cobaltstrike | ef617b482ba035bc792feb1158a4392186891afa7200312340b6bc168f645a6f

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

f9840cd71e714941e9d8e8a14d895154
SHA1

3767a895fe743d01d632088a386cddc63553989b
SHA256

ef617b482ba035bc792feb1158a4392186891afa7200312340b6bc168f645a6f
SHA512

678ca4148846a3a48421df5c845d0c975e93d8cf2aed98dc3d12ca5da9f3fc3cb9d5f0dda8682b74ed0343a449c84c174cf531225e122669edeef713442f8937
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU7:Q+856utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023257-4.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002325a-10.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002325d-11.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002325b-24.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002325e-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002325f-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023260-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023261-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023262-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023264-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023265-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023266-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023267-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023268-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023269-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326a-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326b-98.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326c-110.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326d-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326e-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023270-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023257-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002325a-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002325d-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002325b-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002325e-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002325f-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023260-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023261-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023262-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023264-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023265-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023266-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023267-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023268-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023269-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326a-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326b-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326c-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326d-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326e-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023270-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4848-0-0x00007FF62E6D0000-0x00007FF62EA24000-memory.dmp	UPX
behavioral2/files/0x0008000000023257-4.dat	UPX
behavioral2/memory/5036-8-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	UPX
behavioral2/files/0x000800000002325a-10.dat	UPX
behavioral2/memory/3164-14-0x00007FF6A77A0000-0x00007FF6A7AF4000-memory.dmp	UPX
behavioral2/files/0x000800000002325d-11.dat	UPX
behavioral2/memory/1668-20-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	UPX
behavioral2/files/0x000800000002325b-24.dat	UPX
behavioral2/memory/2376-26-0x00007FF626020000-0x00007FF626374000-memory.dmp	UPX
behavioral2/files/0x000800000002325e-29.dat	UPX
behavioral2/memory/4740-32-0x00007FF788BD0000-0x00007FF788F24000-memory.dmp	UPX
behavioral2/files/0x000700000002325f-34.dat	UPX
behavioral2/memory/1088-37-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	UPX
behavioral2/files/0x0007000000023260-41.dat	UPX
behavioral2/files/0x0007000000023261-47.dat	UPX
behavioral2/memory/4932-49-0x00007FF7BA700000-0x00007FF7BAA54000-memory.dmp	UPX
behavioral2/memory/1688-50-0x00007FF6F6160000-0x00007FF6F64B4000-memory.dmp	UPX
behavioral2/files/0x0007000000023262-53.dat	UPX
behavioral2/memory/1656-55-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	UPX
behavioral2/memory/4848-54-0x00007FF62E6D0000-0x00007FF62EA24000-memory.dmp	UPX
behavioral2/files/0x0007000000023264-60.dat	UPX
behavioral2/files/0x0007000000023265-68.dat	UPX
behavioral2/memory/2620-66-0x00007FF66BD10000-0x00007FF66C064000-memory.dmp	UPX
behavioral2/files/0x0007000000023266-73.dat	UPX
behavioral2/memory/692-72-0x00007FF677980000-0x00007FF677CD4000-memory.dmp	UPX
behavioral2/memory/5036-63-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	UPX
behavioral2/files/0x0007000000023267-78.dat	UPX
behavioral2/memory/3652-79-0x00007FF751240000-0x00007FF751594000-memory.dmp	UPX
behavioral2/files/0x0007000000023268-84.dat	UPX
behavioral2/memory/1172-80-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	UPX
behavioral2/files/0x0007000000023269-91.dat	UPX
behavioral2/files/0x000700000002326a-94.dat	UPX
behavioral2/files/0x000700000002326b-98.dat	UPX
behavioral2/files/0x000700000002326c-110.dat	UPX
behavioral2/memory/4472-115-0x00007FF75B310000-0x00007FF75B664000-memory.dmp	UPX
behavioral2/files/0x000700000002326d-116.dat	UPX
behavioral2/memory/468-119-0x00007FF75A720000-0x00007FF75AA74000-memory.dmp	UPX
behavioral2/memory/4736-118-0x00007FF6F6C00000-0x00007FF6F6F54000-memory.dmp	UPX
behavioral2/memory/4544-114-0x00007FF751370000-0x00007FF7516C4000-memory.dmp	UPX
behavioral2/memory/3772-109-0x00007FF629540000-0x00007FF629894000-memory.dmp	UPX
behavioral2/memory/1336-97-0x00007FF6047A0000-0x00007FF604AF4000-memory.dmp	UPX
behavioral2/memory/1668-89-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	UPX
behavioral2/files/0x000700000002326e-122.dat	UPX
behavioral2/files/0x0007000000023270-126.dat	UPX
behavioral2/memory/1088-129-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	UPX
behavioral2/memory/3104-130-0x00007FF738760000-0x00007FF738AB4000-memory.dmp	UPX
behavioral2/memory/4628-131-0x00007FF750DE0000-0x00007FF751134000-memory.dmp	UPX
behavioral2/memory/1656-132-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	UPX
behavioral2/memory/1172-133-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	UPX
behavioral2/memory/5036-134-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	UPX
behavioral2/memory/3164-135-0x00007FF6A77A0000-0x00007FF6A7AF4000-memory.dmp	UPX
behavioral2/memory/1668-136-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	UPX
behavioral2/memory/2376-137-0x00007FF626020000-0x00007FF626374000-memory.dmp	UPX
behavioral2/memory/4740-138-0x00007FF788BD0000-0x00007FF788F24000-memory.dmp	UPX
behavioral2/memory/1088-139-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	UPX
behavioral2/memory/4932-140-0x00007FF7BA700000-0x00007FF7BAA54000-memory.dmp	UPX
behavioral2/memory/1688-141-0x00007FF6F6160000-0x00007FF6F64B4000-memory.dmp	UPX
behavioral2/memory/1656-142-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	UPX
behavioral2/memory/2620-143-0x00007FF66BD10000-0x00007FF66C064000-memory.dmp	UPX
behavioral2/memory/692-144-0x00007FF677980000-0x00007FF677CD4000-memory.dmp	UPX
behavioral2/memory/3652-145-0x00007FF751240000-0x00007FF751594000-memory.dmp	UPX
behavioral2/memory/1172-146-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	UPX
behavioral2/memory/1336-147-0x00007FF6047A0000-0x00007FF604AF4000-memory.dmp	UPX
behavioral2/memory/3772-148-0x00007FF629540000-0x00007FF629894000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4848-0-0x00007FF62E6D0000-0x00007FF62EA24000-memory.dmp	xmrig
behavioral2/files/0x0008000000023257-4.dat	xmrig
behavioral2/memory/5036-8-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	xmrig
behavioral2/files/0x000800000002325a-10.dat	xmrig
behavioral2/memory/3164-14-0x00007FF6A77A0000-0x00007FF6A7AF4000-memory.dmp	xmrig
behavioral2/files/0x000800000002325d-11.dat	xmrig
behavioral2/memory/1668-20-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	xmrig
behavioral2/files/0x000800000002325b-24.dat	xmrig
behavioral2/memory/2376-26-0x00007FF626020000-0x00007FF626374000-memory.dmp	xmrig
behavioral2/files/0x000800000002325e-29.dat	xmrig
behavioral2/memory/4740-32-0x00007FF788BD0000-0x00007FF788F24000-memory.dmp	xmrig
behavioral2/files/0x000700000002325f-34.dat	xmrig
behavioral2/memory/1088-37-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	xmrig
behavioral2/files/0x0007000000023260-41.dat	xmrig
behavioral2/files/0x0007000000023261-47.dat	xmrig
behavioral2/memory/4932-49-0x00007FF7BA700000-0x00007FF7BAA54000-memory.dmp	xmrig
behavioral2/memory/1688-50-0x00007FF6F6160000-0x00007FF6F64B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023262-53.dat	xmrig
behavioral2/memory/1656-55-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	xmrig
behavioral2/memory/4848-54-0x00007FF62E6D0000-0x00007FF62EA24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023264-60.dat	xmrig
behavioral2/files/0x0007000000023265-68.dat	xmrig
behavioral2/memory/2620-66-0x00007FF66BD10000-0x00007FF66C064000-memory.dmp	xmrig
behavioral2/files/0x0007000000023266-73.dat	xmrig
behavioral2/memory/692-72-0x00007FF677980000-0x00007FF677CD4000-memory.dmp	xmrig
behavioral2/memory/5036-63-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	xmrig
behavioral2/files/0x0007000000023267-78.dat	xmrig
behavioral2/memory/3652-79-0x00007FF751240000-0x00007FF751594000-memory.dmp	xmrig
behavioral2/files/0x0007000000023268-84.dat	xmrig
behavioral2/memory/1172-80-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023269-91.dat	xmrig
behavioral2/files/0x000700000002326a-94.dat	xmrig
behavioral2/files/0x000700000002326b-98.dat	xmrig
behavioral2/files/0x000700000002326c-110.dat	xmrig
behavioral2/memory/4472-115-0x00007FF75B310000-0x00007FF75B664000-memory.dmp	xmrig
behavioral2/files/0x000700000002326d-116.dat	xmrig
behavioral2/memory/468-119-0x00007FF75A720000-0x00007FF75AA74000-memory.dmp	xmrig
behavioral2/memory/4736-118-0x00007FF6F6C00000-0x00007FF6F6F54000-memory.dmp	xmrig
behavioral2/memory/4544-114-0x00007FF751370000-0x00007FF7516C4000-memory.dmp	xmrig
behavioral2/memory/3772-109-0x00007FF629540000-0x00007FF629894000-memory.dmp	xmrig
behavioral2/memory/1336-97-0x00007FF6047A0000-0x00007FF604AF4000-memory.dmp	xmrig
behavioral2/memory/1668-89-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	xmrig
behavioral2/files/0x000700000002326e-122.dat	xmrig
behavioral2/files/0x0007000000023270-126.dat	xmrig
behavioral2/memory/1088-129-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	xmrig
behavioral2/memory/3104-130-0x00007FF738760000-0x00007FF738AB4000-memory.dmp	xmrig
behavioral2/memory/4628-131-0x00007FF750DE0000-0x00007FF751134000-memory.dmp	xmrig
behavioral2/memory/1656-132-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	xmrig
behavioral2/memory/1172-133-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	xmrig
behavioral2/memory/5036-134-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	xmrig
behavioral2/memory/3164-135-0x00007FF6A77A0000-0x00007FF6A7AF4000-memory.dmp	xmrig
behavioral2/memory/1668-136-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	xmrig
behavioral2/memory/2376-137-0x00007FF626020000-0x00007FF626374000-memory.dmp	xmrig
behavioral2/memory/4740-138-0x00007FF788BD0000-0x00007FF788F24000-memory.dmp	xmrig
behavioral2/memory/1088-139-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	xmrig
behavioral2/memory/4932-140-0x00007FF7BA700000-0x00007FF7BAA54000-memory.dmp	xmrig
behavioral2/memory/1688-141-0x00007FF6F6160000-0x00007FF6F64B4000-memory.dmp	xmrig
behavioral2/memory/1656-142-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	xmrig
behavioral2/memory/2620-143-0x00007FF66BD10000-0x00007FF66C064000-memory.dmp	xmrig
behavioral2/memory/692-144-0x00007FF677980000-0x00007FF677CD4000-memory.dmp	xmrig
behavioral2/memory/3652-145-0x00007FF751240000-0x00007FF751594000-memory.dmp	xmrig
behavioral2/memory/1172-146-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	xmrig
behavioral2/memory/1336-147-0x00007FF6047A0000-0x00007FF604AF4000-memory.dmp	xmrig
behavioral2/memory/3772-148-0x00007FF629540000-0x00007FF629894000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5036	PeXBFtb.exe
3164	Iwhzucj.exe
1668	SBpihMR.exe
2376	SYdshWM.exe
4740	NqBGbdY.exe
1088	lbbtODx.exe
4932	QlArYZP.exe
1688	AmdaXPv.exe
1656	FomoJJf.exe
2620	HYYcHev.exe
692	ZMqfbUg.exe
3652	srzHbiA.exe
1172	aYcmsIo.exe
1336	xqVqGaj.exe
3772	ODIoCWi.exe
4544	oLrQbxe.exe
4472	VDXhYUJ.exe
4736	apmDqjx.exe
468	jzDEmkt.exe
3104	KxIaBCZ.exe
4628	eQVyrUp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4848-0-0x00007FF62E6D0000-0x00007FF62EA24000-memory.dmp	upx
behavioral2/files/0x0008000000023257-4.dat	upx
behavioral2/memory/5036-8-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	upx
behavioral2/files/0x000800000002325a-10.dat	upx
behavioral2/memory/3164-14-0x00007FF6A77A0000-0x00007FF6A7AF4000-memory.dmp	upx
behavioral2/files/0x000800000002325d-11.dat	upx
behavioral2/memory/1668-20-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	upx
behavioral2/files/0x000800000002325b-24.dat	upx
behavioral2/memory/2376-26-0x00007FF626020000-0x00007FF626374000-memory.dmp	upx
behavioral2/files/0x000800000002325e-29.dat	upx
behavioral2/memory/4740-32-0x00007FF788BD0000-0x00007FF788F24000-memory.dmp	upx
behavioral2/files/0x000700000002325f-34.dat	upx
behavioral2/memory/1088-37-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	upx
behavioral2/files/0x0007000000023260-41.dat	upx
behavioral2/files/0x0007000000023261-47.dat	upx
behavioral2/memory/4932-49-0x00007FF7BA700000-0x00007FF7BAA54000-memory.dmp	upx
behavioral2/memory/1688-50-0x00007FF6F6160000-0x00007FF6F64B4000-memory.dmp	upx
behavioral2/files/0x0007000000023262-53.dat	upx
behavioral2/memory/1656-55-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	upx
behavioral2/memory/4848-54-0x00007FF62E6D0000-0x00007FF62EA24000-memory.dmp	upx
behavioral2/files/0x0007000000023264-60.dat	upx
behavioral2/files/0x0007000000023265-68.dat	upx
behavioral2/memory/2620-66-0x00007FF66BD10000-0x00007FF66C064000-memory.dmp	upx
behavioral2/files/0x0007000000023266-73.dat	upx
behavioral2/memory/692-72-0x00007FF677980000-0x00007FF677CD4000-memory.dmp	upx
behavioral2/memory/5036-63-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	upx
behavioral2/files/0x0007000000023267-78.dat	upx
behavioral2/memory/3652-79-0x00007FF751240000-0x00007FF751594000-memory.dmp	upx
behavioral2/files/0x0007000000023268-84.dat	upx
behavioral2/memory/1172-80-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	upx
behavioral2/files/0x0007000000023269-91.dat	upx
behavioral2/files/0x000700000002326a-94.dat	upx
behavioral2/files/0x000700000002326b-98.dat	upx
behavioral2/files/0x000700000002326c-110.dat	upx
behavioral2/memory/4472-115-0x00007FF75B310000-0x00007FF75B664000-memory.dmp	upx
behavioral2/files/0x000700000002326d-116.dat	upx
behavioral2/memory/468-119-0x00007FF75A720000-0x00007FF75AA74000-memory.dmp	upx
behavioral2/memory/4736-118-0x00007FF6F6C00000-0x00007FF6F6F54000-memory.dmp	upx
behavioral2/memory/4544-114-0x00007FF751370000-0x00007FF7516C4000-memory.dmp	upx
behavioral2/memory/3772-109-0x00007FF629540000-0x00007FF629894000-memory.dmp	upx
behavioral2/memory/1336-97-0x00007FF6047A0000-0x00007FF604AF4000-memory.dmp	upx
behavioral2/memory/1668-89-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	upx
behavioral2/files/0x000700000002326e-122.dat	upx
behavioral2/files/0x0007000000023270-126.dat	upx
behavioral2/memory/1088-129-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	upx
behavioral2/memory/3104-130-0x00007FF738760000-0x00007FF738AB4000-memory.dmp	upx
behavioral2/memory/4628-131-0x00007FF750DE0000-0x00007FF751134000-memory.dmp	upx
behavioral2/memory/1656-132-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	upx
behavioral2/memory/1172-133-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	upx
behavioral2/memory/5036-134-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp	upx
behavioral2/memory/3164-135-0x00007FF6A77A0000-0x00007FF6A7AF4000-memory.dmp	upx
behavioral2/memory/1668-136-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp	upx
behavioral2/memory/2376-137-0x00007FF626020000-0x00007FF626374000-memory.dmp	upx
behavioral2/memory/4740-138-0x00007FF788BD0000-0x00007FF788F24000-memory.dmp	upx
behavioral2/memory/1088-139-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp	upx
behavioral2/memory/4932-140-0x00007FF7BA700000-0x00007FF7BAA54000-memory.dmp	upx
behavioral2/memory/1688-141-0x00007FF6F6160000-0x00007FF6F64B4000-memory.dmp	upx
behavioral2/memory/1656-142-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp	upx
behavioral2/memory/2620-143-0x00007FF66BD10000-0x00007FF66C064000-memory.dmp	upx
behavioral2/memory/692-144-0x00007FF677980000-0x00007FF677CD4000-memory.dmp	upx
behavioral2/memory/3652-145-0x00007FF751240000-0x00007FF751594000-memory.dmp	upx
behavioral2/memory/1172-146-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp	upx
behavioral2/memory/1336-147-0x00007FF6047A0000-0x00007FF604AF4000-memory.dmp	upx
behavioral2/memory/3772-148-0x00007FF629540000-0x00007FF629894000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ODIoCWi.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oLrQbxe.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eQVyrUp.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SBpihMR.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NqBGbdY.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lbbtODx.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aYcmsIo.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\srzHbiA.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jzDEmkt.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QlArYZP.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AmdaXPv.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FomoJJf.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZMqfbUg.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PeXBFtb.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SYdshWM.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HYYcHev.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KxIaBCZ.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Iwhzucj.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xqVqGaj.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VDXhYUJ.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\apmDqjx.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 5036	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	91
PID 4848 wrote to memory of 5036	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	91
PID 4848 wrote to memory of 3164	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	92
PID 4848 wrote to memory of 3164	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	92
PID 4848 wrote to memory of 1668	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	93
PID 4848 wrote to memory of 1668	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	93
PID 4848 wrote to memory of 2376	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	94
PID 4848 wrote to memory of 2376	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	94
PID 4848 wrote to memory of 4740	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	95
PID 4848 wrote to memory of 4740	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	95
PID 4848 wrote to memory of 1088	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	96
PID 4848 wrote to memory of 1088	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	96
PID 4848 wrote to memory of 4932	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	97
PID 4848 wrote to memory of 4932	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	97
PID 4848 wrote to memory of 1688	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	98
PID 4848 wrote to memory of 1688	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	98
PID 4848 wrote to memory of 1656	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	99
PID 4848 wrote to memory of 1656	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	99
PID 4848 wrote to memory of 2620	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	100
PID 4848 wrote to memory of 2620	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	100
PID 4848 wrote to memory of 692	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	101
PID 4848 wrote to memory of 692	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	101
PID 4848 wrote to memory of 3652	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	102
PID 4848 wrote to memory of 3652	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	102
PID 4848 wrote to memory of 1172	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	103
PID 4848 wrote to memory of 1172	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	103
PID 4848 wrote to memory of 1336	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	104
PID 4848 wrote to memory of 1336	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	104
PID 4848 wrote to memory of 3772	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	105
PID 4848 wrote to memory of 3772	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	105
PID 4848 wrote to memory of 4544	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	106
PID 4848 wrote to memory of 4544	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	106
PID 4848 wrote to memory of 4472	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	107
PID 4848 wrote to memory of 4472	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	107
PID 4848 wrote to memory of 4736	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	108
PID 4848 wrote to memory of 4736	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	108
PID 4848 wrote to memory of 468	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	109
PID 4848 wrote to memory of 468	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	109
PID 4848 wrote to memory of 3104	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	110
PID 4848 wrote to memory of 3104	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	110
PID 4848 wrote to memory of 4628	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	111
PID 4848 wrote to memory of 4628	4848	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\System\PeXBFtb.exe
  C:\Windows\System\PeXBFtb.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\Iwhzucj.exe
  C:\Windows\System\Iwhzucj.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\SBpihMR.exe
  C:\Windows\System\SBpihMR.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\SYdshWM.exe
  C:\Windows\System\SYdshWM.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\NqBGbdY.exe
  C:\Windows\System\NqBGbdY.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\lbbtODx.exe
  C:\Windows\System\lbbtODx.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\QlArYZP.exe
  C:\Windows\System\QlArYZP.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\AmdaXPv.exe
  C:\Windows\System\AmdaXPv.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\FomoJJf.exe
  C:\Windows\System\FomoJJf.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\HYYcHev.exe
  C:\Windows\System\HYYcHev.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\ZMqfbUg.exe
  C:\Windows\System\ZMqfbUg.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\srzHbiA.exe
  C:\Windows\System\srzHbiA.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\aYcmsIo.exe
  C:\Windows\System\aYcmsIo.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\xqVqGaj.exe
  C:\Windows\System\xqVqGaj.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System\ODIoCWi.exe
  C:\Windows\System\ODIoCWi.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\oLrQbxe.exe
  C:\Windows\System\oLrQbxe.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\VDXhYUJ.exe
  C:\Windows\System\VDXhYUJ.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\apmDqjx.exe
  C:\Windows\System\apmDqjx.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\jzDEmkt.exe
  C:\Windows\System\jzDEmkt.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\KxIaBCZ.exe
  C:\Windows\System\KxIaBCZ.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\eQVyrUp.exe
  C:\Windows\System\eQVyrUp.exe
  2⤵
  - Executes dropped EXE
  PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:1596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AmdaXPv.exe

Filesize
5.9MB

MD5
bd4af3a6edcb67cfdafa9138ea1f96f5

SHA1
f3e9d8936e1b73e9564f305ddca3494edf8d312a

SHA256
68e504471ed7de5de70f4b9e5e53f38bfb429737e1766783fbcd366530e65ade

SHA512
282543e69795a55107edc5b88eec3659c2381b6cc27913285bb1b1eb2b140d4b05b4dc28e73c50f0a9293489b838c07351e5abcd12ac96f1394bf2a19f9d7e7e

Download Submit
C:\Windows\System\FomoJJf.exe

Filesize
5.9MB

MD5
d07ba373016698b473a6c9802bb3b290

SHA1
22b92a5af644ad9100679a4078897da404f65751

SHA256
bdce3e8de52ce53a0d579e59c2425e1354fb7bb4ef4145f89c9c2a888bf5d35a

SHA512
7f24a1ea7f6faa1a1f9bc85af5cedcf0d64e0e15038426d246afeb5a79491cb3e79e81f844f6175f24ebd8e9ac7e7a5465d342c048c1f41a51b031ae0104ddfa

Download Submit
C:\Windows\System\HYYcHev.exe

Filesize
5.9MB

MD5
6c49c01d6820c6dfc5d61deab91ab071

SHA1
3039216339faf7c5cd88a733bc1873fa4b4eddfd

SHA256
e623b7d2f89d82b5f90abd90aad2e18205d28352dd48e57de145f6994edf192e

SHA512
9e978c7c3b6c40deb57881540be976441b5d25eedd03a350da5b31a99db8781fda1706aa9b583fec8dae759a6439052c49fabfe14ada9583aa7ec17a9f5375fa

Download Submit
C:\Windows\System\Iwhzucj.exe

Filesize
5.9MB

MD5
1b285682435b2c0eb8b3c4234203b6a6

SHA1
81fa593296bfa380a0d8e3ffd7fb97d2a1dc896b

SHA256
6c8faef5e7dbd0dd3b324bd508250c50703231428124be677ce388e31a32e71c

SHA512
feb9b32909124347b059ba7277f867e8623b171ee611d12d07094d5345db2fa34b9daa2c719a26a0c12a60b46725c03311c9f3eb4b6294ea48e6ecc07e909232

Download Submit
C:\Windows\System\KxIaBCZ.exe

Filesize
5.9MB

MD5
8b72dcff34874615b9a536aac2250a6d

SHA1
bc98507550634ba61a3698c1f272ebcb5d294340

SHA256
c43378f79369161a351209a40538287ae5cee65fa01a880d06593d44997e3427

SHA512
11d6d888608f6f203685fcb877fd43a512b5af72ba5a0dbf9318177fe720682a71e4e6bb134115f1ae67f05bb9e440f69fd33bf09567b6e6d9e2c0d691605b89

Download Submit
C:\Windows\System\NqBGbdY.exe

Filesize
5.9MB

MD5
8916a432ccbc5d1969ef593a11c05b9c

SHA1
c1aa341d836476e9d4788f02a738e39a8a512b97

SHA256
b7032891deac8056be7566acf2d34998ef4908eff58ec99491110869a711db2c

SHA512
ff313b7ca57c06430e55bd59b95dd74fdb9cb6850351ff72270d7c23668241bde398fad61de915b950b2a5fbb364cccb2e934405525a392d8b1ac9bcaa38a18c

Download Submit
C:\Windows\System\ODIoCWi.exe

Filesize
5.9MB

MD5
5b780be1824ba69ca76f5190356928de

SHA1
d5942026252382d2f4121e94b91908fbe4993f13

SHA256
814d1fc47695845d39ce39e0186c1e2de99a82b5d23f4f46cdd9b2fa2bfc454f

SHA512
0e7d87be81d42b2430fee95eb9ad630b5c95aed752420512792111b448a1ef612b5285cf4bf6df0a0c7903caf5732955cfe806e66e2893ef702a519f85bf6fde

Download Submit
C:\Windows\System\PeXBFtb.exe

Filesize
5.9MB

MD5
0bbb7f766c8f75c4630651f94f467596

SHA1
75a5ede1612fb02b53ee2f71e89e045325ac5bb8

SHA256
267393451ee8601bb5d7fa73c92d3331fc4e0753a9a3893c64c1b556efe1e92c

SHA512
ba2fbe057ce506110748c834fbe8f8765a35f681bd5b11c2cf13b6c2cb6c001bdf472be970485e760891b966d849375b0648c1345e5bcd34846c774076f8af7b

Download Submit
C:\Windows\System\QlArYZP.exe

Filesize
5.9MB

MD5
38e8443286ae72a5310fb7948d80d63f

SHA1
cc6ef34cc095a479d5ca3e1db2e1203bf3bcc467

SHA256
4e153c97e4a49cf0b6115bedf484caf6a2ea927abdaa56bfe8b4fbdb8136f0fb

SHA512
4dbc77a8b6ee2e13a015b6f04caa6c72a443fa6fe339a4e6e110479fc564506db55b94dd03a27823724fe5b7bbe782a284bbd0dd11bfab678cbf6f8c92091a53

Download Submit
C:\Windows\System\SBpihMR.exe

Filesize
5.9MB

MD5
8e19f9e281e1cd1daa2dc2f42c77aec3

SHA1
bfbe6cb3f59dca63697ba508cbe0f6e2336f9827

SHA256
7f53ed26d9e8993a30d7f2a809274345c4e2eaf49ced0eae3d5255c4933f57d3

SHA512
c939ec165d6ceef9d45351adc1375641c70420da5e65801018bb7e4722bc243ac10250d6ea9c9a5d05ce3468cdd71bf69f72bda8c970ad7d64010c8deae04e03

Download Submit
C:\Windows\System\SYdshWM.exe

Filesize
5.9MB

MD5
e13dc698f9e568a356a2dab46701e107

SHA1
ef94dd8b192f89eb86ef05be0eaec93f8e10612e

SHA256
bcaa4309ab1c823dfc50fdb97f4a865590d3ed8695d84e0e159ab4728290e7ee

SHA512
97f85fc88af94116c3cac4d50441a26536046df1ec704611c71a6977e153abde8ccd59355f8c332ae0422491c484754381abf0721654b7371600b76208c43a72

Download Submit
C:\Windows\System\VDXhYUJ.exe

Filesize
5.9MB

MD5
a9791e062395fa9618767ef2fa2351d2

SHA1
258c8da17e2dfd6175749f8b2f16ccf096d65666

SHA256
b40804c5aace50a9932c9a7d2ce892c00f33117c51f793849bb37129aa402e36

SHA512
c6c6ddbeba9210fb6418ae529a47f10bdfc5276a069234f088bf75e2420a106981e363f32122aff414ff86b82e7c109d9e9abc4cf6f1fd00a0b79abaeec54635

Download Submit
C:\Windows\System\ZMqfbUg.exe

Filesize
5.9MB

MD5
0f510df7652c01192b47650b8497b045

SHA1
49c8f087edb253e4ec3e574ce71e7d9cb9b0f7ff

SHA256
b607078e4681180ac178d020969e75f91c8452bb119958bb7734a6306148e9a9

SHA512
726102f2a0ed80efd40c3ecb40e48fc71075174b6c05f95d7bbec49ea26f41e4e49e6fbc87e3c74d35f47194461c1ba34c31532ce67aa697b7f9698c50aecfcd

Download Submit
C:\Windows\System\aYcmsIo.exe

Filesize
5.9MB

MD5
a4292a8369c2b43a534c31a0d00d0119

SHA1
952e338cfb7ba30b75b7a212474ddddf9ef15619

SHA256
8894a25541ef849cf2e98a0abdc9ecd6d598970a0a970e40d54638fc491dd6a1

SHA512
66c9ebb5e59c3c59316baa8cb139dd4eb0200305cc2800ba36bade742e6d35850d90c4e40faa017d3d128847c2d574d2bf6335aaf552a70a4941a6834f1a95b2

Download Submit
C:\Windows\System\apmDqjx.exe

Filesize
5.9MB

MD5
cd09368f72c1170615f2e81a2029bdb9

SHA1
41ebf9cd680116e66abb29a5b1aa808bbbf964f1

SHA256
76bf853611629dafa1f4fd71c60d82d8340d62aa7b7eb78d060732e29ab8ca4c

SHA512
ccd7e40934054535f1dbc97de1ac3505bf1c7763bf87dfaad33235f8b3745d968255efc8c8eb7a67c4028b03302d917dcb7a0cd21bd18578e817ccd67bcefd85

Download Submit
C:\Windows\System\eQVyrUp.exe

Filesize
5.9MB

MD5
352985654b51591f9be38a5fbec288cc

SHA1
a6b3a6438995fca0fad820db9512bcb525f36fb0

SHA256
b299a92f8165466d0f53ef954ade28f5eb6137986d2c87011dd0fc15123feed7

SHA512
a325c68cae11c2483f83fd4eabc8b1da84f3a6c29766bb70c1a45d6e1008e2a1044035614a88ba6878b7cd148a996bc976948407052b14eaa671d114a00c984e

Download Submit
C:\Windows\System\jzDEmkt.exe

Filesize
5.9MB

MD5
0708bbce9301b8b89c7441fbdbfbb053

SHA1
1940b39dd918e42490ebb0a034f7cbdd193eaabb

SHA256
4f376895c9958601f9f73cd34cfaf81984c5174d3652286dc47cbc8266bda394

SHA512
b1668e1e7afc2dd4c5e890bd0b42e656b1db89b4ea43db5a78dd56d99a7d4268fa1afbeed37b64b830efc8060d553fedba6b5ba8ce5d0f6c4bba6750398cdbdf

Download Submit
C:\Windows\System\lbbtODx.exe

Filesize
5.9MB

MD5
fa47469809292c46b3df564b3cc593de

SHA1
5c6d0a76f493abe0568cfec885a14612899e79fc

SHA256
4ffb3b78a716fed9adf7d6e56bc9cb84283f5f164ef8c698fe056124f91d5713

SHA512
adf77acd2243bffb99190ad674eff0543504a5086d242f20df64c49c886111a2357540423e065ff8dcb35fcd5177b884c28ef61337d25213815b3c4551a40248

Download Submit
C:\Windows\System\oLrQbxe.exe

Filesize
5.9MB

MD5
61431c67ac04a4bbe67662687cdd1ea9

SHA1
3ca5e83da929dc0c097bf2a5a7f3254488ff1ef6

SHA256
0c2a82ea44aab9d86886dfa55feea4e2183a8cc78f47915efb5e04b5ffac33e1

SHA512
2c7c183f295426b047f4c4e6dc31301ff47b8d0ad1e0ab898c2d796d2a374e81ac8dd3ac3f4f2ef4a235329e639e5ef171e374951c30c33e2657461397ee0647

Download Submit
C:\Windows\System\srzHbiA.exe

Filesize
5.9MB

MD5
09b48edbe224e5af841f524519918656

SHA1
5ca13a414a82479ee0b00d2e1b09aa396b836fd6

SHA256
5ddaf3ae7860cdaf4460c6ece13215efae17ff815ddc93d4c49c32f78d0832c9

SHA512
113be57458b8a6aa960b590ba446e8044e7af7ac9fa7a63f6099c2376cd8e9d2526edf8e8d5ea5a11b4ca9e53e47731ac497d8c6da4db719e5fc4d5ff68553d2

Download Submit
C:\Windows\System\xqVqGaj.exe

Filesize
5.9MB

MD5
5c72622e1c85ebf9165e38a543e18af9

SHA1
49120a579e497221e331f8c549bb03974c2ffc68

SHA256
70fdc6a815e8174bcb3b87fc3089cecaecddeeae53b7e291aff71afe7a1858de

SHA512
d0d9113b1f7626c50594a85989629d42f7f3b9f57e42d350b2353df547c9c40aaf5d3e7c03d4967a60cde2bddca5d5f4835692da20f74a5d79489e019422b430

Download Submit
memory/468-119-0x00007FF75A720000-0x00007FF75AA74000-memory.dmp

Filesize
3.3MB

Download
memory/468-152-0x00007FF75A720000-0x00007FF75AA74000-memory.dmp

Filesize
3.3MB

Download
memory/692-72-0x00007FF677980000-0x00007FF677CD4000-memory.dmp

Filesize
3.3MB

Download
memory/692-144-0x00007FF677980000-0x00007FF677CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-129-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp

Filesize
3.3MB

Download
memory/1088-139-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp

Filesize
3.3MB

Download
memory/1088-37-0x00007FF7C4510000-0x00007FF7C4864000-memory.dmp

Filesize
3.3MB

Download
memory/1172-80-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1172-146-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1172-133-0x00007FF787A90000-0x00007FF787DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1336-147-0x00007FF6047A0000-0x00007FF604AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1336-97-0x00007FF6047A0000-0x00007FF604AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1656-142-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp

Filesize
3.3MB

Download
memory/1656-55-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp

Filesize
3.3MB

Download
memory/1656-132-0x00007FF7EB4C0000-0x00007FF7EB814000-memory.dmp

Filesize
3.3MB

Download
memory/1668-20-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp

Filesize
3.3MB

Download
memory/1668-136-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp

Filesize
3.3MB

Download
memory/1668-89-0x00007FF6A7820000-0x00007FF6A7B74000-memory.dmp

Filesize
3.3MB

Download
memory/1688-50-0x00007FF6F6160000-0x00007FF6F64B4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-141-0x00007FF6F6160000-0x00007FF6F64B4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-26-0x00007FF626020000-0x00007FF626374000-memory.dmp

Filesize
3.3MB

Download
memory/2376-137-0x00007FF626020000-0x00007FF626374000-memory.dmp

Filesize
3.3MB

Download
memory/2620-66-0x00007FF66BD10000-0x00007FF66C064000-memory.dmp

Filesize
3.3MB

Download
memory/2620-143-0x00007FF66BD10000-0x00007FF66C064000-memory.dmp

Filesize
3.3MB

Download
memory/3104-153-0x00007FF738760000-0x00007FF738AB4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-130-0x00007FF738760000-0x00007FF738AB4000-memory.dmp

Filesize
3.3MB

Download
memory/3164-14-0x00007FF6A77A0000-0x00007FF6A7AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3164-135-0x00007FF6A77A0000-0x00007FF6A7AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3652-79-0x00007FF751240000-0x00007FF751594000-memory.dmp

Filesize
3.3MB

Download
memory/3652-145-0x00007FF751240000-0x00007FF751594000-memory.dmp

Filesize
3.3MB

Download
memory/3772-109-0x00007FF629540000-0x00007FF629894000-memory.dmp

Filesize
3.3MB

Download
memory/3772-148-0x00007FF629540000-0x00007FF629894000-memory.dmp

Filesize
3.3MB

Download
memory/4472-150-0x00007FF75B310000-0x00007FF75B664000-memory.dmp

Filesize
3.3MB

Download
memory/4472-115-0x00007FF75B310000-0x00007FF75B664000-memory.dmp

Filesize
3.3MB

Download
memory/4544-149-0x00007FF751370000-0x00007FF7516C4000-memory.dmp

Filesize
3.3MB

Download
memory/4544-114-0x00007FF751370000-0x00007FF7516C4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-131-0x00007FF750DE0000-0x00007FF751134000-memory.dmp

Filesize
3.3MB

Download
memory/4628-154-0x00007FF750DE0000-0x00007FF751134000-memory.dmp

Filesize
3.3MB

Download
memory/4736-151-0x00007FF6F6C00000-0x00007FF6F6F54000-memory.dmp

Filesize
3.3MB

Download
memory/4736-118-0x00007FF6F6C00000-0x00007FF6F6F54000-memory.dmp

Filesize
3.3MB

Download
memory/4740-138-0x00007FF788BD0000-0x00007FF788F24000-memory.dmp

Filesize
3.3MB

Download
memory/4740-32-0x00007FF788BD0000-0x00007FF788F24000-memory.dmp

Filesize
3.3MB

Download
memory/4848-1-0x000001AA81750000-0x000001AA81760000-memory.dmp

Filesize
64KB

Download
memory/4848-0-0x00007FF62E6D0000-0x00007FF62EA24000-memory.dmp

Filesize
3.3MB

Download
memory/4848-54-0x00007FF62E6D0000-0x00007FF62EA24000-memory.dmp

Filesize
3.3MB

Download
memory/4932-140-0x00007FF7BA700000-0x00007FF7BAA54000-memory.dmp

Filesize
3.3MB

Download
memory/4932-49-0x00007FF7BA700000-0x00007FF7BAA54000-memory.dmp

Filesize
3.3MB

Download
memory/5036-134-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp

Filesize
3.3MB

Download
memory/5036-63-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp

Filesize
3.3MB

Download
memory/5036-8-0x00007FF649FC0000-0x00007FF64A314000-memory.dmp

Filesize
3.3MB

Download