cobaltstrike | 738a4782a1812bf18dd2e5238dc50c805dcc29e7aae3fac3be47878958888212

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

372cb383188bc58fd7d2e8c57b022e7e
SHA1

c8df94183d6fa92f54e556473f3404fa918dda8a
SHA256

738a4782a1812bf18dd2e5238dc50c805dcc29e7aae3fac3be47878958888212
SHA512

9ce7ef2285e3cebec10e178db174eb4e37db73024a6831d6803ae2db75b2f5bfd3fad115a32241684501ef78be46f698326adf7f2568e0dfe24453b5a3c41f03
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023408-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-34.dat	cobalt_reflective_dll
behavioral2/files/0x000c0000000006c3-41.dat	cobalt_reflective_dll
behavioral2/files/0x0016000000016216-47.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022974-54.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023382-58.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002295d-67.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023384-73.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002340d-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-128.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023408-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023410-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000c0000000006c3-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0016000000016216-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000022974-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0009000000023382-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000900000002295d-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000c000000023384-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002340d-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341a-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341b-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341c-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341e-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341d-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2244-0-0x00007FF6D2750000-0x00007FF6D2AA4000-memory.dmp	UPX
behavioral2/files/0x0009000000023408-4.dat	UPX
behavioral2/memory/3636-8-0x00007FF668600000-0x00007FF668954000-memory.dmp	UPX
behavioral2/files/0x0007000000023411-10.dat	UPX
behavioral2/files/0x0007000000023410-11.dat	UPX
behavioral2/memory/2736-23-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	UPX
behavioral2/files/0x0007000000023412-25.dat	UPX
behavioral2/memory/4136-24-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	UPX
behavioral2/memory/1880-12-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023413-28.dat	UPX
behavioral2/memory/1136-31-0x00007FF60EFF0000-0x00007FF60F344000-memory.dmp	UPX
behavioral2/files/0x0007000000023415-34.dat	UPX
behavioral2/memory/904-38-0x00007FF7B1E00000-0x00007FF7B2154000-memory.dmp	UPX
behavioral2/files/0x000c0000000006c3-41.dat	UPX
behavioral2/memory/4108-44-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	UPX
behavioral2/files/0x0016000000016216-47.dat	UPX
behavioral2/files/0x0006000000022974-54.dat	UPX
behavioral2/memory/3608-56-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	UPX
behavioral2/memory/2348-50-0x00007FF7845F0000-0x00007FF784944000-memory.dmp	UPX
behavioral2/files/0x0009000000023382-58.dat	UPX
behavioral2/memory/2244-60-0x00007FF6D2750000-0x00007FF6D2AA4000-memory.dmp	UPX
behavioral2/memory/1548-63-0x00007FF7350A0000-0x00007FF7353F4000-memory.dmp	UPX
behavioral2/files/0x000900000002295d-67.dat	UPX
behavioral2/files/0x000c000000023384-73.dat	UPX
behavioral2/memory/1880-72-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	UPX
behavioral2/memory/3636-69-0x00007FF668600000-0x00007FF668954000-memory.dmp	UPX
behavioral2/files/0x000800000002340d-80.dat	UPX
behavioral2/memory/4996-79-0x00007FF659FB0000-0x00007FF65A304000-memory.dmp	UPX
behavioral2/memory/2736-84-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	UPX
behavioral2/memory/1892-82-0x00007FF69FFF0000-0x00007FF6A0344000-memory.dmp	UPX
behavioral2/memory/5092-89-0x00007FF78B890000-0x00007FF78BBE4000-memory.dmp	UPX
behavioral2/memory/2884-90-0x00007FF6C3E70000-0x00007FF6C41C4000-memory.dmp	UPX
behavioral2/files/0x0007000000023418-94.dat	UPX
behavioral2/memory/4136-96-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	UPX
behavioral2/files/0x000700000002341a-107.dat	UPX
behavioral2/files/0x000700000002341b-111.dat	UPX
behavioral2/memory/392-112-0x00007FF61DE70000-0x00007FF61E1C4000-memory.dmp	UPX
behavioral2/memory/4040-113-0x00007FF67B640000-0x00007FF67B994000-memory.dmp	UPX
behavioral2/files/0x0007000000023419-102.dat	UPX
behavioral2/memory/2456-101-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp	UPX
behavioral2/memory/3280-99-0x00007FF6AD8B0000-0x00007FF6ADC04000-memory.dmp	UPX
behavioral2/files/0x0007000000023417-87.dat	UPX
behavioral2/files/0x000700000002341c-118.dat	UPX
behavioral2/files/0x000700000002341e-128.dat	UPX
behavioral2/files/0x000700000002341d-125.dat	UPX
behavioral2/memory/4108-130-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	UPX
behavioral2/memory/720-131-0x00007FF753AC0000-0x00007FF753E14000-memory.dmp	UPX
behavioral2/memory/2656-133-0x00007FF730700000-0x00007FF730A54000-memory.dmp	UPX
behavioral2/memory/1396-132-0x00007FF76A8F0000-0x00007FF76AC44000-memory.dmp	UPX
behavioral2/memory/3608-134-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	UPX
behavioral2/memory/2456-135-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp	UPX
behavioral2/memory/4040-136-0x00007FF67B640000-0x00007FF67B994000-memory.dmp	UPX
behavioral2/memory/3636-137-0x00007FF668600000-0x00007FF668954000-memory.dmp	UPX
behavioral2/memory/1880-138-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	UPX
behavioral2/memory/2736-139-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	UPX
behavioral2/memory/4136-140-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	UPX
behavioral2/memory/1136-141-0x00007FF60EFF0000-0x00007FF60F344000-memory.dmp	UPX
behavioral2/memory/904-142-0x00007FF7B1E00000-0x00007FF7B2154000-memory.dmp	UPX
behavioral2/memory/4108-143-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	UPX
behavioral2/memory/2348-144-0x00007FF7845F0000-0x00007FF784944000-memory.dmp	UPX
behavioral2/memory/3608-145-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	UPX
behavioral2/memory/1548-146-0x00007FF7350A0000-0x00007FF7353F4000-memory.dmp	UPX
behavioral2/memory/4996-147-0x00007FF659FB0000-0x00007FF65A304000-memory.dmp	UPX
behavioral2/memory/1892-148-0x00007FF69FFF0000-0x00007FF6A0344000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2244-0-0x00007FF6D2750000-0x00007FF6D2AA4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023408-4.dat	xmrig
behavioral2/memory/3636-8-0x00007FF668600000-0x00007FF668954000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-10.dat	xmrig
behavioral2/files/0x0007000000023410-11.dat	xmrig
behavioral2/memory/2736-23-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023412-25.dat	xmrig
behavioral2/memory/4136-24-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	xmrig
behavioral2/memory/1880-12-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023413-28.dat	xmrig
behavioral2/memory/1136-31-0x00007FF60EFF0000-0x00007FF60F344000-memory.dmp	xmrig
behavioral2/files/0x0007000000023415-34.dat	xmrig
behavioral2/memory/904-38-0x00007FF7B1E00000-0x00007FF7B2154000-memory.dmp	xmrig
behavioral2/files/0x000c0000000006c3-41.dat	xmrig
behavioral2/memory/4108-44-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	xmrig
behavioral2/files/0x0016000000016216-47.dat	xmrig
behavioral2/files/0x0006000000022974-54.dat	xmrig
behavioral2/memory/3608-56-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	xmrig
behavioral2/memory/2348-50-0x00007FF7845F0000-0x00007FF784944000-memory.dmp	xmrig
behavioral2/files/0x0009000000023382-58.dat	xmrig
behavioral2/memory/2244-60-0x00007FF6D2750000-0x00007FF6D2AA4000-memory.dmp	xmrig
behavioral2/memory/1548-63-0x00007FF7350A0000-0x00007FF7353F4000-memory.dmp	xmrig
behavioral2/files/0x000900000002295d-67.dat	xmrig
behavioral2/files/0x000c000000023384-73.dat	xmrig
behavioral2/memory/1880-72-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	xmrig
behavioral2/memory/3636-69-0x00007FF668600000-0x00007FF668954000-memory.dmp	xmrig
behavioral2/files/0x000800000002340d-80.dat	xmrig
behavioral2/memory/4996-79-0x00007FF659FB0000-0x00007FF65A304000-memory.dmp	xmrig
behavioral2/memory/2736-84-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	xmrig
behavioral2/memory/1892-82-0x00007FF69FFF0000-0x00007FF6A0344000-memory.dmp	xmrig
behavioral2/memory/5092-89-0x00007FF78B890000-0x00007FF78BBE4000-memory.dmp	xmrig
behavioral2/memory/2884-90-0x00007FF6C3E70000-0x00007FF6C41C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023418-94.dat	xmrig
behavioral2/memory/4136-96-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	xmrig
behavioral2/files/0x000700000002341a-107.dat	xmrig
behavioral2/files/0x000700000002341b-111.dat	xmrig
behavioral2/memory/392-112-0x00007FF61DE70000-0x00007FF61E1C4000-memory.dmp	xmrig
behavioral2/memory/4040-113-0x00007FF67B640000-0x00007FF67B994000-memory.dmp	xmrig
behavioral2/files/0x0007000000023419-102.dat	xmrig
behavioral2/memory/2456-101-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp	xmrig
behavioral2/memory/3280-99-0x00007FF6AD8B0000-0x00007FF6ADC04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023417-87.dat	xmrig
behavioral2/files/0x000700000002341c-118.dat	xmrig
behavioral2/files/0x000700000002341e-128.dat	xmrig
behavioral2/files/0x000700000002341d-125.dat	xmrig
behavioral2/memory/4108-130-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	xmrig
behavioral2/memory/720-131-0x00007FF753AC0000-0x00007FF753E14000-memory.dmp	xmrig
behavioral2/memory/2656-133-0x00007FF730700000-0x00007FF730A54000-memory.dmp	xmrig
behavioral2/memory/1396-132-0x00007FF76A8F0000-0x00007FF76AC44000-memory.dmp	xmrig
behavioral2/memory/3608-134-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	xmrig
behavioral2/memory/2456-135-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp	xmrig
behavioral2/memory/4040-136-0x00007FF67B640000-0x00007FF67B994000-memory.dmp	xmrig
behavioral2/memory/3636-137-0x00007FF668600000-0x00007FF668954000-memory.dmp	xmrig
behavioral2/memory/1880-138-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	xmrig
behavioral2/memory/2736-139-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	xmrig
behavioral2/memory/4136-140-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	xmrig
behavioral2/memory/1136-141-0x00007FF60EFF0000-0x00007FF60F344000-memory.dmp	xmrig
behavioral2/memory/904-142-0x00007FF7B1E00000-0x00007FF7B2154000-memory.dmp	xmrig
behavioral2/memory/4108-143-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	xmrig
behavioral2/memory/2348-144-0x00007FF7845F0000-0x00007FF784944000-memory.dmp	xmrig
behavioral2/memory/3608-145-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	xmrig
behavioral2/memory/1548-146-0x00007FF7350A0000-0x00007FF7353F4000-memory.dmp	xmrig
behavioral2/memory/4996-147-0x00007FF659FB0000-0x00007FF65A304000-memory.dmp	xmrig
behavioral2/memory/1892-148-0x00007FF69FFF0000-0x00007FF6A0344000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3636	aQyQJVQ.exe
1880	rShcbhQ.exe
2736	zVZphVO.exe
4136	zehOtcK.exe
1136	segSgFn.exe
904	uQNSSqM.exe
4108	XUOttUq.exe
2348	auKuaMM.exe
3608	jtrQqGv.exe
1548	uJenplH.exe
4996	QlEMiMV.exe
1892	QhDDKyx.exe
5092	aynDWGz.exe
2884	CymZvoL.exe
3280	EnwCVLd.exe
2456	YALKWyH.exe
392	cbdaFwZ.exe
4040	FlvSlWo.exe
720	OpwRHuV.exe
1396	duaQeYn.exe
2656	eLDldgV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2244-0-0x00007FF6D2750000-0x00007FF6D2AA4000-memory.dmp	upx
behavioral2/files/0x0009000000023408-4.dat	upx
behavioral2/memory/3636-8-0x00007FF668600000-0x00007FF668954000-memory.dmp	upx
behavioral2/files/0x0007000000023411-10.dat	upx
behavioral2/files/0x0007000000023410-11.dat	upx
behavioral2/memory/2736-23-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	upx
behavioral2/files/0x0007000000023412-25.dat	upx
behavioral2/memory/4136-24-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	upx
behavioral2/memory/1880-12-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	upx
behavioral2/files/0x0007000000023413-28.dat	upx
behavioral2/memory/1136-31-0x00007FF60EFF0000-0x00007FF60F344000-memory.dmp	upx
behavioral2/files/0x0007000000023415-34.dat	upx
behavioral2/memory/904-38-0x00007FF7B1E00000-0x00007FF7B2154000-memory.dmp	upx
behavioral2/files/0x000c0000000006c3-41.dat	upx
behavioral2/memory/4108-44-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	upx
behavioral2/files/0x0016000000016216-47.dat	upx
behavioral2/files/0x0006000000022974-54.dat	upx
behavioral2/memory/3608-56-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	upx
behavioral2/memory/2348-50-0x00007FF7845F0000-0x00007FF784944000-memory.dmp	upx
behavioral2/files/0x0009000000023382-58.dat	upx
behavioral2/memory/2244-60-0x00007FF6D2750000-0x00007FF6D2AA4000-memory.dmp	upx
behavioral2/memory/1548-63-0x00007FF7350A0000-0x00007FF7353F4000-memory.dmp	upx
behavioral2/files/0x000900000002295d-67.dat	upx
behavioral2/files/0x000c000000023384-73.dat	upx
behavioral2/memory/1880-72-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	upx
behavioral2/memory/3636-69-0x00007FF668600000-0x00007FF668954000-memory.dmp	upx
behavioral2/files/0x000800000002340d-80.dat	upx
behavioral2/memory/4996-79-0x00007FF659FB0000-0x00007FF65A304000-memory.dmp	upx
behavioral2/memory/2736-84-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	upx
behavioral2/memory/1892-82-0x00007FF69FFF0000-0x00007FF6A0344000-memory.dmp	upx
behavioral2/memory/5092-89-0x00007FF78B890000-0x00007FF78BBE4000-memory.dmp	upx
behavioral2/memory/2884-90-0x00007FF6C3E70000-0x00007FF6C41C4000-memory.dmp	upx
behavioral2/files/0x0007000000023418-94.dat	upx
behavioral2/memory/4136-96-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	upx
behavioral2/files/0x000700000002341a-107.dat	upx
behavioral2/files/0x000700000002341b-111.dat	upx
behavioral2/memory/392-112-0x00007FF61DE70000-0x00007FF61E1C4000-memory.dmp	upx
behavioral2/memory/4040-113-0x00007FF67B640000-0x00007FF67B994000-memory.dmp	upx
behavioral2/files/0x0007000000023419-102.dat	upx
behavioral2/memory/2456-101-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp	upx
behavioral2/memory/3280-99-0x00007FF6AD8B0000-0x00007FF6ADC04000-memory.dmp	upx
behavioral2/files/0x0007000000023417-87.dat	upx
behavioral2/files/0x000700000002341c-118.dat	upx
behavioral2/files/0x000700000002341e-128.dat	upx
behavioral2/files/0x000700000002341d-125.dat	upx
behavioral2/memory/4108-130-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	upx
behavioral2/memory/720-131-0x00007FF753AC0000-0x00007FF753E14000-memory.dmp	upx
behavioral2/memory/2656-133-0x00007FF730700000-0x00007FF730A54000-memory.dmp	upx
behavioral2/memory/1396-132-0x00007FF76A8F0000-0x00007FF76AC44000-memory.dmp	upx
behavioral2/memory/3608-134-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	upx
behavioral2/memory/2456-135-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp	upx
behavioral2/memory/4040-136-0x00007FF67B640000-0x00007FF67B994000-memory.dmp	upx
behavioral2/memory/3636-137-0x00007FF668600000-0x00007FF668954000-memory.dmp	upx
behavioral2/memory/1880-138-0x00007FF634050000-0x00007FF6343A4000-memory.dmp	upx
behavioral2/memory/2736-139-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp	upx
behavioral2/memory/4136-140-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp	upx
behavioral2/memory/1136-141-0x00007FF60EFF0000-0x00007FF60F344000-memory.dmp	upx
behavioral2/memory/904-142-0x00007FF7B1E00000-0x00007FF7B2154000-memory.dmp	upx
behavioral2/memory/4108-143-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp	upx
behavioral2/memory/2348-144-0x00007FF7845F0000-0x00007FF784944000-memory.dmp	upx
behavioral2/memory/3608-145-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp	upx
behavioral2/memory/1548-146-0x00007FF7350A0000-0x00007FF7353F4000-memory.dmp	upx
behavioral2/memory/4996-147-0x00007FF659FB0000-0x00007FF65A304000-memory.dmp	upx
behavioral2/memory/1892-148-0x00007FF69FFF0000-0x00007FF6A0344000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aynDWGz.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FlvSlWo.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\duaQeYn.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zVZphVO.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XUOttUq.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\auKuaMM.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uJenplH.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zehOtcK.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uQNSSqM.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jtrQqGv.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cbdaFwZ.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OpwRHuV.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rShcbhQ.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CymZvoL.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YALKWyH.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QhDDKyx.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EnwCVLd.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eLDldgV.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aQyQJVQ.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\segSgFn.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QlEMiMV.exe	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3636	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	84
PID 2244 wrote to memory of 3636	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	84
PID 2244 wrote to memory of 1880	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	85
PID 2244 wrote to memory of 1880	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	85
PID 2244 wrote to memory of 2736	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	86
PID 2244 wrote to memory of 2736	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	86
PID 2244 wrote to memory of 4136	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	87
PID 2244 wrote to memory of 4136	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	87
PID 2244 wrote to memory of 1136	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	88
PID 2244 wrote to memory of 1136	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	88
PID 2244 wrote to memory of 904	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	90
PID 2244 wrote to memory of 904	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	90
PID 2244 wrote to memory of 4108	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	95
PID 2244 wrote to memory of 4108	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	95
PID 2244 wrote to memory of 2348	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	96
PID 2244 wrote to memory of 2348	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	96
PID 2244 wrote to memory of 3608	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	98
PID 2244 wrote to memory of 3608	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	98
PID 2244 wrote to memory of 1548	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	99
PID 2244 wrote to memory of 1548	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	99
PID 2244 wrote to memory of 4996	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	102
PID 2244 wrote to memory of 4996	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	102
PID 2244 wrote to memory of 1892	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	103
PID 2244 wrote to memory of 1892	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	103
PID 2244 wrote to memory of 5092	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	104
PID 2244 wrote to memory of 5092	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	104
PID 2244 wrote to memory of 2884	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	105
PID 2244 wrote to memory of 2884	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	105
PID 2244 wrote to memory of 3280	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	106
PID 2244 wrote to memory of 3280	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	106
PID 2244 wrote to memory of 2456	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	107
PID 2244 wrote to memory of 2456	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	107
PID 2244 wrote to memory of 392	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	108
PID 2244 wrote to memory of 392	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	108
PID 2244 wrote to memory of 4040	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	109
PID 2244 wrote to memory of 4040	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	109
PID 2244 wrote to memory of 720	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	110
PID 2244 wrote to memory of 720	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	110
PID 2244 wrote to memory of 1396	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	111
PID 2244 wrote to memory of 1396	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	111
PID 2244 wrote to memory of 2656	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	112
PID 2244 wrote to memory of 2656	2244	2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_372cb383188bc58fd7d2e8c57b022e7e_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System\aQyQJVQ.exe
  C:\Windows\System\aQyQJVQ.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\rShcbhQ.exe
  C:\Windows\System\rShcbhQ.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\zVZphVO.exe
  C:\Windows\System\zVZphVO.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\zehOtcK.exe
  C:\Windows\System\zehOtcK.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\segSgFn.exe
  C:\Windows\System\segSgFn.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\uQNSSqM.exe
  C:\Windows\System\uQNSSqM.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System\XUOttUq.exe
  C:\Windows\System\XUOttUq.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\auKuaMM.exe
  C:\Windows\System\auKuaMM.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\jtrQqGv.exe
  C:\Windows\System\jtrQqGv.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\uJenplH.exe
  C:\Windows\System\uJenplH.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\QlEMiMV.exe
  C:\Windows\System\QlEMiMV.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\QhDDKyx.exe
  C:\Windows\System\QhDDKyx.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\aynDWGz.exe
  C:\Windows\System\aynDWGz.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\CymZvoL.exe
  C:\Windows\System\CymZvoL.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\EnwCVLd.exe
  C:\Windows\System\EnwCVLd.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\YALKWyH.exe
  C:\Windows\System\YALKWyH.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\cbdaFwZ.exe
  C:\Windows\System\cbdaFwZ.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\FlvSlWo.exe
  C:\Windows\System\FlvSlWo.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\OpwRHuV.exe
  C:\Windows\System\OpwRHuV.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\duaQeYn.exe
  C:\Windows\System\duaQeYn.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\eLDldgV.exe
  C:\Windows\System\eLDldgV.exe
  2⤵
  - Executes dropped EXE
  PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CymZvoL.exe

Filesize
5.9MB

MD5
cbaef74bdfd15da2530b99db9a01f7fe

SHA1
6e443a55395bad4fbf5bf0e1f35bb75e5aee23ce

SHA256
897cb859991d4d253142f22baf7e2f42ed0c3e909b222981b086ee0cafd92775

SHA512
d7a02da38ddb63c2eb4b8c01bd470c055573ec786e69171cad3ba99c05c3cd7852dfac5b329d3317714f492982a69b167ae782e4d7c3985c1d380bd3119b6b9e

Download Submit
C:\Windows\System\EnwCVLd.exe

Filesize
5.9MB

MD5
9827f3142f258dacba04aa21832cd619

SHA1
7b321f0fa1f4642f3b1ae127786d559dbb01833e

SHA256
9d35b55b783616a3426a49d2c048e14f64cbe0ff4399482442b871e1c1c292ce

SHA512
43b5a9a89fa201be59a11f7a7281c896e61e6df1e59101e37f01500d62b474497dae1166674714554589151173f7692b680ed1a20e4c8fabd86ba8b627cfa092

Download Submit
C:\Windows\System\FlvSlWo.exe

Filesize
5.9MB

MD5
c0de9b34a5b13e9b7a243051541ac408

SHA1
cc68d810e9b2639106b77f6ed05ef453c59a48f7

SHA256
b94d5cfa138a43c74687056c584510fe066e2a6a48cce5772b0cf27d508e9754

SHA512
d4725b26c0caa19378e4ef7c9743d08a9b1e71fb984ce9987fa70a6a632b1bfabce6c6a892868fd2cf420df41b3c7069f139deb826c59daae39487085a64fa20

Download Submit
C:\Windows\System\OpwRHuV.exe

Filesize
5.9MB

MD5
cfd1f9860987d4de30671019a017330e

SHA1
791e5329334e53a664d272d1792b82c286c593bf

SHA256
f3b905855872444bc3e42a33d5c0227bea2920ce2d00150271dfbd8f4d9dd4a7

SHA512
5ac9451e47c02d5f057f36f20c0854cf06872a8819cf5a4fe399ac61f14250bedfad03a89e0ded2df564cd7db6c8be733ce702390b747f74b586d49ecb1f1e17

Download Submit
C:\Windows\System\QhDDKyx.exe

Filesize
5.9MB

MD5
20644235997c573a8bc72d60b669d781

SHA1
577d824104a98086dd07165daadae7249fa29fbd

SHA256
3d3cf158cc464d40001b9bc5a0ee5ce88e58be8197045932fce0ed75170824cb

SHA512
1f70a80e61102894db7e4f4b6ac776326c3734381ec432d06b96eb30869d543d12c96b5e37f9c1aa6780d83c90bd44ea20997c451a55916045cee51477d620bb

Download Submit
C:\Windows\System\QlEMiMV.exe

Filesize
5.9MB

MD5
ca9de3118cc981ae4ba7bebe2ea2c5e4

SHA1
dbf0d676e01596c43b38783b17b47a318b0b6696

SHA256
1abd17e1c53cb253ba0564d3a5c213da41a9ab9d607d8f252f671ac8ba12e349

SHA512
16226d14413b3dd6b29fd579f215dbad2c52041b5e0c1b3bc885c317168e30a9ad7df4fc3f5244b932ac4eb7c653619403eb36a4bd943b04c510a9f5918876c6

Download Submit
C:\Windows\System\XUOttUq.exe

Filesize
5.9MB

MD5
018f7a115d71197135cd6a855a7fe05c

SHA1
7ef5f59e2088752a98fd2e29fa786e08d9b20aff

SHA256
dadf166080998eedf747fc98317bb1be21ee961e56d764916e9eadbd58a82f80

SHA512
d7872c6b41006c4043272167069e0eadf995d512c7817b8dfaa6c7c10e66bb19d8c3e03fa460733c1a6a26eb8e0fd714b02736c01d934c84f33489322a590903

Download Submit
C:\Windows\System\YALKWyH.exe

Filesize
5.9MB

MD5
149fab0cccc1e2e737cf22f3ba339515

SHA1
5d6b6c67e632d8dbc41e5b6eabf08c0755995752

SHA256
61b0c116d94d532121203e3a54526931aa0aca468da49ba00e1c206d7546d10e

SHA512
33ae60f89d003402e2cc0764f8b124773a36bd187b909e37977fb0e0a7e802f70a65cf2ec1554cee692355aaa78f5694865ee30512777a2e04fe38b0b0eb4b0f

Download Submit
C:\Windows\System\aQyQJVQ.exe

Filesize
5.9MB

MD5
72e24e5749fdcd152a9d06b775ec8463

SHA1
0f3a725dcf4eabcbcb478246e0ed661047d73b2a

SHA256
05aeb0de7f25300492423a77c9d353c1d335fa42e9b1eb65b4ce4238ea29c473

SHA512
c1ddd80395049dbc85221dbaa84e49a633ce76e3962e3f113077a8dbe47db5406a2425dc2be4e5244284593d21c837c490b6c958edf83a6dea24cbddcd6c549d

Download Submit
C:\Windows\System\auKuaMM.exe

Filesize
5.9MB

MD5
5b03552052dc2f70169b8c8d38c3a12a

SHA1
6835397beeacf60e04f4d5524a7daf9f438e8f19

SHA256
806a5ad5c6ebdd59168691fb98f5bb005baa42bac104aa7dace8a9f69503d508

SHA512
b3bf2ff2a99380a289207293ca8f49ea3c1dbf916156d4788261d5544abac9e0fb322b5d0d969ce4513bd9f2bd14de760bc8280b3a9c401745cfc0755a978edb

Download Submit
C:\Windows\System\aynDWGz.exe

Filesize
5.9MB

MD5
77b415d1c8be8d41fe831cdc3e1669f4

SHA1
c126a8c1bde03219dc8617bed0adf770a63268d1

SHA256
a48434399c9078244f95142e1a838a32000d68eaf5a2f030e7ee9d04f64923ae

SHA512
fa7a1ea89ade62d3e826750c582a34220b300c99df3bef10323c9daa36d74f585f8eed897c87672807f6449e9ce5820990fbdaf6547435998b01c986aa0e4d98

Download Submit
C:\Windows\System\cbdaFwZ.exe

Filesize
5.9MB

MD5
66d6e98c2399350c8b7481572f53ab70

SHA1
dcbcf4119dec72a267edcb9c60508e2dfc571f41

SHA256
79035d03f523b9d2c8445e0f03ca95c9dc51190e427244406c9cfc6072448ced

SHA512
66fbcb86828ef1b44b5b70cc5e43fb5be08fc6fc3e76fb976c9a18b292260febf8378d36f7db562a3a0e8c7c3efc8b8e461e11f4d73ad4de2bcbe442e8d94c9d

Download Submit
C:\Windows\System\duaQeYn.exe

Filesize
5.9MB

MD5
37f77db7d0ffb2fa2cce998335c165c4

SHA1
ad791f979f72eb1805d48d1accf9d775fe153b4c

SHA256
5ef720b738dbea863046e8d95ab880c8bb8960e4225739ae6a5fc8c8cecca32a

SHA512
9e4bae231339e5e8330ae9f9926ca4cf11366162826246cb6c11f094e6f283f3bf7b147b71d9ccfd8bc7276b7208f9867912a5620c44cdbd9e3569342173d969

Download Submit
C:\Windows\System\eLDldgV.exe

Filesize
5.9MB

MD5
877b5c4027a6ffa121e4b6376cf45054

SHA1
be5b3acc5b168b8ccc9faf172fed7432a12980ab

SHA256
039933c103e2a42e52122a4705a298994d40560f1cdffb689d46f58b527b79fd

SHA512
856973ecd113123ad3dc80459638ec5602a1c1d1b0807058ff3fce6ed24ffbd7b3cfffd2d2e2c565396ead435bd6c2969e62948c0b79f84fcefd90b380a9107b

Download Submit
C:\Windows\System\jtrQqGv.exe

Filesize
5.9MB

MD5
630b26db735b00751755092cd8d8096f

SHA1
9f442ed608c6a492681af223173cddf5c30beb0b

SHA256
db2669736478aa033464bcd19dfeab32277c24952238581b97f981be9432fa22

SHA512
1998f5d53531e452ef25da9c48ea9e0ca170d6628962d1bcf5d28be91aa8a77a02056870e118bab108c8d57d4116dff9d41f8eddf0f22293437074f68546cc4e

Download Submit
C:\Windows\System\rShcbhQ.exe

Filesize
5.9MB

MD5
5ae5acf854aec54afc50e2d925c13ef1

SHA1
e6c937b248d8b7664435adf80ed010727ae95248

SHA256
8398349f78ce69a74fe0e8d034705a5729ac784c7dfd8651266bd4d97a721941

SHA512
50b93aa0a441973dcd4e01b14175b1e10afb262475f4988a050da2cbb9d6a873001a8f7d07658389464cdf1c9c51ed18c92877fbcd16c30896270325d625a63c

Download Submit
C:\Windows\System\segSgFn.exe

Filesize
5.9MB

MD5
979e95835dc64338af61c74cd57b8860

SHA1
3bd60c0eb4331972cf2ac4d919fe6a60eb4d1d33

SHA256
5c990e889f36a5989378dc11a59bb5ff3e5d73270e071ef499903b7cb608047d

SHA512
01b006d9beec991be98d30f515c938cc2abb402b7b33b60cacb6f30b516b96b8deaaa3d190bcf6eb02d60fb984133ff803d4c2302eb18c2929f36ff2ab6c0b5d

Download Submit
C:\Windows\System\uJenplH.exe

Filesize
5.9MB

MD5
ea42c809ef034ce426a0dad087218b59

SHA1
629c5e04164e96c66e73a46ced7e80bbb6d1b8bc

SHA256
3dbc870fe2b70c2d51977bd069b1716ad3bc7be580af8e5b69003b029f6bd442

SHA512
3275bac5f448c18d0470101a998c74a8af99d1ad9ad4a82425fa68bc71ba39e29e0979933a84aa770e695c749d4d059d83e19efbd1e7931d5f289beec0399f24

Download Submit
C:\Windows\System\uQNSSqM.exe

Filesize
5.9MB

MD5
156f760678ec0f547748f15383dd65e0

SHA1
6c38c10917983b81f85b3b842c709ab0fee97023

SHA256
c0052bc3e6f0c4495033bb30bb4959f1e0dfb997c02bb45ce6819aa0fbda7286

SHA512
c3cc7f6d14f878a0a87ff52919fcdd980826efe858ece5250c0a27d18becc4dc5b3785b19caa76b17f58ce65a460648ae428af1a21ccd7749bd23ad7a08fb9ba

Download Submit
C:\Windows\System\zVZphVO.exe

Filesize
5.9MB

MD5
ab8e3b7257b1b691c19da524c0002f3f

SHA1
abfc218cd96c7c07447dbbaa34a75c5bee1393bf

SHA256
dc113f80b2b1a37890c943f7cc83fa8b8f3eb7ac96c90d34c5a0a7ef86caac56

SHA512
24d839610e1a642f56bd7729e12b2ea0198667154d73bc3f614e8e3ad7a65527f21b75cdf1b7fd901ad6eef016f74c09772920de26d1cdcc18aa726c9d07504d

Download Submit
C:\Windows\System\zehOtcK.exe

Filesize
5.9MB

MD5
a077b31fa173832c72c25b3c04a1dfd5

SHA1
d30160b3527e77e3943307bfe0be40a4589de796

SHA256
3749207fe0ee1cc85ba5d903edd8d383cb8f29b985a1635bd3af8629298ddb30

SHA512
f8f7074b9e61bd136c5edee330f52be137503504ac35355afdc7e2411543bcbb3ee71d10fafe5501e6705ebb4eb72a08f2c8a0589ae3282b6dfac550484ed520

Download Submit
memory/392-112-0x00007FF61DE70000-0x00007FF61E1C4000-memory.dmp

Filesize
3.3MB

Download
memory/392-153-0x00007FF61DE70000-0x00007FF61E1C4000-memory.dmp

Filesize
3.3MB

Download
memory/720-131-0x00007FF753AC0000-0x00007FF753E14000-memory.dmp

Filesize
3.3MB

Download
memory/720-155-0x00007FF753AC0000-0x00007FF753E14000-memory.dmp

Filesize
3.3MB

Download
memory/904-38-0x00007FF7B1E00000-0x00007FF7B2154000-memory.dmp

Filesize
3.3MB

Download
memory/904-142-0x00007FF7B1E00000-0x00007FF7B2154000-memory.dmp

Filesize
3.3MB

Download
memory/1136-141-0x00007FF60EFF0000-0x00007FF60F344000-memory.dmp

Filesize
3.3MB

Download
memory/1136-31-0x00007FF60EFF0000-0x00007FF60F344000-memory.dmp

Filesize
3.3MB

Download
memory/1396-157-0x00007FF76A8F0000-0x00007FF76AC44000-memory.dmp

Filesize
3.3MB

Download
memory/1396-132-0x00007FF76A8F0000-0x00007FF76AC44000-memory.dmp

Filesize
3.3MB

Download
memory/1548-146-0x00007FF7350A0000-0x00007FF7353F4000-memory.dmp

Filesize
3.3MB

Download
memory/1548-63-0x00007FF7350A0000-0x00007FF7353F4000-memory.dmp

Filesize
3.3MB

Download
memory/1880-72-0x00007FF634050000-0x00007FF6343A4000-memory.dmp

Filesize
3.3MB

Download
memory/1880-12-0x00007FF634050000-0x00007FF6343A4000-memory.dmp

Filesize
3.3MB

Download
memory/1880-138-0x00007FF634050000-0x00007FF6343A4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-82-0x00007FF69FFF0000-0x00007FF6A0344000-memory.dmp

Filesize
3.3MB

Download
memory/1892-148-0x00007FF69FFF0000-0x00007FF6A0344000-memory.dmp

Filesize
3.3MB

Download
memory/2244-60-0x00007FF6D2750000-0x00007FF6D2AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-0-0x00007FF6D2750000-0x00007FF6D2AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-1-0x000002232FEC0000-0x000002232FED0000-memory.dmp

Filesize
64KB

Download
memory/2348-50-0x00007FF7845F0000-0x00007FF784944000-memory.dmp

Filesize
3.3MB

Download
memory/2348-144-0x00007FF7845F0000-0x00007FF784944000-memory.dmp

Filesize
3.3MB

Download
memory/2456-152-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2456-101-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2456-135-0x00007FF7CA080000-0x00007FF7CA3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-133-0x00007FF730700000-0x00007FF730A54000-memory.dmp

Filesize
3.3MB

Download
memory/2656-156-0x00007FF730700000-0x00007FF730A54000-memory.dmp

Filesize
3.3MB

Download
memory/2736-139-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-23-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-84-0x00007FF635C50000-0x00007FF635FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2884-90-0x00007FF6C3E70000-0x00007FF6C41C4000-memory.dmp

Filesize
3.3MB

Download
memory/2884-150-0x00007FF6C3E70000-0x00007FF6C41C4000-memory.dmp

Filesize
3.3MB

Download
memory/3280-151-0x00007FF6AD8B0000-0x00007FF6ADC04000-memory.dmp

Filesize
3.3MB

Download
memory/3280-99-0x00007FF6AD8B0000-0x00007FF6ADC04000-memory.dmp

Filesize
3.3MB

Download
memory/3608-134-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp

Filesize
3.3MB

Download
memory/3608-145-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp

Filesize
3.3MB

Download
memory/3608-56-0x00007FF7E85E0000-0x00007FF7E8934000-memory.dmp

Filesize
3.3MB

Download
memory/3636-69-0x00007FF668600000-0x00007FF668954000-memory.dmp

Filesize
3.3MB

Download
memory/3636-8-0x00007FF668600000-0x00007FF668954000-memory.dmp

Filesize
3.3MB

Download
memory/3636-137-0x00007FF668600000-0x00007FF668954000-memory.dmp

Filesize
3.3MB

Download
memory/4040-136-0x00007FF67B640000-0x00007FF67B994000-memory.dmp

Filesize
3.3MB

Download
memory/4040-113-0x00007FF67B640000-0x00007FF67B994000-memory.dmp

Filesize
3.3MB

Download
memory/4040-154-0x00007FF67B640000-0x00007FF67B994000-memory.dmp

Filesize
3.3MB

Download
memory/4108-44-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp

Filesize
3.3MB

Download
memory/4108-130-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp

Filesize
3.3MB

Download
memory/4108-143-0x00007FF7DE3F0000-0x00007FF7DE744000-memory.dmp

Filesize
3.3MB

Download
memory/4136-140-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp

Filesize
3.3MB

Download
memory/4136-24-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp

Filesize
3.3MB

Download
memory/4136-96-0x00007FF6B7E30000-0x00007FF6B8184000-memory.dmp

Filesize
3.3MB

Download
memory/4996-147-0x00007FF659FB0000-0x00007FF65A304000-memory.dmp

Filesize
3.3MB

Download
memory/4996-79-0x00007FF659FB0000-0x00007FF65A304000-memory.dmp

Filesize
3.3MB

Download
memory/5092-149-0x00007FF78B890000-0x00007FF78BBE4000-memory.dmp

Filesize
3.3MB

Download
memory/5092-89-0x00007FF78B890000-0x00007FF78BBE4000-memory.dmp

Filesize
3.3MB

Download