cobaltstrike | 78b3835885eb90a7f12866283d1d7b8dce16ef125deae7601b1d7ba9b56c62b8

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

bda247ae3f547898a69397190e57a898
SHA1

586ed09e7cc674ee78d4f059991375491f3431ec
SHA256

78b3835885eb90a7f12866283d1d7b8dce16ef125deae7601b1d7ba9b56c62b8
SHA512

7c4308fb80343b02e12962c4e15c19f7d8669b2e4672023a1b16705edceb92869f8db9283325123790a429fe3cb8c4db4c09461860b03eb668849dd0627c4c7f
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU8:Q+856utgpPF8u/78

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233ec-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f0-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f1-13.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f2-22.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233ed-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f3-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f4-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f5-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f8-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f9-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fa-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fb-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fc-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fd-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fe-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ff-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023400-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023403-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023402-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023401-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f6-59.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233ec-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f0-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f1-13.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f2-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233ed-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f3-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f4-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f5-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f8-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f9-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fa-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fb-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fc-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fd-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fe-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ff-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023400-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023403-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023402-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023401-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f6-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4168-0-0x00007FF62D5A0000-0x00007FF62D8F4000-memory.dmp	UPX
behavioral2/files/0x00080000000233ec-6.dat	UPX
behavioral2/memory/2992-8-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	UPX
behavioral2/files/0x00070000000233f0-10.dat	UPX
behavioral2/files/0x00070000000233f1-13.dat	UPX
behavioral2/memory/4640-20-0x00007FF6D6390000-0x00007FF6D66E4000-memory.dmp	UPX
behavioral2/memory/2608-14-0x00007FF681B30000-0x00007FF681E84000-memory.dmp	UPX
behavioral2/files/0x00070000000233f2-22.dat	UPX
behavioral2/memory/3504-26-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	UPX
behavioral2/files/0x00080000000233ed-29.dat	UPX
behavioral2/files/0x00070000000233f3-35.dat	UPX
behavioral2/memory/2852-33-0x00007FF691CF0000-0x00007FF692044000-memory.dmp	UPX
behavioral2/memory/2120-38-0x00007FF665DE0000-0x00007FF666134000-memory.dmp	UPX
behavioral2/files/0x00070000000233f4-40.dat	UPX
behavioral2/memory/2200-44-0x00007FF7CCB70000-0x00007FF7CCEC4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f5-47.dat	UPX
behavioral2/memory/4208-50-0x00007FF70F240000-0x00007FF70F594000-memory.dmp	UPX
behavioral2/files/0x00070000000233f8-57.dat	UPX
behavioral2/memory/3448-61-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f9-67.dat	UPX
behavioral2/files/0x00070000000233fa-72.dat	UPX
behavioral2/memory/4608-74-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	UPX
behavioral2/memory/1172-77-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	UPX
behavioral2/files/0x00070000000233fb-81.dat	UPX
behavioral2/files/0x00070000000233fc-86.dat	UPX
behavioral2/files/0x00070000000233fd-90.dat	UPX
behavioral2/files/0x00070000000233fe-95.dat	UPX
behavioral2/files/0x00070000000233ff-100.dat	UPX
behavioral2/files/0x0007000000023400-109.dat	UPX
behavioral2/files/0x0007000000023403-120.dat	UPX
behavioral2/files/0x0007000000023402-118.dat	UPX
behavioral2/files/0x0007000000023401-114.dat	UPX
behavioral2/memory/2548-73-0x00007FF7E7E90000-0x00007FF7E81E4000-memory.dmp	UPX
behavioral2/memory/2992-71-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	UPX
behavioral2/memory/4284-65-0x00007FF73D0E0000-0x00007FF73D434000-memory.dmp	UPX
behavioral2/memory/4168-62-0x00007FF62D5A0000-0x00007FF62D8F4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f6-59.dat	UPX
behavioral2/memory/3504-122-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	UPX
behavioral2/memory/404-124-0x00007FF6B71C0000-0x00007FF6B7514000-memory.dmp	UPX
behavioral2/memory/3156-125-0x00007FF7982D0000-0x00007FF798624000-memory.dmp	UPX
behavioral2/memory/764-123-0x00007FF7488B0000-0x00007FF748C04000-memory.dmp	UPX
behavioral2/memory/4728-126-0x00007FF6F33E0000-0x00007FF6F3734000-memory.dmp	UPX
behavioral2/memory/2736-127-0x00007FF774E30000-0x00007FF775184000-memory.dmp	UPX
behavioral2/memory/520-128-0x00007FF6E9DE0000-0x00007FF6EA134000-memory.dmp	UPX
behavioral2/memory/4544-130-0x00007FF79A090000-0x00007FF79A3E4000-memory.dmp	UPX
behavioral2/memory/4372-129-0x00007FF68FD30000-0x00007FF690084000-memory.dmp	UPX
behavioral2/memory/3448-131-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	UPX
behavioral2/memory/4608-132-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	UPX
behavioral2/memory/1172-133-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	UPX
behavioral2/memory/2992-134-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	UPX
behavioral2/memory/2608-135-0x00007FF681B30000-0x00007FF681E84000-memory.dmp	UPX
behavioral2/memory/4640-136-0x00007FF6D6390000-0x00007FF6D66E4000-memory.dmp	UPX
behavioral2/memory/3504-137-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	UPX
behavioral2/memory/2852-138-0x00007FF691CF0000-0x00007FF692044000-memory.dmp	UPX
behavioral2/memory/2120-139-0x00007FF665DE0000-0x00007FF666134000-memory.dmp	UPX
behavioral2/memory/2200-140-0x00007FF7CCB70000-0x00007FF7CCEC4000-memory.dmp	UPX
behavioral2/memory/4208-141-0x00007FF70F240000-0x00007FF70F594000-memory.dmp	UPX
behavioral2/memory/4284-142-0x00007FF73D0E0000-0x00007FF73D434000-memory.dmp	UPX
behavioral2/memory/3448-143-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	UPX
behavioral2/memory/2548-144-0x00007FF7E7E90000-0x00007FF7E81E4000-memory.dmp	UPX
behavioral2/memory/4608-145-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	UPX
behavioral2/memory/1172-146-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	UPX
behavioral2/memory/404-148-0x00007FF6B71C0000-0x00007FF6B7514000-memory.dmp	UPX
behavioral2/memory/764-147-0x00007FF7488B0000-0x00007FF748C04000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4168-0-0x00007FF62D5A0000-0x00007FF62D8F4000-memory.dmp	xmrig
behavioral2/files/0x00080000000233ec-6.dat	xmrig
behavioral2/memory/2992-8-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f0-10.dat	xmrig
behavioral2/files/0x00070000000233f1-13.dat	xmrig
behavioral2/memory/4640-20-0x00007FF6D6390000-0x00007FF6D66E4000-memory.dmp	xmrig
behavioral2/memory/2608-14-0x00007FF681B30000-0x00007FF681E84000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f2-22.dat	xmrig
behavioral2/memory/3504-26-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	xmrig
behavioral2/files/0x00080000000233ed-29.dat	xmrig
behavioral2/files/0x00070000000233f3-35.dat	xmrig
behavioral2/memory/2852-33-0x00007FF691CF0000-0x00007FF692044000-memory.dmp	xmrig
behavioral2/memory/2120-38-0x00007FF665DE0000-0x00007FF666134000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f4-40.dat	xmrig
behavioral2/memory/2200-44-0x00007FF7CCB70000-0x00007FF7CCEC4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f5-47.dat	xmrig
behavioral2/memory/4208-50-0x00007FF70F240000-0x00007FF70F594000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f8-57.dat	xmrig
behavioral2/memory/3448-61-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f9-67.dat	xmrig
behavioral2/files/0x00070000000233fa-72.dat	xmrig
behavioral2/memory/4608-74-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	xmrig
behavioral2/memory/1172-77-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fb-81.dat	xmrig
behavioral2/files/0x00070000000233fc-86.dat	xmrig
behavioral2/files/0x00070000000233fd-90.dat	xmrig
behavioral2/files/0x00070000000233fe-95.dat	xmrig
behavioral2/files/0x00070000000233ff-100.dat	xmrig
behavioral2/files/0x0007000000023400-109.dat	xmrig
behavioral2/files/0x0007000000023403-120.dat	xmrig
behavioral2/files/0x0007000000023402-118.dat	xmrig
behavioral2/files/0x0007000000023401-114.dat	xmrig
behavioral2/memory/2548-73-0x00007FF7E7E90000-0x00007FF7E81E4000-memory.dmp	xmrig
behavioral2/memory/2992-71-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	xmrig
behavioral2/memory/4284-65-0x00007FF73D0E0000-0x00007FF73D434000-memory.dmp	xmrig
behavioral2/memory/4168-62-0x00007FF62D5A0000-0x00007FF62D8F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f6-59.dat	xmrig
behavioral2/memory/3504-122-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	xmrig
behavioral2/memory/404-124-0x00007FF6B71C0000-0x00007FF6B7514000-memory.dmp	xmrig
behavioral2/memory/3156-125-0x00007FF7982D0000-0x00007FF798624000-memory.dmp	xmrig
behavioral2/memory/764-123-0x00007FF7488B0000-0x00007FF748C04000-memory.dmp	xmrig
behavioral2/memory/4728-126-0x00007FF6F33E0000-0x00007FF6F3734000-memory.dmp	xmrig
behavioral2/memory/2736-127-0x00007FF774E30000-0x00007FF775184000-memory.dmp	xmrig
behavioral2/memory/520-128-0x00007FF6E9DE0000-0x00007FF6EA134000-memory.dmp	xmrig
behavioral2/memory/4544-130-0x00007FF79A090000-0x00007FF79A3E4000-memory.dmp	xmrig
behavioral2/memory/4372-129-0x00007FF68FD30000-0x00007FF690084000-memory.dmp	xmrig
behavioral2/memory/3448-131-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	xmrig
behavioral2/memory/4608-132-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	xmrig
behavioral2/memory/1172-133-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	xmrig
behavioral2/memory/2992-134-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	xmrig
behavioral2/memory/2608-135-0x00007FF681B30000-0x00007FF681E84000-memory.dmp	xmrig
behavioral2/memory/4640-136-0x00007FF6D6390000-0x00007FF6D66E4000-memory.dmp	xmrig
behavioral2/memory/3504-137-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	xmrig
behavioral2/memory/2852-138-0x00007FF691CF0000-0x00007FF692044000-memory.dmp	xmrig
behavioral2/memory/2120-139-0x00007FF665DE0000-0x00007FF666134000-memory.dmp	xmrig
behavioral2/memory/2200-140-0x00007FF7CCB70000-0x00007FF7CCEC4000-memory.dmp	xmrig
behavioral2/memory/4208-141-0x00007FF70F240000-0x00007FF70F594000-memory.dmp	xmrig
behavioral2/memory/4284-142-0x00007FF73D0E0000-0x00007FF73D434000-memory.dmp	xmrig
behavioral2/memory/3448-143-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	xmrig
behavioral2/memory/2548-144-0x00007FF7E7E90000-0x00007FF7E81E4000-memory.dmp	xmrig
behavioral2/memory/4608-145-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	xmrig
behavioral2/memory/1172-146-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	xmrig
behavioral2/memory/404-148-0x00007FF6B71C0000-0x00007FF6B7514000-memory.dmp	xmrig
behavioral2/memory/764-147-0x00007FF7488B0000-0x00007FF748C04000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2992	eWXhaGl.exe
2608	QQBIfNw.exe
4640	fXzlflk.exe
3504	oMwRshR.exe
2852	FCTyQoR.exe
2120	FPywHGF.exe
2200	ktknddO.exe
4208	yugGfdZ.exe
3448	dfxpdGP.exe
4284	JArXSfN.exe
2548	UwjcFVD.exe
4608	VnYPMRX.exe
1172	PDeSFfz.exe
764	wcNHZvF.exe
404	jwDYtKL.exe
3156	ZcMVNFp.exe
4728	oRjliSt.exe
2736	hyEcTHO.exe
520	qgJENdi.exe
4372	NxCiAFq.exe
4544	LElJvPV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4168-0-0x00007FF62D5A0000-0x00007FF62D8F4000-memory.dmp	upx
behavioral2/files/0x00080000000233ec-6.dat	upx
behavioral2/memory/2992-8-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	upx
behavioral2/files/0x00070000000233f0-10.dat	upx
behavioral2/files/0x00070000000233f1-13.dat	upx
behavioral2/memory/4640-20-0x00007FF6D6390000-0x00007FF6D66E4000-memory.dmp	upx
behavioral2/memory/2608-14-0x00007FF681B30000-0x00007FF681E84000-memory.dmp	upx
behavioral2/files/0x00070000000233f2-22.dat	upx
behavioral2/memory/3504-26-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	upx
behavioral2/files/0x00080000000233ed-29.dat	upx
behavioral2/files/0x00070000000233f3-35.dat	upx
behavioral2/memory/2852-33-0x00007FF691CF0000-0x00007FF692044000-memory.dmp	upx
behavioral2/memory/2120-38-0x00007FF665DE0000-0x00007FF666134000-memory.dmp	upx
behavioral2/files/0x00070000000233f4-40.dat	upx
behavioral2/memory/2200-44-0x00007FF7CCB70000-0x00007FF7CCEC4000-memory.dmp	upx
behavioral2/files/0x00070000000233f5-47.dat	upx
behavioral2/memory/4208-50-0x00007FF70F240000-0x00007FF70F594000-memory.dmp	upx
behavioral2/files/0x00070000000233f8-57.dat	upx
behavioral2/memory/3448-61-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	upx
behavioral2/files/0x00070000000233f9-67.dat	upx
behavioral2/files/0x00070000000233fa-72.dat	upx
behavioral2/memory/4608-74-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	upx
behavioral2/memory/1172-77-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	upx
behavioral2/files/0x00070000000233fb-81.dat	upx
behavioral2/files/0x00070000000233fc-86.dat	upx
behavioral2/files/0x00070000000233fd-90.dat	upx
behavioral2/files/0x00070000000233fe-95.dat	upx
behavioral2/files/0x00070000000233ff-100.dat	upx
behavioral2/files/0x0007000000023400-109.dat	upx
behavioral2/files/0x0007000000023403-120.dat	upx
behavioral2/files/0x0007000000023402-118.dat	upx
behavioral2/files/0x0007000000023401-114.dat	upx
behavioral2/memory/2548-73-0x00007FF7E7E90000-0x00007FF7E81E4000-memory.dmp	upx
behavioral2/memory/2992-71-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	upx
behavioral2/memory/4284-65-0x00007FF73D0E0000-0x00007FF73D434000-memory.dmp	upx
behavioral2/memory/4168-62-0x00007FF62D5A0000-0x00007FF62D8F4000-memory.dmp	upx
behavioral2/files/0x00070000000233f6-59.dat	upx
behavioral2/memory/3504-122-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	upx
behavioral2/memory/404-124-0x00007FF6B71C0000-0x00007FF6B7514000-memory.dmp	upx
behavioral2/memory/3156-125-0x00007FF7982D0000-0x00007FF798624000-memory.dmp	upx
behavioral2/memory/764-123-0x00007FF7488B0000-0x00007FF748C04000-memory.dmp	upx
behavioral2/memory/4728-126-0x00007FF6F33E0000-0x00007FF6F3734000-memory.dmp	upx
behavioral2/memory/2736-127-0x00007FF774E30000-0x00007FF775184000-memory.dmp	upx
behavioral2/memory/520-128-0x00007FF6E9DE0000-0x00007FF6EA134000-memory.dmp	upx
behavioral2/memory/4544-130-0x00007FF79A090000-0x00007FF79A3E4000-memory.dmp	upx
behavioral2/memory/4372-129-0x00007FF68FD30000-0x00007FF690084000-memory.dmp	upx
behavioral2/memory/3448-131-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	upx
behavioral2/memory/4608-132-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	upx
behavioral2/memory/1172-133-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	upx
behavioral2/memory/2992-134-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp	upx
behavioral2/memory/2608-135-0x00007FF681B30000-0x00007FF681E84000-memory.dmp	upx
behavioral2/memory/4640-136-0x00007FF6D6390000-0x00007FF6D66E4000-memory.dmp	upx
behavioral2/memory/3504-137-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	upx
behavioral2/memory/2852-138-0x00007FF691CF0000-0x00007FF692044000-memory.dmp	upx
behavioral2/memory/2120-139-0x00007FF665DE0000-0x00007FF666134000-memory.dmp	upx
behavioral2/memory/2200-140-0x00007FF7CCB70000-0x00007FF7CCEC4000-memory.dmp	upx
behavioral2/memory/4208-141-0x00007FF70F240000-0x00007FF70F594000-memory.dmp	upx
behavioral2/memory/4284-142-0x00007FF73D0E0000-0x00007FF73D434000-memory.dmp	upx
behavioral2/memory/3448-143-0x00007FF617050000-0x00007FF6173A4000-memory.dmp	upx
behavioral2/memory/2548-144-0x00007FF7E7E90000-0x00007FF7E81E4000-memory.dmp	upx
behavioral2/memory/4608-145-0x00007FF608EF0000-0x00007FF609244000-memory.dmp	upx
behavioral2/memory/1172-146-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp	upx
behavioral2/memory/404-148-0x00007FF6B71C0000-0x00007FF6B7514000-memory.dmp	upx
behavioral2/memory/764-147-0x00007FF7488B0000-0x00007FF748C04000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\eWXhaGl.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UwjcFVD.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VnYPMRX.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LElJvPV.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JArXSfN.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PDeSFfz.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wcNHZvF.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jwDYtKL.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FCTyQoR.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FPywHGF.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ktknddO.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dfxpdGP.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NxCiAFq.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fXzlflk.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oMwRshR.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZcMVNFp.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qgJENdi.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QQBIfNw.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yugGfdZ.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oRjliSt.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hyEcTHO.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 2992	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	83
PID 4168 wrote to memory of 2992	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	83
PID 4168 wrote to memory of 2608	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	84
PID 4168 wrote to memory of 2608	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	84
PID 4168 wrote to memory of 4640	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	85
PID 4168 wrote to memory of 4640	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	85
PID 4168 wrote to memory of 3504	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	86
PID 4168 wrote to memory of 3504	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	86
PID 4168 wrote to memory of 2852	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	87
PID 4168 wrote to memory of 2852	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	87
PID 4168 wrote to memory of 2120	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	88
PID 4168 wrote to memory of 2120	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	88
PID 4168 wrote to memory of 2200	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	90
PID 4168 wrote to memory of 2200	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	90
PID 4168 wrote to memory of 4208	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	92
PID 4168 wrote to memory of 4208	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	92
PID 4168 wrote to memory of 3448	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	94
PID 4168 wrote to memory of 3448	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	94
PID 4168 wrote to memory of 4284	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	95
PID 4168 wrote to memory of 4284	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	95
PID 4168 wrote to memory of 2548	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	96
PID 4168 wrote to memory of 2548	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	96
PID 4168 wrote to memory of 4608	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	97
PID 4168 wrote to memory of 4608	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	97
PID 4168 wrote to memory of 1172	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	98
PID 4168 wrote to memory of 1172	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	98
PID 4168 wrote to memory of 764	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	99
PID 4168 wrote to memory of 764	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	99
PID 4168 wrote to memory of 404	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	100
PID 4168 wrote to memory of 404	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	100
PID 4168 wrote to memory of 3156	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	101
PID 4168 wrote to memory of 3156	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	101
PID 4168 wrote to memory of 4728	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	102
PID 4168 wrote to memory of 4728	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	102
PID 4168 wrote to memory of 2736	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	103
PID 4168 wrote to memory of 2736	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	103
PID 4168 wrote to memory of 520	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	104
PID 4168 wrote to memory of 520	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	104
PID 4168 wrote to memory of 4372	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	105
PID 4168 wrote to memory of 4372	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	105
PID 4168 wrote to memory of 4544	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	106
PID 4168 wrote to memory of 4544	4168	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\System\eWXhaGl.exe
  C:\Windows\System\eWXhaGl.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\QQBIfNw.exe
  C:\Windows\System\QQBIfNw.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\fXzlflk.exe
  C:\Windows\System\fXzlflk.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\oMwRshR.exe
  C:\Windows\System\oMwRshR.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\FCTyQoR.exe
  C:\Windows\System\FCTyQoR.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\FPywHGF.exe
  C:\Windows\System\FPywHGF.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\ktknddO.exe
  C:\Windows\System\ktknddO.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\yugGfdZ.exe
  C:\Windows\System\yugGfdZ.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System\dfxpdGP.exe
  C:\Windows\System\dfxpdGP.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\JArXSfN.exe
  C:\Windows\System\JArXSfN.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\UwjcFVD.exe
  C:\Windows\System\UwjcFVD.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\VnYPMRX.exe
  C:\Windows\System\VnYPMRX.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\PDeSFfz.exe
  C:\Windows\System\PDeSFfz.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\wcNHZvF.exe
  C:\Windows\System\wcNHZvF.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\jwDYtKL.exe
  C:\Windows\System\jwDYtKL.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\ZcMVNFp.exe
  C:\Windows\System\ZcMVNFp.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\oRjliSt.exe
  C:\Windows\System\oRjliSt.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\hyEcTHO.exe
  C:\Windows\System\hyEcTHO.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\qgJENdi.exe
  C:\Windows\System\qgJENdi.exe
  2⤵
  - Executes dropped EXE
  PID:520
- C:\Windows\System\NxCiAFq.exe
  C:\Windows\System\NxCiAFq.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\LElJvPV.exe
  C:\Windows\System\LElJvPV.exe
  2⤵
  - Executes dropped EXE
  PID:4544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FCTyQoR.exe

Filesize
5.9MB

MD5
913cb599de18ef9c8b2005f81d9fd5f6

SHA1
803aca206eaf8c77e1bd37afb34815bb1eb1d686

SHA256
b20e6645f5e668c5d66ad02faf5226eec775d30f5ee1e9fdc45fb4acd2d62d05

SHA512
3cfdcb0b6b6dede2866e2573aff1aa6f5c9024f2cb4fdb1bb3b0e6dad33e2325f7069622cdc5dbdcd446d3118505437b1a3dfad49b86ab9f9d8094bf890f3f49

Download Submit
C:\Windows\System\FPywHGF.exe

Filesize
5.9MB

MD5
cf3c037d224e595e5c65afaca96f0552

SHA1
91887af8fde42d3b1c662dd5716522a432e69323

SHA256
7ec714d001d7d180a2270541c18f8dbaf4edf312e53c871fe076e7bd277613e3

SHA512
a414f2d94a196f578d532751964d1984dba326faed99d6c7f6c085470c0f50093d131954aa58bce81fe70cdf83f42b0ffcf9b61438b328cfd724db07412f118f

Download Submit
C:\Windows\System\JArXSfN.exe

Filesize
5.9MB

MD5
4a716c304307c6c562cea7d5646a85e8

SHA1
56771174d3ea629ef559890075fe760f504e75a4

SHA256
87e27f75b2f27bb9f1cd9fd03d4b1dfd8541a16520e24580bbead28ca252f377

SHA512
e7d655176241da3ae19be1dd993de26eca34b2f3c53f522b1fc0e79eb1105d8d55ecb48b0494e5ba993261441c5061166d965a3c0b4a519ef64e366d1c65ae6b

Download Submit
C:\Windows\System\LElJvPV.exe

Filesize
5.9MB

MD5
193375eba33ee5b3c71a6f9693483b1a

SHA1
801dfaee29a7de7cd687e1274fa8da0dc4a579be

SHA256
b95f775eb1456a6eade77a925b5546649ca1d27f8caaa90dee8fe78fd2a7d2ba

SHA512
b170f1ba70f062d12cc87f9ae48ad4472435742e14017581de2bee1407f411bf9d78ad94a77893b3aad6974dda75d586b3d467f40a65c8d78c02ef8add07d58f

Download Submit
C:\Windows\System\NxCiAFq.exe

Filesize
5.9MB

MD5
7faaec64cd9322b0040de9528e8188a9

SHA1
df138a6515b23ff28d78908de0ea7b5eb7cb0fe7

SHA256
281cb27aebe9784aba15e5d53aa4adf257fb91c0b9ab94f9cb09b529af026c96

SHA512
1ea3d273e474cb187a7e03b47f73f81743294e8414d110386b8dc37af16e0462b8b8e9ca46b40c064754c14c841db2396a0ae1df39b64021c2c51ebb616aadae

Download Submit
C:\Windows\System\PDeSFfz.exe

Filesize
5.9MB

MD5
f7dca71990d346aaf0bfebc18c844534

SHA1
3bc706d172f1dc8371b1d6303730d1279420ebce

SHA256
e7a7ddb23d2445705dbbffed92e0fd83b800d1bec24db0abd41c939fd28969cf

SHA512
d9b0cce2bfcd26c9fb744dc8b8ed3cf41d407bd3a472cfbc6c4c08fd052612462997d24d8901a02d18c13b39bae9e139926b440fbd09ca3db8c57edc21f930d9

Download Submit
C:\Windows\System\QQBIfNw.exe

Filesize
5.9MB

MD5
1b45910e8dcea302362efefc8dc78c7e

SHA1
623ba61cb5275d869da8ed9658f77129ad7d35fc

SHA256
1198138b9bfa6ead3e11836af798eac1226adbb63f208c4f9ea153760c85d69d

SHA512
cc9b4096d4a29fb141c24e6afe0273bda25401283c65b27c40aefa775f37bca60a8aa051916a17777639fb9438a52873dec52783d8caa3f4ccd065f3af52e6e8

Download Submit
C:\Windows\System\UwjcFVD.exe

Filesize
5.9MB

MD5
c88ed5f04f5843b2a38a076fe5273da2

SHA1
25bc2afa7223dd68bd7d60745311e444c116a4f4

SHA256
2a1ba7871d3d86d39cc8cf14753ee0a7a1ebeeeaa0a477a60c8a6ef0f41939a3

SHA512
fde634773c70d698770da914db60b7e035e42fec101f7a41c942f3d729365f41e887fb1256e6a2b406fb88b6ed5327839cc4129d5a62e8956d1334590abee801

Download Submit
C:\Windows\System\VnYPMRX.exe

Filesize
5.9MB

MD5
88df1b3aad732955f364707e8c6da6b6

SHA1
455697aef486665e0e342f199c357efcd53547c8

SHA256
e71e6a4ec3727e1c31f21e4b02ea009dafb0e2eb65a9bca89034f4d3fa74ac26

SHA512
c8876fea926ddce89206db5030700f87924fbae0e83311d35c362871a66f29738f6b560adf65ea01895971c5429ab029fc1d820dc3139c70036b89a6e1cff3e7

Download Submit
C:\Windows\System\ZcMVNFp.exe

Filesize
5.9MB

MD5
9a971efd1e79e905237d33a4a81e9e75

SHA1
1ae8ba834be67094268a7892c37bab80d6eb2070

SHA256
a47c50c09062ee8f3cbfe6f228b8a107566c570dfa717e3da5e857ca0a8d383d

SHA512
11e4c553c50863bb6c77f102a633e79f7ca78cf3c38240068aba31e9e669433854fb36a74d1424bf4e7e19c7bd3c5f2693e25e66240ce2191c4e2336e90a1a51

Download Submit
C:\Windows\System\dfxpdGP.exe

Filesize
5.9MB

MD5
3cca5d797dc2dfdcfa11f176c99ab90e

SHA1
0d1a1cf6035892475d50c0027184a676c5368e42

SHA256
a8a5038b5d6bed28d4e50585280dfd0f7a7c34b0d6bac82a084f4d7999227df0

SHA512
58e407d63d09de6f27ee72e100146095dcc88b07979d7c9506fbaa8d483c4a7fdd309a21152c59528c041a2113cc2f4e24a24fb76b03db49057af6c8cfb0ace6

Download Submit
C:\Windows\System\eWXhaGl.exe

Filesize
5.9MB

MD5
f33f1ebc160421a4d93fe41612c9e632

SHA1
d25fbaa176d9bb8c4e486b87c5fa88e8ca117656

SHA256
b750163fdfb2d8ad26672b994acfc56c1b142071e409b6880f243d9df0195eaa

SHA512
5a24d555b9a72642fe01036ea3b75890ad877e82490b3f6a11ffb19164fa84c1556e6d3e6b30c6fd96f9c453873dfd23393d4d5c92ca3c44bffbbdb86fdb1c88

Download Submit
C:\Windows\System\fXzlflk.exe

Filesize
5.9MB

MD5
75e04e96094de41898e9ca7ef558148e

SHA1
6c78c32a60275b8389328644e97dd5492812b486

SHA256
54ac1937dce34137af61d0d8004e4f686693f712eca5cbcfd2991f78ea0cfaf5

SHA512
c4b7fe7173bcd3c3dc86bc2acbfe137783c7cc85ce8b3b6daab330856037dcac4f9274ac7d2cba479f4f639ecf3c1ff5b43e76502a4f8b6029d114386a2c14f9

Download Submit
C:\Windows\System\hyEcTHO.exe

Filesize
5.9MB

MD5
1cf28cc816fba784fff8af9ecfd94e60

SHA1
42e228664691e07569b2285764842270fe0320c3

SHA256
db617570a801876f6a8e87933c8d81be22443d353804f3cdac07cd34ceadc5f9

SHA512
d29cda3f9fab3663a8397a950822003821f582a35f9b70540545266d943c8e474826c81de1d95774ed0ab7617d664aacacc38555dc6f9c21da32c7d94ca7b817

Download Submit
C:\Windows\System\jwDYtKL.exe

Filesize
5.9MB

MD5
9f241c3d38474c3b42d2e3d7c3c23993

SHA1
f1e8f16287e96f113f07181df90685303d5f0ee5

SHA256
1c5d8ca87f8266758b16069f8c66d1ad8f45b3d2da4978c3cacfc7c2e37c67e1

SHA512
a3c4c21e0829320e57aa6fac4f83c811d121c9767e1711add92dfa6388c02468e155436b888aee13169651b0fee131f56a088220f90149517f1390d45e869c27

Download Submit
C:\Windows\System\ktknddO.exe

Filesize
5.9MB

MD5
a450b3fafc3ba6aec9c12e28f5262ae8

SHA1
8775ce682fc7851b12bcb1265a21edca4c3b7232

SHA256
bb6957a060337c677d3bda07052bef83daaef7ed7fc29ca6aa6caff65cc28f2a

SHA512
1e77478a2c0f42d8890c84935aa7f20ed655784bba0558e377e6ed6f332de7421ce99b1a6563d892128e66b1a3573715977442992bfc76bf6196ef62a1e24e7b

Download Submit
C:\Windows\System\oMwRshR.exe

Filesize
5.9MB

MD5
ec12a1233b1079fdba3c4bf58089d5ea

SHA1
5f2ec3152e5602220640b2b70ad6e45acea8d8a3

SHA256
4303b5eda7b169a412566ff7be4fea591d5859b9c9caff8b6e1c9f4f749049b0

SHA512
5699f6eeeea471e955539efe17670dc55fe148c2690ba2ed184d7b927d2438111c11820b221d2ef8bdb155952b0f5d558c3d14b1e79598b99ce9817edaf15758

Download Submit
C:\Windows\System\oRjliSt.exe

Filesize
5.9MB

MD5
9544953864722d308861a8c304f0e6f2

SHA1
56bffe9d1f92abc90a19581f61a01d7308b8cf91

SHA256
199e7a6b7c2092c0e0e05c75dced467688bbec9e6a3130c766d242f21465dead

SHA512
30d77e48e82563dc3ca20c03ca8127e53eddd567fb47d58d95452eeed2abfe4807d13a3351b6cdcbbfe4022eb6b293fde222a048a23164b6830f08c17cbf834d

Download Submit
C:\Windows\System\qgJENdi.exe

Filesize
5.9MB

MD5
870f07e02c4fe5483b9d41a32f7c7735

SHA1
f6c6ff11c64a85a2cbc1e6ef78344c7842136c96

SHA256
7db5fbd6b6e2f2713d961de0b45cba827577936de8f95c4947cdedf016565b36

SHA512
d9e8ab036e601f5914f122833b32c13b99938c287542032b69c5387246ece591bd65ccf7fb1d92deb3113e622be0a96e5e714355319ac928361e07722285c4e0

Download Submit
C:\Windows\System\wcNHZvF.exe

Filesize
5.9MB

MD5
1c63e67c31dcfe47a216f492145122a4

SHA1
3caf1dd9d363275cedb8b24f68442e7abfe8d7a5

SHA256
005adcfae2c23ceb0c7971f80da4b7177fdfa3841371d6e3b2bcc1d2f0409d28

SHA512
fe815cfd2a974914cbccc8f0075a5cfb0bd9957251750015b7cc09ad660da5149e868936be4585f536fa40add5b24b477cdfbdee68939acefd2713556b3f7bb8

Download Submit
C:\Windows\System\yugGfdZ.exe

Filesize
5.9MB

MD5
4a724de358e0bdc0b77069968f8bb3cd

SHA1
2d76310b2ebce06b00c6ed2a4dfade73fa4f3b19

SHA256
bd293a2728d0bb52baf12b828aea18d13e7748f26325b3fe7bc92bc751e28c93

SHA512
27c6ecc7d0ba3231262a8c7454b5651b49d811030f01a6fc9db9783e2df7102ddecc1e0c97592fed45055149d02bdb7a24e89f7b03abf89b04eb1919755b7be5

Download Submit
memory/404-124-0x00007FF6B71C0000-0x00007FF6B7514000-memory.dmp

Filesize
3.3MB

Download
memory/404-148-0x00007FF6B71C0000-0x00007FF6B7514000-memory.dmp

Filesize
3.3MB

Download
memory/520-152-0x00007FF6E9DE0000-0x00007FF6EA134000-memory.dmp

Filesize
3.3MB

Download
memory/520-128-0x00007FF6E9DE0000-0x00007FF6EA134000-memory.dmp

Filesize
3.3MB

Download
memory/764-123-0x00007FF7488B0000-0x00007FF748C04000-memory.dmp

Filesize
3.3MB

Download
memory/764-147-0x00007FF7488B0000-0x00007FF748C04000-memory.dmp

Filesize
3.3MB

Download
memory/1172-146-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp

Filesize
3.3MB

Download
memory/1172-133-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp

Filesize
3.3MB

Download
memory/1172-77-0x00007FF71ED60000-0x00007FF71F0B4000-memory.dmp

Filesize
3.3MB

Download
memory/2120-38-0x00007FF665DE0000-0x00007FF666134000-memory.dmp

Filesize
3.3MB

Download
memory/2120-139-0x00007FF665DE0000-0x00007FF666134000-memory.dmp

Filesize
3.3MB

Download
memory/2200-140-0x00007FF7CCB70000-0x00007FF7CCEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2200-44-0x00007FF7CCB70000-0x00007FF7CCEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-144-0x00007FF7E7E90000-0x00007FF7E81E4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-73-0x00007FF7E7E90000-0x00007FF7E81E4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-135-0x00007FF681B30000-0x00007FF681E84000-memory.dmp

Filesize
3.3MB

Download
memory/2608-14-0x00007FF681B30000-0x00007FF681E84000-memory.dmp

Filesize
3.3MB

Download
memory/2736-127-0x00007FF774E30000-0x00007FF775184000-memory.dmp

Filesize
3.3MB

Download
memory/2736-153-0x00007FF774E30000-0x00007FF775184000-memory.dmp

Filesize
3.3MB

Download
memory/2852-138-0x00007FF691CF0000-0x00007FF692044000-memory.dmp

Filesize
3.3MB

Download
memory/2852-33-0x00007FF691CF0000-0x00007FF692044000-memory.dmp

Filesize
3.3MB

Download
memory/2992-71-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp

Filesize
3.3MB

Download
memory/2992-134-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp

Filesize
3.3MB

Download
memory/2992-8-0x00007FF7A5610000-0x00007FF7A5964000-memory.dmp

Filesize
3.3MB

Download
memory/3156-125-0x00007FF7982D0000-0x00007FF798624000-memory.dmp

Filesize
3.3MB

Download
memory/3156-149-0x00007FF7982D0000-0x00007FF798624000-memory.dmp

Filesize
3.3MB

Download
memory/3448-61-0x00007FF617050000-0x00007FF6173A4000-memory.dmp

Filesize
3.3MB

Download
memory/3448-131-0x00007FF617050000-0x00007FF6173A4000-memory.dmp

Filesize
3.3MB

Download
memory/3448-143-0x00007FF617050000-0x00007FF6173A4000-memory.dmp

Filesize
3.3MB

Download
memory/3504-26-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp

Filesize
3.3MB

Download
memory/3504-122-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp

Filesize
3.3MB

Download
memory/3504-137-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp

Filesize
3.3MB

Download
memory/4168-62-0x00007FF62D5A0000-0x00007FF62D8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4168-1-0x000001E443DF0000-0x000001E443E00000-memory.dmp

Filesize
64KB

Download
memory/4168-0-0x00007FF62D5A0000-0x00007FF62D8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4208-141-0x00007FF70F240000-0x00007FF70F594000-memory.dmp

Filesize
3.3MB

Download
memory/4208-50-0x00007FF70F240000-0x00007FF70F594000-memory.dmp

Filesize
3.3MB

Download
memory/4284-142-0x00007FF73D0E0000-0x00007FF73D434000-memory.dmp

Filesize
3.3MB

Download
memory/4284-65-0x00007FF73D0E0000-0x00007FF73D434000-memory.dmp

Filesize
3.3MB

Download
memory/4372-151-0x00007FF68FD30000-0x00007FF690084000-memory.dmp

Filesize
3.3MB

Download
memory/4372-129-0x00007FF68FD30000-0x00007FF690084000-memory.dmp

Filesize
3.3MB

Download
memory/4544-150-0x00007FF79A090000-0x00007FF79A3E4000-memory.dmp

Filesize
3.3MB

Download
memory/4544-130-0x00007FF79A090000-0x00007FF79A3E4000-memory.dmp

Filesize
3.3MB

Download
memory/4608-132-0x00007FF608EF0000-0x00007FF609244000-memory.dmp

Filesize
3.3MB

Download
memory/4608-145-0x00007FF608EF0000-0x00007FF609244000-memory.dmp

Filesize
3.3MB

Download
memory/4608-74-0x00007FF608EF0000-0x00007FF609244000-memory.dmp

Filesize
3.3MB

Download
memory/4640-20-0x00007FF6D6390000-0x00007FF6D66E4000-memory.dmp

Filesize
3.3MB

Download
memory/4640-136-0x00007FF6D6390000-0x00007FF6D66E4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-126-0x00007FF6F33E0000-0x00007FF6F3734000-memory.dmp

Filesize
3.3MB

Download
memory/4728-154-0x00007FF6F33E0000-0x00007FF6F3734000-memory.dmp

Filesize
3.3MB

Download