cobaltstrike | 87b06fcb599928c18ec9a51391ff20744d2a9cdeb1aa51f3dca1c67d0ac32e03

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

28e643087db47cd16c8de76bd02957f5
SHA1

94b94936c7e6b867f69179e1424099b3dc61660d
SHA256

87b06fcb599928c18ec9a51391ff20744d2a9cdeb1aa51f3dca1c67d0ac32e03
SHA512

032bc84a7be46243b014740b9e0a5d15a202ac9f54daeb62426e4dae2160a431df17ed4d2f7cd943894a17dcea202029b255c76bc8cfb058a35c60c07a72e295
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\ZsvlgjM.exe	cobalt_reflective_dll
C:\Windows\System\wMxVpuR.exe	cobalt_reflective_dll
C:\Windows\System\NEGVmBu.exe	cobalt_reflective_dll
C:\Windows\System\xZsYdJs.exe	cobalt_reflective_dll
C:\Windows\System\abZHgMa.exe	cobalt_reflective_dll
C:\Windows\System\xbazhLh.exe	cobalt_reflective_dll
C:\Windows\System\hJsYyXM.exe	cobalt_reflective_dll
C:\Windows\System\VQYhamH.exe	cobalt_reflective_dll
C:\Windows\System\TjleIky.exe	cobalt_reflective_dll
C:\Windows\System\CNSPMjo.exe	cobalt_reflective_dll
C:\Windows\System\iwfBRQD.exe	cobalt_reflective_dll
C:\Windows\System\PUsRdIZ.exe	cobalt_reflective_dll
C:\Windows\System\hBAigPe.exe	cobalt_reflective_dll
C:\Windows\System\KlUBFuQ.exe	cobalt_reflective_dll
C:\Windows\System\fJrDajL.exe	cobalt_reflective_dll
C:\Windows\System\ebVuoxa.exe	cobalt_reflective_dll
C:\Windows\System\NbPBBcy.exe	cobalt_reflective_dll
C:\Windows\System\skQLnqz.exe	cobalt_reflective_dll
C:\Windows\System\ohwdKQb.exe	cobalt_reflective_dll
C:\Windows\System\obvIQio.exe	cobalt_reflective_dll
C:\Windows\System\YsTUdMd.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\ZsvlgjM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wMxVpuR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NEGVmBu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xZsYdJs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\abZHgMa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xbazhLh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hJsYyXM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VQYhamH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TjleIky.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CNSPMjo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iwfBRQD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PUsRdIZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hBAigPe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KlUBFuQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fJrDajL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ebVuoxa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NbPBBcy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\skQLnqz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ohwdKQb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\obvIQio.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YsTUdMd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4268-0-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp	UPX
C:\Windows\System\ZsvlgjM.exe	UPX
behavioral2/memory/2900-7-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp	UPX
C:\Windows\System\wMxVpuR.exe	UPX
C:\Windows\System\NEGVmBu.exe	UPX
behavioral2/memory/2288-15-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp	UPX
C:\Windows\System\xZsYdJs.exe	UPX
C:\Windows\System\abZHgMa.exe	UPX
C:\Windows\System\xbazhLh.exe	UPX
behavioral2/memory/2420-56-0x00007FF642820000-0x00007FF642B71000-memory.dmp	UPX
C:\Windows\System\hJsYyXM.exe	UPX
C:\Windows\System\VQYhamH.exe	UPX
C:\Windows\System\TjleIky.exe	UPX
C:\Windows\System\CNSPMjo.exe	UPX
C:\Windows\System\iwfBRQD.exe	UPX
C:\Windows\System\PUsRdIZ.exe	UPX
behavioral2/memory/3520-127-0x00007FF682260000-0x00007FF6825B1000-memory.dmp	UPX
behavioral2/memory/3424-126-0x00007FF6E9AF0000-0x00007FF6E9E41000-memory.dmp	UPX
behavioral2/memory/3304-125-0x00007FF655710000-0x00007FF655A61000-memory.dmp	UPX
C:\Windows\System\hBAigPe.exe	UPX
behavioral2/memory/3712-120-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp	UPX
behavioral2/memory/2716-119-0x00007FF621D30000-0x00007FF622081000-memory.dmp	UPX
C:\Windows\System\KlUBFuQ.exe	UPX
behavioral2/memory/760-111-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp	UPX
C:\Windows\System\fJrDajL.exe	UPX
C:\Windows\System\ebVuoxa.exe	UPX
behavioral2/memory/5104-103-0x00007FF622170000-0x00007FF6224C1000-memory.dmp	UPX
behavioral2/memory/3060-95-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp	UPX
behavioral2/memory/1564-85-0x00007FF616200000-0x00007FF616551000-memory.dmp	UPX
C:\Windows\System\NbPBBcy.exe	UPX
behavioral2/memory/456-75-0x00007FF7E7A50000-0x00007FF7E7DA1000-memory.dmp	UPX
behavioral2/memory/2640-74-0x00007FF6DE910000-0x00007FF6DEC61000-memory.dmp	UPX
C:\Windows\System\skQLnqz.exe	UPX
behavioral2/memory/3256-69-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp	UPX
behavioral2/memory/1536-66-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp	UPX
behavioral2/memory/4004-63-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp	UPX
behavioral2/memory/3380-49-0x00007FF645490000-0x00007FF6457E1000-memory.dmp	UPX
C:\Windows\System\ohwdKQb.exe	UPX
behavioral2/memory/3268-45-0x00007FF776A00000-0x00007FF776D51000-memory.dmp	UPX
C:\Windows\System\obvIQio.exe	UPX
behavioral2/memory/224-27-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp	UPX
C:\Windows\System\YsTUdMd.exe	UPX
behavioral2/memory/3464-17-0x00007FF626460000-0x00007FF6267B1000-memory.dmp	UPX
behavioral2/memory/3464-131-0x00007FF626460000-0x00007FF6267B1000-memory.dmp	UPX
behavioral2/memory/224-132-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp	UPX
behavioral2/memory/2716-147-0x00007FF621D30000-0x00007FF622081000-memory.dmp	UPX
behavioral2/memory/760-146-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp	UPX
behavioral2/memory/3712-149-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp	UPX
behavioral2/memory/5104-144-0x00007FF622170000-0x00007FF6224C1000-memory.dmp	UPX
behavioral2/memory/3256-141-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp	UPX
behavioral2/memory/3060-142-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp	UPX
behavioral2/memory/1536-139-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp	UPX
behavioral2/memory/4004-137-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp	UPX
behavioral2/memory/2420-136-0x00007FF642820000-0x00007FF642B71000-memory.dmp	UPX
behavioral2/memory/2288-130-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp	UPX
behavioral2/memory/2900-129-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp	UPX
behavioral2/memory/4268-128-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp	UPX
behavioral2/memory/4268-150-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp	UPX
behavioral2/memory/2900-196-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp	UPX
behavioral2/memory/3464-198-0x00007FF626460000-0x00007FF6267B1000-memory.dmp	UPX
behavioral2/memory/2288-200-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp	UPX
behavioral2/memory/224-204-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp	UPX
behavioral2/memory/3380-203-0x00007FF645490000-0x00007FF6457E1000-memory.dmp	UPX
behavioral2/memory/2640-208-0x00007FF6DE910000-0x00007FF6DEC61000-memory.dmp	UPX

XMRig Miner payload 44 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3520-127-0x00007FF682260000-0x00007FF6825B1000-memory.dmp	xmrig
behavioral2/memory/3424-126-0x00007FF6E9AF0000-0x00007FF6E9E41000-memory.dmp	xmrig
behavioral2/memory/3304-125-0x00007FF655710000-0x00007FF655A61000-memory.dmp	xmrig
behavioral2/memory/1564-85-0x00007FF616200000-0x00007FF616551000-memory.dmp	xmrig
behavioral2/memory/456-75-0x00007FF7E7A50000-0x00007FF7E7DA1000-memory.dmp	xmrig
behavioral2/memory/2640-74-0x00007FF6DE910000-0x00007FF6DEC61000-memory.dmp	xmrig
behavioral2/memory/3380-49-0x00007FF645490000-0x00007FF6457E1000-memory.dmp	xmrig
behavioral2/memory/3268-45-0x00007FF776A00000-0x00007FF776D51000-memory.dmp	xmrig
behavioral2/memory/3464-131-0x00007FF626460000-0x00007FF6267B1000-memory.dmp	xmrig
behavioral2/memory/224-132-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp	xmrig
behavioral2/memory/2716-147-0x00007FF621D30000-0x00007FF622081000-memory.dmp	xmrig
behavioral2/memory/760-146-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp	xmrig
behavioral2/memory/3712-149-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp	xmrig
behavioral2/memory/5104-144-0x00007FF622170000-0x00007FF6224C1000-memory.dmp	xmrig
behavioral2/memory/3256-141-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp	xmrig
behavioral2/memory/3060-142-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp	xmrig
behavioral2/memory/1536-139-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp	xmrig
behavioral2/memory/4004-137-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp	xmrig
behavioral2/memory/2420-136-0x00007FF642820000-0x00007FF642B71000-memory.dmp	xmrig
behavioral2/memory/2288-130-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp	xmrig
behavioral2/memory/2900-129-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp	xmrig
behavioral2/memory/4268-128-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp	xmrig
behavioral2/memory/4268-150-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp	xmrig
behavioral2/memory/2900-196-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp	xmrig
behavioral2/memory/3464-198-0x00007FF626460000-0x00007FF6267B1000-memory.dmp	xmrig
behavioral2/memory/2288-200-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp	xmrig
behavioral2/memory/224-204-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp	xmrig
behavioral2/memory/3380-203-0x00007FF645490000-0x00007FF6457E1000-memory.dmp	xmrig
behavioral2/memory/2640-208-0x00007FF6DE910000-0x00007FF6DEC61000-memory.dmp	xmrig
behavioral2/memory/3268-206-0x00007FF776A00000-0x00007FF776D51000-memory.dmp	xmrig
behavioral2/memory/4004-210-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp	xmrig
behavioral2/memory/2420-212-0x00007FF642820000-0x00007FF642B71000-memory.dmp	xmrig
behavioral2/memory/456-214-0x00007FF7E7A50000-0x00007FF7E7DA1000-memory.dmp	xmrig
behavioral2/memory/1564-217-0x00007FF616200000-0x00007FF616551000-memory.dmp	xmrig
behavioral2/memory/1536-220-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp	xmrig
behavioral2/memory/3256-219-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp	xmrig
behavioral2/memory/3424-229-0x00007FF6E9AF0000-0x00007FF6E9E41000-memory.dmp	xmrig
behavioral2/memory/3712-231-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp	xmrig
behavioral2/memory/760-236-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp	xmrig
behavioral2/memory/3520-234-0x00007FF682260000-0x00007FF6825B1000-memory.dmp	xmrig
behavioral2/memory/3060-233-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp	xmrig
behavioral2/memory/5104-227-0x00007FF622170000-0x00007FF6224C1000-memory.dmp	xmrig
behavioral2/memory/3304-224-0x00007FF655710000-0x00007FF655A61000-memory.dmp	xmrig
behavioral2/memory/2716-223-0x00007FF621D30000-0x00007FF622081000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ZsvlgjM.exeNEGVmBu.exewMxVpuR.exeYsTUdMd.exexZsYdJs.exeabZHgMa.exeobvIQio.exeohwdKQb.exexbazhLh.exehJsYyXM.exeskQLnqz.exeVQYhamH.exeNbPBBcy.exeCNSPMjo.exeebVuoxa.exefJrDajL.exeTjleIky.exeKlUBFuQ.exeiwfBRQD.exehBAigPe.exePUsRdIZ.exe

pid	process
2900	ZsvlgjM.exe
2288	NEGVmBu.exe
3464	wMxVpuR.exe
224	YsTUdMd.exe
3268	xZsYdJs.exe
3380	abZHgMa.exe
2640	obvIQio.exe
2420	ohwdKQb.exe
4004	xbazhLh.exe
456	hJsYyXM.exe
1536	skQLnqz.exe
1564	VQYhamH.exe
3256	NbPBBcy.exe
3060	CNSPMjo.exe
3304	ebVuoxa.exe
5104	fJrDajL.exe
3424	TjleIky.exe
760	KlUBFuQ.exe
2716	iwfBRQD.exe
3520	hBAigPe.exe
3712	PUsRdIZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4268-0-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp	upx
C:\Windows\System\ZsvlgjM.exe	upx
behavioral2/memory/2900-7-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp	upx
C:\Windows\System\wMxVpuR.exe	upx
C:\Windows\System\NEGVmBu.exe	upx
behavioral2/memory/2288-15-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp	upx
C:\Windows\System\xZsYdJs.exe	upx
C:\Windows\System\abZHgMa.exe	upx
C:\Windows\System\xbazhLh.exe	upx
behavioral2/memory/2420-56-0x00007FF642820000-0x00007FF642B71000-memory.dmp	upx
C:\Windows\System\hJsYyXM.exe	upx
C:\Windows\System\VQYhamH.exe	upx
C:\Windows\System\TjleIky.exe	upx
C:\Windows\System\CNSPMjo.exe	upx
C:\Windows\System\iwfBRQD.exe	upx
C:\Windows\System\PUsRdIZ.exe	upx
behavioral2/memory/3520-127-0x00007FF682260000-0x00007FF6825B1000-memory.dmp	upx
behavioral2/memory/3424-126-0x00007FF6E9AF0000-0x00007FF6E9E41000-memory.dmp	upx
behavioral2/memory/3304-125-0x00007FF655710000-0x00007FF655A61000-memory.dmp	upx
C:\Windows\System\hBAigPe.exe	upx
behavioral2/memory/3712-120-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp	upx
behavioral2/memory/2716-119-0x00007FF621D30000-0x00007FF622081000-memory.dmp	upx
C:\Windows\System\KlUBFuQ.exe	upx
behavioral2/memory/760-111-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp	upx
C:\Windows\System\fJrDajL.exe	upx
C:\Windows\System\ebVuoxa.exe	upx
behavioral2/memory/5104-103-0x00007FF622170000-0x00007FF6224C1000-memory.dmp	upx
behavioral2/memory/3060-95-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp	upx
behavioral2/memory/1564-85-0x00007FF616200000-0x00007FF616551000-memory.dmp	upx
C:\Windows\System\NbPBBcy.exe	upx
behavioral2/memory/456-75-0x00007FF7E7A50000-0x00007FF7E7DA1000-memory.dmp	upx
behavioral2/memory/2640-74-0x00007FF6DE910000-0x00007FF6DEC61000-memory.dmp	upx
C:\Windows\System\skQLnqz.exe	upx
behavioral2/memory/3256-69-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp	upx
behavioral2/memory/1536-66-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp	upx
behavioral2/memory/4004-63-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp	upx
behavioral2/memory/3380-49-0x00007FF645490000-0x00007FF6457E1000-memory.dmp	upx
C:\Windows\System\ohwdKQb.exe	upx
behavioral2/memory/3268-45-0x00007FF776A00000-0x00007FF776D51000-memory.dmp	upx
C:\Windows\System\obvIQio.exe	upx
behavioral2/memory/224-27-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp	upx
C:\Windows\System\YsTUdMd.exe	upx
behavioral2/memory/3464-17-0x00007FF626460000-0x00007FF6267B1000-memory.dmp	upx
behavioral2/memory/3464-131-0x00007FF626460000-0x00007FF6267B1000-memory.dmp	upx
behavioral2/memory/224-132-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp	upx
behavioral2/memory/2716-147-0x00007FF621D30000-0x00007FF622081000-memory.dmp	upx
behavioral2/memory/760-146-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp	upx
behavioral2/memory/3712-149-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp	upx
behavioral2/memory/5104-144-0x00007FF622170000-0x00007FF6224C1000-memory.dmp	upx
behavioral2/memory/3256-141-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp	upx
behavioral2/memory/3060-142-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp	upx
behavioral2/memory/1536-139-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp	upx
behavioral2/memory/4004-137-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp	upx
behavioral2/memory/2420-136-0x00007FF642820000-0x00007FF642B71000-memory.dmp	upx
behavioral2/memory/2288-130-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp	upx
behavioral2/memory/2900-129-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp	upx
behavioral2/memory/4268-128-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp	upx
behavioral2/memory/4268-150-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp	upx
behavioral2/memory/2900-196-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp	upx
behavioral2/memory/3464-198-0x00007FF626460000-0x00007FF6267B1000-memory.dmp	upx
behavioral2/memory/2288-200-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp	upx
behavioral2/memory/224-204-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp	upx
behavioral2/memory/3380-203-0x00007FF645490000-0x00007FF6457E1000-memory.dmp	upx
behavioral2/memory/2640-208-0x00007FF6DE910000-0x00007FF6DEC61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\iwfBRQD.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xZsYdJs.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\abZHgMa.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\obvIQio.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xbazhLh.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hJsYyXM.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CNSPMjo.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ebVuoxa.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YsTUdMd.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TjleIky.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KlUBFuQ.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wMxVpuR.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ohwdKQb.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VQYhamH.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NbPBBcy.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PUsRdIZ.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZsvlgjM.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NEGVmBu.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\skQLnqz.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fJrDajL.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hBAigPe.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4268 wrote to memory of 2900	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ZsvlgjM.exe
PID 4268 wrote to memory of 2900	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ZsvlgjM.exe
PID 4268 wrote to memory of 2288	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	NEGVmBu.exe
PID 4268 wrote to memory of 2288	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	NEGVmBu.exe
PID 4268 wrote to memory of 3464	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	wMxVpuR.exe
PID 4268 wrote to memory of 3464	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	wMxVpuR.exe
PID 4268 wrote to memory of 224	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	YsTUdMd.exe
PID 4268 wrote to memory of 224	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	YsTUdMd.exe
PID 4268 wrote to memory of 3268	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xZsYdJs.exe
PID 4268 wrote to memory of 3268	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xZsYdJs.exe
PID 4268 wrote to memory of 3380	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	abZHgMa.exe
PID 4268 wrote to memory of 3380	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	abZHgMa.exe
PID 4268 wrote to memory of 2640	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	obvIQio.exe
PID 4268 wrote to memory of 2640	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	obvIQio.exe
PID 4268 wrote to memory of 2420	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ohwdKQb.exe
PID 4268 wrote to memory of 2420	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ohwdKQb.exe
PID 4268 wrote to memory of 4004	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xbazhLh.exe
PID 4268 wrote to memory of 4004	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xbazhLh.exe
PID 4268 wrote to memory of 456	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	hJsYyXM.exe
PID 4268 wrote to memory of 456	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	hJsYyXM.exe
PID 4268 wrote to memory of 1536	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	skQLnqz.exe
PID 4268 wrote to memory of 1536	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	skQLnqz.exe
PID 4268 wrote to memory of 1564	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	VQYhamH.exe
PID 4268 wrote to memory of 1564	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	VQYhamH.exe
PID 4268 wrote to memory of 3256	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	NbPBBcy.exe
PID 4268 wrote to memory of 3256	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	NbPBBcy.exe
PID 4268 wrote to memory of 3060	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	CNSPMjo.exe
PID 4268 wrote to memory of 3060	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	CNSPMjo.exe
PID 4268 wrote to memory of 3304	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ebVuoxa.exe
PID 4268 wrote to memory of 3304	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ebVuoxa.exe
PID 4268 wrote to memory of 5104	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	fJrDajL.exe
PID 4268 wrote to memory of 5104	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	fJrDajL.exe
PID 4268 wrote to memory of 3424	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	TjleIky.exe
PID 4268 wrote to memory of 3424	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	TjleIky.exe
PID 4268 wrote to memory of 760	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	KlUBFuQ.exe
PID 4268 wrote to memory of 760	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	KlUBFuQ.exe
PID 4268 wrote to memory of 2716	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	iwfBRQD.exe
PID 4268 wrote to memory of 2716	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	iwfBRQD.exe
PID 4268 wrote to memory of 3520	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	hBAigPe.exe
PID 4268 wrote to memory of 3520	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	hBAigPe.exe
PID 4268 wrote to memory of 3712	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	PUsRdIZ.exe
PID 4268 wrote to memory of 3712	4268	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	PUsRdIZ.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\System\ZsvlgjM.exe
C:\Windows\System\ZsvlgjM.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\NEGVmBu.exe
C:\Windows\System\NEGVmBu.exe
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\System\wMxVpuR.exe
C:\Windows\System\wMxVpuR.exe
2⤵
- Executes dropped EXE
PID:3464

C:\Windows\System\YsTUdMd.exe
C:\Windows\System\YsTUdMd.exe
2⤵
- Executes dropped EXE
PID:224

C:\Windows\System\xZsYdJs.exe
C:\Windows\System\xZsYdJs.exe
2⤵
- Executes dropped EXE
PID:3268

C:\Windows\System\abZHgMa.exe
C:\Windows\System\abZHgMa.exe
2⤵
- Executes dropped EXE
PID:3380

C:\Windows\System\obvIQio.exe
C:\Windows\System\obvIQio.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\ohwdKQb.exe
C:\Windows\System\ohwdKQb.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\System\xbazhLh.exe
C:\Windows\System\xbazhLh.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\System\hJsYyXM.exe
C:\Windows\System\hJsYyXM.exe
2⤵
- Executes dropped EXE
PID:456

C:\Windows\System\skQLnqz.exe
C:\Windows\System\skQLnqz.exe
2⤵
- Executes dropped EXE
PID:1536

C:\Windows\System\VQYhamH.exe
C:\Windows\System\VQYhamH.exe
2⤵
- Executes dropped EXE
PID:1564

C:\Windows\System\NbPBBcy.exe
C:\Windows\System\NbPBBcy.exe
2⤵
- Executes dropped EXE
PID:3256

C:\Windows\System\CNSPMjo.exe
C:\Windows\System\CNSPMjo.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\System\ebVuoxa.exe
C:\Windows\System\ebVuoxa.exe
2⤵
- Executes dropped EXE
PID:3304

C:\Windows\System\fJrDajL.exe
C:\Windows\System\fJrDajL.exe
2⤵
- Executes dropped EXE
PID:5104

C:\Windows\System\TjleIky.exe
C:\Windows\System\TjleIky.exe
2⤵
- Executes dropped EXE
PID:3424

C:\Windows\System\KlUBFuQ.exe
C:\Windows\System\KlUBFuQ.exe
2⤵
- Executes dropped EXE
PID:760

C:\Windows\System\iwfBRQD.exe
C:\Windows\System\iwfBRQD.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\hBAigPe.exe
C:\Windows\System\hBAigPe.exe
2⤵
- Executes dropped EXE
PID:3520

C:\Windows\System\PUsRdIZ.exe
C:\Windows\System\PUsRdIZ.exe
2⤵
- Executes dropped EXE
PID:3712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CNSPMjo.exe
Filesize
5.2MB

MD5
0508bdad42e6381dbde6c379ed3296f0

SHA1
03ef24bac4ae9c0104110f7df029a465d95eba2c

SHA256
9ded07f2d3310a3647205dc78babe1477d9b9fb45a766cfeaef13049d650f0e6

SHA512
fd26d04754bd88942703e9d6f9ccefd74b88b245008817d4d1218537c9bcf0a040e62c3528f9d98a8a20c0bd5b8c6101eee0903bd2e9cc6c13c63ea44aac0735

Download Submit
C:\Windows\System\KlUBFuQ.exe
Filesize
5.2MB

MD5
7808f7c896076785fe9a34480e33bf0c

SHA1
43f3e87867770be927628b81a7ceece0d75c1c17

SHA256
6000d21ed3d22204520419f3bc7dfb1546a70775bb058d9d668eb8af8798d529

SHA512
22354c508fb1c83c900e2658d78d426f540ee6d4528424b99bea1b4a1040fa33c0059ab2a76e10c7230624c0533770e487a5ca328006bb1e3ae3359df54494cd

Download Submit
C:\Windows\System\NEGVmBu.exe
Filesize
5.2MB

MD5
586802a67bf241b5f90ca0c6f467e717

SHA1
fb37596f194fc81aec5e9d3aa512b04fafe41d8c

SHA256
e19be8972b97f1cb377bc0e752b3c1482dfedf5b844ce029c4e2616697586c02

SHA512
0cbc6b30e1d0089618c0b94f91ea40cbdb4bb7cd29f1c26a61990fc730baf7237a895b31e9f165a4bf7d00f26a54ecd162f0275500484eb7530a68b755739346

Download Submit
C:\Windows\System\NbPBBcy.exe
Filesize
5.2MB

MD5
6ae2323f94eeec31ea3ffc5db80e3a94

SHA1
930233ff45b958f5919e4f277f32777151ab5392

SHA256
adc730910141950696f28854b9223bf1d10f7fe0b37aaaa4c914765d556acba8

SHA512
37a3d60b56f8e3e0c6a67ff3f60d14ffa2b249a3ef614745348d1cb841b800381747320b701fc317452b3bbcf2ad0468e498ecbba47b6e0042642102eaf3a43d

Download Submit
C:\Windows\System\PUsRdIZ.exe
Filesize
5.2MB

MD5
aa79773fe97e725c77cb87e915902357

SHA1
8fccda2fa425efb8701b15117e06de57b0a903b1

SHA256
c9b3245322a17faf87c0ae1aac1ddc257affa2bf7e278fd87a1ab83fc4e24340

SHA512
c52321d75b95adb91525c9c605f8cae2d31b7b49c7191ba377bcebb5eb118a70e35ca278468df45a2b7addd7a887a96fa00a37e5d6f048bf74d572b95bfeaa04

Download Submit
C:\Windows\System\TjleIky.exe
Filesize
5.2MB

MD5
b1c83c1b30ac5bbd15e9fd16f2eb687c

SHA1
2535bd7cadcd6ffee24fba65f1e2962941017a5e

SHA256
be8bbda0b9a1626e268827178bf9cbbc412963733485414bc90fd9309441d940

SHA512
39765262d2491ae8daa4186eb21acd323ce6b4f2b40d6e934eba2f874c2d37f4c0e8d62d2c91718465fcc8197b3369ec0601b807a8d7fc615a0ec5b9ed1187ce

Download Submit
C:\Windows\System\VQYhamH.exe
Filesize
5.2MB

MD5
6e46b8be43b501099a62bbbc80dbb01c

SHA1
ed0f75ac08568992515eb8f905ec9e3dfcfd8ac7

SHA256
323aaf0b5ab4efc92ccaf28f20ffc9489664d254ae7d9ec8c488809d56abb4db

SHA512
f654427bf95436016f8d9030ba6d2671a764a81ced6477351386292bf699c4f1337899a8b31e981cd53695c94e6031e6000603d14897a6d26e1294db8755e2f8

Download Submit
C:\Windows\System\YsTUdMd.exe
Filesize
5.2MB

MD5
1278130060aa76edb5599a7c50d9aa42

SHA1
369dffab49f3f85820f580198c67f7b6d7ef1dfc

SHA256
612c27491c97b81912fd30f0f2de81ef41f7f8084d05927a51a33ce47e7fe952

SHA512
34da73b4c6dc6031a11e81d96bea768ca1112bcdf6cc7a9bc57e72523bf95668bc80f29b59f0f48f89b2659c00af0d06b71e2c04bc8d96acdebf81226cd4de16

Download Submit
C:\Windows\System\ZsvlgjM.exe
Filesize
5.2MB

MD5
ea304a5892871fa8525031ed554ef738

SHA1
ecffe6b68f05d906be0e634332e0e7e74b401549

SHA256
65d751a9007c584a62f3dbebccdcf6833d24cb82cdb3496ae2a7e96c3a021874

SHA512
c176a76c7bc5dc25769f9be94690b961d4c4e33f9e241c3ba3e382c53fdc4a6d51412a3710c95004bff5162f85a997a916fc8419f89b0e3b351d4e97ba3b5ad6

Download Submit
C:\Windows\System\abZHgMa.exe
Filesize
5.2MB

MD5
514380ca969c8e9d30a133c1f77fded0

SHA1
bb25df5328afc84a6d9a40ca7b23ea2422c2b2d7

SHA256
212856b176c7035c016199ebf42a842abe76f6493f22cb57277034996a81ef3a

SHA512
63120a77d130514ffea6c415c2ea63732d49a1df0f3c2443c3eb8f2e082fd4ba94ed632aaca9f97b6d92e92f5948f0e285f3c34ce1293c603ad036b53ff3d861

Download Submit
C:\Windows\System\ebVuoxa.exe
Filesize
5.2MB

MD5
7d8d5b53e000ab860036fe1f702e45d0

SHA1
c7199d90f218f7b121677a308c5917a8ec87ccd8

SHA256
0938b180947765a6ccd462003f3d522128c7f498c798b24cbfc6255dfc758f6b

SHA512
39203253f8e864c5ab18f141a3d6a5d452bb651d8b67f21a3f32c1af853290ac9dc30524b32d8190150f292f11969830476c59d3fe8392a9ce8b76597da834d6

Download Submit
C:\Windows\System\fJrDajL.exe
Filesize
5.2MB

MD5
e4a975b661492cad66be0e66a56baf24

SHA1
39ae792b14ea572dd9985f84ddd842e7ff3fcb7b

SHA256
45ffe1fa17b0e36be71d05885150154b56060c7e2e9bb866375b4e37579379e8

SHA512
725289ceb512bd4c3b1e44be16d9977f30b72b10b17b051326a8db06d686ac11b7af23baa40938e5e6c2a06b4ca7f66e1310963fa6fa607b4173b50f61d61590

Download Submit
C:\Windows\System\hBAigPe.exe
Filesize
5.2MB

MD5
449af96730d526478a9379f63f5234f0

SHA1
2ea87bcf5b83f4d6494a1ed77ecec54ad0105dc3

SHA256
2f4c0252bfce719b7475ce96839adedf9aa6c84a25ad1dd92af5a464158ebdc1

SHA512
42ae2b6ca8954c7d442405e86875abf979832e640fb114e5b9770d42800d79c4bca2a6d2c786f67e482a10c71b905d7c869564023601043ca5b9f531bcf0f975

Download Submit
C:\Windows\System\hJsYyXM.exe
Filesize
5.2MB

MD5
2e4cb68778cee0e5447c94c07547f84b

SHA1
ff2ebf34dafaa850d40b8f5265dee7063516f107

SHA256
b9c148bd9343ba2b77d01dd5acf6893f4a25e232e37e9376d92b7e678ca14529

SHA512
b8724bbb2118df7f39b1ad9bfdcbccb1b0e1ca9f99266faf31ac94bd4b5214cbfa7ee3650dae1445c3a84dcbe9e3285cd870a5a55940ce4a9a11bbc5eb3837b7

Download Submit
C:\Windows\System\iwfBRQD.exe
Filesize
5.2MB

MD5
8b58de74a0e8091c544524218a650e74

SHA1
caf3877c6e09028146d1dfed80ccbc303795d068

SHA256
0c80c9d362a042827131e1b45812dfa42ec4c5be18ec7d25c48e63bcd0b819de

SHA512
66402480079fe95c73161d4fbb1528a1f5b7d2886399a5e38baaf02820f754719c5703adc36e4deb9fb0068ca6c930c1b604dbab4c66e81a729b7c1b2b6550bd

Download Submit
C:\Windows\System\obvIQio.exe
Filesize
5.2MB

MD5
880299cd1374315b008e3afb8ea52691

SHA1
e15d9749777ad6e16a3fec7915b87a15dc2694b5

SHA256
c027cbc38280451ca9cae91b5bcda7d01ce59a47b79d7a2ccd96475d5da377a0

SHA512
e813011e6de64ecf4c654d448c70fa51609d4a6502d83803372e416f8ea6e89950289faaa7f15fbc1eb3f70143224b567f7dc0718d5d71d3280b74c33f82a9a7

Download Submit
C:\Windows\System\ohwdKQb.exe
Filesize
5.2MB

MD5
2c007352394ada137f77d69f8c07c760

SHA1
79a18505c73a88437583e0163cc4f7824a85f9f3

SHA256
ba48916a7d396cbeea6adcb94d99e1dab5c5bdae9ca953c1fe5dcbc9be74f700

SHA512
ed7db7ba3245d5ed25defe5e014e778fdac4aec7953cabae5df336910f5a24758983055302a5733843736988be424eed4f1af16d1a5b35e3d23124e5cc9fbda6

Download Submit
C:\Windows\System\skQLnqz.exe
Filesize
5.2MB

MD5
e6b578424751b646f88c6b015e59744a

SHA1
33f318f0a17b8150a95b28bf7f9e7eb3793b3314

SHA256
f872e6d63118dbbe690eccab9a1edb6c4355ae52d5e3588d32d7cc47a84fba59

SHA512
0092bf7cc1cef1c5573da3e6f294bf951678511a4c7c29f702a79655c42b0921ec9e9f9378fa592b9222dd9a424653d18f5c14727a1e0182b9409247153b0c14

Download Submit
C:\Windows\System\wMxVpuR.exe
Filesize
5.2MB

MD5
c2da4c99473a00e0ed017f3bf03bbb04

SHA1
9d076ced130dd4904a1d24c092a41d107141761e

SHA256
9b89d88a9608828406eafc2c11d11a28996d376d45e4610a8547f7023f532f82

SHA512
9e25b2cfebeac4b6230ea4740a7adc45d04719c6b2accc3f3d891b86e13f5caa3faff33feceb0ba5292edd37c797089e90f72a5cff7abe5addb3808b0d57d873

Download Submit
C:\Windows\System\xZsYdJs.exe
Filesize
5.2MB

MD5
1e8e0e51203461f591db07f5afa1653d

SHA1
7e5d0881d67c47bd0e5a6c3fed649a76c3d141f7

SHA256
d374036726dcb578485a4227146221698a02157e42b069473a2a308d281fde35

SHA512
6036f0f87f1a4fdf0404c45f8ef6448a1c19c9bfc9bc3fd84a6d5d6c375b71f94cefa0dff2ae2edec924f233fc09426754d0a8fef5b97dbb1cf6070ea31bce1d

Download Submit
C:\Windows\System\xbazhLh.exe
Filesize
5.2MB

MD5
14f1a4534714bc7cb81b552c00399eaa

SHA1
ead59801fcc3f90bb8abd5490edcfd60c3f1d251

SHA256
2a3a6e91dabba556e8a1e94b07f4b9ed660b7054d96389559b22517d76b2aea7

SHA512
1f15777a273339d1661de2d03031b4df732506f01468d701f1f87d620840c20de54c5207f1d8bb7f253611e407507dc17a02f828e8454ca0d20166ea724aee2d

Download Submit
memory/224-27-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp

Filesize
3.3MB

Download
memory/224-204-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp

Filesize
3.3MB

Download
memory/224-132-0x00007FF6CA6C0000-0x00007FF6CAA11000-memory.dmp

Filesize
3.3MB

Download
memory/456-75-0x00007FF7E7A50000-0x00007FF7E7DA1000-memory.dmp

Filesize
3.3MB

Download
memory/456-214-0x00007FF7E7A50000-0x00007FF7E7DA1000-memory.dmp

Filesize
3.3MB

Download
memory/760-236-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/760-111-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/760-146-0x00007FF61AE70000-0x00007FF61B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/1536-66-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/1536-220-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/1536-139-0x00007FF67FB90000-0x00007FF67FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-85-0x00007FF616200000-0x00007FF616551000-memory.dmp

Filesize
3.3MB

Download
memory/1564-217-0x00007FF616200000-0x00007FF616551000-memory.dmp

Filesize
3.3MB

Download
memory/2288-15-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp

Filesize
3.3MB

Download
memory/2288-200-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp

Filesize
3.3MB

Download
memory/2288-130-0x00007FF7C1940000-0x00007FF7C1C91000-memory.dmp

Filesize
3.3MB

Download
memory/2420-136-0x00007FF642820000-0x00007FF642B71000-memory.dmp

Filesize
3.3MB

Download
memory/2420-56-0x00007FF642820000-0x00007FF642B71000-memory.dmp

Filesize
3.3MB

Download
memory/2420-212-0x00007FF642820000-0x00007FF642B71000-memory.dmp

Filesize
3.3MB

Download
memory/2640-74-0x00007FF6DE910000-0x00007FF6DEC61000-memory.dmp

Filesize
3.3MB

Download
memory/2640-208-0x00007FF6DE910000-0x00007FF6DEC61000-memory.dmp

Filesize
3.3MB

Download
memory/2716-119-0x00007FF621D30000-0x00007FF622081000-memory.dmp

Filesize
3.3MB

Download
memory/2716-223-0x00007FF621D30000-0x00007FF622081000-memory.dmp

Filesize
3.3MB

Download
memory/2716-147-0x00007FF621D30000-0x00007FF622081000-memory.dmp

Filesize
3.3MB

Download
memory/2900-196-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp

Filesize
3.3MB

Download
memory/2900-7-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp

Filesize
3.3MB

Download
memory/2900-129-0x00007FF6D50D0000-0x00007FF6D5421000-memory.dmp

Filesize
3.3MB

Download
memory/3060-233-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-142-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-95-0x00007FF7DF060000-0x00007FF7DF3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-69-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp

Filesize
3.3MB

Download
memory/3256-141-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp

Filesize
3.3MB

Download
memory/3256-219-0x00007FF6F80D0000-0x00007FF6F8421000-memory.dmp

Filesize
3.3MB

Download
memory/3268-45-0x00007FF776A00000-0x00007FF776D51000-memory.dmp

Filesize
3.3MB

Download
memory/3268-206-0x00007FF776A00000-0x00007FF776D51000-memory.dmp

Filesize
3.3MB

Download
memory/3304-224-0x00007FF655710000-0x00007FF655A61000-memory.dmp

Filesize
3.3MB

Download
memory/3304-125-0x00007FF655710000-0x00007FF655A61000-memory.dmp

Filesize
3.3MB

Download
memory/3380-49-0x00007FF645490000-0x00007FF6457E1000-memory.dmp

Filesize
3.3MB

Download
memory/3380-203-0x00007FF645490000-0x00007FF6457E1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-229-0x00007FF6E9AF0000-0x00007FF6E9E41000-memory.dmp

Filesize
3.3MB

Download
memory/3424-126-0x00007FF6E9AF0000-0x00007FF6E9E41000-memory.dmp

Filesize
3.3MB

Download
memory/3464-17-0x00007FF626460000-0x00007FF6267B1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-198-0x00007FF626460000-0x00007FF6267B1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-131-0x00007FF626460000-0x00007FF6267B1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-234-0x00007FF682260000-0x00007FF6825B1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-127-0x00007FF682260000-0x00007FF6825B1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-120-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp

Filesize
3.3MB

Download
memory/3712-231-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp

Filesize
3.3MB

Download
memory/3712-149-0x00007FF6016E0000-0x00007FF601A31000-memory.dmp

Filesize
3.3MB

Download
memory/4004-210-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp

Filesize
3.3MB

Download
memory/4004-63-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp

Filesize
3.3MB

Download
memory/4004-137-0x00007FF7C2B40000-0x00007FF7C2E91000-memory.dmp

Filesize
3.3MB

Download
memory/4268-0-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp

Filesize
3.3MB

Download
memory/4268-128-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp

Filesize
3.3MB

Download
memory/4268-1-0x000001FCB82F0000-0x000001FCB8300000-memory.dmp

Filesize
64KB

Download
memory/4268-150-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp

Filesize
3.3MB

Download
memory/5104-103-0x00007FF622170000-0x00007FF6224C1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-227-0x00007FF622170000-0x00007FF6224C1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-144-0x00007FF622170000-0x00007FF6224C1000-memory.dmp

Filesize
3.3MB

Download