cobaltstrike | 7b2b428899e516ebc71c7cb26369138f942ee596774ee335ececd434be1c4402

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

73b6f0a294fc287a2eee939bb968658b
SHA1

ee7da06f817d106c406d469f8a6b90ec33016e48
SHA256

7b2b428899e516ebc71c7cb26369138f942ee596774ee335ececd434be1c4402
SHA512

33e47d8f0a4d55a9b66311bcc52da03cc287699d7f69ed83efae99ce67fd4eacc9661d754122be3fc4bd8236b901fc2f37f89cacaf07211907de1ed1d4824276
SSDEEP

98304:MemTLkNdfE0pZba56utgpPFotBER/mQ32lUe:v+D56utgpPF8u/7e

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\CjiVTLK.exe	cobalt_reflective_dll
C:\Windows\System\VaMrAav.exe	cobalt_reflective_dll
C:\Windows\System\hCzrbQB.exe	cobalt_reflective_dll
C:\Windows\System\hwqWQXP.exe	cobalt_reflective_dll
C:\Windows\System\XxocdIq.exe	cobalt_reflective_dll
C:\Windows\System\FdtsKxN.exe	cobalt_reflective_dll
C:\Windows\System\ZLIPjNb.exe	cobalt_reflective_dll
C:\Windows\System\picqmjp.exe	cobalt_reflective_dll
C:\Windows\System\VChHiup.exe	cobalt_reflective_dll
C:\Windows\System\PPdReZp.exe	cobalt_reflective_dll
C:\Windows\System\NuZllbI.exe	cobalt_reflective_dll
C:\Windows\System\BOkfiLM.exe	cobalt_reflective_dll
C:\Windows\System\mZWSHzY.exe	cobalt_reflective_dll
C:\Windows\System\ulaDlru.exe	cobalt_reflective_dll
C:\Windows\System\eTpQKjT.exe	cobalt_reflective_dll
C:\Windows\System\qbtXjDJ.exe	cobalt_reflective_dll
C:\Windows\System\FabQmyI.exe	cobalt_reflective_dll
C:\Windows\System\wYnxymM.exe	cobalt_reflective_dll
C:\Windows\System\RqtAmIP.exe	cobalt_reflective_dll
C:\Windows\System\CjVubTc.exe	cobalt_reflective_dll
C:\Windows\System\KUJHXZc.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\CjiVTLK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VaMrAav.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hCzrbQB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hwqWQXP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XxocdIq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FdtsKxN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZLIPjNb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\picqmjp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VChHiup.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PPdReZp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NuZllbI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BOkfiLM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mZWSHzY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ulaDlru.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eTpQKjT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qbtXjDJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FabQmyI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wYnxymM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RqtAmIP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CjVubTc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KUJHXZc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1848-0-0x00007FF682A20000-0x00007FF682D72000-memory.dmp	UPX
C:\Windows\System\CjiVTLK.exe	UPX
behavioral2/memory/1396-8-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	UPX
C:\Windows\System\VaMrAav.exe	UPX
C:\Windows\System\hCzrbQB.exe	UPX
behavioral2/memory/3536-13-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	UPX
behavioral2/memory/4532-20-0x00007FF6D2900000-0x00007FF6D2C52000-memory.dmp	UPX
C:\Windows\System\hwqWQXP.exe	UPX
C:\Windows\System\XxocdIq.exe	UPX
C:\Windows\System\FdtsKxN.exe	UPX
C:\Windows\System\ZLIPjNb.exe	UPX
behavioral2/memory/3060-46-0x00007FF6EFEA0000-0x00007FF6F01F2000-memory.dmp	UPX
C:\Windows\System\picqmjp.exe	UPX
behavioral2/memory/1212-54-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	UPX
C:\Windows\System\VChHiup.exe	UPX
behavioral2/memory/2256-59-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	UPX
behavioral2/memory/2148-51-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	UPX
behavioral2/memory/3972-47-0x00007FF637D30000-0x00007FF638082000-memory.dmp	UPX
C:\Windows\System\PPdReZp.exe	UPX
behavioral2/memory/1872-32-0x00007FF6068C0000-0x00007FF606C12000-memory.dmp	UPX
behavioral2/memory/2652-24-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	UPX
C:\Windows\System\NuZllbI.exe	UPX
behavioral2/memory/644-71-0x00007FF6065A0000-0x00007FF6068F2000-memory.dmp	UPX
C:\Windows\System\BOkfiLM.exe	UPX
behavioral2/memory/1396-81-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	UPX
behavioral2/memory/4724-82-0x00007FF71C8C0000-0x00007FF71CC12000-memory.dmp	UPX
C:\Windows\System\mZWSHzY.exe	UPX
behavioral2/memory/1040-77-0x00007FF7B4670000-0x00007FF7B49C2000-memory.dmp	UPX
behavioral2/memory/1848-74-0x00007FF682A20000-0x00007FF682D72000-memory.dmp	UPX
C:\Windows\System\ulaDlru.exe	UPX
behavioral2/memory/3536-87-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	UPX
C:\Windows\System\eTpQKjT.exe	UPX
behavioral2/memory/2840-92-0x00007FF658560000-0x00007FF6588B2000-memory.dmp	UPX
behavioral2/memory/2652-100-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	UPX
C:\Windows\System\qbtXjDJ.exe	UPX
C:\Windows\System\FabQmyI.exe	UPX
C:\Windows\System\wYnxymM.exe	UPX
behavioral2/memory/2212-112-0x00007FF6219D0000-0x00007FF621D22000-memory.dmp	UPX
behavioral2/memory/4692-109-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp	UPX
behavioral2/memory/1028-104-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp	UPX
C:\Windows\System\RqtAmIP.exe	UPX
behavioral2/memory/632-95-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp	UPX
behavioral2/memory/4164-123-0x00007FF623560000-0x00007FF6238B2000-memory.dmp	UPX
behavioral2/memory/2148-120-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	UPX
C:\Windows\System\CjVubTc.exe	UPX
behavioral2/memory/1568-132-0x00007FF72A870000-0x00007FF72ABC2000-memory.dmp	UPX
behavioral2/memory/1212-133-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	UPX
behavioral2/memory/2328-131-0x00007FF78A870000-0x00007FF78ABC2000-memory.dmp	UPX
C:\Windows\System\KUJHXZc.exe	UPX
behavioral2/memory/2256-134-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	UPX
behavioral2/memory/2840-135-0x00007FF658560000-0x00007FF6588B2000-memory.dmp	UPX
behavioral2/memory/632-136-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp	UPX
behavioral2/memory/1028-137-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp	UPX
behavioral2/memory/4692-138-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp	UPX
behavioral2/memory/1396-139-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	UPX
behavioral2/memory/3536-140-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	UPX
behavioral2/memory/4532-141-0x00007FF6D2900000-0x00007FF6D2C52000-memory.dmp	UPX
behavioral2/memory/1872-142-0x00007FF6068C0000-0x00007FF606C12000-memory.dmp	UPX
behavioral2/memory/2652-143-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	UPX
behavioral2/memory/3060-144-0x00007FF6EFEA0000-0x00007FF6F01F2000-memory.dmp	UPX
behavioral2/memory/3972-145-0x00007FF637D30000-0x00007FF638082000-memory.dmp	UPX
behavioral2/memory/1212-146-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	UPX
behavioral2/memory/2148-147-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	UPX
behavioral2/memory/2256-148-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1848-0-0x00007FF682A20000-0x00007FF682D72000-memory.dmp	xmrig
C:\Windows\System\CjiVTLK.exe	xmrig
behavioral2/memory/1396-8-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	xmrig
C:\Windows\System\VaMrAav.exe	xmrig
C:\Windows\System\hCzrbQB.exe	xmrig
behavioral2/memory/3536-13-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	xmrig
behavioral2/memory/4532-20-0x00007FF6D2900000-0x00007FF6D2C52000-memory.dmp	xmrig
C:\Windows\System\hwqWQXP.exe	xmrig
C:\Windows\System\XxocdIq.exe	xmrig
C:\Windows\System\FdtsKxN.exe	xmrig
C:\Windows\System\ZLIPjNb.exe	xmrig
behavioral2/memory/3060-46-0x00007FF6EFEA0000-0x00007FF6F01F2000-memory.dmp	xmrig
C:\Windows\System\picqmjp.exe	xmrig
behavioral2/memory/1212-54-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	xmrig
C:\Windows\System\VChHiup.exe	xmrig
behavioral2/memory/2256-59-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	xmrig
behavioral2/memory/2148-51-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	xmrig
behavioral2/memory/3972-47-0x00007FF637D30000-0x00007FF638082000-memory.dmp	xmrig
C:\Windows\System\PPdReZp.exe	xmrig
behavioral2/memory/1872-32-0x00007FF6068C0000-0x00007FF606C12000-memory.dmp	xmrig
behavioral2/memory/2652-24-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	xmrig
C:\Windows\System\NuZllbI.exe	xmrig
behavioral2/memory/644-71-0x00007FF6065A0000-0x00007FF6068F2000-memory.dmp	xmrig
C:\Windows\System\BOkfiLM.exe	xmrig
behavioral2/memory/1396-81-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	xmrig
behavioral2/memory/4724-82-0x00007FF71C8C0000-0x00007FF71CC12000-memory.dmp	xmrig
C:\Windows\System\mZWSHzY.exe	xmrig
behavioral2/memory/1040-77-0x00007FF7B4670000-0x00007FF7B49C2000-memory.dmp	xmrig
behavioral2/memory/1848-74-0x00007FF682A20000-0x00007FF682D72000-memory.dmp	xmrig
C:\Windows\System\ulaDlru.exe	xmrig
behavioral2/memory/3536-87-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	xmrig
C:\Windows\System\eTpQKjT.exe	xmrig
behavioral2/memory/2840-92-0x00007FF658560000-0x00007FF6588B2000-memory.dmp	xmrig
behavioral2/memory/2652-100-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	xmrig
C:\Windows\System\qbtXjDJ.exe	xmrig
C:\Windows\System\FabQmyI.exe	xmrig
C:\Windows\System\wYnxymM.exe	xmrig
behavioral2/memory/2212-112-0x00007FF6219D0000-0x00007FF621D22000-memory.dmp	xmrig
behavioral2/memory/4692-109-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp	xmrig
behavioral2/memory/1028-104-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp	xmrig
C:\Windows\System\RqtAmIP.exe	xmrig
behavioral2/memory/632-95-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp	xmrig
behavioral2/memory/4164-123-0x00007FF623560000-0x00007FF6238B2000-memory.dmp	xmrig
behavioral2/memory/2148-120-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	xmrig
C:\Windows\System\CjVubTc.exe	xmrig
behavioral2/memory/1568-132-0x00007FF72A870000-0x00007FF72ABC2000-memory.dmp	xmrig
behavioral2/memory/1212-133-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	xmrig
behavioral2/memory/2328-131-0x00007FF78A870000-0x00007FF78ABC2000-memory.dmp	xmrig
C:\Windows\System\KUJHXZc.exe	xmrig
behavioral2/memory/2256-134-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	xmrig
behavioral2/memory/2840-135-0x00007FF658560000-0x00007FF6588B2000-memory.dmp	xmrig
behavioral2/memory/632-136-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp	xmrig
behavioral2/memory/1028-137-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp	xmrig
behavioral2/memory/4692-138-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp	xmrig
behavioral2/memory/1396-139-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	xmrig
behavioral2/memory/3536-140-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	xmrig
behavioral2/memory/4532-141-0x00007FF6D2900000-0x00007FF6D2C52000-memory.dmp	xmrig
behavioral2/memory/1872-142-0x00007FF6068C0000-0x00007FF606C12000-memory.dmp	xmrig
behavioral2/memory/2652-143-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	xmrig
behavioral2/memory/3060-144-0x00007FF6EFEA0000-0x00007FF6F01F2000-memory.dmp	xmrig
behavioral2/memory/3972-145-0x00007FF637D30000-0x00007FF638082000-memory.dmp	xmrig
behavioral2/memory/1212-146-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	xmrig
behavioral2/memory/2148-147-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	xmrig
behavioral2/memory/2256-148-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

CjiVTLK.exeVaMrAav.exehCzrbQB.exehwqWQXP.exeXxocdIq.exeFdtsKxN.exePPdReZp.exeZLIPjNb.exepicqmjp.exeVChHiup.exeNuZllbI.exeBOkfiLM.exemZWSHzY.exeulaDlru.exeeTpQKjT.exeRqtAmIP.exeqbtXjDJ.exeFabQmyI.exewYnxymM.exeKUJHXZc.exeCjVubTc.exe

pid	process
1396	CjiVTLK.exe
3536	VaMrAav.exe
4532	hCzrbQB.exe
2652	hwqWQXP.exe
1872	XxocdIq.exe
3060	FdtsKxN.exe
3972	PPdReZp.exe
2148	ZLIPjNb.exe
1212	picqmjp.exe
2256	VChHiup.exe
644	NuZllbI.exe
1040	BOkfiLM.exe
4724	mZWSHzY.exe
2840	ulaDlru.exe
632	eTpQKjT.exe
1028	RqtAmIP.exe
4692	qbtXjDJ.exe
2212	FabQmyI.exe
4164	wYnxymM.exe
2328	KUJHXZc.exe
1568	CjVubTc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1848-0-0x00007FF682A20000-0x00007FF682D72000-memory.dmp	upx
C:\Windows\System\CjiVTLK.exe	upx
behavioral2/memory/1396-8-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	upx
C:\Windows\System\VaMrAav.exe	upx
C:\Windows\System\hCzrbQB.exe	upx
behavioral2/memory/3536-13-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	upx
behavioral2/memory/4532-20-0x00007FF6D2900000-0x00007FF6D2C52000-memory.dmp	upx
C:\Windows\System\hwqWQXP.exe	upx
C:\Windows\System\XxocdIq.exe	upx
C:\Windows\System\FdtsKxN.exe	upx
C:\Windows\System\ZLIPjNb.exe	upx
behavioral2/memory/3060-46-0x00007FF6EFEA0000-0x00007FF6F01F2000-memory.dmp	upx
C:\Windows\System\picqmjp.exe	upx
behavioral2/memory/1212-54-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	upx
C:\Windows\System\VChHiup.exe	upx
behavioral2/memory/2256-59-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	upx
behavioral2/memory/2148-51-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	upx
behavioral2/memory/3972-47-0x00007FF637D30000-0x00007FF638082000-memory.dmp	upx
C:\Windows\System\PPdReZp.exe	upx
behavioral2/memory/1872-32-0x00007FF6068C0000-0x00007FF606C12000-memory.dmp	upx
behavioral2/memory/2652-24-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	upx
C:\Windows\System\NuZllbI.exe	upx
behavioral2/memory/644-71-0x00007FF6065A0000-0x00007FF6068F2000-memory.dmp	upx
C:\Windows\System\BOkfiLM.exe	upx
behavioral2/memory/1396-81-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	upx
behavioral2/memory/4724-82-0x00007FF71C8C0000-0x00007FF71CC12000-memory.dmp	upx
C:\Windows\System\mZWSHzY.exe	upx
behavioral2/memory/1040-77-0x00007FF7B4670000-0x00007FF7B49C2000-memory.dmp	upx
behavioral2/memory/1848-74-0x00007FF682A20000-0x00007FF682D72000-memory.dmp	upx
C:\Windows\System\ulaDlru.exe	upx
behavioral2/memory/3536-87-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	upx
C:\Windows\System\eTpQKjT.exe	upx
behavioral2/memory/2840-92-0x00007FF658560000-0x00007FF6588B2000-memory.dmp	upx
behavioral2/memory/2652-100-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	upx
C:\Windows\System\qbtXjDJ.exe	upx
C:\Windows\System\FabQmyI.exe	upx
C:\Windows\System\wYnxymM.exe	upx
behavioral2/memory/2212-112-0x00007FF6219D0000-0x00007FF621D22000-memory.dmp	upx
behavioral2/memory/4692-109-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp	upx
behavioral2/memory/1028-104-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp	upx
C:\Windows\System\RqtAmIP.exe	upx
behavioral2/memory/632-95-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp	upx
behavioral2/memory/4164-123-0x00007FF623560000-0x00007FF6238B2000-memory.dmp	upx
behavioral2/memory/2148-120-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	upx
C:\Windows\System\CjVubTc.exe	upx
behavioral2/memory/1568-132-0x00007FF72A870000-0x00007FF72ABC2000-memory.dmp	upx
behavioral2/memory/1212-133-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	upx
behavioral2/memory/2328-131-0x00007FF78A870000-0x00007FF78ABC2000-memory.dmp	upx
C:\Windows\System\KUJHXZc.exe	upx
behavioral2/memory/2256-134-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	upx
behavioral2/memory/2840-135-0x00007FF658560000-0x00007FF6588B2000-memory.dmp	upx
behavioral2/memory/632-136-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp	upx
behavioral2/memory/1028-137-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp	upx
behavioral2/memory/4692-138-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp	upx
behavioral2/memory/1396-139-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp	upx
behavioral2/memory/3536-140-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp	upx
behavioral2/memory/4532-141-0x00007FF6D2900000-0x00007FF6D2C52000-memory.dmp	upx
behavioral2/memory/1872-142-0x00007FF6068C0000-0x00007FF606C12000-memory.dmp	upx
behavioral2/memory/2652-143-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp	upx
behavioral2/memory/3060-144-0x00007FF6EFEA0000-0x00007FF6F01F2000-memory.dmp	upx
behavioral2/memory/3972-145-0x00007FF637D30000-0x00007FF638082000-memory.dmp	upx
behavioral2/memory/1212-146-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp	upx
behavioral2/memory/2148-147-0x00007FF758690000-0x00007FF7589E2000-memory.dmp	upx
behavioral2/memory/2256-148-0x00007FF717B30000-0x00007FF717E82000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\KUJHXZc.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CjVubTc.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hCzrbQB.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PPdReZp.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZLIPjNb.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\picqmjp.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VChHiup.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BOkfiLM.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FabQmyI.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RqtAmIP.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wYnxymM.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FdtsKxN.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NuZllbI.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mZWSHzY.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ulaDlru.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eTpQKjT.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qbtXjDJ.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CjiVTLK.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VaMrAav.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hwqWQXP.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XxocdIq.exe	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1848 wrote to memory of 1396	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	CjiVTLK.exe
PID 1848 wrote to memory of 1396	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	CjiVTLK.exe
PID 1848 wrote to memory of 3536	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	VaMrAav.exe
PID 1848 wrote to memory of 3536	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	VaMrAav.exe
PID 1848 wrote to memory of 4532	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	hCzrbQB.exe
PID 1848 wrote to memory of 4532	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	hCzrbQB.exe
PID 1848 wrote to memory of 2652	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	hwqWQXP.exe
PID 1848 wrote to memory of 2652	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	hwqWQXP.exe
PID 1848 wrote to memory of 1872	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	XxocdIq.exe
PID 1848 wrote to memory of 1872	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	XxocdIq.exe
PID 1848 wrote to memory of 3060	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	FdtsKxN.exe
PID 1848 wrote to memory of 3060	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	FdtsKxN.exe
PID 1848 wrote to memory of 3972	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	PPdReZp.exe
PID 1848 wrote to memory of 3972	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	PPdReZp.exe
PID 1848 wrote to memory of 2148	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	ZLIPjNb.exe
PID 1848 wrote to memory of 2148	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	ZLIPjNb.exe
PID 1848 wrote to memory of 1212	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	picqmjp.exe
PID 1848 wrote to memory of 1212	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	picqmjp.exe
PID 1848 wrote to memory of 2256	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	VChHiup.exe
PID 1848 wrote to memory of 2256	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	VChHiup.exe
PID 1848 wrote to memory of 644	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	NuZllbI.exe
PID 1848 wrote to memory of 644	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	NuZllbI.exe
PID 1848 wrote to memory of 1040	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	BOkfiLM.exe
PID 1848 wrote to memory of 1040	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	BOkfiLM.exe
PID 1848 wrote to memory of 4724	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	mZWSHzY.exe
PID 1848 wrote to memory of 4724	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	mZWSHzY.exe
PID 1848 wrote to memory of 2840	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	ulaDlru.exe
PID 1848 wrote to memory of 2840	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	ulaDlru.exe
PID 1848 wrote to memory of 632	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	eTpQKjT.exe
PID 1848 wrote to memory of 632	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	eTpQKjT.exe
PID 1848 wrote to memory of 1028	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	RqtAmIP.exe
PID 1848 wrote to memory of 1028	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	RqtAmIP.exe
PID 1848 wrote to memory of 4692	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	qbtXjDJ.exe
PID 1848 wrote to memory of 4692	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	qbtXjDJ.exe
PID 1848 wrote to memory of 2212	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	FabQmyI.exe
PID 1848 wrote to memory of 2212	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	FabQmyI.exe
PID 1848 wrote to memory of 4164	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	wYnxymM.exe
PID 1848 wrote to memory of 4164	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	wYnxymM.exe
PID 1848 wrote to memory of 2328	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	KUJHXZc.exe
PID 1848 wrote to memory of 2328	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	KUJHXZc.exe
PID 1848 wrote to memory of 1568	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	CjVubTc.exe
PID 1848 wrote to memory of 1568	1848	2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe	CjVubTc.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_73b6f0a294fc287a2eee939bb968658b_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\System\CjiVTLK.exe
C:\Windows\System\CjiVTLK.exe
2⤵
- Executes dropped EXE
PID:1396

C:\Windows\System\VaMrAav.exe
C:\Windows\System\VaMrAav.exe
2⤵
- Executes dropped EXE
PID:3536

C:\Windows\System\hCzrbQB.exe
C:\Windows\System\hCzrbQB.exe
2⤵
- Executes dropped EXE
PID:4532

C:\Windows\System\hwqWQXP.exe
C:\Windows\System\hwqWQXP.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\XxocdIq.exe
C:\Windows\System\XxocdIq.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\FdtsKxN.exe
C:\Windows\System\FdtsKxN.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\System\PPdReZp.exe
C:\Windows\System\PPdReZp.exe
2⤵
- Executes dropped EXE
PID:3972

C:\Windows\System\ZLIPjNb.exe
C:\Windows\System\ZLIPjNb.exe
2⤵
- Executes dropped EXE
PID:2148

C:\Windows\System\picqmjp.exe
C:\Windows\System\picqmjp.exe
2⤵
- Executes dropped EXE
PID:1212

C:\Windows\System\VChHiup.exe
C:\Windows\System\VChHiup.exe
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\System\NuZllbI.exe
C:\Windows\System\NuZllbI.exe
2⤵
- Executes dropped EXE
PID:644

C:\Windows\System\BOkfiLM.exe
C:\Windows\System\BOkfiLM.exe
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\System\mZWSHzY.exe
C:\Windows\System\mZWSHzY.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System\ulaDlru.exe
C:\Windows\System\ulaDlru.exe
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\System\eTpQKjT.exe
C:\Windows\System\eTpQKjT.exe
2⤵
- Executes dropped EXE
PID:632

C:\Windows\System\RqtAmIP.exe
C:\Windows\System\RqtAmIP.exe
2⤵
- Executes dropped EXE
PID:1028

C:\Windows\System\qbtXjDJ.exe
C:\Windows\System\qbtXjDJ.exe
2⤵
- Executes dropped EXE
PID:4692

C:\Windows\System\FabQmyI.exe
C:\Windows\System\FabQmyI.exe
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\System\wYnxymM.exe
C:\Windows\System\wYnxymM.exe
2⤵
- Executes dropped EXE
PID:4164

C:\Windows\System\KUJHXZc.exe
C:\Windows\System\KUJHXZc.exe
2⤵
- Executes dropped EXE
PID:2328

C:\Windows\System\CjVubTc.exe
C:\Windows\System\CjVubTc.exe
2⤵
- Executes dropped EXE
PID:1568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BOkfiLM.exe
Filesize
8.3MB

MD5
cc9bec64f5af935b32b890a6173f6619

SHA1
a203b51f616d5444a10c9897371fc201eacbe773

SHA256
c2ee118543a9c12fb66c7bdc0c054722330a83a6f5b8f05d10a58cc448addd19

SHA512
19cb561892cededd3a751f112a8ae41badd5c0a4d29ca00b1867a177ab528c481a668751a3ec95fd570357bb627a13be9e76c21c80b48f8c0b00b4743f3becdf

Download Submit
C:\Windows\System\CjVubTc.exe
Filesize
8.3MB

MD5
fc36ed8031d77dd37a7e516e06105ba3

SHA1
66df38d3fa8907a30a4a259d1eb8ccfb9939b206

SHA256
c97990dae5ae0e82e9a1f259bd793b1ce4f29680c7e9f735b21e070b20219ee9

SHA512
e88c37f63dd6faea2a42bcc6f7c1d59edbb6b55f2e76915d574640d093f492536fd602e51e4752f09e0e99d0e28de86d95a564a033a27adda2c4eb51c4d23a2e

Download Submit
C:\Windows\System\CjiVTLK.exe
Filesize
8.3MB

MD5
5afac0019d4cd4042ad9460ad1444799

SHA1
381cef8857e498d93d2cc334d70f17c0c434b1ca

SHA256
d7165abeb4a8c154ea1e7f0df25fdc5d5873e6fea905398cf0d017ea8428df68

SHA512
a746bcb6c264aeda81a89ccff883923be25022641840aea192d8872feba7cd7e353012b505f399c225e2a395f25ef3f3ab20a8a24610f8763dd008d2cf06c6cd

Download Submit
C:\Windows\System\FabQmyI.exe
Filesize
8.3MB

MD5
3df0edce541f0901f06f624c6bfec7d8

SHA1
e197737d1a20ea46ea7bab0f1e5cc58601c7dbd0

SHA256
b0dc73f885396b760826125b6740565be2bd00152658a86a9e03b34c5d686f3f

SHA512
65be3738af3d4062e2d415eda51c23147f2709a4de38f6a83b6d52e2df2941f3248c6a83806337d8c6b178d544f538d9a1381360f05972be37ee06973d4b1f36

Download Submit
C:\Windows\System\FdtsKxN.exe
Filesize
8.3MB

MD5
4867400e9d76bcb4ee58efcd848eba03

SHA1
8b3ad5f3404f342ce26e23b85bab17a91a7bc66f

SHA256
c45ccfb50f333a0499722c4e5feec1ea097acb4008653205203d7ad74a567474

SHA512
50cad39e6ad405fecc64a0bf8d076930911ff26060f0c1641166419ee5fed418ad03e04f6f77b54b8c766b6d85617e2a9e9c1655bb3489be5bef20ff81b9049c

Download Submit
C:\Windows\System\KUJHXZc.exe
Filesize
8.3MB

MD5
24b5f63ea939946a7c0ec3b8e877276f

SHA1
6ba9b16d4d6f2fdf75d01c5cb4ddfcc9d53d3ff8

SHA256
7f2fc430555c0cf2dfb8356554e77aa3c761ecd0ad57fead3fccff9b342e3ff9

SHA512
0cdc76ce68175edafd290b3af7d6ecae7ec2f40ba6fe432fb8a053e02a1d2882edce4fe72c09acb0815d33030363d8e8fbff6ffd60202b006cd8d3a979e3aa98

Download Submit
C:\Windows\System\NuZllbI.exe
Filesize
8.3MB

MD5
4c3b448694fbf3b89380d2fe07a31365

SHA1
57329279182e72e667ab83a58e08fd0b01e350f7

SHA256
d2b236b35fc6add1de538160f88e7c32076ea021da703267f04669a699fb16f7

SHA512
d53c9008003b3a65609373b1af0d13f573b0962dc23a678b48eb8c399633203b8ec520deadb57b88cdae1b31df661a254bbdbb81bc5ca59162976fd6abd79048

Download Submit
C:\Windows\System\PPdReZp.exe
Filesize
8.3MB

MD5
d7807250aa56e69b34d40e663cbdec2c

SHA1
0a7f7ce010ddb1e4cd9a00d6560bbee44138e8c7

SHA256
fe262702a434f92e95968a87a360d4bd7e9b0bfc24de652d17de823697ac9546

SHA512
5d1c6609e99abee3035561789cc3f7ffee40b67ec52ae083f8ffd86e99f4dec614a6aa87fa27cd0564a360c68f0c2a8197b2e92c43d150b39b86f7c6e0e33b7b

Download Submit
C:\Windows\System\RqtAmIP.exe
Filesize
8.3MB

MD5
ad499473a5dc482d6c05fc681220cb6b

SHA1
bc828e3358d6580b7f6f7f5c586ddb04ecdc9dc7

SHA256
4192cda98aca543e8e3f3a005da601a9dab0850c27ff1dbf8d265a8e46dab886

SHA512
82702f2f88f4426528fd3ba72dc5d0151f4057a1332884403694d0309a29551e44388fbe2b4d925c78ffad7b27c030d817ad8b35cc56d7efc5afa5c74c9c979e

Download Submit
C:\Windows\System\VChHiup.exe
Filesize
8.3MB

MD5
153b842ffbdd227887c917154bbb5168

SHA1
86b3198ffdc0b24c0ca738ff6b88934d4eda256e

SHA256
c12bfc94ae31266913d2c60b43770f9fbad6022bc4a1e545fe6bfd6b3baf3eb6

SHA512
46b475d7932903388b0b1d4e227e9ff5b71dad8aa937a0c7662b3987eccf7ed35025d669bd46a5b3df4902b139924cb962697352fb3398b691b54b7cb8e45db5

Download Submit
C:\Windows\System\VaMrAav.exe
Filesize
8.3MB

MD5
8ba7875050b4e79a3980af2cf4b730b7

SHA1
aa6fa795d9e02abc7890a9ec47d7edd936a01c5b

SHA256
ce3e6f17783afa60d31a69f0ba320cc8dc51163af2dc4e41b1d79259695659fd

SHA512
a97ba44e5d0b4b75043136c4bd4872a73ae84d1d58a28a5bdd4cabb010ee84feb029026d0b0e1cf3cb58f8816ec4a58ea6c102ce37b9ea988c8f1d1ee0a9d4bf

Download Submit
C:\Windows\System\XxocdIq.exe
Filesize
8.3MB

MD5
f08bba5857671093ba5a6324590b95ce

SHA1
870aec63cf0fc62f88df6379aed9a65f38ba677d

SHA256
6d9e235c3531c9636b129cc359ac4033ad967eb00c9c111be055cda50a6a5b00

SHA512
6d90a10955be4a8f3543690d3f77f7981988259e7e3decc05db3cc9386a20d86ae1e45eb94e087d37cf6d06f09ad7e0e302abb0d8ac14d2ceb8e023ad2ac78b9

Download Submit
C:\Windows\System\ZLIPjNb.exe
Filesize
8.3MB

MD5
c75f9cae70c08f139619b1963fedc926

SHA1
01daea91de14fa57a313c417f4b694238084bc03

SHA256
a3a3e424e6ba8fe0aff2322a54384ea7f17c918f1c9eb4ad140e970e14549187

SHA512
8adabc29b32f3a473bf2ac7bbc2bcdce6b4c222287df55bab76c6bf01c82623bc69dabea848d34a8d61f40fdf04e19ff54913d49d7f99799cbc005e0614b6909

Download Submit
C:\Windows\System\eTpQKjT.exe
Filesize
8.3MB

MD5
cfbb85af610535db292b1bffec5e78f0

SHA1
680e18576c15544365df9738008d465995dcaf36

SHA256
1517bae80f6b0d909702a8888083105a5ea8b3cf4b6c23d71902f2f0569e75e0

SHA512
c1a2d8ca4303f9b91260b0d6aef4ad74861a686e95cfd3c733dec390fcab5043a8c66a9cb9d1c5f4c61df3b5d7feb27f75b7221ba90f978f1ed33b4f379bfc42

Download Submit
C:\Windows\System\hCzrbQB.exe
Filesize
8.3MB

MD5
4506970171fc93fcc40bbf9cec4fc95a

SHA1
df9339d3e3ca6a63aa8b9bf3fedeca1ecd4b3b1d

SHA256
447f79bf37f88dec7c2d39cecca7bd79a5cd129d346c1fb85bbc5f2676bba01f

SHA512
f21573c3ebd07175819822a9327cc19ce9a287e3bc1d5b84392dbbcf1dfcee358256d42760e8bf4ac4bf8df2d00c5c73fca03ae0e32d1a274af5a1d32d936df5

Download Submit
C:\Windows\System\hwqWQXP.exe
Filesize
8.3MB

MD5
bd0023bbc3862daf04bfaee477a9a03e

SHA1
f8cb3621342e8e7db35a7a0f91374f51dc320c6c

SHA256
eaf3bb96f099ee7cb1fb2f3298a136229156c393e77385bebbf1bd5485e78d30

SHA512
729ac8eec50c14f5492a8b815babdb4c310e1ab5e2c28b2b7ea848462ae92a5b997c17b2ee679048abbfe836749d2d8dbd4d6d6e1eb337b15d3be3fe6d4a8833

Download Submit
C:\Windows\System\mZWSHzY.exe
Filesize
8.3MB

MD5
ab84331419a64dc40417bbcedd8df688

SHA1
5145c4709a159cff708d6b2dccaf869957349a96

SHA256
5838bb321c002cf7b7e4d7ddba2a53ed794fd3e6f06c39c903791df010e7d6e4

SHA512
7a9b2c2b12d2782f73f1078f0d05153a299267056eda63ffacb708236ee8d62cf773c6745a35e8406162cbb88ff600952d50d2fc7716f18e8374e3158169fe7c

Download Submit
C:\Windows\System\picqmjp.exe
Filesize
8.3MB

MD5
b6fa0001a4be1dc93e4c265652fb3c31

SHA1
8a269bec61180fb2205e2f25bbb3d8fbb1262660

SHA256
eb81c9e3c8384620e8eae092770ac6f82989389eeec5b23ccad54817a10da29b

SHA512
ecd9eb04b50582f8735db75fbf7b5a1d8ce95fe76f209d11da879604b2633a79b44aafe6603c727e3fdcb807197da9f31bc77c7d56a8902284dac517ab0ed184

Download Submit
C:\Windows\System\qbtXjDJ.exe
Filesize
8.3MB

MD5
ef456a316095d0500d8eda97c0ae27c3

SHA1
4a0b04ff0121c0a13306f7af831fbceb66107f3f

SHA256
e2d3e8978cc9e87d016f5d06e3e34d12bc9bcfcf3873933e4061dd3fb80de763

SHA512
f917e9f029bb0bf550fab2ef53f155d7d79066e9185fbf10ed4e14ce0320f89bab170c7898f5dd6a5c0197cf3d59620bdc5e9018fde9fac9ef6dbe6edab95943

Download Submit
C:\Windows\System\ulaDlru.exe
Filesize
8.3MB

MD5
14c79de8ce5c1f1421435de9bcbf0eb1

SHA1
a7c3abc914c53e668a5e99e000c208712e64dbcd

SHA256
737aa7a2c98b8c1f9dd8e83e25fe7aa4ed25ebb3ec5ccbeff95996f997c3b9ad

SHA512
f884c556d64075c6478e56aaeff53f6cef7843888d1db6c97d87910869b438577f0d627064ee13207754bcd213e16d5ffab28d275cfc33e8789d1fc90abaa69c

Download Submit
C:\Windows\System\wYnxymM.exe
Filesize
8.3MB

MD5
59a656d7f813f5de00d181bd561fa57e

SHA1
fea5b9f8ef1c184cbccfe5a16323bb6d7b2e4ab0

SHA256
fc1970fd67773684dfe4f6595ed6ea8f7fa720b37cc8cad72f05dd65abafdaf9

SHA512
eaa330a5a82087321e6e0a1c991f0664f9ba2951d7ea5b873728224fbd447f527ee0f5037cd3691468e90963b8e9a32fbebf595733cdf427af5cc7fb913a7d1a

Download Submit
memory/632-95-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp

Filesize
3.3MB

Download
memory/632-136-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp

Filesize
3.3MB

Download
memory/632-153-0x00007FF7F9C30000-0x00007FF7F9F82000-memory.dmp

Filesize
3.3MB

Download
memory/644-71-0x00007FF6065A0000-0x00007FF6068F2000-memory.dmp

Filesize
3.3MB

Download
memory/644-149-0x00007FF6065A0000-0x00007FF6068F2000-memory.dmp

Filesize
3.3MB

Download
memory/1028-154-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp

Filesize
3.3MB

Download
memory/1028-137-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp

Filesize
3.3MB

Download
memory/1028-104-0x00007FF68A4A0000-0x00007FF68A7F2000-memory.dmp

Filesize
3.3MB

Download
memory/1040-150-0x00007FF7B4670000-0x00007FF7B49C2000-memory.dmp

Filesize
3.3MB

Download
memory/1040-77-0x00007FF7B4670000-0x00007FF7B49C2000-memory.dmp

Filesize
3.3MB

Download
memory/1212-133-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp

Filesize
3.3MB

Download
memory/1212-146-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp

Filesize
3.3MB

Download
memory/1212-54-0x00007FF7A8610000-0x00007FF7A8962000-memory.dmp

Filesize
3.3MB

Download
memory/1396-139-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp

Filesize
3.3MB

Download
memory/1396-81-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp

Filesize
3.3MB

Download
memory/1396-8-0x00007FF7F0240000-0x00007FF7F0592000-memory.dmp

Filesize
3.3MB

Download
memory/1568-159-0x00007FF72A870000-0x00007FF72ABC2000-memory.dmp

Filesize
3.3MB

Download
memory/1568-132-0x00007FF72A870000-0x00007FF72ABC2000-memory.dmp

Filesize
3.3MB

Download
memory/1848-74-0x00007FF682A20000-0x00007FF682D72000-memory.dmp

Filesize
3.3MB

Download
memory/1848-0-0x00007FF682A20000-0x00007FF682D72000-memory.dmp

Filesize
3.3MB

Download
memory/1848-1-0x0000022B2D350000-0x0000022B2D360000-memory.dmp

Filesize
64KB

Download
memory/1872-142-0x00007FF6068C0000-0x00007FF606C12000-memory.dmp

Filesize
3.3MB

Download
memory/1872-32-0x00007FF6068C0000-0x00007FF606C12000-memory.dmp

Filesize
3.3MB

Download
memory/2148-147-0x00007FF758690000-0x00007FF7589E2000-memory.dmp

Filesize
3.3MB

Download
memory/2148-120-0x00007FF758690000-0x00007FF7589E2000-memory.dmp

Filesize
3.3MB

Download
memory/2148-51-0x00007FF758690000-0x00007FF7589E2000-memory.dmp

Filesize
3.3MB

Download
memory/2212-112-0x00007FF6219D0000-0x00007FF621D22000-memory.dmp

Filesize
3.3MB

Download
memory/2212-155-0x00007FF6219D0000-0x00007FF621D22000-memory.dmp

Filesize
3.3MB

Download
memory/2256-134-0x00007FF717B30000-0x00007FF717E82000-memory.dmp

Filesize
3.3MB

Download
memory/2256-59-0x00007FF717B30000-0x00007FF717E82000-memory.dmp

Filesize
3.3MB

Download
memory/2256-148-0x00007FF717B30000-0x00007FF717E82000-memory.dmp

Filesize
3.3MB

Download
memory/2328-158-0x00007FF78A870000-0x00007FF78ABC2000-memory.dmp

Filesize
3.3MB

Download
memory/2328-131-0x00007FF78A870000-0x00007FF78ABC2000-memory.dmp

Filesize
3.3MB

Download
memory/2652-24-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp

Filesize
3.3MB

Download
memory/2652-100-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp

Filesize
3.3MB

Download
memory/2652-143-0x00007FF7916A0000-0x00007FF7919F2000-memory.dmp

Filesize
3.3MB

Download
memory/2840-135-0x00007FF658560000-0x00007FF6588B2000-memory.dmp

Filesize
3.3MB

Download
memory/2840-92-0x00007FF658560000-0x00007FF6588B2000-memory.dmp

Filesize
3.3MB

Download
memory/2840-152-0x00007FF658560000-0x00007FF6588B2000-memory.dmp

Filesize
3.3MB

Download
memory/3060-46-0x00007FF6EFEA0000-0x00007FF6F01F2000-memory.dmp

Filesize
3.3MB

Download
memory/3060-144-0x00007FF6EFEA0000-0x00007FF6F01F2000-memory.dmp

Filesize
3.3MB

Download
memory/3536-13-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp

Filesize
3.3MB

Download
memory/3536-87-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp

Filesize
3.3MB

Download
memory/3536-140-0x00007FF61FE90000-0x00007FF6201E2000-memory.dmp

Filesize
3.3MB

Download
memory/3972-145-0x00007FF637D30000-0x00007FF638082000-memory.dmp

Filesize
3.3MB

Download
memory/3972-47-0x00007FF637D30000-0x00007FF638082000-memory.dmp

Filesize
3.3MB

Download
memory/4164-123-0x00007FF623560000-0x00007FF6238B2000-memory.dmp

Filesize
3.3MB

Download
memory/4164-157-0x00007FF623560000-0x00007FF6238B2000-memory.dmp

Filesize
3.3MB

Download
memory/4532-20-0x00007FF6D2900000-0x00007FF6D2C52000-memory.dmp

Filesize
3.3MB

Download
memory/4532-141-0x00007FF6D2900000-0x00007FF6D2C52000-memory.dmp

Filesize
3.3MB

Download
memory/4692-138-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp

Filesize
3.3MB

Download
memory/4692-109-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp

Filesize
3.3MB

Download
memory/4692-156-0x00007FF7CE960000-0x00007FF7CECB2000-memory.dmp

Filesize
3.3MB

Download
memory/4724-151-0x00007FF71C8C0000-0x00007FF71CC12000-memory.dmp

Filesize
3.3MB

Download
memory/4724-82-0x00007FF71C8C0000-0x00007FF71CC12000-memory.dmp

Filesize
3.3MB

Download