cobaltstrike | e71e639032d251e8668f825bd7728779d4e13c540b5e7af56a00deed945638b0

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

993a9d59f962ae35f5f7a6cbff51ddd3
SHA1

3a078439a7235bbd546e58f4fddc27521cc1b661
SHA256

e71e639032d251e8668f825bd7728779d4e13c540b5e7af56a00deed945638b0
SHA512

28775e88fc4a6c8f9dcacaac960aa39d7dc5edcbdd554df2ce8ca0a9509eb950c98dc2929419ada0195ad8fad82686ba3026cf89a5548c2cfc5333f33334449e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lT:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\urAZZmK.exe	cobalt_reflective_dll
C:\Windows\System\ioahRoc.exe	cobalt_reflective_dll
C:\Windows\System\CyDfMwV.exe	cobalt_reflective_dll
C:\Windows\System\jdkzTXk.exe	cobalt_reflective_dll
C:\Windows\System\FOnMLgy.exe	cobalt_reflective_dll
C:\Windows\System\rgpuyrc.exe	cobalt_reflective_dll
C:\Windows\System\eRDcpRT.exe	cobalt_reflective_dll
C:\Windows\System\tjnaVgb.exe	cobalt_reflective_dll
C:\Windows\System\CzvyNrK.exe	cobalt_reflective_dll
C:\Windows\System\SukCRFB.exe	cobalt_reflective_dll
C:\Windows\System\rKacDsv.exe	cobalt_reflective_dll
C:\Windows\System\QEcYwRj.exe	cobalt_reflective_dll
C:\Windows\System\qdfMrNR.exe	cobalt_reflective_dll
C:\Windows\System\yNfHRzF.exe	cobalt_reflective_dll
C:\Windows\System\sKpgAAK.exe	cobalt_reflective_dll
C:\Windows\System\qBDaqRs.exe	cobalt_reflective_dll
C:\Windows\System\EKoanQH.exe	cobalt_reflective_dll
C:\Windows\System\ncHWACh.exe	cobalt_reflective_dll
C:\Windows\System\HQlrVoE.exe	cobalt_reflective_dll
C:\Windows\System\mewwYYp.exe	cobalt_reflective_dll
C:\Windows\System\CtjjvZY.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\urAZZmK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ioahRoc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CyDfMwV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jdkzTXk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FOnMLgy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rgpuyrc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eRDcpRT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tjnaVgb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CzvyNrK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SukCRFB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rKacDsv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QEcYwRj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qdfMrNR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yNfHRzF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sKpgAAK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qBDaqRs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EKoanQH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ncHWACh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HQlrVoE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mewwYYp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CtjjvZY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4004-0-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	UPX
C:\Windows\System\urAZZmK.exe	UPX
C:\Windows\System\ioahRoc.exe	UPX
C:\Windows\System\CyDfMwV.exe	UPX
behavioral2/memory/3576-42-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	UPX
C:\Windows\System\jdkzTXk.exe	UPX
C:\Windows\System\FOnMLgy.exe	UPX
C:\Windows\System\rgpuyrc.exe	UPX
C:\Windows\System\eRDcpRT.exe	UPX
behavioral2/memory/924-80-0x00007FF75ABD0000-0x00007FF75AF21000-memory.dmp	UPX
behavioral2/memory/2724-91-0x00007FF67F170000-0x00007FF67F4C1000-memory.dmp	UPX
C:\Windows\System\tjnaVgb.exe	UPX
behavioral2/memory/3996-104-0x00007FF75CF50000-0x00007FF75D2A1000-memory.dmp	UPX
C:\Windows\System\CzvyNrK.exe	UPX
behavioral2/memory/232-115-0x00007FF782400000-0x00007FF782751000-memory.dmp	UPX
behavioral2/memory/732-122-0x00007FF6F7940000-0x00007FF6F7C91000-memory.dmp	UPX
behavioral2/memory/1036-127-0x00007FF7FF1C0000-0x00007FF7FF511000-memory.dmp	UPX
behavioral2/memory/516-126-0x00007FF784A90000-0x00007FF784DE1000-memory.dmp	UPX
behavioral2/memory/3436-125-0x00007FF7741C0000-0x00007FF774511000-memory.dmp	UPX
behavioral2/memory/588-124-0x00007FF641A20000-0x00007FF641D71000-memory.dmp	UPX
behavioral2/memory/1860-123-0x00007FF6A8520000-0x00007FF6A8871000-memory.dmp	UPX
C:\Windows\System\SukCRFB.exe	UPX
behavioral2/memory/3904-114-0x00007FF690100000-0x00007FF690451000-memory.dmp	UPX
C:\Windows\System\rKacDsv.exe	UPX
behavioral2/memory/3244-110-0x00007FF692650000-0x00007FF6929A1000-memory.dmp	UPX
C:\Windows\System\QEcYwRj.exe	UPX
C:\Windows\System\qdfMrNR.exe	UPX
behavioral2/memory/2516-97-0x00007FF616B30000-0x00007FF616E81000-memory.dmp	UPX
behavioral2/memory/4628-96-0x00007FF65EDE0000-0x00007FF65F131000-memory.dmp	UPX
C:\Windows\System\yNfHRzF.exe	UPX
C:\Windows\System\sKpgAAK.exe	UPX
behavioral2/memory/1576-90-0x00007FF7B4A30000-0x00007FF7B4D81000-memory.dmp	UPX
C:\Windows\System\qBDaqRs.exe	UPX
C:\Windows\System\EKoanQH.exe	UPX
behavioral2/memory/2276-57-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp	UPX
behavioral2/memory/4964-49-0x00007FF681920000-0x00007FF681C71000-memory.dmp	UPX
C:\Windows\System\ncHWACh.exe	UPX
behavioral2/memory/636-31-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp	UPX
C:\Windows\System\HQlrVoE.exe	UPX
C:\Windows\System\mewwYYp.exe	UPX
behavioral2/memory/3388-27-0x00007FF630BA0000-0x00007FF630EF1000-memory.dmp	UPX
C:\Windows\System\CtjjvZY.exe	UPX
behavioral2/memory/2824-9-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	UPX
behavioral2/memory/4004-128-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	UPX
behavioral2/memory/636-132-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp	UPX
behavioral2/memory/2276-137-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp	UPX
behavioral2/memory/3576-133-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	UPX
behavioral2/memory/2824-129-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	UPX
behavioral2/memory/4004-150-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	UPX
behavioral2/memory/4004-172-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	UPX
behavioral2/memory/2824-196-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	UPX
behavioral2/memory/3388-198-0x00007FF630BA0000-0x00007FF630EF1000-memory.dmp	UPX
behavioral2/memory/924-200-0x00007FF75ABD0000-0x00007FF75AF21000-memory.dmp	UPX
behavioral2/memory/4964-202-0x00007FF681920000-0x00007FF681C71000-memory.dmp	UPX
behavioral2/memory/636-204-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp	UPX
behavioral2/memory/3436-207-0x00007FF7741C0000-0x00007FF774511000-memory.dmp	UPX
behavioral2/memory/2516-218-0x00007FF616B30000-0x00007FF616E81000-memory.dmp	UPX
behavioral2/memory/3576-216-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	UPX
behavioral2/memory/1576-214-0x00007FF7B4A30000-0x00007FF7B4D81000-memory.dmp	UPX
behavioral2/memory/2724-213-0x00007FF67F170000-0x00007FF67F4C1000-memory.dmp	UPX
behavioral2/memory/2276-211-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp	UPX
behavioral2/memory/4628-208-0x00007FF65EDE0000-0x00007FF65F131000-memory.dmp	UPX
behavioral2/memory/1860-232-0x00007FF6A8520000-0x00007FF6A8871000-memory.dmp	UPX
behavioral2/memory/1036-236-0x00007FF7FF1C0000-0x00007FF7FF511000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3576-42-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	xmrig
behavioral2/memory/924-80-0x00007FF75ABD0000-0x00007FF75AF21000-memory.dmp	xmrig
behavioral2/memory/2724-91-0x00007FF67F170000-0x00007FF67F4C1000-memory.dmp	xmrig
behavioral2/memory/3996-104-0x00007FF75CF50000-0x00007FF75D2A1000-memory.dmp	xmrig
behavioral2/memory/232-115-0x00007FF782400000-0x00007FF782751000-memory.dmp	xmrig
behavioral2/memory/732-122-0x00007FF6F7940000-0x00007FF6F7C91000-memory.dmp	xmrig
behavioral2/memory/1036-127-0x00007FF7FF1C0000-0x00007FF7FF511000-memory.dmp	xmrig
behavioral2/memory/516-126-0x00007FF784A90000-0x00007FF784DE1000-memory.dmp	xmrig
behavioral2/memory/3436-125-0x00007FF7741C0000-0x00007FF774511000-memory.dmp	xmrig
behavioral2/memory/588-124-0x00007FF641A20000-0x00007FF641D71000-memory.dmp	xmrig
behavioral2/memory/1860-123-0x00007FF6A8520000-0x00007FF6A8871000-memory.dmp	xmrig
behavioral2/memory/3904-114-0x00007FF690100000-0x00007FF690451000-memory.dmp	xmrig
behavioral2/memory/3244-110-0x00007FF692650000-0x00007FF6929A1000-memory.dmp	xmrig
behavioral2/memory/2516-97-0x00007FF616B30000-0x00007FF616E81000-memory.dmp	xmrig
behavioral2/memory/4628-96-0x00007FF65EDE0000-0x00007FF65F131000-memory.dmp	xmrig
behavioral2/memory/1576-90-0x00007FF7B4A30000-0x00007FF7B4D81000-memory.dmp	xmrig
behavioral2/memory/4964-49-0x00007FF681920000-0x00007FF681C71000-memory.dmp	xmrig
behavioral2/memory/3388-27-0x00007FF630BA0000-0x00007FF630EF1000-memory.dmp	xmrig
behavioral2/memory/2824-9-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	xmrig
behavioral2/memory/4004-128-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	xmrig
behavioral2/memory/636-132-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp	xmrig
behavioral2/memory/2276-137-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp	xmrig
behavioral2/memory/3576-133-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	xmrig
behavioral2/memory/2824-129-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	xmrig
behavioral2/memory/4004-150-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	xmrig
behavioral2/memory/4004-172-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	xmrig
behavioral2/memory/2824-196-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	xmrig
behavioral2/memory/3388-198-0x00007FF630BA0000-0x00007FF630EF1000-memory.dmp	xmrig
behavioral2/memory/924-200-0x00007FF75ABD0000-0x00007FF75AF21000-memory.dmp	xmrig
behavioral2/memory/4964-202-0x00007FF681920000-0x00007FF681C71000-memory.dmp	xmrig
behavioral2/memory/636-204-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp	xmrig
behavioral2/memory/3436-207-0x00007FF7741C0000-0x00007FF774511000-memory.dmp	xmrig
behavioral2/memory/2516-218-0x00007FF616B30000-0x00007FF616E81000-memory.dmp	xmrig
behavioral2/memory/3576-216-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	xmrig
behavioral2/memory/1576-214-0x00007FF7B4A30000-0x00007FF7B4D81000-memory.dmp	xmrig
behavioral2/memory/2724-213-0x00007FF67F170000-0x00007FF67F4C1000-memory.dmp	xmrig
behavioral2/memory/2276-211-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp	xmrig
behavioral2/memory/4628-208-0x00007FF65EDE0000-0x00007FF65F131000-memory.dmp	xmrig
behavioral2/memory/1860-232-0x00007FF6A8520000-0x00007FF6A8871000-memory.dmp	xmrig
behavioral2/memory/1036-236-0x00007FF7FF1C0000-0x00007FF7FF511000-memory.dmp	xmrig
behavioral2/memory/732-234-0x00007FF6F7940000-0x00007FF6F7C91000-memory.dmp	xmrig
behavioral2/memory/588-231-0x00007FF641A20000-0x00007FF641D71000-memory.dmp	xmrig
behavioral2/memory/3996-229-0x00007FF75CF50000-0x00007FF75D2A1000-memory.dmp	xmrig
behavioral2/memory/3244-227-0x00007FF692650000-0x00007FF6929A1000-memory.dmp	xmrig
behavioral2/memory/3904-224-0x00007FF690100000-0x00007FF690451000-memory.dmp	xmrig
behavioral2/memory/516-223-0x00007FF784A90000-0x00007FF784DE1000-memory.dmp	xmrig
behavioral2/memory/232-221-0x00007FF782400000-0x00007FF782751000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

urAZZmK.exeioahRoc.exeCtjjvZY.exeHQlrVoE.exeCyDfMwV.exemewwYYp.exencHWACh.exejdkzTXk.exeFOnMLgy.exergpuyrc.exeEKoanQH.exeqBDaqRs.exeeRDcpRT.exesKpgAAK.exeyNfHRzF.exetjnaVgb.exeqdfMrNR.exeQEcYwRj.exerKacDsv.exeCzvyNrK.exeSukCRFB.exe

pid	process
2824	urAZZmK.exe
3388	ioahRoc.exe
924	CtjjvZY.exe
636	HQlrVoE.exe
3576	CyDfMwV.exe
4964	mewwYYp.exe
1576	ncHWACh.exe
2724	jdkzTXk.exe
2276	FOnMLgy.exe
4628	rgpuyrc.exe
3436	EKoanQH.exe
2516	qBDaqRs.exe
3996	eRDcpRT.exe
3244	sKpgAAK.exe
3904	yNfHRzF.exe
516	tjnaVgb.exe
232	qdfMrNR.exe
732	QEcYwRj.exe
1036	rKacDsv.exe
1860	CzvyNrK.exe
588	SukCRFB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4004-0-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	upx
C:\Windows\System\urAZZmK.exe	upx
C:\Windows\System\ioahRoc.exe	upx
C:\Windows\System\CyDfMwV.exe	upx
behavioral2/memory/3576-42-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	upx
C:\Windows\System\jdkzTXk.exe	upx
C:\Windows\System\FOnMLgy.exe	upx
C:\Windows\System\rgpuyrc.exe	upx
C:\Windows\System\eRDcpRT.exe	upx
behavioral2/memory/924-80-0x00007FF75ABD0000-0x00007FF75AF21000-memory.dmp	upx
behavioral2/memory/2724-91-0x00007FF67F170000-0x00007FF67F4C1000-memory.dmp	upx
C:\Windows\System\tjnaVgb.exe	upx
behavioral2/memory/3996-104-0x00007FF75CF50000-0x00007FF75D2A1000-memory.dmp	upx
C:\Windows\System\CzvyNrK.exe	upx
behavioral2/memory/232-115-0x00007FF782400000-0x00007FF782751000-memory.dmp	upx
behavioral2/memory/732-122-0x00007FF6F7940000-0x00007FF6F7C91000-memory.dmp	upx
behavioral2/memory/1036-127-0x00007FF7FF1C0000-0x00007FF7FF511000-memory.dmp	upx
behavioral2/memory/516-126-0x00007FF784A90000-0x00007FF784DE1000-memory.dmp	upx
behavioral2/memory/3436-125-0x00007FF7741C0000-0x00007FF774511000-memory.dmp	upx
behavioral2/memory/588-124-0x00007FF641A20000-0x00007FF641D71000-memory.dmp	upx
behavioral2/memory/1860-123-0x00007FF6A8520000-0x00007FF6A8871000-memory.dmp	upx
C:\Windows\System\SukCRFB.exe	upx
behavioral2/memory/3904-114-0x00007FF690100000-0x00007FF690451000-memory.dmp	upx
C:\Windows\System\rKacDsv.exe	upx
behavioral2/memory/3244-110-0x00007FF692650000-0x00007FF6929A1000-memory.dmp	upx
C:\Windows\System\QEcYwRj.exe	upx
C:\Windows\System\qdfMrNR.exe	upx
behavioral2/memory/2516-97-0x00007FF616B30000-0x00007FF616E81000-memory.dmp	upx
behavioral2/memory/4628-96-0x00007FF65EDE0000-0x00007FF65F131000-memory.dmp	upx
C:\Windows\System\yNfHRzF.exe	upx
C:\Windows\System\sKpgAAK.exe	upx
behavioral2/memory/1576-90-0x00007FF7B4A30000-0x00007FF7B4D81000-memory.dmp	upx
C:\Windows\System\qBDaqRs.exe	upx
C:\Windows\System\EKoanQH.exe	upx
behavioral2/memory/2276-57-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp	upx
behavioral2/memory/4964-49-0x00007FF681920000-0x00007FF681C71000-memory.dmp	upx
C:\Windows\System\ncHWACh.exe	upx
behavioral2/memory/636-31-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp	upx
C:\Windows\System\HQlrVoE.exe	upx
C:\Windows\System\mewwYYp.exe	upx
behavioral2/memory/3388-27-0x00007FF630BA0000-0x00007FF630EF1000-memory.dmp	upx
C:\Windows\System\CtjjvZY.exe	upx
behavioral2/memory/2824-9-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	upx
behavioral2/memory/4004-128-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	upx
behavioral2/memory/636-132-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp	upx
behavioral2/memory/2276-137-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp	upx
behavioral2/memory/3576-133-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	upx
behavioral2/memory/2824-129-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	upx
behavioral2/memory/4004-150-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	upx
behavioral2/memory/4004-172-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp	upx
behavioral2/memory/2824-196-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp	upx
behavioral2/memory/3388-198-0x00007FF630BA0000-0x00007FF630EF1000-memory.dmp	upx
behavioral2/memory/924-200-0x00007FF75ABD0000-0x00007FF75AF21000-memory.dmp	upx
behavioral2/memory/4964-202-0x00007FF681920000-0x00007FF681C71000-memory.dmp	upx
behavioral2/memory/636-204-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp	upx
behavioral2/memory/3436-207-0x00007FF7741C0000-0x00007FF774511000-memory.dmp	upx
behavioral2/memory/2516-218-0x00007FF616B30000-0x00007FF616E81000-memory.dmp	upx
behavioral2/memory/3576-216-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp	upx
behavioral2/memory/1576-214-0x00007FF7B4A30000-0x00007FF7B4D81000-memory.dmp	upx
behavioral2/memory/2724-213-0x00007FF67F170000-0x00007FF67F4C1000-memory.dmp	upx
behavioral2/memory/2276-211-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp	upx
behavioral2/memory/4628-208-0x00007FF65EDE0000-0x00007FF65F131000-memory.dmp	upx
behavioral2/memory/1860-232-0x00007FF6A8520000-0x00007FF6A8871000-memory.dmp	upx
behavioral2/memory/1036-236-0x00007FF7FF1C0000-0x00007FF7FF511000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\CyDfMwV.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mewwYYp.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EKoanQH.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qdfMrNR.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HQlrVoE.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qBDaqRs.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eRDcpRT.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yNfHRzF.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rgpuyrc.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CtjjvZY.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ncHWACh.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FOnMLgy.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sKpgAAK.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QEcYwRj.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rKacDsv.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ioahRoc.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jdkzTXk.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tjnaVgb.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CzvyNrK.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SukCRFB.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\urAZZmK.exe	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4004 wrote to memory of 2824	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	urAZZmK.exe
PID 4004 wrote to memory of 2824	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	urAZZmK.exe
PID 4004 wrote to memory of 3388	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	ioahRoc.exe
PID 4004 wrote to memory of 3388	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	ioahRoc.exe
PID 4004 wrote to memory of 924	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CtjjvZY.exe
PID 4004 wrote to memory of 924	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CtjjvZY.exe
PID 4004 wrote to memory of 636	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	HQlrVoE.exe
PID 4004 wrote to memory of 636	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	HQlrVoE.exe
PID 4004 wrote to memory of 3576	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CyDfMwV.exe
PID 4004 wrote to memory of 3576	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CyDfMwV.exe
PID 4004 wrote to memory of 4964	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	mewwYYp.exe
PID 4004 wrote to memory of 4964	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	mewwYYp.exe
PID 4004 wrote to memory of 1576	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	ncHWACh.exe
PID 4004 wrote to memory of 1576	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	ncHWACh.exe
PID 4004 wrote to memory of 2724	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	jdkzTXk.exe
PID 4004 wrote to memory of 2724	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	jdkzTXk.exe
PID 4004 wrote to memory of 2276	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	FOnMLgy.exe
PID 4004 wrote to memory of 2276	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	FOnMLgy.exe
PID 4004 wrote to memory of 4628	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	rgpuyrc.exe
PID 4004 wrote to memory of 4628	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	rgpuyrc.exe
PID 4004 wrote to memory of 3436	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	EKoanQH.exe
PID 4004 wrote to memory of 3436	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	EKoanQH.exe
PID 4004 wrote to memory of 2516	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	qBDaqRs.exe
PID 4004 wrote to memory of 2516	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	qBDaqRs.exe
PID 4004 wrote to memory of 3996	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	eRDcpRT.exe
PID 4004 wrote to memory of 3996	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	eRDcpRT.exe
PID 4004 wrote to memory of 3244	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	sKpgAAK.exe
PID 4004 wrote to memory of 3244	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	sKpgAAK.exe
PID 4004 wrote to memory of 3904	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	yNfHRzF.exe
PID 4004 wrote to memory of 3904	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	yNfHRzF.exe
PID 4004 wrote to memory of 516	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	tjnaVgb.exe
PID 4004 wrote to memory of 516	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	tjnaVgb.exe
PID 4004 wrote to memory of 232	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	qdfMrNR.exe
PID 4004 wrote to memory of 232	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	qdfMrNR.exe
PID 4004 wrote to memory of 732	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	QEcYwRj.exe
PID 4004 wrote to memory of 732	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	QEcYwRj.exe
PID 4004 wrote to memory of 1036	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	rKacDsv.exe
PID 4004 wrote to memory of 1036	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	rKacDsv.exe
PID 4004 wrote to memory of 1860	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CzvyNrK.exe
PID 4004 wrote to memory of 1860	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	CzvyNrK.exe
PID 4004 wrote to memory of 588	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	SukCRFB.exe
PID 4004 wrote to memory of 588	4004	2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe	SukCRFB.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_993a9d59f962ae35f5f7a6cbff51ddd3_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\System\urAZZmK.exe
  C:\Windows\System\urAZZmK.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\ioahRoc.exe
  C:\Windows\System\ioahRoc.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\CtjjvZY.exe
  C:\Windows\System\CtjjvZY.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\HQlrVoE.exe
  C:\Windows\System\HQlrVoE.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\CyDfMwV.exe
  C:\Windows\System\CyDfMwV.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\mewwYYp.exe
  C:\Windows\System\mewwYYp.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\ncHWACh.exe
  C:\Windows\System\ncHWACh.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\jdkzTXk.exe
  C:\Windows\System\jdkzTXk.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\FOnMLgy.exe
  C:\Windows\System\FOnMLgy.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\rgpuyrc.exe
  C:\Windows\System\rgpuyrc.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\EKoanQH.exe
  C:\Windows\System\EKoanQH.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\qBDaqRs.exe
  C:\Windows\System\qBDaqRs.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\eRDcpRT.exe
  C:\Windows\System\eRDcpRT.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\sKpgAAK.exe
  C:\Windows\System\sKpgAAK.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\yNfHRzF.exe
  C:\Windows\System\yNfHRzF.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\tjnaVgb.exe
  C:\Windows\System\tjnaVgb.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\qdfMrNR.exe
  C:\Windows\System\qdfMrNR.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\QEcYwRj.exe
  C:\Windows\System\QEcYwRj.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\rKacDsv.exe
  C:\Windows\System\rKacDsv.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\CzvyNrK.exe
  C:\Windows\System\CzvyNrK.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\SukCRFB.exe
  C:\Windows\System\SukCRFB.exe
  2⤵
  - Executes dropped EXE
  PID:588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8
1⤵
PID:2092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CtjjvZY.exe

Filesize
5.2MB

MD5
3b20fad6ecf54024dafb4936125ce83b

SHA1
78df85b573c8f457653cf85c128ae61399d54dc4

SHA256
edf35edb7109687703f5467f5fe3ccae4915868f7140aacbfe36e976638a2da2

SHA512
a47bdd3fd6eda403cfce15d09693c47b85957428c4eb4c216236378315669c0e245a103763b7f5feb4647a96c79272805fd09232a7f3ee1abda85992d1a50917

Download Submit
C:\Windows\System\CyDfMwV.exe

Filesize
5.2MB

MD5
3161a5c374d63898742c50d57ddea230

SHA1
b635db692182f414bd47640b3b088fa0863cd32e

SHA256
21186e6941d0d20abc26a6583ce21ad0fe9ff9dc05d1da18a30d3d9fbe566f43

SHA512
cc760f13e8b011fed3ee8b6e47aa5c1446c2c304df432a869f52ac269a8d8c1456ecd2f6759baf8f5dcdda4ec298f48d10b9e15a50e15b1589ee740bfa8fabbc

Download Submit
C:\Windows\System\CzvyNrK.exe

Filesize
5.2MB

MD5
0affd46f726d50bfdb59e64dab7024cd

SHA1
8f9a8aa9ecf32f80fe41714f3e77a8d6aa8e48b0

SHA256
8f1928bdd746489e9e31e9f6433929fd935228436fe9d8f02ee0385300d38476

SHA512
4ad0cda5c6c36257d62272fad1230fa73d5d32d9b2df0203d2abbadbeeb769610bb877f7ffa711844e279ab78869df808b6bff3a4d19940d7a67086fd0253218

Download Submit
C:\Windows\System\EKoanQH.exe

Filesize
5.2MB

MD5
bfa01a059adcc172cd21f1e5efabdd40

SHA1
9b24cf4fb4ef6a17d00b5302adcd95dbb60c2be6

SHA256
3a19e3ddcf4f982f4d838fcb7ebff95323d57f9523e861ecb1adc5a2fb1e2198

SHA512
fd536579e57e134b91a2ad4a2b91bf668a15ff9f39e00e9d68f2a3d99b687395b1914541cb9e5aafac7f0fbe8df082ac52f3bc3b4876f5e7c85f74505724159b

Download Submit
C:\Windows\System\FOnMLgy.exe

Filesize
5.2MB

MD5
13bdd89b6a118d62c9c2c104428f2984

SHA1
bc2a7d86bdf90c31603b42254cfea38bdd317605

SHA256
e7df3354da5fff81ada875d1cf1ff0831de19a82f7912b6dd9b63ec87fab0bd5

SHA512
3003e237a647a3216929c47e7f3b0a115f5a27f3cde1cef788d918de4d0a7f4c1594eca68412fc3b1cc2d99b57fb9159d9038d790c33cb3246be3111110d7b05

Download Submit
C:\Windows\System\HQlrVoE.exe

Filesize
5.2MB

MD5
370b36652d16d72883c357d6207c8148

SHA1
e6f6655b39e54b9243ab9b6607b8f818e387580a

SHA256
c7e386c4b55255cadd2493039a9cc63ad4d9b778414807a8e3854283713a72f3

SHA512
cb9bfed7747439f5313c93fd8de9377b9363b043476cb1a11882fb6aa7f9bb260a84e47bf56557dcfe4f766101788740f37cec942e24a80ed19521cb07b36778

Download Submit
C:\Windows\System\QEcYwRj.exe

Filesize
5.2MB

MD5
f44118d24c4ad488a3241895bf82e4ed

SHA1
7a5d21a8d86c397f4d8888e7aa5a61193045610a

SHA256
d3f47f6bc1c4a02d2e4529f0ed51fc0c98d90fa59c53859f5b2bf820f4d16aca

SHA512
a658002f485bb3cbfe55214bfb93f405da2d51b9736b2248c6b6aefa52574d6463c15072de6e43dacbb6cd8d6f64bd33923a7e2d34b0dc8b9a2ed3caa405ad2f

Download Submit
C:\Windows\System\SukCRFB.exe

Filesize
5.2MB

MD5
b31a1992a01ae612924ad18c020ad526

SHA1
062bcf3efbc015df2d26026a91280e991833afc9

SHA256
61e992e48a6c13a4efd93650f91aff01d34258007e95236b88c38b4f20acb589

SHA512
8c06db005a9e8044ee1a1b7f558b778d557218d7a383f65881dfd6c1a7b84ce4e954200119665e6ce1411b93fb1a341514d1b0cfdbdd55e0d68b5dcf414b5a40

Download Submit
C:\Windows\System\eRDcpRT.exe

Filesize
5.2MB

MD5
7e899ab2116af5d3fb1e6dc1c5785e2a

SHA1
700cfdd321841cff8384e8ab770860258b339eaf

SHA256
4672383562121c1b425f85284db1cf74d7320944daf50343639668a09a8e8dc9

SHA512
eeaf53ff8aba156d50fd3cef8a6d610b7a8e7ebeac361e81e1219b8431fe6b69c98f23c8a411da9a969e802c807f1d01cfc87abcdb05b71447d746881fe9344f

Download Submit
C:\Windows\System\ioahRoc.exe

Filesize
5.2MB

MD5
bfd45199d24aed0d2e3ac3f755f3a3cd

SHA1
1c0ed3e68a2fa51b25c63f4d61900039bc8da9b1

SHA256
72c72202ab5e842cc7f6b93b676bf59fff7257e1544d7aa620fb2aa36566cee3

SHA512
7ce20db8881aca019138665530717f10dc949c04c8e8c34f1f89bca64b472ddd08a1f67cce6b7464b32ec08b86b08f2950867f2d30b5b2581f618a78b1f71746

Download Submit
C:\Windows\System\jdkzTXk.exe

Filesize
5.2MB

MD5
c935e2bdf32fa45f609539f51f7d1c23

SHA1
d306dafd4766c2eaea50bd5414aaa30b561cbda8

SHA256
5bc88b89781882a58f10aa3d0774bf010e79c94de2133d1420b8cfb07016dbf6

SHA512
4c2be181fe9b0a23ac9636d08c0e7362ee95c6788def5d34f92c31329c50c3f8afd2e1cf8765dea441dcf7f27a0a66381cc706ca874924385365cf1f5ab1d3c4

Download Submit
C:\Windows\System\mewwYYp.exe

Filesize
5.2MB

MD5
14ee42bdc9b6ba197995a940bd5e07f7

SHA1
2c1c7c022ceb9c47f6ae9fbacf19986d549489a4

SHA256
ebef89b091abbbc852334cfcfca214022a980bba05c5d22d6e888030fb42c340

SHA512
69ecad0d7f819c7eab161fd68135a521f674356baccc401fdaf067929e434110d486b3ea9cdc57ffa211956d73c50b9eca88ed12dfc259c8c2260852fdd522ec

Download Submit
C:\Windows\System\ncHWACh.exe

Filesize
5.2MB

MD5
afb46480879434f7f1062c4070127ee4

SHA1
7d105c6b6f1dcb874ba1918e95bb3709420eba40

SHA256
fbb79f72eb88212565173835e638135f7336a34a06ab07a0e732d1c410343971

SHA512
64b131763b171a858422599a01ffc4afa39cef4c8ccd9a3448755ff54cee0b48b325281fc426d31978d1efbe262022e4ddd49ff88844226e2fb6a599afe3a804

Download Submit
C:\Windows\System\qBDaqRs.exe

Filesize
5.2MB

MD5
e03ff5bd2d8cfd37ca4903ad79e9d210

SHA1
f55c209dc34d3851ea1e482ef03fccd6694e8d0d

SHA256
efc2ee72b2d8dbd29c916e4907cbb83a4bbb2637bc0964299c0354bfdf16de79

SHA512
0240e84fa5641369a852a690272efcd0881c82be0b88d81172edd0aff2ac2016e2d599b05a314028194d6c9730c8b6f2a148bb7f9c03bd766a652fc5558c8684

Download Submit
C:\Windows\System\qdfMrNR.exe

Filesize
5.2MB

MD5
514e1344001cc29985720d1e76040e3e

SHA1
4e7171d8cbf201236d57da675d19ac07321a502d

SHA256
8ce0ce538614f0d95eba3076c66ab1a8accd5a7aa5ea0e722d0595d7f879d9c8

SHA512
67bc2d4cbed751b9fba1f910b7b5de421ecd437871d7b00146a7383f6eef07f4f2689f7676a7d91279dff2f54ce1ab50b6ef638f5363354f52c75743d924ea41

Download Submit
C:\Windows\System\rKacDsv.exe

Filesize
5.2MB

MD5
bcbe91cd7c53380d2fe62db74af21127

SHA1
235ba89a76363300cb1c77ae6cf058c108017d71

SHA256
38caadc3b2a4b2385318868451489ab402efb3f57f3569a5c471f08fae8ac019

SHA512
d634810cd32792504dafb30ef980313b6ae6bdce4f857239af4bf1f8858c04224057b69d469e3c5ece46da2ba814aef682e61aceec9593b3d157bf7e8d8d54aa

Download Submit
C:\Windows\System\rgpuyrc.exe

Filesize
5.2MB

MD5
1c562382d2aea213ec6fea39516dd771

SHA1
457351979cb45e8da54b737a4456ab58bf5ac77b

SHA256
b75562fe1516d2964618688c2dddd0de9e8e1d37423fc3590ed87e0a23fad995

SHA512
57f0a0e169d442ed2fe80040de42e32028134f0b7c00260625167e367ae508c619b9c3c96b18d9544b48d61ee71161d6f9c2a835598d5540a64f6d7d3e3eb994

Download Submit
C:\Windows\System\sKpgAAK.exe

Filesize
5.2MB

MD5
3cbc696dc86e700a04a01cdc543deef9

SHA1
52930b06f68bdfd55e46f8860cdeeb910f62741e

SHA256
f55df488d0bd604b085fff7ab684814a6aa7359a68f6d1a808e72a45321cb963

SHA512
b51e19cc7a2119fb2257c5dba4c347cd124a61cb57a7f026f159a1485a7b8296c473eeb2d1a51025b8ea6a42f1a055605b124b2028c0c1de9c3bab02759ac3d9

Download Submit
C:\Windows\System\tjnaVgb.exe

Filesize
5.2MB

MD5
03f6cd212ec9d84bec6742620d2b3405

SHA1
acf69d4a01acb6f4ad4d2e57c80507c51917482e

SHA256
dd05fcd0027fbfab36a9a1daca8cd19e47f444ae7a071d3eb18f15635cdce45d

SHA512
4565950ff42abfb458069d71581936008b116acd3fab0b5d6dc261fbf72ddb6dea0aa56c35f241920387dbefee16ae89425b9f7329d7656d5833f3275573c295

Download Submit
C:\Windows\System\urAZZmK.exe

Filesize
5.2MB

MD5
64a78413f7341329a0958f0097428dd1

SHA1
b0ab14d24912c60549647f94583ce0e9cabddc14

SHA256
0b233420a014542d397268b8dff0d12f018d7f94c7aa61435cf29ecdf1d78125

SHA512
16e22926dcc40625f6866aa10abd45cc7f7f0d6c8c80831ba3df9fa4ae314027dd76336bfba4eba71f8fa699cb90d0dec1e0c0db08d5e6e0bd28e4870f47eb34

Download Submit
C:\Windows\System\yNfHRzF.exe

Filesize
5.2MB

MD5
0ddbb10eb75a4638bba4916456aa8fa4

SHA1
a6a3e9272501d8734e5e33bf0ba91db0a2a7ae88

SHA256
9ffb7bfd178b508367e06e179f906b96f07bcf31e88c0ef0a555a88c5f8537b8

SHA512
57f9af821b918166bddb77085d7d81f3aeb69880a6d79446dcdd5c7988aa60f217ba5db100049f318e20df4ebcefca6befde17ebde233c674880f837674240b2

Download Submit
memory/232-221-0x00007FF782400000-0x00007FF782751000-memory.dmp

Filesize
3.3MB

Download
memory/232-115-0x00007FF782400000-0x00007FF782751000-memory.dmp

Filesize
3.3MB

Download
memory/516-223-0x00007FF784A90000-0x00007FF784DE1000-memory.dmp

Filesize
3.3MB

Download
memory/516-126-0x00007FF784A90000-0x00007FF784DE1000-memory.dmp

Filesize
3.3MB

Download
memory/588-124-0x00007FF641A20000-0x00007FF641D71000-memory.dmp

Filesize
3.3MB

Download
memory/588-231-0x00007FF641A20000-0x00007FF641D71000-memory.dmp

Filesize
3.3MB

Download
memory/636-132-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp

Filesize
3.3MB

Download
memory/636-31-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp

Filesize
3.3MB

Download
memory/636-204-0x00007FF78A850000-0x00007FF78ABA1000-memory.dmp

Filesize
3.3MB

Download
memory/732-234-0x00007FF6F7940000-0x00007FF6F7C91000-memory.dmp

Filesize
3.3MB

Download
memory/732-122-0x00007FF6F7940000-0x00007FF6F7C91000-memory.dmp

Filesize
3.3MB

Download
memory/924-80-0x00007FF75ABD0000-0x00007FF75AF21000-memory.dmp

Filesize
3.3MB

Download
memory/924-200-0x00007FF75ABD0000-0x00007FF75AF21000-memory.dmp

Filesize
3.3MB

Download
memory/1036-127-0x00007FF7FF1C0000-0x00007FF7FF511000-memory.dmp

Filesize
3.3MB

Download
memory/1036-236-0x00007FF7FF1C0000-0x00007FF7FF511000-memory.dmp

Filesize
3.3MB

Download
memory/1576-90-0x00007FF7B4A30000-0x00007FF7B4D81000-memory.dmp

Filesize
3.3MB

Download
memory/1576-214-0x00007FF7B4A30000-0x00007FF7B4D81000-memory.dmp

Filesize
3.3MB

Download
memory/1860-232-0x00007FF6A8520000-0x00007FF6A8871000-memory.dmp

Filesize
3.3MB

Download
memory/1860-123-0x00007FF6A8520000-0x00007FF6A8871000-memory.dmp

Filesize
3.3MB

Download
memory/2276-57-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp

Filesize
3.3MB

Download
memory/2276-211-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp

Filesize
3.3MB

Download
memory/2276-137-0x00007FF6B08F0000-0x00007FF6B0C41000-memory.dmp

Filesize
3.3MB

Download
memory/2516-97-0x00007FF616B30000-0x00007FF616E81000-memory.dmp

Filesize
3.3MB

Download
memory/2516-218-0x00007FF616B30000-0x00007FF616E81000-memory.dmp

Filesize
3.3MB

Download
memory/2724-213-0x00007FF67F170000-0x00007FF67F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-91-0x00007FF67F170000-0x00007FF67F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-9-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp

Filesize
3.3MB

Download
memory/2824-129-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp

Filesize
3.3MB

Download
memory/2824-196-0x00007FF7F62F0000-0x00007FF7F6641000-memory.dmp

Filesize
3.3MB

Download
memory/3244-110-0x00007FF692650000-0x00007FF6929A1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-227-0x00007FF692650000-0x00007FF6929A1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-27-0x00007FF630BA0000-0x00007FF630EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-198-0x00007FF630BA0000-0x00007FF630EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-207-0x00007FF7741C0000-0x00007FF774511000-memory.dmp

Filesize
3.3MB

Download
memory/3436-125-0x00007FF7741C0000-0x00007FF774511000-memory.dmp

Filesize
3.3MB

Download
memory/3576-216-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp

Filesize
3.3MB

Download
memory/3576-133-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp

Filesize
3.3MB

Download
memory/3576-42-0x00007FF6F3AE0000-0x00007FF6F3E31000-memory.dmp

Filesize
3.3MB

Download
memory/3904-114-0x00007FF690100000-0x00007FF690451000-memory.dmp

Filesize
3.3MB

Download
memory/3904-224-0x00007FF690100000-0x00007FF690451000-memory.dmp

Filesize
3.3MB

Download
memory/3996-104-0x00007FF75CF50000-0x00007FF75D2A1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-229-0x00007FF75CF50000-0x00007FF75D2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-128-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-0-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-172-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-150-0x00007FF6952A0000-0x00007FF6955F1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-1-0x0000020CB6FD0000-0x0000020CB6FE0000-memory.dmp

Filesize
64KB

Download
memory/4628-208-0x00007FF65EDE0000-0x00007FF65F131000-memory.dmp

Filesize
3.3MB

Download
memory/4628-96-0x00007FF65EDE0000-0x00007FF65F131000-memory.dmp

Filesize
3.3MB

Download
memory/4964-202-0x00007FF681920000-0x00007FF681C71000-memory.dmp

Filesize
3.3MB

Download
memory/4964-49-0x00007FF681920000-0x00007FF681C71000-memory.dmp

Filesize
3.3MB

Download