cobaltstrike | 6ee8be4283e152ec0f971b540abe35dfd47feb9fc8baecd6d3a29d7afef49bb7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

007ee70834c2ad0a8085c7d9acdf8747
SHA1

8da4d88529f2f717b8e53ec68e9b4a107221914f
SHA256

6ee8be4283e152ec0f971b540abe35dfd47feb9fc8baecd6d3a29d7afef49bb7
SHA512

fedae27262035593132576f0700da3c4eb2017afd26708bfcdbb272ecc4f7734238eba63160d26364b303478f8dae651f6cf53b189c5a418db8d492f442ec975
SSDEEP

49152:ROdWCCi7/ray56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibh56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\gzuBnyU.exe	cobalt_reflective_dll
C:\Windows\System\ykUetcR.exe	cobalt_reflective_dll
C:\Windows\System\FzkXPis.exe	cobalt_reflective_dll
C:\Windows\System\yPwyFvt.exe	cobalt_reflective_dll
C:\Windows\System\HLucelp.exe	cobalt_reflective_dll
C:\Windows\System\YFjMYVo.exe	cobalt_reflective_dll
C:\Windows\System\naAyFCi.exe	cobalt_reflective_dll
C:\Windows\System\uJbfoHQ.exe	cobalt_reflective_dll
C:\Windows\System\FqayKsG.exe	cobalt_reflective_dll
C:\Windows\System\FGNxVCD.exe	cobalt_reflective_dll
C:\Windows\System\tMUAVLJ.exe	cobalt_reflective_dll
C:\Windows\System\aMLKBmI.exe	cobalt_reflective_dll
C:\Windows\System\EiSXzUa.exe	cobalt_reflective_dll
C:\Windows\System\FExWAcp.exe	cobalt_reflective_dll
C:\Windows\System\NtBxXmp.exe	cobalt_reflective_dll
C:\Windows\System\ZOXYWLd.exe	cobalt_reflective_dll
C:\Windows\System\dCIutPN.exe	cobalt_reflective_dll
C:\Windows\System\KexTspW.exe	cobalt_reflective_dll
C:\Windows\System\sWnkqzs.exe	cobalt_reflective_dll
C:\Windows\System\SgDeXuc.exe	cobalt_reflective_dll
C:\Windows\System\QRguWzJ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\gzuBnyU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ykUetcR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FzkXPis.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yPwyFvt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HLucelp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YFjMYVo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\naAyFCi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uJbfoHQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FqayKsG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FGNxVCD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tMUAVLJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aMLKBmI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EiSXzUa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FExWAcp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NtBxXmp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZOXYWLd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dCIutPN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KexTspW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sWnkqzs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SgDeXuc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QRguWzJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2788-0-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	UPX
C:\Windows\System\gzuBnyU.exe	UPX
C:\Windows\System\ykUetcR.exe	UPX
C:\Windows\System\FzkXPis.exe	UPX
C:\Windows\System\yPwyFvt.exe	UPX
behavioral2/memory/4396-33-0x00007FF772DF0000-0x00007FF773141000-memory.dmp	UPX
C:\Windows\System\HLucelp.exe	UPX
C:\Windows\System\YFjMYVo.exe	UPX
C:\Windows\System\naAyFCi.exe	UPX
C:\Windows\System\uJbfoHQ.exe	UPX
C:\Windows\System\FqayKsG.exe	UPX
behavioral2/memory/4416-71-0x00007FF772EC0000-0x00007FF773211000-memory.dmp	UPX
behavioral2/memory/5100-70-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp	UPX
C:\Windows\System\FGNxVCD.exe	UPX
C:\Windows\System\tMUAVLJ.exe	UPX
behavioral2/memory/2856-62-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp	UPX
behavioral2/memory/1276-55-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp	UPX
behavioral2/memory/2768-54-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp	UPX
C:\Windows\System\aMLKBmI.exe	UPX
behavioral2/memory/3984-92-0x00007FF77D520000-0x00007FF77D871000-memory.dmp	UPX
C:\Windows\System\EiSXzUa.exe	UPX
behavioral2/memory/1828-111-0x00007FF6590B0000-0x00007FF659401000-memory.dmp	UPX
behavioral2/memory/1404-122-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp	UPX
C:\Windows\System\FExWAcp.exe	UPX
C:\Windows\System\NtBxXmp.exe	UPX
C:\Windows\System\ZOXYWLd.exe	UPX
behavioral2/memory/4636-117-0x00007FF64C170000-0x00007FF64C4C1000-memory.dmp	UPX
behavioral2/memory/216-116-0x00007FF6213B0000-0x00007FF621701000-memory.dmp	UPX
C:\Windows\System\dCIutPN.exe	UPX
C:\Windows\System\KexTspW.exe	UPX
behavioral2/memory/2500-106-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp	UPX
behavioral2/memory/3788-105-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp	UPX
behavioral2/memory/332-98-0x00007FF618CB0000-0x00007FF619001000-memory.dmp	UPX
C:\Windows\System\sWnkqzs.exe	UPX
C:\Windows\System\SgDeXuc.exe	UPX
behavioral2/memory/4728-76-0x00007FF77C520000-0x00007FF77C871000-memory.dmp	UPX
behavioral2/memory/1236-46-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp	UPX
behavioral2/memory/1648-39-0x00007FF632920000-0x00007FF632C71000-memory.dmp	UPX
behavioral2/memory/1328-31-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp	UPX
behavioral2/memory/3364-24-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	UPX
C:\Windows\System\QRguWzJ.exe	UPX
behavioral2/memory/344-10-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp	UPX
behavioral2/memory/2788-127-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	UPX
behavioral2/memory/2768-134-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp	UPX
behavioral2/memory/3788-142-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp	UPX
behavioral2/memory/1828-145-0x00007FF6590B0000-0x00007FF659401000-memory.dmp	UPX
behavioral2/memory/4056-149-0x00007FF657DA0000-0x00007FF6580F1000-memory.dmp	UPX
behavioral2/memory/216-147-0x00007FF6213B0000-0x00007FF621701000-memory.dmp	UPX
behavioral2/memory/2500-144-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp	UPX
behavioral2/memory/4728-139-0x00007FF77C520000-0x00007FF77C871000-memory.dmp	UPX
behavioral2/memory/5100-138-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp	UPX
behavioral2/memory/2856-136-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp	UPX
behavioral2/memory/1276-135-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp	UPX
behavioral2/memory/4396-133-0x00007FF772DF0000-0x00007FF773141000-memory.dmp	UPX
behavioral2/memory/1236-132-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp	UPX
behavioral2/memory/1404-146-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp	UPX
behavioral2/memory/344-128-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp	UPX
behavioral2/memory/1328-130-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp	UPX
behavioral2/memory/2788-150-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	UPX
behavioral2/memory/2788-151-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	UPX
behavioral2/memory/344-196-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp	UPX
behavioral2/memory/3364-198-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	UPX
behavioral2/memory/1648-200-0x00007FF632920000-0x00007FF632C71000-memory.dmp	UPX
behavioral2/memory/1328-202-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4416-71-0x00007FF772EC0000-0x00007FF773211000-memory.dmp	xmrig
behavioral2/memory/3984-92-0x00007FF77D520000-0x00007FF77D871000-memory.dmp	xmrig
behavioral2/memory/4636-117-0x00007FF64C170000-0x00007FF64C4C1000-memory.dmp	xmrig
behavioral2/memory/332-98-0x00007FF618CB0000-0x00007FF619001000-memory.dmp	xmrig
behavioral2/memory/1648-39-0x00007FF632920000-0x00007FF632C71000-memory.dmp	xmrig
behavioral2/memory/3364-24-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	xmrig
behavioral2/memory/2788-127-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	xmrig
behavioral2/memory/2768-134-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp	xmrig
behavioral2/memory/3788-142-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp	xmrig
behavioral2/memory/1828-145-0x00007FF6590B0000-0x00007FF659401000-memory.dmp	xmrig
behavioral2/memory/4056-149-0x00007FF657DA0000-0x00007FF6580F1000-memory.dmp	xmrig
behavioral2/memory/216-147-0x00007FF6213B0000-0x00007FF621701000-memory.dmp	xmrig
behavioral2/memory/2500-144-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp	xmrig
behavioral2/memory/4728-139-0x00007FF77C520000-0x00007FF77C871000-memory.dmp	xmrig
behavioral2/memory/5100-138-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp	xmrig
behavioral2/memory/2856-136-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp	xmrig
behavioral2/memory/1276-135-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp	xmrig
behavioral2/memory/4396-133-0x00007FF772DF0000-0x00007FF773141000-memory.dmp	xmrig
behavioral2/memory/1236-132-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp	xmrig
behavioral2/memory/1404-146-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp	xmrig
behavioral2/memory/344-128-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp	xmrig
behavioral2/memory/1328-130-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp	xmrig
behavioral2/memory/2788-150-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	xmrig
behavioral2/memory/2788-151-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	xmrig
behavioral2/memory/344-196-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp	xmrig
behavioral2/memory/3364-198-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	xmrig
behavioral2/memory/1648-200-0x00007FF632920000-0x00007FF632C71000-memory.dmp	xmrig
behavioral2/memory/1328-202-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp	xmrig
behavioral2/memory/4396-206-0x00007FF772DF0000-0x00007FF773141000-memory.dmp	xmrig
behavioral2/memory/1236-222-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp	xmrig
behavioral2/memory/2768-224-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp	xmrig
behavioral2/memory/2856-230-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp	xmrig
behavioral2/memory/4416-228-0x00007FF772EC0000-0x00007FF773211000-memory.dmp	xmrig
behavioral2/memory/1276-227-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp	xmrig
behavioral2/memory/5100-237-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp	xmrig
behavioral2/memory/3984-240-0x00007FF77D520000-0x00007FF77D871000-memory.dmp	xmrig
behavioral2/memory/332-238-0x00007FF618CB0000-0x00007FF619001000-memory.dmp	xmrig
behavioral2/memory/3788-235-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp	xmrig
behavioral2/memory/4728-233-0x00007FF77C520000-0x00007FF77C871000-memory.dmp	xmrig
behavioral2/memory/4636-242-0x00007FF64C170000-0x00007FF64C4C1000-memory.dmp	xmrig
behavioral2/memory/216-246-0x00007FF6213B0000-0x00007FF621701000-memory.dmp	xmrig
behavioral2/memory/2500-252-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp	xmrig
behavioral2/memory/1828-251-0x00007FF6590B0000-0x00007FF659401000-memory.dmp	xmrig
behavioral2/memory/1404-249-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp	xmrig
behavioral2/memory/4056-245-0x00007FF657DA0000-0x00007FF6580F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

gzuBnyU.exeykUetcR.exeFzkXPis.exeQRguWzJ.exeyPwyFvt.exeHLucelp.exeYFjMYVo.exenaAyFCi.exeuJbfoHQ.exetMUAVLJ.exeFqayKsG.exeFGNxVCD.exeSgDeXuc.exesWnkqzs.exeEiSXzUa.exeaMLKBmI.exeKexTspW.exedCIutPN.exeZOXYWLd.exeNtBxXmp.exeFExWAcp.exe

pid	process
344	gzuBnyU.exe
3364	ykUetcR.exe
1648	FzkXPis.exe
1328	QRguWzJ.exe
1236	yPwyFvt.exe
4396	HLucelp.exe
2768	YFjMYVo.exe
1276	naAyFCi.exe
2856	uJbfoHQ.exe
4416	tMUAVLJ.exe
5100	FqayKsG.exe
4728	FGNxVCD.exe
3984	SgDeXuc.exe
332	sWnkqzs.exe
3788	EiSXzUa.exe
4636	aMLKBmI.exe
2500	KexTspW.exe
1828	dCIutPN.exe
1404	ZOXYWLd.exe
216	NtBxXmp.exe
4056	FExWAcp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2788-0-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	upx
C:\Windows\System\gzuBnyU.exe	upx
C:\Windows\System\ykUetcR.exe	upx
C:\Windows\System\FzkXPis.exe	upx
C:\Windows\System\yPwyFvt.exe	upx
behavioral2/memory/4396-33-0x00007FF772DF0000-0x00007FF773141000-memory.dmp	upx
C:\Windows\System\HLucelp.exe	upx
C:\Windows\System\YFjMYVo.exe	upx
C:\Windows\System\naAyFCi.exe	upx
C:\Windows\System\uJbfoHQ.exe	upx
C:\Windows\System\FqayKsG.exe	upx
behavioral2/memory/4416-71-0x00007FF772EC0000-0x00007FF773211000-memory.dmp	upx
behavioral2/memory/5100-70-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp	upx
C:\Windows\System\FGNxVCD.exe	upx
C:\Windows\System\tMUAVLJ.exe	upx
behavioral2/memory/2856-62-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp	upx
behavioral2/memory/1276-55-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp	upx
behavioral2/memory/2768-54-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp	upx
C:\Windows\System\aMLKBmI.exe	upx
behavioral2/memory/3984-92-0x00007FF77D520000-0x00007FF77D871000-memory.dmp	upx
C:\Windows\System\EiSXzUa.exe	upx
behavioral2/memory/1828-111-0x00007FF6590B0000-0x00007FF659401000-memory.dmp	upx
behavioral2/memory/1404-122-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp	upx
C:\Windows\System\FExWAcp.exe	upx
C:\Windows\System\NtBxXmp.exe	upx
C:\Windows\System\ZOXYWLd.exe	upx
behavioral2/memory/4636-117-0x00007FF64C170000-0x00007FF64C4C1000-memory.dmp	upx
behavioral2/memory/216-116-0x00007FF6213B0000-0x00007FF621701000-memory.dmp	upx
C:\Windows\System\dCIutPN.exe	upx
C:\Windows\System\KexTspW.exe	upx
behavioral2/memory/2500-106-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp	upx
behavioral2/memory/3788-105-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp	upx
behavioral2/memory/332-98-0x00007FF618CB0000-0x00007FF619001000-memory.dmp	upx
C:\Windows\System\sWnkqzs.exe	upx
C:\Windows\System\SgDeXuc.exe	upx
behavioral2/memory/4728-76-0x00007FF77C520000-0x00007FF77C871000-memory.dmp	upx
behavioral2/memory/1236-46-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp	upx
behavioral2/memory/1648-39-0x00007FF632920000-0x00007FF632C71000-memory.dmp	upx
behavioral2/memory/1328-31-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp	upx
behavioral2/memory/3364-24-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	upx
C:\Windows\System\QRguWzJ.exe	upx
behavioral2/memory/344-10-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp	upx
behavioral2/memory/2788-127-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	upx
behavioral2/memory/2768-134-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp	upx
behavioral2/memory/3788-142-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp	upx
behavioral2/memory/1828-145-0x00007FF6590B0000-0x00007FF659401000-memory.dmp	upx
behavioral2/memory/4056-149-0x00007FF657DA0000-0x00007FF6580F1000-memory.dmp	upx
behavioral2/memory/216-147-0x00007FF6213B0000-0x00007FF621701000-memory.dmp	upx
behavioral2/memory/2500-144-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp	upx
behavioral2/memory/4728-139-0x00007FF77C520000-0x00007FF77C871000-memory.dmp	upx
behavioral2/memory/5100-138-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp	upx
behavioral2/memory/2856-136-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp	upx
behavioral2/memory/1276-135-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp	upx
behavioral2/memory/4396-133-0x00007FF772DF0000-0x00007FF773141000-memory.dmp	upx
behavioral2/memory/1236-132-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp	upx
behavioral2/memory/1404-146-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp	upx
behavioral2/memory/344-128-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp	upx
behavioral2/memory/1328-130-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp	upx
behavioral2/memory/2788-150-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	upx
behavioral2/memory/2788-151-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp	upx
behavioral2/memory/344-196-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp	upx
behavioral2/memory/3364-198-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	upx
behavioral2/memory/1648-200-0x00007FF632920000-0x00007FF632C71000-memory.dmp	upx
behavioral2/memory/1328-202-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\gzuBnyU.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yPwyFvt.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\naAyFCi.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FGNxVCD.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sWnkqzs.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NtBxXmp.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZOXYWLd.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FzkXPis.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YFjMYVo.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tMUAVLJ.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SgDeXuc.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EiSXzUa.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aMLKBmI.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dCIutPN.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uJbfoHQ.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FqayKsG.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KexTspW.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ykUetcR.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QRguWzJ.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HLucelp.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FExWAcp.exe	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2788 wrote to memory of 344	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	gzuBnyU.exe
PID 2788 wrote to memory of 344	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	gzuBnyU.exe
PID 2788 wrote to memory of 3364	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	ykUetcR.exe
PID 2788 wrote to memory of 3364	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	ykUetcR.exe
PID 2788 wrote to memory of 1328	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	QRguWzJ.exe
PID 2788 wrote to memory of 1328	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	QRguWzJ.exe
PID 2788 wrote to memory of 1648	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FzkXPis.exe
PID 2788 wrote to memory of 1648	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FzkXPis.exe
PID 2788 wrote to memory of 1236	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	yPwyFvt.exe
PID 2788 wrote to memory of 1236	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	yPwyFvt.exe
PID 2788 wrote to memory of 4396	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	HLucelp.exe
PID 2788 wrote to memory of 4396	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	HLucelp.exe
PID 2788 wrote to memory of 2768	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	YFjMYVo.exe
PID 2788 wrote to memory of 2768	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	YFjMYVo.exe
PID 2788 wrote to memory of 1276	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	naAyFCi.exe
PID 2788 wrote to memory of 1276	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	naAyFCi.exe
PID 2788 wrote to memory of 2856	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	uJbfoHQ.exe
PID 2788 wrote to memory of 2856	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	uJbfoHQ.exe
PID 2788 wrote to memory of 4416	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	tMUAVLJ.exe
PID 2788 wrote to memory of 4416	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	tMUAVLJ.exe
PID 2788 wrote to memory of 5100	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FqayKsG.exe
PID 2788 wrote to memory of 5100	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FqayKsG.exe
PID 2788 wrote to memory of 4728	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FGNxVCD.exe
PID 2788 wrote to memory of 4728	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FGNxVCD.exe
PID 2788 wrote to memory of 332	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	sWnkqzs.exe
PID 2788 wrote to memory of 332	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	sWnkqzs.exe
PID 2788 wrote to memory of 3984	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	SgDeXuc.exe
PID 2788 wrote to memory of 3984	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	SgDeXuc.exe
PID 2788 wrote to memory of 3788	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	EiSXzUa.exe
PID 2788 wrote to memory of 3788	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	EiSXzUa.exe
PID 2788 wrote to memory of 4636	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	aMLKBmI.exe
PID 2788 wrote to memory of 4636	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	aMLKBmI.exe
PID 2788 wrote to memory of 2500	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	KexTspW.exe
PID 2788 wrote to memory of 2500	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	KexTspW.exe
PID 2788 wrote to memory of 1828	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	dCIutPN.exe
PID 2788 wrote to memory of 1828	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	dCIutPN.exe
PID 2788 wrote to memory of 1404	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	ZOXYWLd.exe
PID 2788 wrote to memory of 1404	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	ZOXYWLd.exe
PID 2788 wrote to memory of 216	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	NtBxXmp.exe
PID 2788 wrote to memory of 216	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	NtBxXmp.exe
PID 2788 wrote to memory of 4056	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FExWAcp.exe
PID 2788 wrote to memory of 4056	2788	2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe	FExWAcp.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_007ee70834c2ad0a8085c7d9acdf8747_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\System\gzuBnyU.exe
C:\Windows\System\gzuBnyU.exe
2⤵
- Executes dropped EXE
PID:344

C:\Windows\System\ykUetcR.exe
C:\Windows\System\ykUetcR.exe
2⤵
- Executes dropped EXE
PID:3364

C:\Windows\System\QRguWzJ.exe
C:\Windows\System\QRguWzJ.exe
2⤵
- Executes dropped EXE
PID:1328

C:\Windows\System\FzkXPis.exe
C:\Windows\System\FzkXPis.exe
2⤵
- Executes dropped EXE
PID:1648

C:\Windows\System\yPwyFvt.exe
C:\Windows\System\yPwyFvt.exe
2⤵
- Executes dropped EXE
PID:1236

C:\Windows\System\HLucelp.exe
C:\Windows\System\HLucelp.exe
2⤵
- Executes dropped EXE
PID:4396

C:\Windows\System\YFjMYVo.exe
C:\Windows\System\YFjMYVo.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System\naAyFCi.exe
C:\Windows\System\naAyFCi.exe
2⤵
- Executes dropped EXE
PID:1276

C:\Windows\System\uJbfoHQ.exe
C:\Windows\System\uJbfoHQ.exe
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\System\tMUAVLJ.exe
C:\Windows\System\tMUAVLJ.exe
2⤵
- Executes dropped EXE
PID:4416

C:\Windows\System\FqayKsG.exe
C:\Windows\System\FqayKsG.exe
2⤵
- Executes dropped EXE
PID:5100

C:\Windows\System\FGNxVCD.exe
C:\Windows\System\FGNxVCD.exe
2⤵
- Executes dropped EXE
PID:4728

C:\Windows\System\sWnkqzs.exe
C:\Windows\System\sWnkqzs.exe
2⤵
- Executes dropped EXE
PID:332

C:\Windows\System\SgDeXuc.exe
C:\Windows\System\SgDeXuc.exe
2⤵
- Executes dropped EXE
PID:3984

C:\Windows\System\EiSXzUa.exe
C:\Windows\System\EiSXzUa.exe
2⤵
- Executes dropped EXE
PID:3788

C:\Windows\System\aMLKBmI.exe
C:\Windows\System\aMLKBmI.exe
2⤵
- Executes dropped EXE
PID:4636

C:\Windows\System\KexTspW.exe
C:\Windows\System\KexTspW.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\dCIutPN.exe
C:\Windows\System\dCIutPN.exe
2⤵
- Executes dropped EXE
PID:1828

C:\Windows\System\ZOXYWLd.exe
C:\Windows\System\ZOXYWLd.exe
2⤵
- Executes dropped EXE
PID:1404

C:\Windows\System\NtBxXmp.exe
C:\Windows\System\NtBxXmp.exe
2⤵
- Executes dropped EXE
PID:216

C:\Windows\System\FExWAcp.exe
C:\Windows\System\FExWAcp.exe
2⤵
- Executes dropped EXE
PID:4056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EiSXzUa.exe
Filesize
5.2MB

MD5
f23e69bfee478268d97a51bc089ea9e1

SHA1
23f7357abb5d7eb6f38f9bbb583671c5ae6eb2e6

SHA256
f525ff686f0183a0234eb01b7efdf12e2dd2fcb42bc32a8fc1ae76336e5c426e

SHA512
40a0efbb028adfc60811da366d92d2060f77403ab2424f08e246d36245379e43cd07aacc79457674758f974d70268a502efdff40fc1cf7bdff10d64799b94567

Download Submit
C:\Windows\System\FExWAcp.exe
Filesize
5.2MB

MD5
320fc420532454a1b43b7e4e8c51f75a

SHA1
47abf82e577414c96fcfb5e741dc4c8136015ced

SHA256
01833f8294f2897c03e310e9317987b9e62af5a7d48a59c6bee31d0fe778b6ab

SHA512
97ea67e6d9d47fb3961be4eb90cf750fd3c7eb7cfc4ae6cf061e35cc6510638f85ead33b408f7c326d3af7b4b8c2ba948522843f7af4618e313eff59918c0bb9

Download Submit
C:\Windows\System\FGNxVCD.exe
Filesize
5.2MB

MD5
513d7e53f0cb9aa4c40e9c0b40f35422

SHA1
877b0d34a4c241171c9d5c10f1036b67994c7d01

SHA256
46fe6176801750aeb761e3d12c73d22640748a5fce0a5fb781dbe66fd35f22f8

SHA512
0c0a1242ed0e1cdcf63383cedcf66d3c39d1d905485ddcc2c0dd50176da147e3e0841e2f2bc1c40aba3de555b685cbb5927b8ccb200e45dc8ce741bd937be6d5

Download Submit
C:\Windows\System\FqayKsG.exe
Filesize
5.2MB

MD5
fcb6867fe0da4a668c987b75ab407a19

SHA1
0fd06171ecc2530158bfa24d1a94eb4a4dc74c87

SHA256
ea6486673b4904c004be205cb8587f9d5d05b4b33786c2f2fca11e6fc7655ae8

SHA512
6d062e0b2484cc9b17c68c5b6badee1498fc903816af4261e21ca97dbd4c30f96117858d4eba81e3e03685948beb91219329da1cae560928fa2454c1aa53a25c

Download Submit
C:\Windows\System\FzkXPis.exe
Filesize
5.2MB

MD5
2a673d44c9baceb2dc9363bc500c3c98

SHA1
3593640975ffef4c4da3fa85bd87a6ce0b97cf7c

SHA256
f410547d88ab826327a7688c43997553fcfb928aca60e6f91e18b6e68c72af14

SHA512
2d5c0d986f11c37ccb751e2b8a221c46a78a1cead292e400dfb73ebc15551703e6337ede0e51962e229e7329aef3f4bf4a047a79d26713485702f8f2dee0edcf

Download Submit
C:\Windows\System\HLucelp.exe
Filesize
5.2MB

MD5
55e2814d7c769d2440d093e416dddfe2

SHA1
216030f9703cbff5a047d5540132c14d3916f4f5

SHA256
2822fa332a45791fe2e5fc97a5fdb967f9f320acbb5a34de12bea3f333faf56a

SHA512
4a8226a490a49dcb5fa71401a006b724eba94c650667ef8927afca148ff69bc6af3f2d695a96e70b274d735a218be64b884ad59a094c934e4c5e12c9d86c3b7c

Download Submit
C:\Windows\System\KexTspW.exe
Filesize
5.2MB

MD5
89934f359b25ac20b021f9021ac4e0a4

SHA1
992e52708a1ecb6268cffa940800c9306c2c1e2a

SHA256
23bd7e022c43a64c0cc563f1ac493f86b1dbbba63107d6bc6c0903f83f669e7d

SHA512
efd2de0c51329b252ab408c956ca063da781118f1019087a2c1201b853834948ece12844c989731bbf705ed55bfbf4e60059d3f25198d0e9a0bda26bc848b2fa

Download Submit
C:\Windows\System\NtBxXmp.exe
Filesize
5.2MB

MD5
2bbe5fcaac8fc441edf6cc650de22c02

SHA1
5c22d1bc2a0d4bc7823db861730e6dfc532e9d24

SHA256
e23b4d9d6959649992ec843724bb8554eeeff5399ed4dcb4984e93833bb01465

SHA512
304dfec8a35e5aa4804bec4134b6c672ecfc400ad84aac9b2e98287f21d2f3d431bc90e0562f77c9add8e351fa265c6b928a606691a87f45e737bd2c26dc8683

Download Submit
C:\Windows\System\QRguWzJ.exe
Filesize
5.2MB

MD5
b358f83895aa8aabb530fa353327a93e

SHA1
680096bffe62b5dc36f0515785d05a4e0acc8d9b

SHA256
4715dab97d3a061b457542cbaabc492b94639b592259d2accc1617331a86f086

SHA512
14a8d557f7db141e6f4d9678b8d35bb3534933de30967b56cce157f229ece743a6d92eca3a439bfe5ee635ae23bb84881ba1b9c1044653dc5ea592ef70644f3d

Download Submit
C:\Windows\System\SgDeXuc.exe
Filesize
5.2MB

MD5
69e96d8254c7f9a2734bea41df820f65

SHA1
66fbbeb5f853d0fd23b2bf7bb351195c1610be70

SHA256
9bddb660ad4a928674e1361f2316a194b1758bebedd2b5b3f5e28e0a74d1d571

SHA512
4a26a46dfdea2054bbcb8e7ffb79134c59053635e278cb6f247ed8270a925c42ce4248c98b2854862becc21761337f061227340f2f4888ca8277f089d82eb01c

Download Submit
C:\Windows\System\YFjMYVo.exe
Filesize
5.2MB

MD5
67e7c60682cced3ddcc51264ba323e80

SHA1
f080421e42aa22c6ffbf95346b3462c338616d5b

SHA256
4310b5e2591e894666e9c8542e0fa04e6ad00a1fbcc773c81ab39cf80dc493a5

SHA512
48ce13a1d436c39ee2feefc955fe47188fb309b75504ed5c69544c3eeb06980dd4e2c62ffe12a3186f3e93096d227db13dc18d820f631b3303a6a5bba54f08fc

Download Submit
C:\Windows\System\ZOXYWLd.exe
Filesize
5.2MB

MD5
d6cc4e7a4cbfac35defd6e4b0e71e567

SHA1
954e08bcd37d4c2a9930102362a1109f501c07c6

SHA256
ccf33e1ff709ea9ef41547728b3eadf9615b20ae46616ecd1ac14bbb8765f437

SHA512
45ca351b091febf08ab845bd4b34244fe4e6f41090699ec0e0ca21bc30231336696b3aad3d12b22150be699b86bd9442e0cf0894a5a888a84f3b4a046f76639b

Download Submit
C:\Windows\System\aMLKBmI.exe
Filesize
5.2MB

MD5
79c76ae246c246c362bd4cc9a8132094

SHA1
a31502358565604218401a759c2562244114e1a7

SHA256
ad65a08989f0b7bc5c95749fe068e556b936b16ff30e4c8ccb4b80c91ac51ef1

SHA512
f415a84fe211944abf5eafbdefeb22d27c97a5ea7d42ff2a7daba80be8eb9e495105f1dff8f5115c67bc2bd9b2eaa8e27f5f082af1f421470e70ddf1ef2f526e

Download Submit
C:\Windows\System\dCIutPN.exe
Filesize
5.2MB

MD5
afcca7dcd5643d9eff4501b56f6b9740

SHA1
c530e2a58cdad173f9c48897ec32c2b0284d2708

SHA256
c61b0cc9c07099b302f9cde249ff72ff9bd72ae1081ff93503370581190765b9

SHA512
49d2a2f98563ba988abace91d287408fb7423cc11761356e4445c55886a817d1b3fe0d305cb9881581f5ed836213fea6efd39bda716ef29788731e5c4e90e1b7

Download Submit
C:\Windows\System\gzuBnyU.exe
Filesize
5.2MB

MD5
33629fef7c343db7ab112e3d8c4dc685

SHA1
f45e47896c9f56fdc97524991281bb6dff81de1f

SHA256
efa412a0f8eb8071220dccf1a61490de0d82d01a4356d93a4870a90a76305988

SHA512
4d2b9208310f1d70c10a0f8b4473e3b358722758c3088bf87293727872676bd3c3edf23b2f135ff48df73ecf98a35ed2485ca0b333791c237c97e0a21d066712

Download Submit
C:\Windows\System\naAyFCi.exe
Filesize
5.2MB

MD5
a93db97d29b530ea42e1131ce219b4ef

SHA1
33591d0d59b29b3072ee36072c25892f078e5067

SHA256
912abbf2e9df86f367e02f2a638bac1a8242e66046cf3e0a872ebb37387cc8ae

SHA512
81a150e1a86e35be61f92443889033d14853f6b8e2e013bc9842198751d2e81bbbedb01effb7ca0f5426d33134136d98d1b5b6ad482e89d83d466bd3eac7a5f4

Download Submit
C:\Windows\System\sWnkqzs.exe
Filesize
5.2MB

MD5
cf1da8e4167b075a6c82a5ee6eabb15f

SHA1
64fb16e152fe196cd7520a091996fe6244ace0ab

SHA256
9f3e28eecb3ef1c4e1ffd72df68a7b8f8963b80913f275798a6cfe5b40a2a887

SHA512
af97bf47792664626db1cfbae9770cfa7ccdc93bfbcc6ac6a4bfdf8ac623b76c3402f7bc6fb354f3478c70e2464e9665ee5d3298889b01e7531d0632b41b4bca

Download Submit
C:\Windows\System\tMUAVLJ.exe
Filesize
5.2MB

MD5
f9b633c46139c438481cacf3697a8ada

SHA1
8d9744b0a54f9216e9756855b1964f146e43bccb

SHA256
a6f5e4eca47167749168a8f377752d49e9f5d3caab48fb98449214b7666fcea7

SHA512
2162f0c59b8b02707a5a2bc579593dac3ee2428c2f2238544115b8469ae9bab27cc9b4be11e691fefad4e659097ec12187161e49b61f8e2cf98dcb6d0587e9ac

Download Submit
C:\Windows\System\uJbfoHQ.exe
Filesize
5.2MB

MD5
b17f0be71d5990efb67018d7bbf6c03e

SHA1
3c9666c9a26febd451fa12d24bc7723de8f4f307

SHA256
ee48eae950134bc7631c4ef9dfd7c3893df95b391a1b2956a41760ff666b20ac

SHA512
a2cd491a7a086a11f9a054ea625ed5fb90b2017e3f0bf4b04ed30c64299ad1730772bcbc000b985e52983da145241ff7f3bf209857224fb21a1cfc4d3e0a1c29

Download Submit
C:\Windows\System\yPwyFvt.exe
Filesize
5.2MB

MD5
1855c0a56297ecb8afa5b2bee120a47b

SHA1
5d2a297a7b88695f8e0198935c7833f2fcfe9d61

SHA256
68e2d270b4054b4b2a79a55465101f1d1eb2fce9fde6196a8a7813c06292d711

SHA512
7c4b988b55d7905285d2d27a1209ee41593f98adef9b8f7a7dfc42b08a41c4a08ed095efaa0648cfc24963b5d445724befc3f1b9b37def99a924c1556ec9ee8c

Download Submit
C:\Windows\System\ykUetcR.exe
Filesize
5.2MB

MD5
94a6c6842969fd5dafa14003e6defbbb

SHA1
74b2179ed5f729ad958854d698d9548fa0a35ef2

SHA256
8c2588ef0d09759bca6bb8f0037146779cb7fff5552ebca11178374c44a441b3

SHA512
74c58aafc7c087235f114b4558782a4841c78728dba6c167a5e2a36bbb83196abce65a558d46e6842f4365f1a1d1c6e0e8b01cc9371d3d4dd7a3cf837b829d53

Download Submit
memory/216-147-0x00007FF6213B0000-0x00007FF621701000-memory.dmp

Filesize
3.3MB

Download
memory/216-246-0x00007FF6213B0000-0x00007FF621701000-memory.dmp

Filesize
3.3MB

Download
memory/216-116-0x00007FF6213B0000-0x00007FF621701000-memory.dmp

Filesize
3.3MB

Download
memory/332-238-0x00007FF618CB0000-0x00007FF619001000-memory.dmp

Filesize
3.3MB

Download
memory/332-98-0x00007FF618CB0000-0x00007FF619001000-memory.dmp

Filesize
3.3MB

Download
memory/344-128-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp

Filesize
3.3MB

Download
memory/344-10-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp

Filesize
3.3MB

Download
memory/344-196-0x00007FF67EAD0000-0x00007FF67EE21000-memory.dmp

Filesize
3.3MB

Download
memory/1236-132-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp

Filesize
3.3MB

Download
memory/1236-222-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp

Filesize
3.3MB

Download
memory/1236-46-0x00007FF7819C0000-0x00007FF781D11000-memory.dmp

Filesize
3.3MB

Download
memory/1276-55-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-135-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-227-0x00007FF76BA80000-0x00007FF76BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-31-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-202-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-130-0x00007FF748D70000-0x00007FF7490C1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-249-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-122-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-146-0x00007FF777D90000-0x00007FF7780E1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-200-0x00007FF632920000-0x00007FF632C71000-memory.dmp

Filesize
3.3MB

Download
memory/1648-39-0x00007FF632920000-0x00007FF632C71000-memory.dmp

Filesize
3.3MB

Download
memory/1828-111-0x00007FF6590B0000-0x00007FF659401000-memory.dmp

Filesize
3.3MB

Download
memory/1828-145-0x00007FF6590B0000-0x00007FF659401000-memory.dmp

Filesize
3.3MB

Download
memory/1828-251-0x00007FF6590B0000-0x00007FF659401000-memory.dmp

Filesize
3.3MB

Download
memory/2500-106-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp

Filesize
3.3MB

Download
memory/2500-144-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp

Filesize
3.3MB

Download
memory/2500-252-0x00007FF77DF30000-0x00007FF77E281000-memory.dmp

Filesize
3.3MB

Download
memory/2768-54-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-134-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-224-0x00007FF6F4080000-0x00007FF6F43D1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-151-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-1-0x00000205F7670000-0x00000205F7680000-memory.dmp

Filesize
64KB

Download
memory/2788-0-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-127-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-150-0x00007FF7A0690000-0x00007FF7A09E1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-136-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-230-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-62-0x00007FF668F90000-0x00007FF6692E1000-memory.dmp

Filesize
3.3MB

Download
memory/3364-198-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp

Filesize
3.3MB

Download
memory/3364-24-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-142-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp

Filesize
3.3MB

Download
memory/3788-105-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp

Filesize
3.3MB

Download
memory/3788-235-0x00007FF7BD230000-0x00007FF7BD581000-memory.dmp

Filesize
3.3MB

Download
memory/3984-92-0x00007FF77D520000-0x00007FF77D871000-memory.dmp

Filesize
3.3MB

Download
memory/3984-240-0x00007FF77D520000-0x00007FF77D871000-memory.dmp

Filesize
3.3MB

Download
memory/4056-149-0x00007FF657DA0000-0x00007FF6580F1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-245-0x00007FF657DA0000-0x00007FF6580F1000-memory.dmp

Filesize
3.3MB

Download
memory/4396-206-0x00007FF772DF0000-0x00007FF773141000-memory.dmp

Filesize
3.3MB

Download
memory/4396-33-0x00007FF772DF0000-0x00007FF773141000-memory.dmp

Filesize
3.3MB

Download
memory/4396-133-0x00007FF772DF0000-0x00007FF773141000-memory.dmp

Filesize
3.3MB

Download
memory/4416-228-0x00007FF772EC0000-0x00007FF773211000-memory.dmp

Filesize
3.3MB

Download
memory/4416-71-0x00007FF772EC0000-0x00007FF773211000-memory.dmp

Filesize
3.3MB

Download
memory/4636-242-0x00007FF64C170000-0x00007FF64C4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-117-0x00007FF64C170000-0x00007FF64C4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-76-0x00007FF77C520000-0x00007FF77C871000-memory.dmp

Filesize
3.3MB

Download
memory/4728-233-0x00007FF77C520000-0x00007FF77C871000-memory.dmp

Filesize
3.3MB

Download
memory/4728-139-0x00007FF77C520000-0x00007FF77C871000-memory.dmp

Filesize
3.3MB

Download
memory/5100-237-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp

Filesize
3.3MB

Download
memory/5100-138-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp

Filesize
3.3MB

Download
memory/5100-70-0x00007FF6E3F30000-0x00007FF6E4281000-memory.dmp

Filesize
3.3MB

Download