cobaltstrike | 6b2b9dab2fa1bc859681c0693d07525ccdc7bed7af848730c4e72b1d7fd06979

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 10:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

74ba46c6e38e987c225e446df110cd23
SHA1

2c2b6bd598c096d157cb4f3ef2167c8c1efd0ae7
SHA256

6b2b9dab2fa1bc859681c0693d07525ccdc7bed7af848730c4e72b1d7fd06979
SHA512

61171c2a95b6bf24f3857c4b47bb64f192114f591403dcb7b865ef28493501b7575b2772be0c9097def516e4526349fcae026ab7f55fa705dbee08cfb3ceed79
SSDEEP

98304:MemTLkNdfE0pZb756utgpPFotBER/mQ32lUI:v+O56utgpPF8u/7I

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002342c-4.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002342f-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-47.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022986-54.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023430-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-93.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-106.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000800000002342c-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002342f-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023433-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023435-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023436-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023437-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023438-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023439-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0003000000022986-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023430-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343a-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343b-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343c-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343d-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343e-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343f-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023442-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023443-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023444-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023441-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023440-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/596-0-0x00007FF6FD540000-0x00007FF6FD892000-memory.dmp	UPX
behavioral2/files/0x000800000002342c-4.dat	UPX
behavioral2/memory/3068-7-0x00007FF662F00000-0x00007FF663252000-memory.dmp	UPX
behavioral2/files/0x000800000002342f-11.dat	UPX
behavioral2/files/0x0007000000023433-10.dat	UPX
behavioral2/memory/4212-14-0x00007FF734A60000-0x00007FF734DB2000-memory.dmp	UPX
behavioral2/memory/2120-18-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	UPX
behavioral2/memory/216-24-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	UPX
behavioral2/files/0x0007000000023435-25.dat	UPX
behavioral2/files/0x0007000000023436-29.dat	UPX
behavioral2/memory/796-32-0x00007FF7B0800000-0x00007FF7B0B52000-memory.dmp	UPX
behavioral2/files/0x0007000000023437-36.dat	UPX
behavioral2/files/0x0007000000023438-42.dat	UPX
behavioral2/memory/456-44-0x00007FF702220000-0x00007FF702572000-memory.dmp	UPX
behavioral2/memory/4792-38-0x00007FF7E57F0000-0x00007FF7E5B42000-memory.dmp	UPX
behavioral2/files/0x0007000000023439-47.dat	UPX
behavioral2/memory/516-50-0x00007FF730D60000-0x00007FF7310B2000-memory.dmp	UPX
behavioral2/files/0x0003000000022986-54.dat	UPX
behavioral2/files/0x0008000000023430-59.dat	UPX
behavioral2/memory/1792-56-0x00007FF7931C0000-0x00007FF793512000-memory.dmp	UPX
behavioral2/memory/3156-61-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	UPX
behavioral2/files/0x000700000002343a-67.dat	UPX
behavioral2/memory/3068-69-0x00007FF662F00000-0x00007FF663252000-memory.dmp	UPX
behavioral2/files/0x000700000002343b-75.dat	UPX
behavioral2/files/0x000700000002343c-79.dat	UPX
behavioral2/files/0x000700000002343d-84.dat	UPX
behavioral2/memory/2120-85-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	UPX
behavioral2/files/0x000700000002343e-93.dat	UPX
behavioral2/files/0x000700000002343f-97.dat	UPX
behavioral2/files/0x0007000000023442-112.dat	UPX
behavioral2/files/0x0007000000023443-115.dat	UPX
behavioral2/files/0x0007000000023444-122.dat	UPX
behavioral2/files/0x0007000000023441-110.dat	UPX
behavioral2/files/0x0007000000023440-106.dat	UPX
behavioral2/memory/4328-91-0x00007FF7C2F10000-0x00007FF7C3262000-memory.dmp	UPX
behavioral2/memory/3832-86-0x00007FF7D9070000-0x00007FF7D93C2000-memory.dmp	UPX
behavioral2/memory/5092-73-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	UPX
behavioral2/memory/3768-70-0x00007FF7745A0000-0x00007FF7748F2000-memory.dmp	UPX
behavioral2/memory/596-60-0x00007FF6FD540000-0x00007FF6FD892000-memory.dmp	UPX
behavioral2/memory/3264-125-0x00007FF60B3C0000-0x00007FF60B712000-memory.dmp	UPX
behavioral2/memory/3596-127-0x00007FF7A27E0000-0x00007FF7A2B32000-memory.dmp	UPX
behavioral2/memory/2860-126-0x00007FF785EF0000-0x00007FF786242000-memory.dmp	UPX
behavioral2/memory/2596-129-0x00007FF62A2E0000-0x00007FF62A632000-memory.dmp	UPX
behavioral2/memory/2272-131-0x00007FF69A3F0000-0x00007FF69A742000-memory.dmp	UPX
behavioral2/memory/1056-130-0x00007FF6C6DE0000-0x00007FF6C7132000-memory.dmp	UPX
behavioral2/memory/1920-128-0x00007FF66E800000-0x00007FF66EB52000-memory.dmp	UPX
behavioral2/memory/216-124-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	UPX
behavioral2/memory/3156-132-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	UPX
behavioral2/memory/5092-133-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	UPX
behavioral2/memory/3068-134-0x00007FF662F00000-0x00007FF663252000-memory.dmp	UPX
behavioral2/memory/4212-135-0x00007FF734A60000-0x00007FF734DB2000-memory.dmp	UPX
behavioral2/memory/2120-136-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	UPX
behavioral2/memory/216-137-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	UPX
behavioral2/memory/796-138-0x00007FF7B0800000-0x00007FF7B0B52000-memory.dmp	UPX
behavioral2/memory/4792-139-0x00007FF7E57F0000-0x00007FF7E5B42000-memory.dmp	UPX
behavioral2/memory/456-140-0x00007FF702220000-0x00007FF702572000-memory.dmp	UPX
behavioral2/memory/516-141-0x00007FF730D60000-0x00007FF7310B2000-memory.dmp	UPX
behavioral2/memory/1792-142-0x00007FF7931C0000-0x00007FF793512000-memory.dmp	UPX
behavioral2/memory/3156-143-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	UPX
behavioral2/memory/3768-144-0x00007FF7745A0000-0x00007FF7748F2000-memory.dmp	UPX
behavioral2/memory/5092-145-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	UPX
behavioral2/memory/3832-146-0x00007FF7D9070000-0x00007FF7D93C2000-memory.dmp	UPX
behavioral2/memory/4328-147-0x00007FF7C2F10000-0x00007FF7C3262000-memory.dmp	UPX
behavioral2/memory/3264-148-0x00007FF60B3C0000-0x00007FF60B712000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/596-0-0x00007FF6FD540000-0x00007FF6FD892000-memory.dmp	xmrig
behavioral2/files/0x000800000002342c-4.dat	xmrig
behavioral2/memory/3068-7-0x00007FF662F00000-0x00007FF663252000-memory.dmp	xmrig
behavioral2/files/0x000800000002342f-11.dat	xmrig
behavioral2/files/0x0007000000023433-10.dat	xmrig
behavioral2/memory/4212-14-0x00007FF734A60000-0x00007FF734DB2000-memory.dmp	xmrig
behavioral2/memory/2120-18-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	xmrig
behavioral2/memory/216-24-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	xmrig
behavioral2/files/0x0007000000023435-25.dat	xmrig
behavioral2/files/0x0007000000023436-29.dat	xmrig
behavioral2/memory/796-32-0x00007FF7B0800000-0x00007FF7B0B52000-memory.dmp	xmrig
behavioral2/files/0x0007000000023437-36.dat	xmrig
behavioral2/files/0x0007000000023438-42.dat	xmrig
behavioral2/memory/456-44-0x00007FF702220000-0x00007FF702572000-memory.dmp	xmrig
behavioral2/memory/4792-38-0x00007FF7E57F0000-0x00007FF7E5B42000-memory.dmp	xmrig
behavioral2/files/0x0007000000023439-47.dat	xmrig
behavioral2/memory/516-50-0x00007FF730D60000-0x00007FF7310B2000-memory.dmp	xmrig
behavioral2/files/0x0003000000022986-54.dat	xmrig
behavioral2/files/0x0008000000023430-59.dat	xmrig
behavioral2/memory/1792-56-0x00007FF7931C0000-0x00007FF793512000-memory.dmp	xmrig
behavioral2/memory/3156-61-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	xmrig
behavioral2/files/0x000700000002343a-67.dat	xmrig
behavioral2/memory/3068-69-0x00007FF662F00000-0x00007FF663252000-memory.dmp	xmrig
behavioral2/files/0x000700000002343b-75.dat	xmrig
behavioral2/files/0x000700000002343c-79.dat	xmrig
behavioral2/files/0x000700000002343d-84.dat	xmrig
behavioral2/memory/2120-85-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	xmrig
behavioral2/files/0x000700000002343e-93.dat	xmrig
behavioral2/files/0x000700000002343f-97.dat	xmrig
behavioral2/files/0x0007000000023442-112.dat	xmrig
behavioral2/files/0x0007000000023443-115.dat	xmrig
behavioral2/files/0x0007000000023444-122.dat	xmrig
behavioral2/files/0x0007000000023441-110.dat	xmrig
behavioral2/files/0x0007000000023440-106.dat	xmrig
behavioral2/memory/4328-91-0x00007FF7C2F10000-0x00007FF7C3262000-memory.dmp	xmrig
behavioral2/memory/3832-86-0x00007FF7D9070000-0x00007FF7D93C2000-memory.dmp	xmrig
behavioral2/memory/5092-73-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	xmrig
behavioral2/memory/3768-70-0x00007FF7745A0000-0x00007FF7748F2000-memory.dmp	xmrig
behavioral2/memory/596-60-0x00007FF6FD540000-0x00007FF6FD892000-memory.dmp	xmrig
behavioral2/memory/3264-125-0x00007FF60B3C0000-0x00007FF60B712000-memory.dmp	xmrig
behavioral2/memory/3596-127-0x00007FF7A27E0000-0x00007FF7A2B32000-memory.dmp	xmrig
behavioral2/memory/2860-126-0x00007FF785EF0000-0x00007FF786242000-memory.dmp	xmrig
behavioral2/memory/2596-129-0x00007FF62A2E0000-0x00007FF62A632000-memory.dmp	xmrig
behavioral2/memory/2272-131-0x00007FF69A3F0000-0x00007FF69A742000-memory.dmp	xmrig
behavioral2/memory/1056-130-0x00007FF6C6DE0000-0x00007FF6C7132000-memory.dmp	xmrig
behavioral2/memory/1920-128-0x00007FF66E800000-0x00007FF66EB52000-memory.dmp	xmrig
behavioral2/memory/216-124-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	xmrig
behavioral2/memory/3156-132-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	xmrig
behavioral2/memory/5092-133-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	xmrig
behavioral2/memory/3068-134-0x00007FF662F00000-0x00007FF663252000-memory.dmp	xmrig
behavioral2/memory/4212-135-0x00007FF734A60000-0x00007FF734DB2000-memory.dmp	xmrig
behavioral2/memory/2120-136-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	xmrig
behavioral2/memory/216-137-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	xmrig
behavioral2/memory/796-138-0x00007FF7B0800000-0x00007FF7B0B52000-memory.dmp	xmrig
behavioral2/memory/4792-139-0x00007FF7E57F0000-0x00007FF7E5B42000-memory.dmp	xmrig
behavioral2/memory/456-140-0x00007FF702220000-0x00007FF702572000-memory.dmp	xmrig
behavioral2/memory/516-141-0x00007FF730D60000-0x00007FF7310B2000-memory.dmp	xmrig
behavioral2/memory/1792-142-0x00007FF7931C0000-0x00007FF793512000-memory.dmp	xmrig
behavioral2/memory/3156-143-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	xmrig
behavioral2/memory/3768-144-0x00007FF7745A0000-0x00007FF7748F2000-memory.dmp	xmrig
behavioral2/memory/5092-145-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	xmrig
behavioral2/memory/3832-146-0x00007FF7D9070000-0x00007FF7D93C2000-memory.dmp	xmrig
behavioral2/memory/4328-147-0x00007FF7C2F10000-0x00007FF7C3262000-memory.dmp	xmrig
behavioral2/memory/3264-148-0x00007FF60B3C0000-0x00007FF60B712000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3068	sqsLhJU.exe
4212	RzgZCTK.exe
2120	lzMEFRi.exe
216	mAMbkat.exe
796	xsNDBfQ.exe
4792	WYGwbxy.exe
456	roXRxej.exe
516	DoliNZq.exe
1792	zdFrDqb.exe
3156	xVVDZhC.exe
3768	PGSmSPj.exe
5092	RNubtgH.exe
3832	SMOSPiY.exe
4328	nrplNcl.exe
3264	CZvKEBB.exe
2860	bWAzYEP.exe
3596	wKVJDWG.exe
1920	lEDqFfj.exe
2596	NHpfOUU.exe
1056	KAApZos.exe
2272	uHtymXa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/596-0-0x00007FF6FD540000-0x00007FF6FD892000-memory.dmp	upx
behavioral2/files/0x000800000002342c-4.dat	upx
behavioral2/memory/3068-7-0x00007FF662F00000-0x00007FF663252000-memory.dmp	upx
behavioral2/files/0x000800000002342f-11.dat	upx
behavioral2/files/0x0007000000023433-10.dat	upx
behavioral2/memory/4212-14-0x00007FF734A60000-0x00007FF734DB2000-memory.dmp	upx
behavioral2/memory/2120-18-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	upx
behavioral2/memory/216-24-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	upx
behavioral2/files/0x0007000000023435-25.dat	upx
behavioral2/files/0x0007000000023436-29.dat	upx
behavioral2/memory/796-32-0x00007FF7B0800000-0x00007FF7B0B52000-memory.dmp	upx
behavioral2/files/0x0007000000023437-36.dat	upx
behavioral2/files/0x0007000000023438-42.dat	upx
behavioral2/memory/456-44-0x00007FF702220000-0x00007FF702572000-memory.dmp	upx
behavioral2/memory/4792-38-0x00007FF7E57F0000-0x00007FF7E5B42000-memory.dmp	upx
behavioral2/files/0x0007000000023439-47.dat	upx
behavioral2/memory/516-50-0x00007FF730D60000-0x00007FF7310B2000-memory.dmp	upx
behavioral2/files/0x0003000000022986-54.dat	upx
behavioral2/files/0x0008000000023430-59.dat	upx
behavioral2/memory/1792-56-0x00007FF7931C0000-0x00007FF793512000-memory.dmp	upx
behavioral2/memory/3156-61-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	upx
behavioral2/files/0x000700000002343a-67.dat	upx
behavioral2/memory/3068-69-0x00007FF662F00000-0x00007FF663252000-memory.dmp	upx
behavioral2/files/0x000700000002343b-75.dat	upx
behavioral2/files/0x000700000002343c-79.dat	upx
behavioral2/files/0x000700000002343d-84.dat	upx
behavioral2/memory/2120-85-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	upx
behavioral2/files/0x000700000002343e-93.dat	upx
behavioral2/files/0x000700000002343f-97.dat	upx
behavioral2/files/0x0007000000023442-112.dat	upx
behavioral2/files/0x0007000000023443-115.dat	upx
behavioral2/files/0x0007000000023444-122.dat	upx
behavioral2/files/0x0007000000023441-110.dat	upx
behavioral2/files/0x0007000000023440-106.dat	upx
behavioral2/memory/4328-91-0x00007FF7C2F10000-0x00007FF7C3262000-memory.dmp	upx
behavioral2/memory/3832-86-0x00007FF7D9070000-0x00007FF7D93C2000-memory.dmp	upx
behavioral2/memory/5092-73-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	upx
behavioral2/memory/3768-70-0x00007FF7745A0000-0x00007FF7748F2000-memory.dmp	upx
behavioral2/memory/596-60-0x00007FF6FD540000-0x00007FF6FD892000-memory.dmp	upx
behavioral2/memory/3264-125-0x00007FF60B3C0000-0x00007FF60B712000-memory.dmp	upx
behavioral2/memory/3596-127-0x00007FF7A27E0000-0x00007FF7A2B32000-memory.dmp	upx
behavioral2/memory/2860-126-0x00007FF785EF0000-0x00007FF786242000-memory.dmp	upx
behavioral2/memory/2596-129-0x00007FF62A2E0000-0x00007FF62A632000-memory.dmp	upx
behavioral2/memory/2272-131-0x00007FF69A3F0000-0x00007FF69A742000-memory.dmp	upx
behavioral2/memory/1056-130-0x00007FF6C6DE0000-0x00007FF6C7132000-memory.dmp	upx
behavioral2/memory/1920-128-0x00007FF66E800000-0x00007FF66EB52000-memory.dmp	upx
behavioral2/memory/216-124-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	upx
behavioral2/memory/3156-132-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	upx
behavioral2/memory/5092-133-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	upx
behavioral2/memory/3068-134-0x00007FF662F00000-0x00007FF663252000-memory.dmp	upx
behavioral2/memory/4212-135-0x00007FF734A60000-0x00007FF734DB2000-memory.dmp	upx
behavioral2/memory/2120-136-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp	upx
behavioral2/memory/216-137-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp	upx
behavioral2/memory/796-138-0x00007FF7B0800000-0x00007FF7B0B52000-memory.dmp	upx
behavioral2/memory/4792-139-0x00007FF7E57F0000-0x00007FF7E5B42000-memory.dmp	upx
behavioral2/memory/456-140-0x00007FF702220000-0x00007FF702572000-memory.dmp	upx
behavioral2/memory/516-141-0x00007FF730D60000-0x00007FF7310B2000-memory.dmp	upx
behavioral2/memory/1792-142-0x00007FF7931C0000-0x00007FF793512000-memory.dmp	upx
behavioral2/memory/3156-143-0x00007FF716970000-0x00007FF716CC2000-memory.dmp	upx
behavioral2/memory/3768-144-0x00007FF7745A0000-0x00007FF7748F2000-memory.dmp	upx
behavioral2/memory/5092-145-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp	upx
behavioral2/memory/3832-146-0x00007FF7D9070000-0x00007FF7D93C2000-memory.dmp	upx
behavioral2/memory/4328-147-0x00007FF7C2F10000-0x00007FF7C3262000-memory.dmp	upx
behavioral2/memory/3264-148-0x00007FF60B3C0000-0x00007FF60B712000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lzMEFRi.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mAMbkat.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xVVDZhC.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NHpfOUU.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xsNDBfQ.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nrplNcl.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lEDqFfj.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KAApZos.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\roXRxej.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zdFrDqb.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RNubtgH.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CZvKEBB.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bWAzYEP.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uHtymXa.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wKVJDWG.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sqsLhJU.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RzgZCTK.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WYGwbxy.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DoliNZq.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PGSmSPj.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SMOSPiY.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 3068	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	82
PID 596 wrote to memory of 3068	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	82
PID 596 wrote to memory of 4212	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	84
PID 596 wrote to memory of 4212	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	84
PID 596 wrote to memory of 2120	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	86
PID 596 wrote to memory of 2120	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	86
PID 596 wrote to memory of 216	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	89
PID 596 wrote to memory of 216	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	89
PID 596 wrote to memory of 796	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	90
PID 596 wrote to memory of 796	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	90
PID 596 wrote to memory of 4792	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	91
PID 596 wrote to memory of 4792	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	91
PID 596 wrote to memory of 456	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	92
PID 596 wrote to memory of 456	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	92
PID 596 wrote to memory of 516	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	93
PID 596 wrote to memory of 516	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	93
PID 596 wrote to memory of 1792	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	94
PID 596 wrote to memory of 1792	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	94
PID 596 wrote to memory of 3156	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	95
PID 596 wrote to memory of 3156	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	95
PID 596 wrote to memory of 3768	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	96
PID 596 wrote to memory of 3768	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	96
PID 596 wrote to memory of 5092	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	97
PID 596 wrote to memory of 5092	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	97
PID 596 wrote to memory of 3832	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	98
PID 596 wrote to memory of 3832	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	98
PID 596 wrote to memory of 4328	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	99
PID 596 wrote to memory of 4328	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	99
PID 596 wrote to memory of 3264	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	100
PID 596 wrote to memory of 3264	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	100
PID 596 wrote to memory of 2860	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	101
PID 596 wrote to memory of 2860	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	101
PID 596 wrote to memory of 3596	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	102
PID 596 wrote to memory of 3596	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	102
PID 596 wrote to memory of 1920	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	103
PID 596 wrote to memory of 1920	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	103
PID 596 wrote to memory of 2596	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	104
PID 596 wrote to memory of 2596	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	104
PID 596 wrote to memory of 1056	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	105
PID 596 wrote to memory of 1056	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	105
PID 596 wrote to memory of 2272	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	106
PID 596 wrote to memory of 2272	596	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\System\sqsLhJU.exe
  C:\Windows\System\sqsLhJU.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\RzgZCTK.exe
  C:\Windows\System\RzgZCTK.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\lzMEFRi.exe
  C:\Windows\System\lzMEFRi.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\mAMbkat.exe
  C:\Windows\System\mAMbkat.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\xsNDBfQ.exe
  C:\Windows\System\xsNDBfQ.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\WYGwbxy.exe
  C:\Windows\System\WYGwbxy.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\roXRxej.exe
  C:\Windows\System\roXRxej.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\DoliNZq.exe
  C:\Windows\System\DoliNZq.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\zdFrDqb.exe
  C:\Windows\System\zdFrDqb.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\xVVDZhC.exe
  C:\Windows\System\xVVDZhC.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\PGSmSPj.exe
  C:\Windows\System\PGSmSPj.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\RNubtgH.exe
  C:\Windows\System\RNubtgH.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\SMOSPiY.exe
  C:\Windows\System\SMOSPiY.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\nrplNcl.exe
  C:\Windows\System\nrplNcl.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\CZvKEBB.exe
  C:\Windows\System\CZvKEBB.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\bWAzYEP.exe
  C:\Windows\System\bWAzYEP.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\wKVJDWG.exe
  C:\Windows\System\wKVJDWG.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\lEDqFfj.exe
  C:\Windows\System\lEDqFfj.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\NHpfOUU.exe
  C:\Windows\System\NHpfOUU.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\KAApZos.exe
  C:\Windows\System\KAApZos.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\uHtymXa.exe
  C:\Windows\System\uHtymXa.exe
  2⤵
  - Executes dropped EXE
  PID:2272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CZvKEBB.exe

Filesize
8.3MB

MD5
40b5a473452c7b4bd1b3b28df66ae632

SHA1
beb3b21f9a13afdfb3fa2565695ebc81d45d62c7

SHA256
689ba780e161776530450de8a9943ed101ac33452b7df0d6f005fce52ed571eb

SHA512
0cee3e08b3a9349f34c2f00459d14f9d40ce95fe457140c6cd5b4cf0b6550062e09ce0a1b3115d707312fc6fe76431b9f17f3cca30ad33ebb8896558b6dad0a2

Download Submit
C:\Windows\System\DoliNZq.exe

Filesize
8.3MB

MD5
f44602813b49db78fcb1404a889bd280

SHA1
0dd4c0649f8d007dc3b37cb99f6af759bd0abf8b

SHA256
2baed79f38a3d8420abae71123974117dadc691aca99ef29c77ad8f471bea436

SHA512
d121fd0a26f01bca2127d23b4cbf3842df560fbdf4b891946039443ea2db041ff1d12611026231b06bd7e43aca30a66972ac14c2b7921acd6abea993f311e2e7

Download Submit
C:\Windows\System\KAApZos.exe

Filesize
8.3MB

MD5
3f8447caa6285dc9b612c5a4ff45ea71

SHA1
da1dbff1242afb95c05743051a07124c339ed4be

SHA256
9b7deaa0b39150cef0e55500656448d0e30433b905951a758e41d330b4abbdc7

SHA512
b12b40e5f4a6b90b85329749263d4a041ddf808e2bc4b68a0d125dea2e4cbf0d659aa3be79b5985d1cac531a15b91f98442ed212e15a0b23571413fdf82a063d

Download Submit
C:\Windows\System\NHpfOUU.exe

Filesize
8.3MB

MD5
7277195d059e320bd0cff837c5c5f2ee

SHA1
bab0a06b24d4d10af55f7995ffb3337ef96ec1a0

SHA256
35cfe17bfdbfb325d92203bcd333b1b779c2d2caaaea82ff80a27a7b67dd5b47

SHA512
acd44fa3eb1156dfa2cbf9535c935c4f97916038f19fee65db3e82732c8e39695dfa05d7fa5a41e4baa384ba409b0b678ae8627cbf8b07a39756cde1d82238e2

Download Submit
C:\Windows\System\PGSmSPj.exe

Filesize
8.3MB

MD5
9d17d0de0a8e1e29eee9445f3a953165

SHA1
f9574552bca1376b3c0a26aa4977a1942c2b8885

SHA256
89d9a9f032594879bd884a6b54a46ac825661894dab49ea4604c79698b028859

SHA512
f9f260c257ccf283ace03b191ba6c06ef5b48bc819d3edaac23fbf5bbd7bf1c0bd4cbe62fa6edfdf947882866d2acd8d670af316b38499878c373f5e13301da0

Download Submit
C:\Windows\System\RNubtgH.exe

Filesize
8.3MB

MD5
1d99e4b381c2612098b2f381333daf4d

SHA1
6352799b57dc9122ddecd0e94dcbca090bb29b84

SHA256
b57edaa2bc8e10e2bc53556b23bb424bc1fd84fbe18292e4606270c6d31741f0

SHA512
f5a024f7d077cc140fc02b163eb729ccd593f63765f7c43879fd59d790be4be9fb21fb1a278392c79c44bb62080f5c566b9008a8742b5621921a8cceb350ecd4

Download Submit
C:\Windows\System\RzgZCTK.exe

Filesize
8.3MB

MD5
e72af44406c3e87fafa5a87729323c04

SHA1
0ad61ae1d7f5f170ebbec60024ae4e16abfea1cd

SHA256
2baf793ccf51db34bb7425802bb4f5b19580c812cb267a4f9fde37ea017e3834

SHA512
c3510e3ff249598a0f55ec4d07716c6ca050be207cf524f79e109f9201b955a5d4f9707c6277edd9bf5bf296a2fe317eccba2877c87906d9192998f2725bef0f

Download Submit
C:\Windows\System\SMOSPiY.exe

Filesize
8.3MB

MD5
60d3fe2a7cef6f053faa4ad37cd23b21

SHA1
00ae2a84da353b42e3976eaf7914fea969b0db1f

SHA256
264d1bb13472d8a4b097cc9830500e0892e99f4b36423e753cc21710cefae75f

SHA512
0ba698c70ecc46e2c910411eefb847a05ba6a30dba81aa650c051a13e2708ea98893ced68bdf4b96a1fb03f0a8a716adc2c52eac9cf83b02cc5c8d78f933258f

Download Submit
C:\Windows\System\WYGwbxy.exe

Filesize
8.3MB

MD5
4ece9e933b8c7aa307170c87b8f0929d

SHA1
d2b0bd0273d761587ac747aeff547eb05b01a1d2

SHA256
7583a42f19569eca88473cc3d2041f809c1f85d41837a177d5a7a94273bc3da4

SHA512
b9b5c6d57a6234b99d57d1d2d76875eab07f6ac4ea0201db50630321bf9f52d40abc50fa0a6279bed9499c656b97802d322857e360854220769655e5328d5bd4

Download Submit
C:\Windows\System\bWAzYEP.exe

Filesize
8.3MB

MD5
b610cceef0984fa4ccd290fd805462d3

SHA1
7ff6d0b7ce63712a6582be22d3ccdda43534d989

SHA256
268845b097694670cf49dc94d44895f59582def5d84c99e5381ac89bb1f03265

SHA512
54143bf6c962b866a3a7dc862c6806f6d57ea9b4ad013c8514b12efe5e927637e4ea493851baef3ba12579d61603c3e9fbac059933b08beeb57fe57113dfc78d

Download Submit
C:\Windows\System\lEDqFfj.exe

Filesize
8.3MB

MD5
9dbfd6e890dcb51a30fe70d0004ed58a

SHA1
2f7dfa56ce4b2bf1619cb37f930d7da1e510cacd

SHA256
318ed3ac179fe2567356d61e2166eafa8feb5f1dcd3e2e32f25693d43e271a18

SHA512
c226e0d5fcbe02edb0f988d647a7bf8fce1ca3a913458ed6edc5f677bc528d71336dd131c8ccd920a5867c7d4fd0277ca225c3367aa7634d45b158e18da27de9

Download Submit
C:\Windows\System\lzMEFRi.exe

Filesize
8.3MB

MD5
b483f1de545510bdb82f93b3b064154a

SHA1
7072c308bb077da64a95aefd8c95283acc2eb616

SHA256
fce84dc0f7a92584e43712ba2f6b40f2b46fdb78d50ad8900fa8d475e7a043ac

SHA512
b2cb21e3c018035e08da57d9fa5a1ae0e226acb3b5b5c998a9ef41dceac5133a019d11f7a8603a64976721ec5248332d0ac77d351acdde9bfd9f35c0b4ac0299

Download Submit
C:\Windows\System\mAMbkat.exe

Filesize
8.3MB

MD5
b091a63a1c8242182beb9410e9ef2d2f

SHA1
6e05a0649975475e2fca41bcbbb15ded8e27927b

SHA256
92fd99c05c8dcde9cee97c15b382c0d8c9d4708f315391a78e4a8302f9b20208

SHA512
cab45bdc2a536df3b09539938dc668c8b63531af0fa1d9b84d9aefa9d1bc77cd8b3d55845ada5029058410801a74bc3c5021d0513fc9f97d75e2e8944d5841ba

Download Submit
C:\Windows\System\nrplNcl.exe

Filesize
8.3MB

MD5
cd58e0aa41999b395187cbe6132682e3

SHA1
5d09d92989267377ec0684bf181fe6ee6a95b737

SHA256
d3fe57145fdd231348e2faf3cfdf59c7cae9d13466f951911c5467bdd3a87654

SHA512
e0edcf4a6775290040b9115acbf11858291ea1d28114b33abc665f307a55a62bac3e679fb75ad2c90e0d69f0a6ae1a5673de241137dbea112652d3ed4d8bebf8

Download Submit
C:\Windows\System\roXRxej.exe

Filesize
8.3MB

MD5
3bd658c4081c68b3b0d3161daa9e66f6

SHA1
6b3321480b8d1eaf09484cbd7b3087279246f3d5

SHA256
863419dcaf96dc76ba50b866f86080bb410e91bbb050f5f91b4809b3aaad294c

SHA512
0ae648bc2da77418cb857a440fd56f1be0b67ed382341eed2abba33e03ff65175ed80d44127279de933ef6ea64aedb57cde8a974bea317fa690cf59a4d728a99

Download Submit
C:\Windows\System\sqsLhJU.exe

Filesize
8.3MB

MD5
765455ca60da7f128df11d829909dea1

SHA1
c73727bb3e6294a518a98ee57ff8fa3dfed94d50

SHA256
e8f4e8c557aee6e0808659851f6324069346d5ce08036ba8c7988f3b4c631847

SHA512
effc3f09f4d9debe6956953fb7385840ea37d6ce8fde5f824208ce7c292f867237a7cb2c64a919828ee363ffc4425f68ede2d4e411d2de817c7bdbbbece01215

Download Submit
C:\Windows\System\uHtymXa.exe

Filesize
8.3MB

MD5
458b1263bcf3369aaa007c033fd96ac1

SHA1
8d6c964c0f61ec859c530066f92658cf4716701d

SHA256
a4e3e46883c7b83895b63ed142b1c0525b6433444f8321ec09ba2910ce2ee4ef

SHA512
f81c9319b40ddff709632338789297287af2d40cc1c11ecedb745b9d2b27f211459e5bd5228a9249cf1b0cf68e1e9921f92cbe471fd365203e3e0f88cdd2e9a7

Download Submit
C:\Windows\System\wKVJDWG.exe

Filesize
8.3MB

MD5
6415755e764e5dd82a8e0b709fe76a0e

SHA1
0423cc8e1efbb29a370120cf8750ea16a390ad27

SHA256
932163391550d2041670e6d1ca40591f40ae9fc84e28a6feacc79b0a0f6d3be6

SHA512
a6d01310c9c0e07c1513afdef90a9ebf8f2112a6e43376bdf1d944fdaca88b8445a3943bbeb4484026741bcf911e29747cc9b5b6f5fbfcc09685869e0cb5651f

Download Submit
C:\Windows\System\xVVDZhC.exe

Filesize
8.3MB

MD5
697abcd1807adf423e45a55c8086f697

SHA1
9138e71fa4f59ac3df0886ddf9890be28db37e58

SHA256
80d3aeea2a33c3ce42fd947e19bb9961e27fe35587ddfe3b6beba68274504425

SHA512
63186adc55178c2fc00686c3729837bf9074ec09113df38c0791d66002c180c4ba0cab34b3c34ef1da3afb0c1f6d77f8281e2ec326d3fd00f971ca50e1bbd5d6

Download Submit
C:\Windows\System\xsNDBfQ.exe

Filesize
8.3MB

MD5
52d9c1a663978f278c856d6b786a9ec1

SHA1
86474bc8010a8d2f64f0cf62a712436c0ba2e843

SHA256
e417ab75f9dc5e5c8f21c44378cb4b3eaeffdc46ca7bb74c7d9cdce2852161e5

SHA512
111b70b6ba7ecf168c10bae64b34cc62579925518d6b4e7ccd6f875f7e2292f10f63f96fb8bd80ebc2b988dd1fc8734681fc670df501fafaf2e61758100fa2dd

Download Submit
C:\Windows\System\zdFrDqb.exe

Filesize
8.3MB

MD5
53c3106d64c657a755f0d8be6684ad2c

SHA1
5f0df248eb68237b4ab597841fd15ca8ae8cb9c2

SHA256
095c04a00f5837feb7b1427c07fe0a334911a80344c778a17caa5f84ff120421

SHA512
e7d242fac240f35f4d72b218122b854516e1a805c9a8972eda1c79a5b442c48504832698399b985f1efdb2c62e8c05a2a32fa522f8c09776ced5eec3fa7273df

Download Submit
memory/216-124-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp

Filesize
3.3MB

Download
memory/216-137-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp

Filesize
3.3MB

Download
memory/216-24-0x00007FF69EF50000-0x00007FF69F2A2000-memory.dmp

Filesize
3.3MB

Download
memory/456-44-0x00007FF702220000-0x00007FF702572000-memory.dmp

Filesize
3.3MB

Download
memory/456-140-0x00007FF702220000-0x00007FF702572000-memory.dmp

Filesize
3.3MB

Download
memory/516-50-0x00007FF730D60000-0x00007FF7310B2000-memory.dmp

Filesize
3.3MB

Download
memory/516-141-0x00007FF730D60000-0x00007FF7310B2000-memory.dmp

Filesize
3.3MB

Download
memory/596-60-0x00007FF6FD540000-0x00007FF6FD892000-memory.dmp

Filesize
3.3MB

Download
memory/596-0-0x00007FF6FD540000-0x00007FF6FD892000-memory.dmp

Filesize
3.3MB

Download
memory/596-1-0x0000026E23780000-0x0000026E23790000-memory.dmp

Filesize
64KB

Download
memory/796-32-0x00007FF7B0800000-0x00007FF7B0B52000-memory.dmp

Filesize
3.3MB

Download
memory/796-138-0x00007FF7B0800000-0x00007FF7B0B52000-memory.dmp

Filesize
3.3MB

Download
memory/1056-153-0x00007FF6C6DE0000-0x00007FF6C7132000-memory.dmp

Filesize
3.3MB

Download
memory/1056-130-0x00007FF6C6DE0000-0x00007FF6C7132000-memory.dmp

Filesize
3.3MB

Download
memory/1792-142-0x00007FF7931C0000-0x00007FF793512000-memory.dmp

Filesize
3.3MB

Download
memory/1792-56-0x00007FF7931C0000-0x00007FF793512000-memory.dmp

Filesize
3.3MB

Download
memory/1920-128-0x00007FF66E800000-0x00007FF66EB52000-memory.dmp

Filesize
3.3MB

Download
memory/1920-151-0x00007FF66E800000-0x00007FF66EB52000-memory.dmp

Filesize
3.3MB

Download
memory/2120-85-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp

Filesize
3.3MB

Download
memory/2120-18-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp

Filesize
3.3MB

Download
memory/2120-136-0x00007FF77A470000-0x00007FF77A7C2000-memory.dmp

Filesize
3.3MB

Download
memory/2272-154-0x00007FF69A3F0000-0x00007FF69A742000-memory.dmp

Filesize
3.3MB

Download
memory/2272-131-0x00007FF69A3F0000-0x00007FF69A742000-memory.dmp

Filesize
3.3MB

Download
memory/2596-129-0x00007FF62A2E0000-0x00007FF62A632000-memory.dmp

Filesize
3.3MB

Download
memory/2596-152-0x00007FF62A2E0000-0x00007FF62A632000-memory.dmp

Filesize
3.3MB

Download
memory/2860-126-0x00007FF785EF0000-0x00007FF786242000-memory.dmp

Filesize
3.3MB

Download
memory/2860-149-0x00007FF785EF0000-0x00007FF786242000-memory.dmp

Filesize
3.3MB

Download
memory/3068-7-0x00007FF662F00000-0x00007FF663252000-memory.dmp

Filesize
3.3MB

Download
memory/3068-134-0x00007FF662F00000-0x00007FF663252000-memory.dmp

Filesize
3.3MB

Download
memory/3068-69-0x00007FF662F00000-0x00007FF663252000-memory.dmp

Filesize
3.3MB

Download
memory/3156-132-0x00007FF716970000-0x00007FF716CC2000-memory.dmp

Filesize
3.3MB

Download
memory/3156-61-0x00007FF716970000-0x00007FF716CC2000-memory.dmp

Filesize
3.3MB

Download
memory/3156-143-0x00007FF716970000-0x00007FF716CC2000-memory.dmp

Filesize
3.3MB

Download
memory/3264-148-0x00007FF60B3C0000-0x00007FF60B712000-memory.dmp

Filesize
3.3MB

Download
memory/3264-125-0x00007FF60B3C0000-0x00007FF60B712000-memory.dmp

Filesize
3.3MB

Download
memory/3596-150-0x00007FF7A27E0000-0x00007FF7A2B32000-memory.dmp

Filesize
3.3MB

Download
memory/3596-127-0x00007FF7A27E0000-0x00007FF7A2B32000-memory.dmp

Filesize
3.3MB

Download
memory/3768-144-0x00007FF7745A0000-0x00007FF7748F2000-memory.dmp

Filesize
3.3MB

Download
memory/3768-70-0x00007FF7745A0000-0x00007FF7748F2000-memory.dmp

Filesize
3.3MB

Download
memory/3832-146-0x00007FF7D9070000-0x00007FF7D93C2000-memory.dmp

Filesize
3.3MB

Download
memory/3832-86-0x00007FF7D9070000-0x00007FF7D93C2000-memory.dmp

Filesize
3.3MB

Download
memory/4212-14-0x00007FF734A60000-0x00007FF734DB2000-memory.dmp

Filesize
3.3MB

Download
memory/4212-135-0x00007FF734A60000-0x00007FF734DB2000-memory.dmp

Filesize
3.3MB

Download
memory/4328-147-0x00007FF7C2F10000-0x00007FF7C3262000-memory.dmp

Filesize
3.3MB

Download
memory/4328-91-0x00007FF7C2F10000-0x00007FF7C3262000-memory.dmp

Filesize
3.3MB

Download
memory/4792-38-0x00007FF7E57F0000-0x00007FF7E5B42000-memory.dmp

Filesize
3.3MB

Download
memory/4792-139-0x00007FF7E57F0000-0x00007FF7E5B42000-memory.dmp

Filesize
3.3MB

Download
memory/5092-145-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp

Filesize
3.3MB

Download
memory/5092-133-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp

Filesize
3.3MB

Download
memory/5092-73-0x00007FF7F1A40000-0x00007FF7F1D92000-memory.dmp

Filesize
3.3MB

Download