cobaltstrike | b7f172168180b323c7eabe13d1b41b9cd6a2d274f7668754eefc5f93ecea6863

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

f75ec048d2aaa9b7e109e0a54629072c
SHA1

f46335b57a565a80b2de855e7f9c249af4ab26e7
SHA256

b7f172168180b323c7eabe13d1b41b9cd6a2d274f7668754eefc5f93ecea6863
SHA512

bbd601edc967e5cd2fe815baeae750ddfa091e8c2463ee19de652c0a8211fa8b042066de2c1d3ab123299626b5b7d5a258c00c6c17ca5f82a9c1e3c4a4dbd933
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibW56utgpPFotBER/mQ32lU2

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002340c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-38.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-55.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-70.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023410-77.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-86.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-52.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000900000002340c-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341a-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341b-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341c-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341d-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023410-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341e-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341f-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023421-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023423-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023425-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023424-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023422-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023420-96.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3096-0-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	UPX
behavioral2/files/0x000900000002340c-5.dat	UPX
behavioral2/files/0x0007000000023413-10.dat	UPX
behavioral2/files/0x0007000000023414-9.dat	UPX
behavioral2/files/0x0007000000023415-27.dat	UPX
behavioral2/files/0x0007000000023416-29.dat	UPX
behavioral2/files/0x0007000000023417-39.dat	UPX
behavioral2/files/0x0007000000023418-38.dat	UPX
behavioral2/files/0x000700000002341a-49.dat	UPX
behavioral2/files/0x000700000002341b-55.dat	UPX
behavioral2/files/0x000700000002341c-60.dat	UPX
behavioral2/files/0x000700000002341d-70.dat	UPX
behavioral2/files/0x0008000000023410-77.dat	UPX
behavioral2/files/0x000700000002341e-86.dat	UPX
behavioral2/files/0x000700000002341f-91.dat	UPX
behavioral2/files/0x0007000000023421-101.dat	UPX
behavioral2/files/0x0007000000023423-111.dat	UPX
behavioral2/files/0x0007000000023425-117.dat	UPX
behavioral2/files/0x0007000000023424-115.dat	UPX
behavioral2/files/0x0007000000023422-106.dat	UPX
behavioral2/files/0x0007000000023420-96.dat	UPX
behavioral2/memory/4432-72-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp	UPX
behavioral2/memory/2300-71-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp	UPX
behavioral2/memory/4100-68-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	UPX
behavioral2/memory/396-62-0x00007FF69B4E0000-0x00007FF69B831000-memory.dmp	UPX
behavioral2/memory/3648-59-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp	UPX
behavioral2/memory/2420-61-0x00007FF71E950000-0x00007FF71ECA1000-memory.dmp	UPX
behavioral2/files/0x0007000000023419-52.dat	UPX
behavioral2/memory/3152-48-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	UPX
behavioral2/memory/3052-37-0x00007FF7C1E90000-0x00007FF7C21E1000-memory.dmp	UPX
behavioral2/memory/3324-31-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	UPX
behavioral2/memory/3084-25-0x00007FF793800000-0x00007FF793B51000-memory.dmp	UPX
behavioral2/memory/4936-16-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp	UPX
behavioral2/memory/452-6-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp	UPX
behavioral2/memory/3096-119-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	UPX
behavioral2/memory/3084-122-0x00007FF793800000-0x00007FF793B51000-memory.dmp	UPX
behavioral2/memory/3324-123-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	UPX
behavioral2/memory/3648-128-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp	UPX
behavioral2/memory/4432-131-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp	UPX
behavioral2/memory/2088-133-0x00007FF7EBC10000-0x00007FF7EBF61000-memory.dmp	UPX
behavioral2/memory/2300-130-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp	UPX
behavioral2/memory/3152-126-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	UPX
behavioral2/memory/4936-121-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp	UPX
behavioral2/memory/4100-129-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	UPX
behavioral2/memory/452-120-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp	UPX
behavioral2/memory/1388-136-0x00007FF748F90000-0x00007FF7492E1000-memory.dmp	UPX
behavioral2/memory/3192-137-0x00007FF73F860000-0x00007FF73FBB1000-memory.dmp	UPX
behavioral2/memory/444-139-0x00007FF722A90000-0x00007FF722DE1000-memory.dmp	UPX
behavioral2/memory/4972-140-0x00007FF6DD340000-0x00007FF6DD691000-memory.dmp	UPX
behavioral2/memory/3388-143-0x00007FF79D7F0000-0x00007FF79DB41000-memory.dmp	UPX
behavioral2/memory/4604-144-0x00007FF74E260000-0x00007FF74E5B1000-memory.dmp	UPX
behavioral2/memory/1328-142-0x00007FF7833F0000-0x00007FF783741000-memory.dmp	UPX
behavioral2/memory/4636-135-0x00007FF64E610000-0x00007FF64E961000-memory.dmp	UPX
behavioral2/memory/3096-149-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	UPX
behavioral2/memory/3096-150-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	UPX
behavioral2/memory/452-201-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp	UPX
behavioral2/memory/4936-203-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp	UPX
behavioral2/memory/3324-207-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	UPX
behavioral2/memory/3084-206-0x00007FF793800000-0x00007FF793B51000-memory.dmp	UPX
behavioral2/memory/2420-211-0x00007FF71E950000-0x00007FF71ECA1000-memory.dmp	UPX
behavioral2/memory/3052-210-0x00007FF7C1E90000-0x00007FF7C21E1000-memory.dmp	UPX
behavioral2/memory/3152-213-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	UPX
behavioral2/memory/4100-219-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	UPX
behavioral2/memory/396-218-0x00007FF69B4E0000-0x00007FF69B831000-memory.dmp	UPX

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4100-68-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	xmrig
behavioral2/memory/396-62-0x00007FF69B4E0000-0x00007FF69B831000-memory.dmp	xmrig
behavioral2/memory/3648-59-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp	xmrig
behavioral2/memory/2420-61-0x00007FF71E950000-0x00007FF71ECA1000-memory.dmp	xmrig
behavioral2/memory/3152-48-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	xmrig
behavioral2/memory/3052-37-0x00007FF7C1E90000-0x00007FF7C21E1000-memory.dmp	xmrig
behavioral2/memory/3324-31-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	xmrig
behavioral2/memory/3096-119-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	xmrig
behavioral2/memory/3084-122-0x00007FF793800000-0x00007FF793B51000-memory.dmp	xmrig
behavioral2/memory/3324-123-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	xmrig
behavioral2/memory/3648-128-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp	xmrig
behavioral2/memory/4432-131-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp	xmrig
behavioral2/memory/2088-133-0x00007FF7EBC10000-0x00007FF7EBF61000-memory.dmp	xmrig
behavioral2/memory/2300-130-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp	xmrig
behavioral2/memory/3152-126-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	xmrig
behavioral2/memory/4936-121-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp	xmrig
behavioral2/memory/4100-129-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	xmrig
behavioral2/memory/452-120-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp	xmrig
behavioral2/memory/1388-136-0x00007FF748F90000-0x00007FF7492E1000-memory.dmp	xmrig
behavioral2/memory/3192-137-0x00007FF73F860000-0x00007FF73FBB1000-memory.dmp	xmrig
behavioral2/memory/444-139-0x00007FF722A90000-0x00007FF722DE1000-memory.dmp	xmrig
behavioral2/memory/4972-140-0x00007FF6DD340000-0x00007FF6DD691000-memory.dmp	xmrig
behavioral2/memory/3388-143-0x00007FF79D7F0000-0x00007FF79DB41000-memory.dmp	xmrig
behavioral2/memory/4604-144-0x00007FF74E260000-0x00007FF74E5B1000-memory.dmp	xmrig
behavioral2/memory/1328-142-0x00007FF7833F0000-0x00007FF783741000-memory.dmp	xmrig
behavioral2/memory/4636-135-0x00007FF64E610000-0x00007FF64E961000-memory.dmp	xmrig
behavioral2/memory/3096-149-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	xmrig
behavioral2/memory/3096-150-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	xmrig
behavioral2/memory/452-201-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp	xmrig
behavioral2/memory/4936-203-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp	xmrig
behavioral2/memory/3324-207-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	xmrig
behavioral2/memory/3084-206-0x00007FF793800000-0x00007FF793B51000-memory.dmp	xmrig
behavioral2/memory/2420-211-0x00007FF71E950000-0x00007FF71ECA1000-memory.dmp	xmrig
behavioral2/memory/3052-210-0x00007FF7C1E90000-0x00007FF7C21E1000-memory.dmp	xmrig
behavioral2/memory/3152-213-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	xmrig
behavioral2/memory/4100-219-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	xmrig
behavioral2/memory/396-218-0x00007FF69B4E0000-0x00007FF69B831000-memory.dmp	xmrig
behavioral2/memory/3648-216-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp	xmrig
behavioral2/memory/4636-227-0x00007FF64E610000-0x00007FF64E961000-memory.dmp	xmrig
behavioral2/memory/2088-226-0x00007FF7EBC10000-0x00007FF7EBF61000-memory.dmp	xmrig
behavioral2/memory/2300-224-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp	xmrig
behavioral2/memory/4432-223-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp	xmrig
behavioral2/memory/3388-232-0x00007FF79D7F0000-0x00007FF79DB41000-memory.dmp	xmrig
behavioral2/memory/444-237-0x00007FF722A90000-0x00007FF722DE1000-memory.dmp	xmrig
behavioral2/memory/4604-239-0x00007FF74E260000-0x00007FF74E5B1000-memory.dmp	xmrig
behavioral2/memory/3192-241-0x00007FF73F860000-0x00007FF73FBB1000-memory.dmp	xmrig
behavioral2/memory/4972-236-0x00007FF6DD340000-0x00007FF6DD691000-memory.dmp	xmrig
behavioral2/memory/1328-233-0x00007FF7833F0000-0x00007FF783741000-memory.dmp	xmrig
behavioral2/memory/1388-229-0x00007FF748F90000-0x00007FF7492E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
452	Ukjygpi.exe
4936	aINTyKB.exe
3084	qkIlzze.exe
3324	FebidDh.exe
3052	KPWrQNs.exe
2420	NlzYixN.exe
3152	fNSPdQd.exe
396	Zxxmwft.exe
3648	unLDAGC.exe
4100	kBXRWiW.exe
2300	SISNNdQ.exe
4432	kauwcya.exe
2088	Jtnsfhz.exe
4636	CNoXTmc.exe
1388	lhvpCfw.exe
3192	kdXDgBc.exe
444	iqWSOJt.exe
4972	RQawgev.exe
1328	MJkohtJ.exe
3388	mkOAnUL.exe
4604	jFHZTRT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3096-0-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	upx
behavioral2/files/0x000900000002340c-5.dat	upx
behavioral2/files/0x0007000000023413-10.dat	upx
behavioral2/files/0x0007000000023414-9.dat	upx
behavioral2/files/0x0007000000023415-27.dat	upx
behavioral2/files/0x0007000000023416-29.dat	upx
behavioral2/files/0x0007000000023417-39.dat	upx
behavioral2/files/0x0007000000023418-38.dat	upx
behavioral2/files/0x000700000002341a-49.dat	upx
behavioral2/files/0x000700000002341b-55.dat	upx
behavioral2/files/0x000700000002341c-60.dat	upx
behavioral2/files/0x000700000002341d-70.dat	upx
behavioral2/files/0x0008000000023410-77.dat	upx
behavioral2/files/0x000700000002341e-86.dat	upx
behavioral2/files/0x000700000002341f-91.dat	upx
behavioral2/files/0x0007000000023421-101.dat	upx
behavioral2/files/0x0007000000023423-111.dat	upx
behavioral2/files/0x0007000000023425-117.dat	upx
behavioral2/files/0x0007000000023424-115.dat	upx
behavioral2/files/0x0007000000023422-106.dat	upx
behavioral2/files/0x0007000000023420-96.dat	upx
behavioral2/memory/4432-72-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp	upx
behavioral2/memory/2300-71-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp	upx
behavioral2/memory/4100-68-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	upx
behavioral2/memory/396-62-0x00007FF69B4E0000-0x00007FF69B831000-memory.dmp	upx
behavioral2/memory/3648-59-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp	upx
behavioral2/memory/2420-61-0x00007FF71E950000-0x00007FF71ECA1000-memory.dmp	upx
behavioral2/files/0x0007000000023419-52.dat	upx
behavioral2/memory/3152-48-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	upx
behavioral2/memory/3052-37-0x00007FF7C1E90000-0x00007FF7C21E1000-memory.dmp	upx
behavioral2/memory/3324-31-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	upx
behavioral2/memory/3084-25-0x00007FF793800000-0x00007FF793B51000-memory.dmp	upx
behavioral2/memory/4936-16-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp	upx
behavioral2/memory/452-6-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp	upx
behavioral2/memory/3096-119-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	upx
behavioral2/memory/3084-122-0x00007FF793800000-0x00007FF793B51000-memory.dmp	upx
behavioral2/memory/3324-123-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	upx
behavioral2/memory/3648-128-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp	upx
behavioral2/memory/4432-131-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp	upx
behavioral2/memory/2088-133-0x00007FF7EBC10000-0x00007FF7EBF61000-memory.dmp	upx
behavioral2/memory/2300-130-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp	upx
behavioral2/memory/3152-126-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	upx
behavioral2/memory/4936-121-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp	upx
behavioral2/memory/4100-129-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	upx
behavioral2/memory/452-120-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp	upx
behavioral2/memory/1388-136-0x00007FF748F90000-0x00007FF7492E1000-memory.dmp	upx
behavioral2/memory/3192-137-0x00007FF73F860000-0x00007FF73FBB1000-memory.dmp	upx
behavioral2/memory/444-139-0x00007FF722A90000-0x00007FF722DE1000-memory.dmp	upx
behavioral2/memory/4972-140-0x00007FF6DD340000-0x00007FF6DD691000-memory.dmp	upx
behavioral2/memory/3388-143-0x00007FF79D7F0000-0x00007FF79DB41000-memory.dmp	upx
behavioral2/memory/4604-144-0x00007FF74E260000-0x00007FF74E5B1000-memory.dmp	upx
behavioral2/memory/1328-142-0x00007FF7833F0000-0x00007FF783741000-memory.dmp	upx
behavioral2/memory/4636-135-0x00007FF64E610000-0x00007FF64E961000-memory.dmp	upx
behavioral2/memory/3096-149-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	upx
behavioral2/memory/3096-150-0x00007FF69B220000-0x00007FF69B571000-memory.dmp	upx
behavioral2/memory/452-201-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp	upx
behavioral2/memory/4936-203-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp	upx
behavioral2/memory/3324-207-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp	upx
behavioral2/memory/3084-206-0x00007FF793800000-0x00007FF793B51000-memory.dmp	upx
behavioral2/memory/2420-211-0x00007FF71E950000-0x00007FF71ECA1000-memory.dmp	upx
behavioral2/memory/3052-210-0x00007FF7C1E90000-0x00007FF7C21E1000-memory.dmp	upx
behavioral2/memory/3152-213-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	upx
behavioral2/memory/4100-219-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	upx
behavioral2/memory/396-218-0x00007FF69B4E0000-0x00007FF69B831000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aINTyKB.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qkIlzze.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kauwcya.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kdXDgBc.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Jtnsfhz.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CNoXTmc.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iqWSOJt.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RQawgev.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MJkohtJ.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mkOAnUL.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KPWrQNs.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Zxxmwft.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kBXRWiW.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lhvpCfw.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jFHZTRT.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Ukjygpi.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FebidDh.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NlzYixN.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fNSPdQd.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\unLDAGC.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SISNNdQ.exe	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 452	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	84
PID 3096 wrote to memory of 452	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	84
PID 3096 wrote to memory of 4936	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	85
PID 3096 wrote to memory of 4936	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	85
PID 3096 wrote to memory of 3084	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	86
PID 3096 wrote to memory of 3084	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	86
PID 3096 wrote to memory of 3324	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	87
PID 3096 wrote to memory of 3324	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	87
PID 3096 wrote to memory of 3052	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	88
PID 3096 wrote to memory of 3052	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	88
PID 3096 wrote to memory of 2420	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	89
PID 3096 wrote to memory of 2420	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	89
PID 3096 wrote to memory of 3152	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	90
PID 3096 wrote to memory of 3152	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	90
PID 3096 wrote to memory of 396	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	91
PID 3096 wrote to memory of 396	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	91
PID 3096 wrote to memory of 3648	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	92
PID 3096 wrote to memory of 3648	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	92
PID 3096 wrote to memory of 4100	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	93
PID 3096 wrote to memory of 4100	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	93
PID 3096 wrote to memory of 2300	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	94
PID 3096 wrote to memory of 2300	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	94
PID 3096 wrote to memory of 4432	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	95
PID 3096 wrote to memory of 4432	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	95
PID 3096 wrote to memory of 2088	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	96
PID 3096 wrote to memory of 2088	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	96
PID 3096 wrote to memory of 4636	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	97
PID 3096 wrote to memory of 4636	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	97
PID 3096 wrote to memory of 1388	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	98
PID 3096 wrote to memory of 1388	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	98
PID 3096 wrote to memory of 3192	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	99
PID 3096 wrote to memory of 3192	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	99
PID 3096 wrote to memory of 444	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	100
PID 3096 wrote to memory of 444	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	100
PID 3096 wrote to memory of 4972	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	101
PID 3096 wrote to memory of 4972	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	101
PID 3096 wrote to memory of 1328	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	102
PID 3096 wrote to memory of 1328	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	102
PID 3096 wrote to memory of 3388	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	103
PID 3096 wrote to memory of 3388	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	103
PID 3096 wrote to memory of 4604	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	104
PID 3096 wrote to memory of 4604	3096	2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_f75ec048d2aaa9b7e109e0a54629072c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\System\Ukjygpi.exe
  C:\Windows\System\Ukjygpi.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\aINTyKB.exe
  C:\Windows\System\aINTyKB.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\qkIlzze.exe
  C:\Windows\System\qkIlzze.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\FebidDh.exe
  C:\Windows\System\FebidDh.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\KPWrQNs.exe
  C:\Windows\System\KPWrQNs.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\NlzYixN.exe
  C:\Windows\System\NlzYixN.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\fNSPdQd.exe
  C:\Windows\System\fNSPdQd.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\Zxxmwft.exe
  C:\Windows\System\Zxxmwft.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\unLDAGC.exe
  C:\Windows\System\unLDAGC.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\kBXRWiW.exe
  C:\Windows\System\kBXRWiW.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\SISNNdQ.exe
  C:\Windows\System\SISNNdQ.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\kauwcya.exe
  C:\Windows\System\kauwcya.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\Jtnsfhz.exe
  C:\Windows\System\Jtnsfhz.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\CNoXTmc.exe
  C:\Windows\System\CNoXTmc.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\lhvpCfw.exe
  C:\Windows\System\lhvpCfw.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\kdXDgBc.exe
  C:\Windows\System\kdXDgBc.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\iqWSOJt.exe
  C:\Windows\System\iqWSOJt.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System\RQawgev.exe
  C:\Windows\System\RQawgev.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\MJkohtJ.exe
  C:\Windows\System\MJkohtJ.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\mkOAnUL.exe
  C:\Windows\System\mkOAnUL.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\jFHZTRT.exe
  C:\Windows\System\jFHZTRT.exe
  2⤵
  - Executes dropped EXE
  PID:4604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CNoXTmc.exe

Filesize
5.2MB

MD5
82646421d093a4e5a33ea47815122294

SHA1
bd7ff7fd661c9c43390b853dc994b0866f743c5d

SHA256
9c532912ca9cfc72a8780dbc7812844df8cdf5081ba2eec1607cf793cc22c2c6

SHA512
49dfa58367b75a9a20ba1d7e7a4b58101d1333d2f122558c229037335f4def1534d3a02888a3b96ad1d80fabd5a76f7d0488f170f9afd166df0e9b3df40db160

Download Submit
C:\Windows\System\FebidDh.exe

Filesize
5.2MB

MD5
b1c2d49b93aa2371be0f155d1327a5a4

SHA1
907d5c2db267a39ba4dd6e6af12efb01b6dd0e56

SHA256
e8a217c4419ad0cb9350b9af8888f940b9876a7853135347848bb6175bb5e6f4

SHA512
88f878ed2fad143650879c7481a158eab0591feb048880419d75e371549659ecb57c5f86656bad4a730f1572e4d1c7b955641af764be822f8074c43a742cbdc3

Download Submit
C:\Windows\System\Jtnsfhz.exe

Filesize
5.2MB

MD5
757950947cf6d11d97f10de5d47e6f0e

SHA1
ab7d5cd3ea255c2ff26c9172ab3038b03edc78ba

SHA256
4e86f20f2164a1eb5706f1164495bb662e8035310a40b2e78c9f7ef0486fbcd6

SHA512
f2fae4c44945797a6ddc21344a1d4b7913570072fae83aeb1a812eace32b663cb97a72d51df083e355893b0efd19aea0c1fa2a2e3d63bcf520e7d8405cfe93d0

Download Submit
C:\Windows\System\KPWrQNs.exe

Filesize
5.2MB

MD5
73be47d635ade7b19128f9edb6fa06ef

SHA1
da632b653412cc2e6d4c3e00d956a766cb2e20c6

SHA256
388dd79bed36a00ac3b7612990a236cafe1ffb6a278afbda151cf7cd973d88f1

SHA512
62d32e412645f1a92aec3995da27ca0762edc35a8fe430fdee19d3833fe8a3cfc8dfc68be7b2e46b334e83c458217fd0b9becb57490446df9ea1bc84f8c4152a

Download Submit
C:\Windows\System\MJkohtJ.exe

Filesize
5.2MB

MD5
5ee1bdce2fe96b7d8b5fcac5fbe3dfdc

SHA1
9686c703d49bcb9a4711dd51ef1309ea78d8c0bc

SHA256
a6fbfdb2a6a5f56fe47ee41ce1adbd572688b9138b2fc4e0b5bfdb913ca11ee8

SHA512
1c9ad3e7cd6cbab1ef4f449679b191e5c08da8592d689881dd3e378fd83eb8221b501988715f584552f1177fec6215a39abab9f680fcd175b3ea0a8e10c5cbb9

Download Submit
C:\Windows\System\NlzYixN.exe

Filesize
5.2MB

MD5
89b75a36825e6140337feb52ea0b39ab

SHA1
9d2ccdf081ed82202da412271beb66fa3d0e628a

SHA256
07ffa1ed6162919fefcdb1db37f6578a0fab96ebff114e8937439990775f7cfc

SHA512
b15c00af4992649929f2d4cd066d8b3163a5ac7905e6f942b627d066a2f1a5226bec84fb8685ebeff1218932ed702c7ce9e33f83a9234f77d16cf5140837cc88

Download Submit
C:\Windows\System\RQawgev.exe

Filesize
5.2MB

MD5
645ae6b11b343433f6cf7d4916e922b5

SHA1
668d4a12b9eee7d862ff1d97ca6ea0f0469dfa8b

SHA256
ce77388a2eb9e7ab255059244478c792aff9f245803dc65853ed9d8598cc1abc

SHA512
bd5c862feac7ccbdb1d362a34414015522a7554b6bb9f7e612bda35ec44822ea4bd81a46eea132e4e9ebb9e32dbff8ff869489e3a583043d7b70333f11f47ca0

Download Submit
C:\Windows\System\SISNNdQ.exe

Filesize
5.2MB

MD5
ad7dbe809b199495166d2ed0dbeed50c

SHA1
05db6f6bd58ab1144b7166360cce2d2b3a4037e3

SHA256
e72ca224f61cca34a7504a4ccec85ab9f7d9c53b04fdad657c43d75237dcd2f6

SHA512
695dd3d6dca38e04d493967ed097c0deb6183df4e183b124793eb0213e1921ff3743d25fea34584f48fb8a4c27cb3d1ab8e4348aa21c86e0c9e7affaa794c1ea

Download Submit
C:\Windows\System\Ukjygpi.exe

Filesize
5.2MB

MD5
a09e7da3572d20d7bec12e9046d7858c

SHA1
0a06ec14eae8aa0d45d027ba178af8088dd148b6

SHA256
38abe61d1017a690e95a6952e2e59ac8e48fc36ad4ecb7ee5ed90eb1375f203a

SHA512
4587228206452350cfad69de71b7d0d35707b0c76162914972403c56dac19353cf2e1e79a5a6ac38a5616f5a114e5982a07e47a6edf0a6437dfe7f1777b2a5b3

Download Submit
C:\Windows\System\Zxxmwft.exe

Filesize
5.2MB

MD5
75d31700721aa90b3de62b33685e5abc

SHA1
4af7bb21068f4a84662367ceafef8b6c664498af

SHA256
03da45aa3f3d8dd058a83a2e8c553354a75061780c5d1f3aeb913295fdc09fc3

SHA512
bd43c0257586f0d710df5212af95e1a8c1931fcf9f9b87715f62627c465c47e17e4f4124de1993881a0bf5769bd5851564ec95aec3bff96d753a2b95ca267ec1

Download Submit
C:\Windows\System\aINTyKB.exe

Filesize
5.2MB

MD5
fcd671f13a4000db4329478f53a11fc8

SHA1
bbb45829e9685cccf1367aec0c111a2acf0d9e5c

SHA256
3e857eaffc664bb81afbcc67bd0db4f389115e6a16a984b8600458eff7949455

SHA512
c6b110c39fceb4146d417ce4034806ceaccebd7c3c1bb54cab19aaac50301ea2b6421bedf5ebccbbf3134939bcbd3630cb4d4ac4246e3f8db7730620bf030ebb

Download Submit
C:\Windows\System\fNSPdQd.exe

Filesize
5.2MB

MD5
4763ed677e55a3cf08c4ffcaad96d91a

SHA1
67b5ca9fc680486cd60e99dc997da02cf4993990

SHA256
3cf54d8f3482bc4c3a37fbfd77813cf3143fbc2a0f643714765674256e4787cb

SHA512
b99932ba944f585acb213ce33319b0bb0555f4aecb9bf8f20ccb2df3b8b457d4a06c481232e7996e04e8fffa7527ff61272da1b2a2e429ca35420b6e995f458d

Download Submit
C:\Windows\System\iqWSOJt.exe

Filesize
5.2MB

MD5
9036468bf524d592ee3330eaee22d009

SHA1
2546d99a43c2bc11d0136f85715d1c2f7414cd87

SHA256
227c435c00603775581a638053aee1af30f97939bbee555685f69ac3874a6fd1

SHA512
500c913b42be1e66fb09f152a9b67e7c351117831963720b6e5afe6188f09a325b92bcf5402f889711f130e1f64742755b52602753d4f7e550c2fc3c0e1f2f77

Download Submit
C:\Windows\System\jFHZTRT.exe

Filesize
5.2MB

MD5
8ab36b57eaada57956bf67a389199a75

SHA1
e9b1d4e4e39991ab7de2bc001a8fe6defe68892d

SHA256
a1253f05533ecbad61a7329131c7d66207472e4e5e0f8d9d2d5b89651f77562b

SHA512
e7d38499f8fea23718bbd34131ccfd9c8cdde5a7fdb34c6af022c255ff06f22f571263d64eecf60e478c4efebd60315e58b02896a5cd69edb01715163d787dfe

Download Submit
C:\Windows\System\kBXRWiW.exe

Filesize
5.2MB

MD5
174825a68c565f529bd8571fe9dcd0c0

SHA1
4f1d842900c952eddf7e47bef738d8d43944fa8c

SHA256
4b15dc9a1a7f52d0e65b5489da946db06d40cc496b2d0da5784388091601d3f5

SHA512
e9761655afc1f53e52845178c9ad276a33a2a14649976b87a9d7dbfdfdc2be7c2962ef427a33a323a7f719c52a46c6f4ff199fd1d0b4bf0b764f72cd4eb51805

Download Submit
C:\Windows\System\kauwcya.exe

Filesize
5.2MB

MD5
4ee26d0ff8f7e26f0c616373dca5d9a5

SHA1
27fe6b0457fe60c069eb749d8dc24c5d792572b2

SHA256
1a721d238412c69727535607b96b0ea8b3fc081c522c6a9ebe8dd5a19bf1a158

SHA512
9733c144e15bc4c6d4fba7c385c4bafc8a7ba77408e96f093f6ea03e83e3a30aa3f49e93c46210526d4b8f774062f3f2e26206f3a5195e7465f3246ebc9b39c7

Download Submit
C:\Windows\System\kdXDgBc.exe

Filesize
5.2MB

MD5
a20044f128fb87185339f2800e6db8ae

SHA1
e71d7fc2ad3a892bc5a260d341569b6bfb5fbf2d

SHA256
47840bceac6cf8e77e3efd1d8e4d1134fd6b9f8a8a28f86ea465d2dccb2b9bd5

SHA512
c644d8d019d480c062631a179fe338df1dacd2c054f93a3ad3711ed4c0fdd19c576300ae957d1db2ddee3e3df7253fa5279ec9ac6e531c162c0637d9622bce07

Download Submit
C:\Windows\System\lhvpCfw.exe

Filesize
5.2MB

MD5
7a21996abb6bed7c39045e74aa3f1369

SHA1
91185054c6cc54f30ff8f45acdd148abb1cc946b

SHA256
9f8ba5ca771aac461de1020f68e7f1774f8e043459896f1e79275ed87f4ebe1e

SHA512
039bc5153d148653d35fcf3ae23a4e6afc3bb62e2bb77265e078f6ec106aacf88e726b27c9c651ea74da82b3689c44382339f1546f755b98548857065b971d1e

Download Submit
C:\Windows\System\mkOAnUL.exe

Filesize
5.2MB

MD5
f66293e543110c672ebbecebda6da15b

SHA1
4667a9ae8463d53c8ee8792bed963e22d6e6b05b

SHA256
266fc7e5aff826ecf11e0b73c6fbc40c962acba5887f6d6cd1918cb31e9668f9

SHA512
03d0e52e8bb9ea205303e26eed0f276603002780efc3cce3649053e7917971db36fcd869464ebd1aa3abfb14610a718fb6f2c0781693e59d3f324ee5e4c61161

Download Submit
C:\Windows\System\qkIlzze.exe

Filesize
5.2MB

MD5
fb60d3b0d36d5dda79dcbdd40b698a6c

SHA1
0c5c76e9921e4861945c8cec47d314e56fc7d676

SHA256
6914ac2649e93d71a409c125d687e59e2727d2b50fb41f5dd9f653ee662df192

SHA512
92064817dce347d71ff30d72e2ae476376ed6169ec2ad6b1cf7e11085073c4f98a6ad38dd5af94e7e516ef1ac6d8bd65999fb924dbc049003a426dd43b416ce0

Download Submit
C:\Windows\System\unLDAGC.exe

Filesize
5.2MB

MD5
03a92617b8bcdce35dc24ebe6ee7e407

SHA1
15e0393e1ce895f41ee3c030d21693293484f36b

SHA256
d921144e5d861afe00e4afa06a37edf254b57c3133dc2c701d0c818d9adb8b95

SHA512
f1fd3bde7b7829ccf3c2d24b67a7e4f660bb34ef198285f89525c891c59b05cbdf5ab9a57f9487f0eff91d4980840373f64fe45fea1d1074f936bc7cbf8fdc95

Download Submit
memory/396-62-0x00007FF69B4E0000-0x00007FF69B831000-memory.dmp

Filesize
3.3MB

Download
memory/396-218-0x00007FF69B4E0000-0x00007FF69B831000-memory.dmp

Filesize
3.3MB

Download
memory/444-139-0x00007FF722A90000-0x00007FF722DE1000-memory.dmp

Filesize
3.3MB

Download
memory/444-237-0x00007FF722A90000-0x00007FF722DE1000-memory.dmp

Filesize
3.3MB

Download
memory/452-6-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp

Filesize
3.3MB

Download
memory/452-201-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp

Filesize
3.3MB

Download
memory/452-120-0x00007FF7E9F30000-0x00007FF7EA281000-memory.dmp

Filesize
3.3MB

Download
memory/1328-233-0x00007FF7833F0000-0x00007FF783741000-memory.dmp

Filesize
3.3MB

Download
memory/1328-142-0x00007FF7833F0000-0x00007FF783741000-memory.dmp

Filesize
3.3MB

Download
memory/1388-229-0x00007FF748F90000-0x00007FF7492E1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-136-0x00007FF748F90000-0x00007FF7492E1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-133-0x00007FF7EBC10000-0x00007FF7EBF61000-memory.dmp

Filesize
3.3MB

Download
memory/2088-226-0x00007FF7EBC10000-0x00007FF7EBF61000-memory.dmp

Filesize
3.3MB

Download
memory/2300-130-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-71-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-224-0x00007FF793F50000-0x00007FF7942A1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-61-0x00007FF71E950000-0x00007FF71ECA1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-211-0x00007FF71E950000-0x00007FF71ECA1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-210-0x00007FF7C1E90000-0x00007FF7C21E1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-37-0x00007FF7C1E90000-0x00007FF7C21E1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-206-0x00007FF793800000-0x00007FF793B51000-memory.dmp

Filesize
3.3MB

Download
memory/3084-122-0x00007FF793800000-0x00007FF793B51000-memory.dmp

Filesize
3.3MB

Download
memory/3084-25-0x00007FF793800000-0x00007FF793B51000-memory.dmp

Filesize
3.3MB

Download
memory/3096-119-0x00007FF69B220000-0x00007FF69B571000-memory.dmp

Filesize
3.3MB

Download
memory/3096-149-0x00007FF69B220000-0x00007FF69B571000-memory.dmp

Filesize
3.3MB

Download
memory/3096-0-0x00007FF69B220000-0x00007FF69B571000-memory.dmp

Filesize
3.3MB

Download
memory/3096-1-0x0000018ABD870000-0x0000018ABD880000-memory.dmp

Filesize
64KB

Download
memory/3096-150-0x00007FF69B220000-0x00007FF69B571000-memory.dmp

Filesize
3.3MB

Download
memory/3152-126-0x00007FF714260000-0x00007FF7145B1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-213-0x00007FF714260000-0x00007FF7145B1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-48-0x00007FF714260000-0x00007FF7145B1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-137-0x00007FF73F860000-0x00007FF73FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-241-0x00007FF73F860000-0x00007FF73FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/3324-207-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp

Filesize
3.3MB

Download
memory/3324-123-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp

Filesize
3.3MB

Download
memory/3324-31-0x00007FF6CC4F0000-0x00007FF6CC841000-memory.dmp

Filesize
3.3MB

Download
memory/3388-232-0x00007FF79D7F0000-0x00007FF79DB41000-memory.dmp

Filesize
3.3MB

Download
memory/3388-143-0x00007FF79D7F0000-0x00007FF79DB41000-memory.dmp

Filesize
3.3MB

Download
memory/3648-216-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-128-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-59-0x00007FF7C7150000-0x00007FF7C74A1000-memory.dmp

Filesize
3.3MB

Download
memory/4100-219-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download
memory/4100-68-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download
memory/4100-129-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download
memory/4432-223-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp

Filesize
3.3MB

Download
memory/4432-72-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp

Filesize
3.3MB

Download
memory/4432-131-0x00007FF63F3D0000-0x00007FF63F721000-memory.dmp

Filesize
3.3MB

Download
memory/4604-239-0x00007FF74E260000-0x00007FF74E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-144-0x00007FF74E260000-0x00007FF74E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-227-0x00007FF64E610000-0x00007FF64E961000-memory.dmp

Filesize
3.3MB

Download
memory/4636-135-0x00007FF64E610000-0x00007FF64E961000-memory.dmp

Filesize
3.3MB

Download
memory/4936-16-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp

Filesize
3.3MB

Download
memory/4936-203-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp

Filesize
3.3MB

Download
memory/4936-121-0x00007FF6D5000000-0x00007FF6D5351000-memory.dmp

Filesize
3.3MB

Download
memory/4972-140-0x00007FF6DD340000-0x00007FF6DD691000-memory.dmp

Filesize
3.3MB

Download
memory/4972-236-0x00007FF6DD340000-0x00007FF6DD691000-memory.dmp

Filesize
3.3MB

Download