MB

Download
memory/1724-38-0x00007FF7A8640000-0x00007FF7A8992000-memory.dmp

Filesize
3.3MB

Download
memory/1724-139-0x00007FF7A8640000-0x00007FF7A8992000-memory.dmp

Filesize
3.3MB

Download
memory/2164-150-0x00007FF79E1B0000-0x00007FF79E502000-memory.dmp

Filesize
3.3MB

Download
memory/2164-123-0x00007FF79E1B0000-0x00007FF79E502000-memory.dmp

Filesize
3.3MB

Download
memory/2168-141-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp

Filesize
3.3MB

Download
memory/2168-138-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp

Filesize
3.3MB

Download
memory/2168-50-0x00007FF68A150000-0x00007FF68A4A2000-memory.dmp

Filesize
3.3MB

Download
memory/2484-44-0x00007FF753880000-0x00007FF753BD2000-memory.dmp

Filesize
3.3MB

Download
memory/2484-140-0x00007FF753880000-0x00007FF753BD2000-memory.dmp

Filesize
3.3MB

Download
memory/2488-121-0x00007FF71E790000-0x00007FF71EAE2000-memory.dmp

Filesize
3.3MB

Download
memory/2488-148-0x00007FF71E790000-0x00007FF71EAE2000-memory.dmp

Filesize
3.3MB

Download
memory/2632-30-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp

Filesize
3.3MB

Download
memory/2632-137-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp

Filesize
3.3MB

Download
memory/2632-132-0x00007FF6CEF10000-0x00007FF6CF262000-memory.dmp

Filesize
3.3MB

Download
memory/2636-1-0x000002E65EA20000-0x000002E65EA30000-memory.dmp

Filesize
64KB

Download
memory/2636-62-0x00007FF6D00A0000-0x00007FF6D03F2000-memory.dmp

Filesize
3.3MB

Download
memory/2636-0-0x00007FF6D00A0000-0x00007FF6D03F2000-memory.dmp

Filesize
3.3MB

Download
memory/3020-135-0x00007FF60A430000-0x00007FF60A782000-memory.dmp

Filesize
3.3MB

Download
memory/3020-20-0x00007FF60A430000-0x00007FF60A782000-memory.dmp

Filesize
3.3MB

Download
memory/3020-130-0x00007FF60A430000-0x00007FF60A782000-memory.dmp

Filesize
3.3MB

Download
memory/3284-128-0x00007FF611190000-0x00007FF6114E2000-memory.dmp

Filesize
3.3MB

Download
memory/3284-133-0x00007FF611190000-0x00007FF6114E2000-memory.dmp

Filesize
3.3MB

Download
memory/3284-8-0x00007FF611190000-0x00007FF6114E2000-memory.dmp

Filesize
3.3MB

Download
memory/3416-147-0x00007FF7E57C0000-0x00007FF7E5B12000-memory.dmp

Filesize
3.3MB

Download
memory/3416-120-0x00007FF7E57C0000-0x00007FF7E5B12000-memory.dmp

Filesize
3.3MB

Download
memory/3428-154-0x00007FF720D60000-0x00007FF7210B2000-memory.dmp

Filesize
3.3MB

Download
memory/3428-127-0x00007FF720D60000-0x00007FF7210B2000-memory.dmp

Filesize
3.3MB

Download
memory/3516-149-0x00007FF67E7A0000-0x00007FF67EAF2000-memory.dmp

Filesize
3.3MB

Download
memory/3516-122-0x00007FF67E7A0000-0x00007FF67EAF2000-memory.dmp

Filesize
3.3MB

Download
memory/3672-124-0x00007FF7DC3E0000-0x00007FF7DC732000-memory.dmp

Filesize
3.3MB

Download
memory/3672-151-0x00007FF7DC3E0000-0x00007FF7DC732000-memory.dmp

Filesize
3.3MB

Download
memory/3688-26-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp

Filesize
3.3MB

Download
memory/3688-131-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp

Filesize
3.3MB

Download
memory/3688-136-0x00007FF72B960000-0x00007FF72BCB2000-memory.dmp

Filesize
3.3MB

Download
memory/4020-14-0x00007FF78C5D0000-0x00007FF78C922000-memory.dmp

Filesize
3.3MB

Download
memory/4020-134-0x00007FF78C5D0000-0x00007FF78C922000-memory.dmp

Filesize
3.3MB

Download
memory/4320-125-0x00007FF660510000-0x00007FF660862000-memory.dmp

Filesize
3.3MB

Download
memory/4320-152-0x00007FF660510000-0x00007FF660862000-memory.dmp

Filesize
3.3MB

Download
memory/4616-126-0x00007FF60E820000-0x00007FF60EB72000-memory.dmp

Filesize
3.3MB

Download
memory/4616-153-0x00007FF60E820000-0x00007FF60EB72000-memory.dmp

Filesize
3.3MB

Download
memory/5024-144-0x00007FF6A3970000-0x00007FF6A3CC2000-memory.dmp

Filesize
3.3MB

Download
memory/5024-129-0x00007FF6A3970000-0x00007FF6A3CC2000-memory.dmp

Filesize
3.3MB

Download