cobaltstrike | 6b7f06541946df826c8019760f8c0aa6b7b4293f9d76d7e3e1884b2ee9f45fc9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

78325fef59f4218f566f53dc512cb2ed
SHA1

0a0b278439d2bce24287c439f70b5544205c4677
SHA256

6b7f06541946df826c8019760f8c0aa6b7b4293f9d76d7e3e1884b2ee9f45fc9
SHA512

4994848b5288045a5fe4e2b7ff4772af12e77771e870d63247198e6e7d247e03ac1da3a279764979e97bdc584c0b4a76e7257c5fa3d6e0fe32116d14297f79fa
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU1:Q+856utgpPF8u/71

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000500000002328f-5.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002341d-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-25.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002341e-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-54.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-72.dat	cobalt_reflective_dll
behavioral2/files/0x000b00000002339a-80.dat	cobalt_reflective_dll
behavioral2/files/0x0010000000023391-83.dat	cobalt_reflective_dll
behavioral2/files/0x0005000000022ac0-92.dat	cobalt_reflective_dll
behavioral2/files/0x000400000002296c-98.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022974-105.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-112.dat	cobalt_reflective_dll
behavioral2/files/0x0013000000016964-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000233c2-123.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000500000002328f-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002341d-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023421-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023424-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002341e-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023425-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023426-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342a-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023429-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342b-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000b00000002339a-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0010000000023391-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0005000000022ac0-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000400000002296c-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0003000000022974-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342d-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0013000000016964-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a0000000233c2-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342f-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3332-0-0x00007FF6C5690000-0x00007FF6C59E4000-memory.dmp	UPX
behavioral2/files/0x000500000002328f-5.dat	UPX
behavioral2/memory/4176-8-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	UPX
behavioral2/files/0x000800000002341d-10.dat	UPX
behavioral2/memory/2892-14-0x00007FF681670000-0x00007FF6819C4000-memory.dmp	UPX
behavioral2/files/0x0007000000023421-11.dat	UPX
behavioral2/files/0x0007000000023424-25.dat	UPX
behavioral2/files/0x000800000002341e-28.dat	UPX
behavioral2/memory/336-30-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	UPX
behavioral2/memory/4380-24-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	UPX
behavioral2/memory/5100-20-0x00007FF737A60000-0x00007FF737DB4000-memory.dmp	UPX
behavioral2/files/0x0007000000023425-34.dat	UPX
behavioral2/memory/4076-38-0x00007FF719EE0000-0x00007FF71A234000-memory.dmp	UPX
behavioral2/files/0x0007000000023426-41.dat	UPX
behavioral2/files/0x0007000000023427-46.dat	UPX
behavioral2/memory/3196-49-0x00007FF748B20000-0x00007FF748E74000-memory.dmp	UPX
behavioral2/memory/2240-52-0x00007FF7B60C0000-0x00007FF7B6414000-memory.dmp	UPX
behavioral2/memory/628-61-0x00007FF7DCF40000-0x00007FF7DD294000-memory.dmp	UPX
behavioral2/files/0x000700000002342a-66.dat	UPX
behavioral2/memory/4620-65-0x00007FF6C0530000-0x00007FF6C0884000-memory.dmp	UPX
behavioral2/memory/3332-64-0x00007FF6C5690000-0x00007FF6C59E4000-memory.dmp	UPX
behavioral2/files/0x0007000000023429-59.dat	UPX
behavioral2/files/0x0007000000023428-54.dat	UPX
behavioral2/files/0x000700000002342b-72.dat	UPX
behavioral2/memory/4176-69-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	UPX
behavioral2/files/0x000b00000002339a-80.dat	UPX
behavioral2/memory/4108-78-0x00007FF6971C0000-0x00007FF697514000-memory.dmp	UPX
behavioral2/memory/2860-75-0x00007FF6EF0C0000-0x00007FF6EF414000-memory.dmp	UPX
behavioral2/files/0x0010000000023391-83.dat	UPX
behavioral2/memory/3824-85-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	UPX
behavioral2/memory/2876-84-0x00007FF6A8660000-0x00007FF6A89B4000-memory.dmp	UPX
behavioral2/files/0x0005000000022ac0-92.dat	UPX
behavioral2/memory/1688-95-0x00007FF76DD90000-0x00007FF76E0E4000-memory.dmp	UPX
behavioral2/files/0x000400000002296c-98.dat	UPX
behavioral2/memory/4380-94-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	UPX
behavioral2/memory/5012-102-0x00007FF6F2040000-0x00007FF6F2394000-memory.dmp	UPX
behavioral2/memory/336-101-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	UPX
behavioral2/files/0x0003000000022974-105.dat	UPX
behavioral2/memory/3512-114-0x00007FF7CE660000-0x00007FF7CE9B4000-memory.dmp	UPX
behavioral2/files/0x000700000002342d-112.dat	UPX
behavioral2/memory/2712-111-0x00007FF6404C0000-0x00007FF640814000-memory.dmp	UPX
behavioral2/files/0x0013000000016964-116.dat	UPX
behavioral2/files/0x000a0000000233c2-123.dat	UPX
behavioral2/memory/2968-120-0x00007FF6D66E0000-0x00007FF6D6A34000-memory.dmp	UPX
behavioral2/files/0x000700000002342f-127.dat	UPX
behavioral2/memory/3540-126-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp	UPX
behavioral2/memory/4804-131-0x00007FF621910000-0x00007FF621C64000-memory.dmp	UPX
behavioral2/memory/3824-132-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	UPX
behavioral2/memory/3540-133-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp	UPX
behavioral2/memory/4176-134-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	UPX
behavioral2/memory/2892-135-0x00007FF681670000-0x00007FF6819C4000-memory.dmp	UPX
behavioral2/memory/5100-136-0x00007FF737A60000-0x00007FF737DB4000-memory.dmp	UPX
behavioral2/memory/4380-137-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	UPX
behavioral2/memory/336-138-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	UPX
behavioral2/memory/4076-139-0x00007FF719EE0000-0x00007FF71A234000-memory.dmp	UPX
behavioral2/memory/3196-140-0x00007FF748B20000-0x00007FF748E74000-memory.dmp	UPX
behavioral2/memory/2240-141-0x00007FF7B60C0000-0x00007FF7B6414000-memory.dmp	UPX
behavioral2/memory/628-142-0x00007FF7DCF40000-0x00007FF7DD294000-memory.dmp	UPX
behavioral2/memory/4620-143-0x00007FF6C0530000-0x00007FF6C0884000-memory.dmp	UPX
behavioral2/memory/2860-144-0x00007FF6EF0C0000-0x00007FF6EF414000-memory.dmp	UPX
behavioral2/memory/4108-145-0x00007FF6971C0000-0x00007FF697514000-memory.dmp	UPX
behavioral2/memory/2876-146-0x00007FF6A8660000-0x00007FF6A89B4000-memory.dmp	UPX
behavioral2/memory/3824-147-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	UPX
behavioral2/memory/1688-148-0x00007FF76DD90000-0x00007FF76E0E4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3332-0-0x00007FF6C5690000-0x00007FF6C59E4000-memory.dmp	xmrig
behavioral2/files/0x000500000002328f-5.dat	xmrig
behavioral2/memory/4176-8-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	xmrig
behavioral2/files/0x000800000002341d-10.dat	xmrig
behavioral2/memory/2892-14-0x00007FF681670000-0x00007FF6819C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023421-11.dat	xmrig
behavioral2/files/0x0007000000023424-25.dat	xmrig
behavioral2/files/0x000800000002341e-28.dat	xmrig
behavioral2/memory/336-30-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	xmrig
behavioral2/memory/4380-24-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	xmrig
behavioral2/memory/5100-20-0x00007FF737A60000-0x00007FF737DB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023425-34.dat	xmrig
behavioral2/memory/4076-38-0x00007FF719EE0000-0x00007FF71A234000-memory.dmp	xmrig
behavioral2/files/0x0007000000023426-41.dat	xmrig
behavioral2/files/0x0007000000023427-46.dat	xmrig
behavioral2/memory/3196-49-0x00007FF748B20000-0x00007FF748E74000-memory.dmp	xmrig
behavioral2/memory/2240-52-0x00007FF7B60C0000-0x00007FF7B6414000-memory.dmp	xmrig
behavioral2/memory/628-61-0x00007FF7DCF40000-0x00007FF7DD294000-memory.dmp	xmrig
behavioral2/files/0x000700000002342a-66.dat	xmrig
behavioral2/memory/4620-65-0x00007FF6C0530000-0x00007FF6C0884000-memory.dmp	xmrig
behavioral2/memory/3332-64-0x00007FF6C5690000-0x00007FF6C59E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023429-59.dat	xmrig
behavioral2/files/0x0007000000023428-54.dat	xmrig
behavioral2/files/0x000700000002342b-72.dat	xmrig
behavioral2/memory/4176-69-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	xmrig
behavioral2/files/0x000b00000002339a-80.dat	xmrig
behavioral2/memory/4108-78-0x00007FF6971C0000-0x00007FF697514000-memory.dmp	xmrig
behavioral2/memory/2860-75-0x00007FF6EF0C0000-0x00007FF6EF414000-memory.dmp	xmrig
behavioral2/files/0x0010000000023391-83.dat	xmrig
behavioral2/memory/3824-85-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	xmrig
behavioral2/memory/2876-84-0x00007FF6A8660000-0x00007FF6A89B4000-memory.dmp	xmrig
behavioral2/files/0x0005000000022ac0-92.dat	xmrig
behavioral2/memory/1688-95-0x00007FF76DD90000-0x00007FF76E0E4000-memory.dmp	xmrig
behavioral2/files/0x000400000002296c-98.dat	xmrig
behavioral2/memory/4380-94-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	xmrig
behavioral2/memory/5012-102-0x00007FF6F2040000-0x00007FF6F2394000-memory.dmp	xmrig
behavioral2/memory/336-101-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	xmrig
behavioral2/files/0x0003000000022974-105.dat	xmrig
behavioral2/memory/3512-114-0x00007FF7CE660000-0x00007FF7CE9B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002342d-112.dat	xmrig
behavioral2/memory/2712-111-0x00007FF6404C0000-0x00007FF640814000-memory.dmp	xmrig
behavioral2/files/0x0013000000016964-116.dat	xmrig
behavioral2/files/0x000a0000000233c2-123.dat	xmrig
behavioral2/memory/2968-120-0x00007FF6D66E0000-0x00007FF6D6A34000-memory.dmp	xmrig
behavioral2/files/0x000700000002342f-127.dat	xmrig
behavioral2/memory/3540-126-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp	xmrig
behavioral2/memory/4804-131-0x00007FF621910000-0x00007FF621C64000-memory.dmp	xmrig
behavioral2/memory/3824-132-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	xmrig
behavioral2/memory/3540-133-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp	xmrig
behavioral2/memory/4176-134-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	xmrig
behavioral2/memory/2892-135-0x00007FF681670000-0x00007FF6819C4000-memory.dmp	xmrig
behavioral2/memory/5100-136-0x00007FF737A60000-0x00007FF737DB4000-memory.dmp	xmrig
behavioral2/memory/4380-137-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	xmrig
behavioral2/memory/336-138-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	xmrig
behavioral2/memory/4076-139-0x00007FF719EE0000-0x00007FF71A234000-memory.dmp	xmrig
behavioral2/memory/3196-140-0x00007FF748B20000-0x00007FF748E74000-memory.dmp	xmrig
behavioral2/memory/2240-141-0x00007FF7B60C0000-0x00007FF7B6414000-memory.dmp	xmrig
behavioral2/memory/628-142-0x00007FF7DCF40000-0x00007FF7DD294000-memory.dmp	xmrig
behavioral2/memory/4620-143-0x00007FF6C0530000-0x00007FF6C0884000-memory.dmp	xmrig
behavioral2/memory/2860-144-0x00007FF6EF0C0000-0x00007FF6EF414000-memory.dmp	xmrig
behavioral2/memory/4108-145-0x00007FF6971C0000-0x00007FF697514000-memory.dmp	xmrig
behavioral2/memory/2876-146-0x00007FF6A8660000-0x00007FF6A89B4000-memory.dmp	xmrig
behavioral2/memory/3824-147-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	xmrig
behavioral2/memory/1688-148-0x00007FF76DD90000-0x00007FF76E0E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4176	XouROnB.exe
2892	CFCDrBf.exe
5100	WKBaSYP.exe
4380	vRHjTMm.exe
336	xeYSzDc.exe
4076	iMTWOaO.exe
3196	mUsHoMa.exe
2240	QHkDeAN.exe
628	kMsKnUo.exe
4620	XAbIbgi.exe
2860	WBkcRcw.exe
4108	LUfbSWS.exe
2876	iMjGiXg.exe
3824	dHntOPr.exe
1688	UlkuLAZ.exe
5012	rEGVnAF.exe
2712	vLUMZOa.exe
3512	IPLkZyl.exe
2968	PblSJlz.exe
3540	IxAKjrd.exe
4804	zLfgrfa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3332-0-0x00007FF6C5690000-0x00007FF6C59E4000-memory.dmp	upx
behavioral2/files/0x000500000002328f-5.dat	upx
behavioral2/memory/4176-8-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	upx
behavioral2/files/0x000800000002341d-10.dat	upx
behavioral2/memory/2892-14-0x00007FF681670000-0x00007FF6819C4000-memory.dmp	upx
behavioral2/files/0x0007000000023421-11.dat	upx
behavioral2/files/0x0007000000023424-25.dat	upx
behavioral2/files/0x000800000002341e-28.dat	upx
behavioral2/memory/336-30-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	upx
behavioral2/memory/4380-24-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	upx
behavioral2/memory/5100-20-0x00007FF737A60000-0x00007FF737DB4000-memory.dmp	upx
behavioral2/files/0x0007000000023425-34.dat	upx
behavioral2/memory/4076-38-0x00007FF719EE0000-0x00007FF71A234000-memory.dmp	upx
behavioral2/files/0x0007000000023426-41.dat	upx
behavioral2/files/0x0007000000023427-46.dat	upx
behavioral2/memory/3196-49-0x00007FF748B20000-0x00007FF748E74000-memory.dmp	upx
behavioral2/memory/2240-52-0x00007FF7B60C0000-0x00007FF7B6414000-memory.dmp	upx
behavioral2/memory/628-61-0x00007FF7DCF40000-0x00007FF7DD294000-memory.dmp	upx
behavioral2/files/0x000700000002342a-66.dat	upx
behavioral2/memory/4620-65-0x00007FF6C0530000-0x00007FF6C0884000-memory.dmp	upx
behavioral2/memory/3332-64-0x00007FF6C5690000-0x00007FF6C59E4000-memory.dmp	upx
behavioral2/files/0x0007000000023429-59.dat	upx
behavioral2/files/0x0007000000023428-54.dat	upx
behavioral2/files/0x000700000002342b-72.dat	upx
behavioral2/memory/4176-69-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	upx
behavioral2/files/0x000b00000002339a-80.dat	upx
behavioral2/memory/4108-78-0x00007FF6971C0000-0x00007FF697514000-memory.dmp	upx
behavioral2/memory/2860-75-0x00007FF6EF0C0000-0x00007FF6EF414000-memory.dmp	upx
behavioral2/files/0x0010000000023391-83.dat	upx
behavioral2/memory/3824-85-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	upx
behavioral2/memory/2876-84-0x00007FF6A8660000-0x00007FF6A89B4000-memory.dmp	upx
behavioral2/files/0x0005000000022ac0-92.dat	upx
behavioral2/memory/1688-95-0x00007FF76DD90000-0x00007FF76E0E4000-memory.dmp	upx
behavioral2/files/0x000400000002296c-98.dat	upx
behavioral2/memory/4380-94-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	upx
behavioral2/memory/5012-102-0x00007FF6F2040000-0x00007FF6F2394000-memory.dmp	upx
behavioral2/memory/336-101-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	upx
behavioral2/files/0x0003000000022974-105.dat	upx
behavioral2/memory/3512-114-0x00007FF7CE660000-0x00007FF7CE9B4000-memory.dmp	upx
behavioral2/files/0x000700000002342d-112.dat	upx
behavioral2/memory/2712-111-0x00007FF6404C0000-0x00007FF640814000-memory.dmp	upx
behavioral2/files/0x0013000000016964-116.dat	upx
behavioral2/files/0x000a0000000233c2-123.dat	upx
behavioral2/memory/2968-120-0x00007FF6D66E0000-0x00007FF6D6A34000-memory.dmp	upx
behavioral2/files/0x000700000002342f-127.dat	upx
behavioral2/memory/3540-126-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp	upx
behavioral2/memory/4804-131-0x00007FF621910000-0x00007FF621C64000-memory.dmp	upx
behavioral2/memory/3824-132-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	upx
behavioral2/memory/3540-133-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp	upx
behavioral2/memory/4176-134-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp	upx
behavioral2/memory/2892-135-0x00007FF681670000-0x00007FF6819C4000-memory.dmp	upx
behavioral2/memory/5100-136-0x00007FF737A60000-0x00007FF737DB4000-memory.dmp	upx
behavioral2/memory/4380-137-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp	upx
behavioral2/memory/336-138-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp	upx
behavioral2/memory/4076-139-0x00007FF719EE0000-0x00007FF71A234000-memory.dmp	upx
behavioral2/memory/3196-140-0x00007FF748B20000-0x00007FF748E74000-memory.dmp	upx
behavioral2/memory/2240-141-0x00007FF7B60C0000-0x00007FF7B6414000-memory.dmp	upx
behavioral2/memory/628-142-0x00007FF7DCF40000-0x00007FF7DD294000-memory.dmp	upx
behavioral2/memory/4620-143-0x00007FF6C0530000-0x00007FF6C0884000-memory.dmp	upx
behavioral2/memory/2860-144-0x00007FF6EF0C0000-0x00007FF6EF414000-memory.dmp	upx
behavioral2/memory/4108-145-0x00007FF6971C0000-0x00007FF697514000-memory.dmp	upx
behavioral2/memory/2876-146-0x00007FF6A8660000-0x00007FF6A89B4000-memory.dmp	upx
behavioral2/memory/3824-147-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp	upx
behavioral2/memory/1688-148-0x00007FF76DD90000-0x00007FF76E0E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WBkcRcw.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LUfbSWS.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dHntOPr.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IPLkZyl.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PblSJlz.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XouROnB.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XAbIbgi.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vRHjTMm.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xeYSzDc.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iMjGiXg.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vLUMZOa.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zLfgrfa.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rEGVnAF.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CFCDrBf.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WKBaSYP.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iMTWOaO.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mUsHoMa.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QHkDeAN.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kMsKnUo.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UlkuLAZ.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IxAKjrd.exe	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4176	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	84
PID 3332 wrote to memory of 4176	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	84
PID 3332 wrote to memory of 2892	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	85
PID 3332 wrote to memory of 2892	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	85
PID 3332 wrote to memory of 5100	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	86
PID 3332 wrote to memory of 5100	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	86
PID 3332 wrote to memory of 4380	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	88
PID 3332 wrote to memory of 4380	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	88
PID 3332 wrote to memory of 336	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	89
PID 3332 wrote to memory of 336	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	89
PID 3332 wrote to memory of 4076	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	90
PID 3332 wrote to memory of 4076	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	90
PID 3332 wrote to memory of 3196	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	92
PID 3332 wrote to memory of 3196	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	92
PID 3332 wrote to memory of 2240	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	94
PID 3332 wrote to memory of 2240	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	94
PID 3332 wrote to memory of 628	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	95
PID 3332 wrote to memory of 628	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	95
PID 3332 wrote to memory of 4620	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	96
PID 3332 wrote to memory of 4620	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	96
PID 3332 wrote to memory of 2860	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	97
PID 3332 wrote to memory of 2860	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	97
PID 3332 wrote to memory of 4108	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	98
PID 3332 wrote to memory of 4108	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	98
PID 3332 wrote to memory of 2876	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	99
PID 3332 wrote to memory of 2876	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	99
PID 3332 wrote to memory of 3824	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	100
PID 3332 wrote to memory of 3824	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	100
PID 3332 wrote to memory of 1688	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	101
PID 3332 wrote to memory of 1688	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	101
PID 3332 wrote to memory of 5012	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	102
PID 3332 wrote to memory of 5012	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	102
PID 3332 wrote to memory of 2712	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	104
PID 3332 wrote to memory of 2712	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	104
PID 3332 wrote to memory of 3512	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	107
PID 3332 wrote to memory of 3512	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	107
PID 3332 wrote to memory of 2968	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	108
PID 3332 wrote to memory of 2968	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	108
PID 3332 wrote to memory of 3540	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	110
PID 3332 wrote to memory of 3540	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	110
PID 3332 wrote to memory of 4804	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	111
PID 3332 wrote to memory of 4804	3332	2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_78325fef59f4218f566f53dc512cb2ed_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\System\XouROnB.exe
  C:\Windows\System\XouROnB.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\CFCDrBf.exe
  C:\Windows\System\CFCDrBf.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\WKBaSYP.exe
  C:\Windows\System\WKBaSYP.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\vRHjTMm.exe
  C:\Windows\System\vRHjTMm.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\xeYSzDc.exe
  C:\Windows\System\xeYSzDc.exe
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\System\iMTWOaO.exe
  C:\Windows\System\iMTWOaO.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\mUsHoMa.exe
  C:\Windows\System\mUsHoMa.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\QHkDeAN.exe
  C:\Windows\System\QHkDeAN.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\kMsKnUo.exe
  C:\Windows\System\kMsKnUo.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\XAbIbgi.exe
  C:\Windows\System\XAbIbgi.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\WBkcRcw.exe
  C:\Windows\System\WBkcRcw.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\LUfbSWS.exe
  C:\Windows\System\LUfbSWS.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\iMjGiXg.exe
  C:\Windows\System\iMjGiXg.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\dHntOPr.exe
  C:\Windows\System\dHntOPr.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\UlkuLAZ.exe
  C:\Windows\System\UlkuLAZ.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\rEGVnAF.exe
  C:\Windows\System\rEGVnAF.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\vLUMZOa.exe
  C:\Windows\System\vLUMZOa.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\IPLkZyl.exe
  C:\Windows\System\IPLkZyl.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\PblSJlz.exe
  C:\Windows\System\PblSJlz.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\IxAKjrd.exe
  C:\Windows\System\IxAKjrd.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\zLfgrfa.exe
  C:\Windows\System\zLfgrfa.exe
  2⤵
  - Executes dropped EXE
  PID:4804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CFCDrBf.exe

Filesize
5.9MB

MD5
b00c2baf0da63cc3f99c57fe89c403e0

SHA1
a869f5006a57f7ede23fb3e862a5a8b611930a4b

SHA256
9bc95116bacd7f5e7cd8f12f60fd50b56cb312307699a7e25f665c2b1c93fb97

SHA512
5dd4a3903b99deb395bbf27f75c27af50f395d43f1e3f403c7bea0108ba387337dae68fccb414892e60bcc606ecccae631e3fea1b11af89ebff3fd6bcb62ba66

Download Submit
C:\Windows\System\IPLkZyl.exe

Filesize
5.9MB

MD5
2d6bac7f7de67bb873dfb65c74358189

SHA1
887993d8ce5745fdde9770780f111415e0bd43b7

SHA256
42a3c0f10e60121a7dac8b7ab8752109c7158bd0cd33e2c2628595e4bd251ae9

SHA512
1f86da1b35f3b7bbd0062de98eb474fdfe18f7d3ff2692e589a15f28e85671bfe8332af006a13cee5d911aa539cf83c08e3a222e866d619cdd7ec5c2414c3174

Download Submit
C:\Windows\System\IxAKjrd.exe

Filesize
5.9MB

MD5
f0a04c123ec3e292fe8bd720c02654ad

SHA1
c7d9b807b95e7ee54155a975245a6b1a4bbae9bf

SHA256
f13a06f363337d901a9980cfeeae4422539aba96c092a55a51b241d8fb9ac691

SHA512
43f18065d5bfe036f2d598dc9ff36220dbb669da9c7cc2b27078feb2cbf22e6107374ce6f3ba1e6b608cd29903c911bc48b5977ed2b345b51760ef4aac66cb24

Download Submit
C:\Windows\System\LUfbSWS.exe

Filesize
5.9MB

MD5
1d011a47a5416ae3d2aa000ada5d8aac

SHA1
8c77cf16f93dd666802dc25f3aa725d66f9fbfbb

SHA256
26fc76068a024575ba6441eece12ba97129e8142e175b736fdfb63cee65943ce

SHA512
b6be1cfd2bdc38d35fe4cd66430fc00b7168eb5e34645c065968bbeb8c6408125ba6bdaabbd2e80215092825a871656f55048c34f586b06a4b181e0557df66ca

Download Submit
C:\Windows\System\PblSJlz.exe

Filesize
5.9MB

MD5
7d57a8c0aad8e4cb88d6be6f52563be4

SHA1
0c9ab36525b1ba3a1bd6c34cc97202fd01a47d4a

SHA256
043999f8362e2d4106925adad35ca6a812b2ab835de72e5ac492e68222438c14

SHA512
b79a6ccf484294abc249e4a78a3dc512762774cff50f67a20ef63f9848c1d8b6a420c24b048c00e11ae72f82f99ecc2995d858b8dec7b5ccb40cd3cfc6549892

Download Submit
C:\Windows\System\QHkDeAN.exe

Filesize
5.9MB

MD5
6fdbbad993120aab0557dadf950eabd4

SHA1
e4fdbed0c9d4bf01053d1c80edc6fb2992c1febe

SHA256
15fbf0f487546ed7c4a7ec030f55129659b3e040f17486afecede9a60d9386fc

SHA512
1e73294d7ec387d738ebaff08053171ebe6008a3c92c173e4eed1e9b59dd891fce8a23203627f68acd88d82cedb7aa696a5935d386d7e2b52c652a677927d61b

Download Submit
C:\Windows\System\UlkuLAZ.exe

Filesize
5.9MB

MD5
cf2ca56bd23b740db9aa5241a71a6729

SHA1
ba2b8042b083ebd363ecfd6b4a7ff64784e46b83

SHA256
d2c6485cd49577b33203fa9a320f0618dfdc7c52999ef717b21c6d286f42cc14

SHA512
2a593760f9c7277b56e27764e9c177da33197c25fbb8390122f6c254ba427d59bf6363f6bc8ba6324e0d087ba72da719765f08a2de28cdd4e55a6f18cec9a60a

Download Submit
C:\Windows\System\WBkcRcw.exe

Filesize
5.9MB

MD5
0e6b3892fd348d9f696ce6bfb223fd12

SHA1
2cd075ade09086e771845e2b6b28e33a0204b53a

SHA256
8a01bb774fe939df6a3baea99d3dea99de79f4f2f096d9521ab9c2da8ec49c4e

SHA512
f6d0d41a33b7cc36f136455efc841dda7be889cdef711ae722b574c971dbd616ce37e3fc6828f169bc381b9011a3446c3c4a30b82f1131806502cead55980c64

Download Submit
C:\Windows\System\WKBaSYP.exe

Filesize
5.9MB

MD5
1f3ac086dc1bdb084f4d4610f50aabdd

SHA1
0c3d9b9122244a0d77c37c964a83ac374ee8ee47

SHA256
8540a0c336be467a587c421cede91e5588011afcd20b730dcd65eaba22009fa5

SHA512
e570b6f2b8fb2680c486cafda7925ec417a7b00e5e3de480ed6f897f064be66dbf5164597e943935d85e4a1f11ef906a76621232f3e6a5e60a06204102251b8b

Download Submit
C:\Windows\System\XAbIbgi.exe

Filesize
5.9MB

MD5
106612f3600dde6dca4eb6b7d03606b8

SHA1
5bb29d2fbb89673d7ca5773905f50b16d4d863e4

SHA256
da31b4cc1e3aef5960443bd6e515f00116d35dd821b76a629c7728fc6d989910

SHA512
bc9c8b43968f2d08cbb9e4c09ecfd52cafc4fbdd1dce56526cbe1c04da4749e1f7831f61f8ddffa336688e1abe566d12660e9d8e3a10e2fd4e82d0ae5e4107af

Download Submit
C:\Windows\System\XouROnB.exe

Filesize
5.9MB

MD5
d403d5635c5cdc078686e81b7c93efb9

SHA1
0d0203ba35557b4f6d2eb01f450765a739256442

SHA256
5b86128386bbf1b6af3ccf6e0655a5560b1d6433a4619aa7056c9cd4cea795a8

SHA512
f42032fea06514b3ce5e53e2ae5618a6e0586fe58855f89a7e9c48bb2aa6f0457493bb6e3db4652e5c9eefccc1d844f7d510d7e5d7218b1bc0635268d3bb8c1e

Download Submit
C:\Windows\System\dHntOPr.exe

Filesize
5.9MB

MD5
93614974811410a624e452f5aff1d600

SHA1
327d03f7b1ac09dfc37b93cca3f1157ecda07093

SHA256
ec9b769962a025e658db8a517347ec81602af574b73091b48f0a6db3a38e324d

SHA512
ade4ad7a72f33c9f8d27f750be93cd461900e4177ce406a2c22fb9f584ede28ad5e924583fd42f280e5228821a7f73db944d1c69dd0a9a16b9dc15bc303ca70c

Download Submit
C:\Windows\System\iMTWOaO.exe

Filesize
5.9MB

MD5
e3b8d7c85cfdc84911e7a92cbb815bc5

SHA1
0ccc6a31440af0c29cf83ddf67c5b39fff26b004

SHA256
4c58ad6039a6a37d0c50c7016491a59ffba1e2f1a17c63bc4ab066a2f06bee79

SHA512
e3ab1a264f314825603d19bbdd8792aa5671c089e1226cd0d857608490f7cc3ff9a282deff5b5a7094189de7417a098c2fb2501b0f1958dff372b52a57c52586

Download Submit
C:\Windows\System\iMjGiXg.exe

Filesize
5.9MB

MD5
c42995b3a4212fed0bfdb8e897494057

SHA1
afbe68bece5cb729417f2cc3f25153ccf9436534

SHA256
a0d8538e382309aad93379a00f88d892ff23e649ed29e28228ea7447d9218098

SHA512
55dcc057153b76bc830b83245959a2573b4a1e1449281b2dc05b1038155faf3030cef9d8fbb5b253ec9ecc930a6d3cd4d241ab0a6da3783b587c2d4ea6da8285

Download Submit
C:\Windows\System\kMsKnUo.exe

Filesize
5.9MB

MD5
caffab6202983fb84e462c42a4f6a294

SHA1
59489a1124d7a64135537374c002d233045b5ae2

SHA256
90d59c4a4d02820823939153b0b5e6ed1251d2be0654882567daf405fef9b703

SHA512
167091c6e401764d466de336de2f713b5e5457e2fa6e2bf68baaad367ee16fb3eb165bed2643e736f236648671b80a4144d3ea38c12a8ebe5e20c6707bfdb340

Download Submit
C:\Windows\System\mUsHoMa.exe

Filesize
5.9MB

MD5
95dde4991502a626c481675b2276e285

SHA1
b08b7f1ae7802615788c419b5b83063a026619c1

SHA256
979c1ebd03e2a42cf252ac987def7c9b2f8ad26967f0268b0e77284cb38e2d30

SHA512
e78975b35a414ee9dd102233a9a8fd9dcbef210996887e2acc9fa970e6b5824c1d6e733e8ec148b385f23f369eecc6bf561b8aec161b26d11e7a9703f30e6068

Download Submit
C:\Windows\System\rEGVnAF.exe

Filesize
5.9MB

MD5
3b9fd65c7efdcfd9a8c2460da79d052a

SHA1
e46dd8261c3d90277e38fb635ed15d4a50d76d6c

SHA256
f05ae1e7d114a82130643414b24ed466ff51fe0bf2c6601539eefe9e91b5093a

SHA512
e4324e4f2045dd96fb4da1b8959c353bff70c980fa10bbb0cc0fc6d4c9f200e7838453f79b50b3a752a409a04bc07ec37184531e352ce0567e269a90234c622a

Download Submit
C:\Windows\System\vLUMZOa.exe

Filesize
5.9MB

MD5
53c1f773cc857179b2f41ff5fc1bf7d0

SHA1
2e725cde83dc8b2e499481f138c8db27458036c2

SHA256
29647c5c2ef64c7c5f9174012807e0a413b7f6d80fae59e13ddf78840b96d1f6

SHA512
bea2be37c861c043fc4dc7117fe796dddf5fa650fbc1213623e55a47ded62c1a66d5c5846c2da2d49857661d1e97908795bd3ba17b55131ed08ecb94f33a0066

Download Submit
C:\Windows\System\vRHjTMm.exe

Filesize
5.9MB

MD5
f582bc911295911f14a232cb5a6c7402

SHA1
725dfe42fc710e36f0ddb4f8dee58cb55769381e

SHA256
3c589f4c24724a7ecf1c36b02c47b933a5032968d9c8774983498fa807dc2806

SHA512
835133d6886bdf9069d8382f827f3a2f334fc57620db74a485611b0e2e5e79f37138b34235ab689df0eb630ff9a615666edb6505cef6a1b7c09a767dc98fd138

Download Submit
C:\Windows\System\xeYSzDc.exe

Filesize
5.9MB

MD5
b6a4d001939013511cc14985c4a03c01

SHA1
1ab27fd31c6cc93cfbfacc8752b17a3c16d6fc8d

SHA256
cf8433a192b615bc3d0a23307f806b6d088f88714ec11b98fb88ce81c0201145

SHA512
9dd5fa628cd6de18f3f3a131fe2e5917291a8394fba8b4a0d8a073296d095c451e88da468a9153ce4ce12c7dda2d778c9ba61d63257efef699ba84c198cadfd9

Download Submit
C:\Windows\System\zLfgrfa.exe

Filesize
5.9MB

MD5
1bf7934b638394de684abb2ea8a25905

SHA1
3ba2d543c0517c58412785041a90ea6ef5ed1e39

SHA256
6a819066bff5a10ed5a3ce446364b5f0f00361e9f966f5c7081d5fff5c22f6ba

SHA512
c0bdbffc5f1a2cbc0097372a53e804669d6bab572eb5281291832c200022ad24da8f1758e1be86cdb7b1858365da5d7aac952fd7925e602a235f842ffe163c41

Download Submit
memory/336-101-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp

Filesize
3.3MB

Download
memory/336-30-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp

Filesize
3.3MB

Download
memory/336-138-0x00007FF74A990000-0x00007FF74ACE4000-memory.dmp

Filesize
3.3MB

Download
memory/628-61-0x00007FF7DCF40000-0x00007FF7DD294000-memory.dmp

Filesize
3.3MB

Download
memory/628-142-0x00007FF7DCF40000-0x00007FF7DD294000-memory.dmp

Filesize
3.3MB

Download
memory/1688-95-0x00007FF76DD90000-0x00007FF76E0E4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-148-0x00007FF76DD90000-0x00007FF76E0E4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-52-0x00007FF7B60C0000-0x00007FF7B6414000-memory.dmp

Filesize
3.3MB

Download
memory/2240-141-0x00007FF7B60C0000-0x00007FF7B6414000-memory.dmp

Filesize
3.3MB

Download
memory/2712-111-0x00007FF6404C0000-0x00007FF640814000-memory.dmp

Filesize
3.3MB

Download
memory/2712-150-0x00007FF6404C0000-0x00007FF640814000-memory.dmp

Filesize
3.3MB

Download
memory/2860-144-0x00007FF6EF0C0000-0x00007FF6EF414000-memory.dmp

Filesize
3.3MB

Download
memory/2860-75-0x00007FF6EF0C0000-0x00007FF6EF414000-memory.dmp

Filesize
3.3MB

Download
memory/2876-146-0x00007FF6A8660000-0x00007FF6A89B4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-84-0x00007FF6A8660000-0x00007FF6A89B4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-135-0x00007FF681670000-0x00007FF6819C4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-14-0x00007FF681670000-0x00007FF6819C4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-152-0x00007FF6D66E0000-0x00007FF6D6A34000-memory.dmp

Filesize
3.3MB

Download
memory/2968-120-0x00007FF6D66E0000-0x00007FF6D6A34000-memory.dmp

Filesize
3.3MB

Download
memory/3196-49-0x00007FF748B20000-0x00007FF748E74000-memory.dmp

Filesize
3.3MB

Download
memory/3196-140-0x00007FF748B20000-0x00007FF748E74000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1-0x000001CE17F60000-0x000001CE17F70000-memory.dmp

Filesize
64KB

Download
memory/3332-0-0x00007FF6C5690000-0x00007FF6C59E4000-memory.dmp

Filesize
3.3MB

Download
memory/3332-64-0x00007FF6C5690000-0x00007FF6C59E4000-memory.dmp

Filesize
3.3MB

Download
memory/3512-114-0x00007FF7CE660000-0x00007FF7CE9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3512-151-0x00007FF7CE660000-0x00007FF7CE9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3540-133-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp

Filesize
3.3MB

Download
memory/3540-153-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp

Filesize
3.3MB

Download
memory/3540-126-0x00007FF6EA0E0000-0x00007FF6EA434000-memory.dmp

Filesize
3.3MB

Download
memory/3824-85-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp

Filesize
3.3MB

Download
memory/3824-147-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp

Filesize
3.3MB

Download
memory/3824-132-0x00007FF69F0F0000-0x00007FF69F444000-memory.dmp

Filesize
3.3MB

Download
memory/4076-38-0x00007FF719EE0000-0x00007FF71A234000-memory.dmp

Filesize
3.3MB

Download
memory/4076-139-0x00007FF719EE0000-0x00007FF71A234000-memory.dmp

Filesize
3.3MB

Download
memory/4108-78-0x00007FF6971C0000-0x00007FF697514000-memory.dmp

Filesize
3.3MB

Download
memory/4108-145-0x00007FF6971C0000-0x00007FF697514000-memory.dmp

Filesize
3.3MB

Download
memory/4176-8-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4176-69-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4176-134-0x00007FF6EA480000-0x00007FF6EA7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-94-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp

Filesize
3.3MB

Download
memory/4380-24-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp

Filesize
3.3MB

Download
memory/4380-137-0x00007FF78BC30000-0x00007FF78BF84000-memory.dmp

Filesize
3.3MB

Download
memory/4620-65-0x00007FF6C0530000-0x00007FF6C0884000-memory.dmp

Filesize
3.3MB

Download
memory/4620-143-0x00007FF6C0530000-0x00007FF6C0884000-memory.dmp

Filesize
3.3MB

Download
memory/4804-131-0x00007FF621910000-0x00007FF621C64000-memory.dmp

Filesize
3.3MB

Download
memory/4804-154-0x00007FF621910000-0x00007FF621C64000-memory.dmp

Filesize
3.3MB

Download
memory/5012-102-0x00007FF6F2040000-0x00007FF6F2394000-memory.dmp

Filesize
3.3MB

Download
memory/5012-149-0x00007FF6F2040000-0x00007FF6F2394000-memory.dmp

Filesize
3.3MB

Download
memory/5100-20-0x00007FF737A60000-0x00007FF737DB4000-memory.dmp

Filesize
3.3MB

Download
memory/5100-136-0x00007FF737A60000-0x00007FF737DB4000-memory.dmp

Filesize
3.3MB

Download