cobaltstrike | b1e2ee470b78ae5b34e997c2adab810dac726ee69ea7526774c134d487304303

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

f8ee575b38e5e8cb77defb63bb547570
SHA1

278c201404a9c37ba1a860ac18f81adc77e254a8
SHA256

b1e2ee470b78ae5b34e997c2adab810dac726ee69ea7526774c134d487304303
SHA512

dc37534470e319257ac9539677665f3b65b79e157e0116326ebc57c5f6e09b7bb68168ad96e63794506a2129eb814b39fd3cf5ff45573e6976b9f440df193338
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUj:Q+856utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002340c-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-9.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-24.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023415-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-109.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-104.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-47.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000900000002340c-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341d-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341c-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341e-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0009000000023415-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023420-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023421-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023426-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342a-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342b-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342f-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342e-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342d-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342c-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023429-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023425-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023424-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023423-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023422-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4384-0-0x00007FF6932A0000-0x00007FF6935F4000-memory.dmp	UPX
behavioral2/files/0x000900000002340c-4.dat	UPX
behavioral2/files/0x000700000002341d-9.dat	UPX
behavioral2/memory/4756-14-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	UPX
behavioral2/files/0x000700000002341c-10.dat	UPX
behavioral2/memory/1020-18-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	UPX
behavioral2/memory/1560-11-0x00007FF754A30000-0x00007FF754D84000-memory.dmp	UPX
behavioral2/files/0x000700000002341e-24.dat	UPX
behavioral2/files/0x0009000000023415-30.dat	UPX
behavioral2/files/0x0007000000023420-34.dat	UPX
behavioral2/files/0x0007000000023421-40.dat	UPX
behavioral2/files/0x0007000000023426-66.dat	UPX
behavioral2/files/0x0007000000023428-79.dat	UPX
behavioral2/files/0x000700000002342a-84.dat	UPX
behavioral2/files/0x000700000002342b-95.dat	UPX
behavioral2/files/0x000700000002342f-111.dat	UPX
behavioral2/files/0x000700000002342e-109.dat	UPX
behavioral2/files/0x000700000002342d-104.dat	UPX
behavioral2/files/0x000700000002342c-100.dat	UPX
behavioral2/files/0x0007000000023429-87.dat	UPX
behavioral2/files/0x0007000000023427-75.dat	UPX
behavioral2/files/0x0007000000023425-62.dat	UPX
behavioral2/files/0x0007000000023424-57.dat	UPX
behavioral2/files/0x0007000000023423-52.dat	UPX
behavioral2/files/0x0007000000023422-47.dat	UPX
behavioral2/memory/2632-39-0x00007FF69AE00000-0x00007FF69B154000-memory.dmp	UPX
behavioral2/memory/1984-35-0x00007FF745630000-0x00007FF745984000-memory.dmp	UPX
behavioral2/memory/1328-28-0x00007FF656B50000-0x00007FF656EA4000-memory.dmp	UPX
behavioral2/memory/1672-114-0x00007FF789CD0000-0x00007FF78A024000-memory.dmp	UPX
behavioral2/memory/4044-113-0x00007FF6F0E50000-0x00007FF6F11A4000-memory.dmp	UPX
behavioral2/memory/2944-115-0x00007FF7B2CB0000-0x00007FF7B3004000-memory.dmp	UPX
behavioral2/memory/2412-116-0x00007FF7260E0000-0x00007FF726434000-memory.dmp	UPX
behavioral2/memory/1616-118-0x00007FF7A58F0000-0x00007FF7A5C44000-memory.dmp	UPX
behavioral2/memory/5088-117-0x00007FF6303E0000-0x00007FF630734000-memory.dmp	UPX
behavioral2/memory/4188-119-0x00007FF7A32E0000-0x00007FF7A3634000-memory.dmp	UPX
behavioral2/memory/2136-120-0x00007FF7F19A0000-0x00007FF7F1CF4000-memory.dmp	UPX
behavioral2/memory/2116-121-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	UPX
behavioral2/memory/4924-122-0x00007FF6A7DF0000-0x00007FF6A8144000-memory.dmp	UPX
behavioral2/memory/1848-123-0x00007FF7DC180000-0x00007FF7DC4D4000-memory.dmp	UPX
behavioral2/memory/1648-124-0x00007FF761490000-0x00007FF7617E4000-memory.dmp	UPX
behavioral2/memory/688-125-0x00007FF765B70000-0x00007FF765EC4000-memory.dmp	UPX
behavioral2/memory/1908-126-0x00007FF7525E0000-0x00007FF752934000-memory.dmp	UPX
behavioral2/memory/3208-127-0x00007FF774AF0000-0x00007FF774E44000-memory.dmp	UPX
behavioral2/memory/4384-128-0x00007FF6932A0000-0x00007FF6935F4000-memory.dmp	UPX
behavioral2/memory/4756-129-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	UPX
behavioral2/memory/1020-130-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	UPX
behavioral2/memory/1560-131-0x00007FF754A30000-0x00007FF754D84000-memory.dmp	UPX
behavioral2/memory/4756-132-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	UPX
behavioral2/memory/1020-133-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	UPX
behavioral2/memory/1328-134-0x00007FF656B50000-0x00007FF656EA4000-memory.dmp	UPX
behavioral2/memory/1984-135-0x00007FF745630000-0x00007FF745984000-memory.dmp	UPX
behavioral2/memory/2632-136-0x00007FF69AE00000-0x00007FF69B154000-memory.dmp	UPX
behavioral2/memory/4044-137-0x00007FF6F0E50000-0x00007FF6F11A4000-memory.dmp	UPX
behavioral2/memory/1672-138-0x00007FF789CD0000-0x00007FF78A024000-memory.dmp	UPX
behavioral2/memory/2944-139-0x00007FF7B2CB0000-0x00007FF7B3004000-memory.dmp	UPX
behavioral2/memory/2412-141-0x00007FF7260E0000-0x00007FF726434000-memory.dmp	UPX
behavioral2/memory/5088-140-0x00007FF6303E0000-0x00007FF630734000-memory.dmp	UPX
behavioral2/memory/1616-144-0x00007FF7A58F0000-0x00007FF7A5C44000-memory.dmp	UPX
behavioral2/memory/2136-143-0x00007FF7F19A0000-0x00007FF7F1CF4000-memory.dmp	UPX
behavioral2/memory/4188-142-0x00007FF7A32E0000-0x00007FF7A3634000-memory.dmp	UPX
behavioral2/memory/2116-147-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	UPX
behavioral2/memory/1848-146-0x00007FF7DC180000-0x00007FF7DC4D4000-memory.dmp	UPX
behavioral2/memory/4924-145-0x00007FF6A7DF0000-0x00007FF6A8144000-memory.dmp	UPX
behavioral2/memory/3208-148-0x00007FF774AF0000-0x00007FF774E44000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4384-0-0x00007FF6932A0000-0x00007FF6935F4000-memory.dmp	xmrig
behavioral2/files/0x000900000002340c-4.dat	xmrig
behavioral2/files/0x000700000002341d-9.dat	xmrig
behavioral2/memory/4756-14-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	xmrig
behavioral2/files/0x000700000002341c-10.dat	xmrig
behavioral2/memory/1020-18-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	xmrig
behavioral2/memory/1560-11-0x00007FF754A30000-0x00007FF754D84000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-24.dat	xmrig
behavioral2/files/0x0009000000023415-30.dat	xmrig
behavioral2/files/0x0007000000023420-34.dat	xmrig
behavioral2/files/0x0007000000023421-40.dat	xmrig
behavioral2/files/0x0007000000023426-66.dat	xmrig
behavioral2/files/0x0007000000023428-79.dat	xmrig
behavioral2/files/0x000700000002342a-84.dat	xmrig
behavioral2/files/0x000700000002342b-95.dat	xmrig
behavioral2/files/0x000700000002342f-111.dat	xmrig
behavioral2/files/0x000700000002342e-109.dat	xmrig
behavioral2/files/0x000700000002342d-104.dat	xmrig
behavioral2/files/0x000700000002342c-100.dat	xmrig
behavioral2/files/0x0007000000023429-87.dat	xmrig
behavioral2/files/0x0007000000023427-75.dat	xmrig
behavioral2/files/0x0007000000023425-62.dat	xmrig
behavioral2/files/0x0007000000023424-57.dat	xmrig
behavioral2/files/0x0007000000023423-52.dat	xmrig
behavioral2/files/0x0007000000023422-47.dat	xmrig
behavioral2/memory/2632-39-0x00007FF69AE00000-0x00007FF69B154000-memory.dmp	xmrig
behavioral2/memory/1984-35-0x00007FF745630000-0x00007FF745984000-memory.dmp	xmrig
behavioral2/memory/1328-28-0x00007FF656B50000-0x00007FF656EA4000-memory.dmp	xmrig
behavioral2/memory/1672-114-0x00007FF789CD0000-0x00007FF78A024000-memory.dmp	xmrig
behavioral2/memory/4044-113-0x00007FF6F0E50000-0x00007FF6F11A4000-memory.dmp	xmrig
behavioral2/memory/2944-115-0x00007FF7B2CB0000-0x00007FF7B3004000-memory.dmp	xmrig
behavioral2/memory/2412-116-0x00007FF7260E0000-0x00007FF726434000-memory.dmp	xmrig
behavioral2/memory/1616-118-0x00007FF7A58F0000-0x00007FF7A5C44000-memory.dmp	xmrig
behavioral2/memory/5088-117-0x00007FF6303E0000-0x00007FF630734000-memory.dmp	xmrig
behavioral2/memory/4188-119-0x00007FF7A32E0000-0x00007FF7A3634000-memory.dmp	xmrig
behavioral2/memory/2136-120-0x00007FF7F19A0000-0x00007FF7F1CF4000-memory.dmp	xmrig
behavioral2/memory/2116-121-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	xmrig
behavioral2/memory/4924-122-0x00007FF6A7DF0000-0x00007FF6A8144000-memory.dmp	xmrig
behavioral2/memory/1848-123-0x00007FF7DC180000-0x00007FF7DC4D4000-memory.dmp	xmrig
behavioral2/memory/1648-124-0x00007FF761490000-0x00007FF7617E4000-memory.dmp	xmrig
behavioral2/memory/688-125-0x00007FF765B70000-0x00007FF765EC4000-memory.dmp	xmrig
behavioral2/memory/1908-126-0x00007FF7525E0000-0x00007FF752934000-memory.dmp	xmrig
behavioral2/memory/3208-127-0x00007FF774AF0000-0x00007FF774E44000-memory.dmp	xmrig
behavioral2/memory/4384-128-0x00007FF6932A0000-0x00007FF6935F4000-memory.dmp	xmrig
behavioral2/memory/4756-129-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	xmrig
behavioral2/memory/1020-130-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	xmrig
behavioral2/memory/1560-131-0x00007FF754A30000-0x00007FF754D84000-memory.dmp	xmrig
behavioral2/memory/4756-132-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	xmrig
behavioral2/memory/1020-133-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	xmrig
behavioral2/memory/1328-134-0x00007FF656B50000-0x00007FF656EA4000-memory.dmp	xmrig
behavioral2/memory/1984-135-0x00007FF745630000-0x00007FF745984000-memory.dmp	xmrig
behavioral2/memory/2632-136-0x00007FF69AE00000-0x00007FF69B154000-memory.dmp	xmrig
behavioral2/memory/4044-137-0x00007FF6F0E50000-0x00007FF6F11A4000-memory.dmp	xmrig
behavioral2/memory/1672-138-0x00007FF789CD0000-0x00007FF78A024000-memory.dmp	xmrig
behavioral2/memory/2944-139-0x00007FF7B2CB0000-0x00007FF7B3004000-memory.dmp	xmrig
behavioral2/memory/2412-141-0x00007FF7260E0000-0x00007FF726434000-memory.dmp	xmrig
behavioral2/memory/5088-140-0x00007FF6303E0000-0x00007FF630734000-memory.dmp	xmrig
behavioral2/memory/1616-144-0x00007FF7A58F0000-0x00007FF7A5C44000-memory.dmp	xmrig
behavioral2/memory/2136-143-0x00007FF7F19A0000-0x00007FF7F1CF4000-memory.dmp	xmrig
behavioral2/memory/4188-142-0x00007FF7A32E0000-0x00007FF7A3634000-memory.dmp	xmrig
behavioral2/memory/2116-147-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	xmrig
behavioral2/memory/1848-146-0x00007FF7DC180000-0x00007FF7DC4D4000-memory.dmp	xmrig
behavioral2/memory/4924-145-0x00007FF6A7DF0000-0x00007FF6A8144000-memory.dmp	xmrig
behavioral2/memory/3208-148-0x00007FF774AF0000-0x00007FF774E44000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1560	sqSeear.exe
4756	nCcbsDO.exe
1020	WzWjNEz.exe
1328	IFYBNmO.exe
1984	hIUNYIF.exe
2632	VWwnkXK.exe
4044	dAcavbR.exe
1672	VCnwEyz.exe
2944	onSmesP.exe
2412	tgJDtnO.exe
5088	AlnEDjj.exe
1616	DHgGzIA.exe
4188	rvwVFAJ.exe
2136	sSCLtMw.exe
2116	JylfzBz.exe
4924	EyxZQVc.exe
1848	KWpoNVk.exe
1648	UFHzWcU.exe
688	ytYcZOY.exe
1908	oyOrWwL.exe
3208	myDsBgK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4384-0-0x00007FF6932A0000-0x00007FF6935F4000-memory.dmp	upx
behavioral2/files/0x000900000002340c-4.dat	upx
behavioral2/files/0x000700000002341d-9.dat	upx
behavioral2/memory/4756-14-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	upx
behavioral2/files/0x000700000002341c-10.dat	upx
behavioral2/memory/1020-18-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	upx
behavioral2/memory/1560-11-0x00007FF754A30000-0x00007FF754D84000-memory.dmp	upx
behavioral2/files/0x000700000002341e-24.dat	upx
behavioral2/files/0x0009000000023415-30.dat	upx
behavioral2/files/0x0007000000023420-34.dat	upx
behavioral2/files/0x0007000000023421-40.dat	upx
behavioral2/files/0x0007000000023426-66.dat	upx
behavioral2/files/0x0007000000023428-79.dat	upx
behavioral2/files/0x000700000002342a-84.dat	upx
behavioral2/files/0x000700000002342b-95.dat	upx
behavioral2/files/0x000700000002342f-111.dat	upx
behavioral2/files/0x000700000002342e-109.dat	upx
behavioral2/files/0x000700000002342d-104.dat	upx
behavioral2/files/0x000700000002342c-100.dat	upx
behavioral2/files/0x0007000000023429-87.dat	upx
behavioral2/files/0x0007000000023427-75.dat	upx
behavioral2/files/0x0007000000023425-62.dat	upx
behavioral2/files/0x0007000000023424-57.dat	upx
behavioral2/files/0x0007000000023423-52.dat	upx
behavioral2/files/0x0007000000023422-47.dat	upx
behavioral2/memory/2632-39-0x00007FF69AE00000-0x00007FF69B154000-memory.dmp	upx
behavioral2/memory/1984-35-0x00007FF745630000-0x00007FF745984000-memory.dmp	upx
behavioral2/memory/1328-28-0x00007FF656B50000-0x00007FF656EA4000-memory.dmp	upx
behavioral2/memory/1672-114-0x00007FF789CD0000-0x00007FF78A024000-memory.dmp	upx
behavioral2/memory/4044-113-0x00007FF6F0E50000-0x00007FF6F11A4000-memory.dmp	upx
behavioral2/memory/2944-115-0x00007FF7B2CB0000-0x00007FF7B3004000-memory.dmp	upx
behavioral2/memory/2412-116-0x00007FF7260E0000-0x00007FF726434000-memory.dmp	upx
behavioral2/memory/1616-118-0x00007FF7A58F0000-0x00007FF7A5C44000-memory.dmp	upx
behavioral2/memory/5088-117-0x00007FF6303E0000-0x00007FF630734000-memory.dmp	upx
behavioral2/memory/4188-119-0x00007FF7A32E0000-0x00007FF7A3634000-memory.dmp	upx
behavioral2/memory/2136-120-0x00007FF7F19A0000-0x00007FF7F1CF4000-memory.dmp	upx
behavioral2/memory/2116-121-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	upx
behavioral2/memory/4924-122-0x00007FF6A7DF0000-0x00007FF6A8144000-memory.dmp	upx
behavioral2/memory/1848-123-0x00007FF7DC180000-0x00007FF7DC4D4000-memory.dmp	upx
behavioral2/memory/1648-124-0x00007FF761490000-0x00007FF7617E4000-memory.dmp	upx
behavioral2/memory/688-125-0x00007FF765B70000-0x00007FF765EC4000-memory.dmp	upx
behavioral2/memory/1908-126-0x00007FF7525E0000-0x00007FF752934000-memory.dmp	upx
behavioral2/memory/3208-127-0x00007FF774AF0000-0x00007FF774E44000-memory.dmp	upx
behavioral2/memory/4384-128-0x00007FF6932A0000-0x00007FF6935F4000-memory.dmp	upx
behavioral2/memory/4756-129-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	upx
behavioral2/memory/1020-130-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	upx
behavioral2/memory/1560-131-0x00007FF754A30000-0x00007FF754D84000-memory.dmp	upx
behavioral2/memory/4756-132-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp	upx
behavioral2/memory/1020-133-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp	upx
behavioral2/memory/1328-134-0x00007FF656B50000-0x00007FF656EA4000-memory.dmp	upx
behavioral2/memory/1984-135-0x00007FF745630000-0x00007FF745984000-memory.dmp	upx
behavioral2/memory/2632-136-0x00007FF69AE00000-0x00007FF69B154000-memory.dmp	upx
behavioral2/memory/4044-137-0x00007FF6F0E50000-0x00007FF6F11A4000-memory.dmp	upx
behavioral2/memory/1672-138-0x00007FF789CD0000-0x00007FF78A024000-memory.dmp	upx
behavioral2/memory/2944-139-0x00007FF7B2CB0000-0x00007FF7B3004000-memory.dmp	upx
behavioral2/memory/2412-141-0x00007FF7260E0000-0x00007FF726434000-memory.dmp	upx
behavioral2/memory/5088-140-0x00007FF6303E0000-0x00007FF630734000-memory.dmp	upx
behavioral2/memory/1616-144-0x00007FF7A58F0000-0x00007FF7A5C44000-memory.dmp	upx
behavioral2/memory/2136-143-0x00007FF7F19A0000-0x00007FF7F1CF4000-memory.dmp	upx
behavioral2/memory/4188-142-0x00007FF7A32E0000-0x00007FF7A3634000-memory.dmp	upx
behavioral2/memory/2116-147-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	upx
behavioral2/memory/1848-146-0x00007FF7DC180000-0x00007FF7DC4D4000-memory.dmp	upx
behavioral2/memory/4924-145-0x00007FF6A7DF0000-0x00007FF6A8144000-memory.dmp	upx
behavioral2/memory/3208-148-0x00007FF774AF0000-0x00007FF774E44000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WzWjNEz.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VCnwEyz.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tgJDtnO.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UFHzWcU.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ytYcZOY.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\myDsBgK.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nCcbsDO.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hIUNYIF.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dAcavbR.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\onSmesP.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DHgGzIA.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EyxZQVc.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sqSeear.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AlnEDjj.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rvwVFAJ.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oyOrWwL.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IFYBNmO.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VWwnkXK.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sSCLtMw.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JylfzBz.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KWpoNVk.exe	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 1560	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	84
PID 4384 wrote to memory of 1560	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	84
PID 4384 wrote to memory of 4756	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	85
PID 4384 wrote to memory of 4756	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	85
PID 4384 wrote to memory of 1020	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	86
PID 4384 wrote to memory of 1020	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	86
PID 4384 wrote to memory of 1328	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	87
PID 4384 wrote to memory of 1328	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	87
PID 4384 wrote to memory of 1984	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	88
PID 4384 wrote to memory of 1984	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	88
PID 4384 wrote to memory of 2632	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	89
PID 4384 wrote to memory of 2632	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	89
PID 4384 wrote to memory of 4044	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	90
PID 4384 wrote to memory of 4044	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	90
PID 4384 wrote to memory of 1672	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	91
PID 4384 wrote to memory of 1672	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	91
PID 4384 wrote to memory of 2944	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	92
PID 4384 wrote to memory of 2944	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	92
PID 4384 wrote to memory of 2412	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	94
PID 4384 wrote to memory of 2412	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	94
PID 4384 wrote to memory of 5088	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	95
PID 4384 wrote to memory of 5088	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	95
PID 4384 wrote to memory of 1616	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	96
PID 4384 wrote to memory of 1616	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	96
PID 4384 wrote to memory of 4188	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	97
PID 4384 wrote to memory of 4188	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	97
PID 4384 wrote to memory of 2136	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	98
PID 4384 wrote to memory of 2136	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	98
PID 4384 wrote to memory of 2116	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	99
PID 4384 wrote to memory of 2116	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	99
PID 4384 wrote to memory of 4924	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	100
PID 4384 wrote to memory of 4924	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	100
PID 4384 wrote to memory of 1848	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	101
PID 4384 wrote to memory of 1848	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	101
PID 4384 wrote to memory of 1648	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	102
PID 4384 wrote to memory of 1648	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	102
PID 4384 wrote to memory of 688	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	103
PID 4384 wrote to memory of 688	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	103
PID 4384 wrote to memory of 1908	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	104
PID 4384 wrote to memory of 1908	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	104
PID 4384 wrote to memory of 3208	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	105
PID 4384 wrote to memory of 3208	4384	2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f8ee575b38e5e8cb77defb63bb547570_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\System\sqSeear.exe
  C:\Windows\System\sqSeear.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\nCcbsDO.exe
  C:\Windows\System\nCcbsDO.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\WzWjNEz.exe
  C:\Windows\System\WzWjNEz.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\IFYBNmO.exe
  C:\Windows\System\IFYBNmO.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\hIUNYIF.exe
  C:\Windows\System\hIUNYIF.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\VWwnkXK.exe
  C:\Windows\System\VWwnkXK.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\dAcavbR.exe
  C:\Windows\System\dAcavbR.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\VCnwEyz.exe
  C:\Windows\System\VCnwEyz.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\onSmesP.exe
  C:\Windows\System\onSmesP.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\tgJDtnO.exe
  C:\Windows\System\tgJDtnO.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\AlnEDjj.exe
  C:\Windows\System\AlnEDjj.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\DHgGzIA.exe
  C:\Windows\System\DHgGzIA.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\rvwVFAJ.exe
  C:\Windows\System\rvwVFAJ.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\sSCLtMw.exe
  C:\Windows\System\sSCLtMw.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\JylfzBz.exe
  C:\Windows\System\JylfzBz.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\EyxZQVc.exe
  C:\Windows\System\EyxZQVc.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\KWpoNVk.exe
  C:\Windows\System\KWpoNVk.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\UFHzWcU.exe
  C:\Windows\System\UFHzWcU.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\ytYcZOY.exe
  C:\Windows\System\ytYcZOY.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System\oyOrWwL.exe
  C:\Windows\System\oyOrWwL.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\myDsBgK.exe
  C:\Windows\System\myDsBgK.exe
  2⤵
  - Executes dropped EXE
  PID:3208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AlnEDjj.exe

Filesize
5.9MB

MD5
42197cc014ee48ee9fc12422b1d4503d

SHA1
5c0b45ae2a7b3d28885f1cc7786f5135e603b019

SHA256
8a736ae006ef5cbf7d944fe003968815638706a4d7731931c4d4a37185b396d5

SHA512
75c05a2229ad697a906c058edefa60b1436ae39b60a895750c5ba3f2dc521fb1e9a3f9672c20d05224607b51fde131e8c71eafe79ae6b113173a0158cd1d63bf

Download Submit
C:\Windows\System\DHgGzIA.exe

Filesize
5.9MB

MD5
c79d99b984408eb4ce86c0da7c568993

SHA1
d1b13c6d5ea60ba13978fc5460b24691f1ac34ea

SHA256
dce6654510292cac9678c43785a8c7ed5eddcd8f8e5555912cfac4c739e8a858

SHA512
315ead560821967efe7e6c63af8e6db596aa93afc8edc3c38176df0a4daff6ef910b96087c95ff6e0f8faa2b5f4d4daab57d7f13c61e6ec58a19ff5a6bea2d7d

Download Submit
C:\Windows\System\EyxZQVc.exe

Filesize
5.9MB

MD5
fad52e880c1988ac966aedbf800ae972

SHA1
254244811814975ef9ce4345c6e440700e3584bd

SHA256
e269f6cc30f46804e894f29bb2e5ad1d4802f747d4ccf0d7be76bf4493179a4a

SHA512
b623040b1df83c2306c7903f9749c0bbb9df40600d641dc844f77b43ab1f47bd3f1c494da8eacbfab6da2361072e9b7e592787ca1192d1cf7e496a81365eb81d

Download Submit
C:\Windows\System\IFYBNmO.exe

Filesize
5.9MB

MD5
f5c8ab6b8d83d82caa2537db02fbf408

SHA1
1c9d29166fba547bedce3a70e75241dfeb90780d

SHA256
04aac98596cd68621bb6ec41a09a84e6728f5f8c2babe3b5706cb81c39dbba47

SHA512
23998691cf857cff43ac3e3f11f7c84a05e011f3be76884a3b2bbb7a8bdf124f40519b030ac203b627cf0ad8a8c5dac75ad45a5ee564c432c40702e4488ff62f

Download Submit
C:\Windows\System\JylfzBz.exe

Filesize
5.9MB

MD5
3743338daf6ea6d3bd92c05dea284b50

SHA1
8954e68846697f001caba354621fe48c65d4b198

SHA256
bb2a6db47a4f94a17b6c7257afeb33a596c9015fe8ec087f0897ff8607092093

SHA512
d1f2c7b31b8c27acbd65fd1696130958fb25043aa5ff0d16b754deb6f3a5bcea8522c93884658ca6166856ea0883256e922b9f267a7dd3292e02cb845b5a56a7

Download Submit
C:\Windows\System\KWpoNVk.exe

Filesize
5.9MB

MD5
aa9af27079f12b8e1458b72b551f2054

SHA1
758a32f3fbf0fc9ee9410dbc6188539003cb3b89

SHA256
7e84ff34edba3399b0e08a323c8d1337f19806fee9e4a606a7f5b8c1564ca260

SHA512
22ef975b52a6b03f7552e909bc0ead9f202edd5eb9be549d38c014f19ce3c02e029e4bd91cf8a5539156f1fe4cb37ec72255097d8e5b6e195024feb36b9a1cc5

Download Submit
C:\Windows\System\UFHzWcU.exe

Filesize
5.9MB

MD5
58924b0b947d56d5a58cd9726d4310ec

SHA1
72f49a36c343f80812a11e23efa309b8995e36d0

SHA256
baf1913d2552fcf9f43f72caf2924794ab74ac440b2e1790c290e090922d9f54

SHA512
a17a182eabb9cdd77c879e6a7ab1ffdc6ac1a5675ee5a89d76bc9e17de7484d186c3f30ae5cc08434a1c50fb5f7f8e54efd65fa36c6138673deba795a598ca95

Download Submit
C:\Windows\System\VCnwEyz.exe

Filesize
5.9MB

MD5
77e6d63462cc7cc320fe4c0675b58118

SHA1
4fd630f46c8f0187fdadfc465d760d58e8e2959e

SHA256
bd8ee33e7cfd65bc02c8a7b2c603c814234958a8318758271821b83425896390

SHA512
b7af0b4da874c502a8f88f556dd9c9a441a1e85dfca08fd0d13afe3f833a41386816abe6241de00278905511a17bea8ea9767df46908a880ada69f7c9a6bc9cd

Download Submit
C:\Windows\System\VWwnkXK.exe

Filesize
5.9MB

MD5
55854ad011a85aeaa257fc4a17964e3b

SHA1
f1ceda79141b21dc519e0ff1fc2069c8dd2769aa

SHA256
93bea78c91e03b462bade6c78d4dade9fccef3c46c1b879035a1705511dbb8a5

SHA512
6e04f2bb905c0e9b3222caf70480cc830e41d6e3212cdf5aa7f580f09e687af99c52b3c8aaca1e6afd74d5009f19aa20fcf0a1eabf1dbbac950873b23e63ef3c

Download Submit
C:\Windows\System\WzWjNEz.exe

Filesize
5.9MB

MD5
894945cc83a0336aae41542aa5e2e75d

SHA1
de1d2fab4cc6bcec47097f490fc30672ba33114d

SHA256
36badd1c757f3f646ba6764aa5f5b94dc0f92674a5ec09d3106d1a1c7008d4ad

SHA512
6afd86ae4b1b119347f5cc0c112f69e4edc782c26a7a564d03af114bd26ba67a872cf530b92d79fcc5013a5c9e9941396a33ff0d8875ff8ac00837175c3fdacf

Download Submit
C:\Windows\System\dAcavbR.exe

Filesize
5.9MB

MD5
ff4d3b3d46e5cd1f3965ec09bf7772c1

SHA1
1153b1a4cda982dd713bb49a8b9f056272c8df87

SHA256
f84dda827562877e88b417dbe80f9147c1e7a31975705b646a99554c718933eb

SHA512
17f0abbe80ffa18c1bdb9ccc434aa1d96da28cf4af8bb0dfee4e4e7f659e386a6a72473940f18fe3d917643faab341570830a1fa8c058e98fb396cc36e6f937a

Download Submit
C:\Windows\System\hIUNYIF.exe

Filesize
5.9MB

MD5
21394d4c9a69e0af77a08d624bd84a8e

SHA1
a06a8a1ce13745f91e2cc41aa7b075c81126a13f

SHA256
40c777d94b4d04ab5515dc05d07583ec2d78e16f9d07ba40c88ec3b74b7edc17

SHA512
3dfa193045a056ab60fc879bb6790d558638c0ed1f05f59016ba58596be9d4c5c4eb777e50c8c13d9b430c2649fa64fc09f03e3992320ad5a4a8fe4f672b3fe1

Download Submit
C:\Windows\System\myDsBgK.exe

Filesize
5.9MB

MD5
00793a0141a0b81f8d8d83fe19eae496

SHA1
ee92846662349492f8e8d608c9ff23af83852032

SHA256
02e684027397db8bc86dc151020fd7813ac5f587d0c94e6beda2cab33eeeeeaa

SHA512
9da6f81eb78d2b36141dfe874af2f190df41b1099abbadbdf14ae6b61856981b012c4b4d7611c7af3450768dc16436a49eae501fc5b4c563b457287a629eb807

Download Submit
C:\Windows\System\nCcbsDO.exe

Filesize
5.9MB

MD5
703da52659691331abdfd2630fcf6350

SHA1
4b56c4514c485fd6da258474ac50ac4a66d08018

SHA256
a41334c85e759eef76d4c8c974d7a955440830dd9dd183da0e40a6a3dae34e28

SHA512
a117427c2afd53155b318162230307e0e14771c1ff964995cb77f6b42fbb5e6c7c31f19366b9dbf5f0f3198ca63604db01a202c1afb6b66af5f00dcbd331575a

Download Submit
C:\Windows\System\onSmesP.exe

Filesize
5.9MB

MD5
ea6cb8aee59427973f7b5244092e9cee

SHA1
8f484a8021460823bd80cac1b4aa4710f6814cf0

SHA256
ec937a0ef6308f6b0ebb0652d4da73c08c5294414324dd86135001f80241c559

SHA512
d0df70e3b18c3cfbe35dfd67009883a0c013513221ab509772fb0c37e1319ed6b38a772301b56f4e6419d914b837c77371d59300c16f63447778aa278c411fcd

Download Submit
C:\Windows\System\oyOrWwL.exe

Filesize
5.9MB

MD5
d8edf06306948e38eeeb3235c2352da1

SHA1
6c42e37648b58ac55c250adebf645a9a1957c59c

SHA256
c8338dd00d485f005517f142883d9e33bbe1f364e8a31116932dd91ec6e2c29d

SHA512
6dd4b3c4ccbfedcb5ef94d3b73c067dcee4ac8875ec8603871bc3ba5186d5f1a95dca147539eb9b7c9b81032eb46630cb09894bbd61267e0d5843c022d931bab

Download Submit
C:\Windows\System\rvwVFAJ.exe

Filesize
5.9MB

MD5
4c2e63bbd80919e323c84e1fb8395699

SHA1
8f4b6ecf60fc26ea964372a1617193401eb8257c

SHA256
d9fe41f53a26ba81c58bd32da94e92cda8713617aa79dec5b65306c2c80a53f8

SHA512
a5d93ec46061badb655ab0935a0650f0fa71d0e1183757895a8738e3f90c3a36060ae63731f56dad529d149f32c497eadfcff92cc1525c06a4b4f5004e4a2153

Download Submit
C:\Windows\System\sSCLtMw.exe

Filesize
5.9MB

MD5
bca39383cfb420248df1794dbbb5a027

SHA1
18e147b06e4c0b0021b8c9308ff54f77769ea932

SHA256
c2a04e71d531b6408380aa04336fd1647288882e4fe6c84f39b7624ffa6385e8

SHA512
2c7a6ecd7cf39f138efcc6775093cad2725b2ee6e9cf67ba231dcdb14d0553d5bb3c21147e5f6ab30e29f248a5e80cfb8b094d1fb81ebfcd12dd18464ee05480

Download Submit
C:\Windows\System\sqSeear.exe

Filesize
5.9MB

MD5
f08af0eaa55abcc05eac837b4bb530ba

SHA1
9a19a6b27d6f99cba72429669d3ae79421c9ecbd

SHA256
c7cf7265849465a67892de12aed75fb5bc68a59e5b0320c828b538a5482cfc4a

SHA512
c05bbc81a380c2720c86465220648349078d18092be5882daac9a770a5d77088dd087a58edee18b324fe9aa7122bbdc9a65d397f9ea9396fc14ab400b2761770

Download Submit
C:\Windows\System\tgJDtnO.exe

Filesize
5.9MB

MD5
2d2817ef19d1e3e1a6edb929218e9d46

SHA1
e38ec52eb22605f620192a518aaeb2e47940e3a5

SHA256
9b385a0833a5ff11e2d08b9277133cd534df40ac25dc892bc629b2774b56a70a

SHA512
58ab840481d722c22ec6b6670791362e6086358f5049fc37e4d7490ea868fceab3c48d4b903e10991b86ce7cf6ff533f8075a8d53bbf628eb910937d7181ecac

Download Submit
C:\Windows\System\ytYcZOY.exe

Filesize
5.9MB

MD5
bb7efb611d24745efbaa9e6babdf6ea2

SHA1
d0ab4e36f213fdae9c951944527a3977df92b4da

SHA256
72c3ceda4dc159a74b4419c3c808319c91fbe53d49bd606aa056fe76759f0116

SHA512
eedc48e1c8c41fcedcd7b07fa10c33c39d0515641d90a87a710e5c842e7eed20b3ab693633a9bcf7574ea197f80b0919e489728831f6df804876787c31a6882f

Download Submit
memory/688-125-0x00007FF765B70000-0x00007FF765EC4000-memory.dmp

Filesize
3.3MB

Download
memory/688-151-0x00007FF765B70000-0x00007FF765EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1020-18-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp

Filesize
3.3MB

Download
memory/1020-130-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp

Filesize
3.3MB

Download
memory/1020-133-0x00007FF6148D0000-0x00007FF614C24000-memory.dmp

Filesize
3.3MB

Download
memory/1328-134-0x00007FF656B50000-0x00007FF656EA4000-memory.dmp

Filesize
3.3MB

Download
memory/1328-28-0x00007FF656B50000-0x00007FF656EA4000-memory.dmp

Filesize
3.3MB

Download
memory/1560-11-0x00007FF754A30000-0x00007FF754D84000-memory.dmp

Filesize
3.3MB

Download
memory/1560-131-0x00007FF754A30000-0x00007FF754D84000-memory.dmp

Filesize
3.3MB

Download
memory/1616-144-0x00007FF7A58F0000-0x00007FF7A5C44000-memory.dmp

Filesize
3.3MB

Download
memory/1616-118-0x00007FF7A58F0000-0x00007FF7A5C44000-memory.dmp

Filesize
3.3MB

Download
memory/1648-150-0x00007FF761490000-0x00007FF7617E4000-memory.dmp

Filesize
3.3MB

Download
memory/1648-124-0x00007FF761490000-0x00007FF7617E4000-memory.dmp

Filesize
3.3MB

Download
memory/1672-138-0x00007FF789CD0000-0x00007FF78A024000-memory.dmp

Filesize
3.3MB

Download
memory/1672-114-0x00007FF789CD0000-0x00007FF78A024000-memory.dmp

Filesize
3.3MB

Download
memory/1848-146-0x00007FF7DC180000-0x00007FF7DC4D4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-123-0x00007FF7DC180000-0x00007FF7DC4D4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-149-0x00007FF7525E0000-0x00007FF752934000-memory.dmp

Filesize
3.3MB

Download
memory/1908-126-0x00007FF7525E0000-0x00007FF752934000-memory.dmp

Filesize
3.3MB

Download
memory/1984-135-0x00007FF745630000-0x00007FF745984000-memory.dmp

Filesize
3.3MB

Download
memory/1984-35-0x00007FF745630000-0x00007FF745984000-memory.dmp

Filesize
3.3MB

Download
memory/2116-121-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp

Filesize
3.3MB

Download
memory/2116-147-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp

Filesize
3.3MB

Download
memory/2136-120-0x00007FF7F19A0000-0x00007FF7F1CF4000-memory.dmp

Filesize
3.3MB

Download
memory/2136-143-0x00007FF7F19A0000-0x00007FF7F1CF4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-116-0x00007FF7260E0000-0x00007FF726434000-memory.dmp

Filesize
3.3MB

Download
memory/2412-141-0x00007FF7260E0000-0x00007FF726434000-memory.dmp

Filesize
3.3MB

Download
memory/2632-39-0x00007FF69AE00000-0x00007FF69B154000-memory.dmp

Filesize
3.3MB

Download
memory/2632-136-0x00007FF69AE00000-0x00007FF69B154000-memory.dmp

Filesize
3.3MB

Download
memory/2944-115-0x00007FF7B2CB0000-0x00007FF7B3004000-memory.dmp

Filesize
3.3MB

Download
memory/2944-139-0x00007FF7B2CB0000-0x00007FF7B3004000-memory.dmp

Filesize
3.3MB

Download
memory/3208-148-0x00007FF774AF0000-0x00007FF774E44000-memory.dmp

Filesize
3.3MB

Download
memory/3208-127-0x00007FF774AF0000-0x00007FF774E44000-memory.dmp

Filesize
3.3MB

Download
memory/4044-137-0x00007FF6F0E50000-0x00007FF6F11A4000-memory.dmp

Filesize
3.3MB

Download
memory/4044-113-0x00007FF6F0E50000-0x00007FF6F11A4000-memory.dmp

Filesize
3.3MB

Download
memory/4188-119-0x00007FF7A32E0000-0x00007FF7A3634000-memory.dmp

Filesize
3.3MB

Download
memory/4188-142-0x00007FF7A32E0000-0x00007FF7A3634000-memory.dmp

Filesize
3.3MB

Download
memory/4384-0-0x00007FF6932A0000-0x00007FF6935F4000-memory.dmp

Filesize
3.3MB

Download
memory/4384-1-0x000001D6B6C50000-0x000001D6B6C60000-memory.dmp

Filesize
64KB

Download
memory/4384-128-0x00007FF6932A0000-0x00007FF6935F4000-memory.dmp

Filesize
3.3MB

Download
memory/4756-132-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp

Filesize
3.3MB

Download
memory/4756-129-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp

Filesize
3.3MB

Download
memory/4756-14-0x00007FF706AF0000-0x00007FF706E44000-memory.dmp

Filesize
3.3MB

Download
memory/4924-122-0x00007FF6A7DF0000-0x00007FF6A8144000-memory.dmp

Filesize
3.3MB

Download
memory/4924-145-0x00007FF6A7DF0000-0x00007FF6A8144000-memory.dmp

Filesize
3.3MB

Download
memory/5088-117-0x00007FF6303E0000-0x00007FF630734000-memory.dmp

Filesize
3.3MB

Download
memory/5088-140-0x00007FF6303E0000-0x00007FF630734000-memory.dmp

Filesize
3.3MB

Download