Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-06-2024 02:14

General

  • Target

    2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    be80b41afb6b4c0a81b0617bd0c2ef71

  • SHA1

    cf27f35aa780e9c6728a5fb4d4b6d1a4f7b0937c

  • SHA256

    8ac8284327f888240ceea0fdc99a712f94a6f11b9cac8e60eff78799705fc23c

  • SHA512

    652a7607edc96fc8bb43e849b9467570496462e391bed1e0e0994c4b927e09296bc7ca02bc3a7a27631729b044f4c1a3d8a25d20bfd9c579c73c2665bce7e2cf

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUZ:Q+856utgpPF8u/7Z

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader (20 IoCs)

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected a malicious payload that is part of Cobalt Strike.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts (20 IoCs)
  • UPX dump on OEP (original entry point) (64 IoCs)
  • XMRig Miner payload (64 IoCs)
  • Executes dropped EXE (21 IoCs)
  • UPX packed file (64 IoCs)

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • Drops file in Windows directory (21 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\System\NmhRBDT.exe
      C:\Windows\System\NmhRBDT.exe
      2⤵
      • Executes dropped EXE
      PID:4844
    • C:\Windows\System\XjSjywS.exe
      C:\Windows\System\XjSjywS.exe
      2⤵
      • Executes dropped EXE
      PID:4860
    • C:\Windows\System\DnPcUHn.exe
      C:\Windows\System\DnPcUHn.exe
      2⤵
      • Executes dropped EXE
      PID:2148
    • C:\Windows\System\NlxJkDw.exe
      C:\Windows\System\NlxJkDw.exe
      2⤵
      • Executes dropped EXE
      PID:3612
    • C:\Windows\System\HNIAYNk.exe
      C:\Windows\System\HNIAYNk.exe
      2⤵
      • Executes dropped EXE
      PID:3464
    • C:\Windows\System\TRjkLJS.exe
      C:\Windows\System\TRjkLJS.exe
      2⤵
      • Executes dropped EXE
      PID:4108
    • C:\Windows\System\BEVDKaT.exe
      C:\Windows\System\BEVDKaT.exe
      2⤵
      • Executes dropped EXE
      PID:4568
    • C:\Windows\System\IchQhdJ.exe
      C:\Windows\System\IchQhdJ.exe
      2⤵
      • Executes dropped EXE
      PID:2960
    • C:\Windows\System\fkLVcUR.exe
      C:\Windows\System\fkLVcUR.exe
      2⤵
      • Executes dropped EXE
      PID:1620
    • C:\Windows\System\IXrTmOH.exe
      C:\Windows\System\IXrTmOH.exe
      2⤵
      • Executes dropped EXE
      PID:2188
    • C:\Windows\System\hPuULMX.exe
      C:\Windows\System\hPuULMX.exe
      2⤵
      • Executes dropped EXE
      PID:4236
    • C:\Windows\System\ThDacIz.exe
      C:\Windows\System\ThDacIz.exe
      2⤵
      • Executes dropped EXE
      PID:3824
    • C:\Windows\System\vttztRb.exe
      C:\Windows\System\vttztRb.exe
      2⤵
      • Executes dropped EXE
      PID:3600
    • C:\Windows\System\nSJSxaM.exe
      C:\Windows\System\nSJSxaM.exe
      2⤵
      • Executes dropped EXE
      PID:1312
    • C:\Windows\System\zdegSql.exe
      C:\Windows\System\zdegSql.exe
      2⤵
      • Executes dropped EXE
      PID:768
    • C:\Windows\System\CwlPVEN.exe
      C:\Windows\System\CwlPVEN.exe
      2⤵
      • Executes dropped EXE
      PID:2316
    • C:\Windows\System\pDexjHh.exe
      C:\Windows\System\pDexjHh.exe
      2⤵
      • Executes dropped EXE
      PID:2172
    • C:\Windows\System\EAeIdhD.exe
      C:\Windows\System\EAeIdhD.exe
      2⤵
      • Executes dropped EXE
      PID:468
    • C:\Windows\System\ViXkhcc.exe
      C:\Windows\System\ViXkhcc.exe
      2⤵
      • Executes dropped EXE
      PID:4164
    • C:\Windows\System\hkVCxqM.exe
      C:\Windows\System\hkVCxqM.exe
      2⤵
      • Executes dropped EXE
      PID:492
    • C:\Windows\System\fTwDGdh.exe
      C:\Windows\System\fTwDGdh.exe
      2⤵
      • Executes dropped EXE
      PID:2176

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\System\BEVDKaT.exe

    Filesize

    5.9MB

    MD5

    f6cdfb3d88537b367792cbd894bd98ed

    SHA1

    3d3f99c94c72c456dffcf949bc5d30603a7e936c

    SHA256

    05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

    SHA512

    0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

  • C:\Windows\System\BEVDKaT.exe

    Filesize

    5.9MB

    MD5

    8b92fefd22e99b2d4222337bd53e7487

    SHA1

    ae2ec85efaff2167728da9a570e7922a7e993994

    SHA256

    ebba6cf8c8f66975b88b010dcba635e9c7b192dcdfeeb44ef5c7f3aed7301230

    SHA512

    9673f3b79587d09dd0fef764df4703a9d1a1d91adac6e19c1439ee374782829d79b475ccf7f9bcde6e2163697e016d8751d2cfdf7f8e83b8b9a0dee79b1034ab

  • C:\Windows\System\CwlPVEN.exe

    Filesize

    5.8MB

    MD5

    984a8cf637fc9f46a5be1646493a183b

    SHA1

    eff3045fcb5d0b4a9321004fdd3e94f3f336f5af

    SHA256

    0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068

    SHA512

    f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

  • C:\Windows\System\CwlPVEN.exe

    Filesize

    5.9MB

    MD5

    14c0c501202ef989c5e7ec4e03c61323

    SHA1

    bded9d69e53fc3aafaf4dbc8c7e12d37782f30cd

    SHA256

    863491417c6ea22f4ce0af6ebd9081316de139748a1b9684de1179cf6e3ee774

    SHA512

    c496d7265307736640a049a4e8ba3b6dea75632dec5e76b5b8bac98718eb58b8e1e6548afba6d72407b5102640ed12ac193b6e207185d5a58095c625dbcd077c

  • C:\Windows\System\DnPcUHn.exe

    Filesize

    5.9MB

    MD5

    7891e24f2609f4256ee6c9f758a6432a

    SHA1

    b8ae70840bc4adda356a87a10442a90a60b0a4dd

    SHA256

    5c75c76b2c66582718f42887ce71f51442f397053751eba7cc65a70ff7a46a23

    SHA512

    fe3b98af74328f69a091a6541c63069ef2169bae2ac7f69065f3208faa062cb86001acbff8d834dc38bd0bc02e3f9ffc47a343c777bd033c6b471366677f0bcc

  • C:\Windows\System\EAeIdhD.exe

    Filesize

    5.9MB

    MD5

    c2e2eb364720d85a13441b7c7e657e04

    SHA1

    2e4e5c515e17c9fb6d5d5edcc92a1b6b2344e1bb

    SHA256

    a3dfa0af332c6e533bb22dc8421e15479f3f51af46ad432958e9ce07d4f23233

    SHA512

    c79c3c1c985e774222ef73ccd8cbebe61ad4e40c7162d1387609b781797f4f020e2c6ee6c5069c39c4faa0c9a6d7b349697535f2eeb4d97169926869e4247041

  • C:\Windows\System\EAeIdhD.exe

    Filesize

    5.8MB

    MD5

    d087d60bee972482ba414dde57d94064

    SHA1

    0e58102d75409e85387c950e86f4cc96da371515

    SHA256

    1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9

    SHA512

    500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

  • C:\Windows\System\HNIAYNk.exe

    Filesize

    5.9MB

    MD5

    8accae566aab9da58b4aeef107d02918

    SHA1

    8f1ee777b03b99a2a9c8c11ed933af38b11b781e

    SHA256

    edca7de1352fe84bb1bd9722e1413faaf8b35b7cedc1ba327920f9e59975158a

    SHA512

    f3c7803cf64b5f9beae533f515cd6139eabb8f04ce793fddb846f1c9e8726961189b98f27622f3b18ffa48dedbcb311c4b4229d63fb5a0ec2c0133a304766511

  • C:\Windows\System\IXrTmOH.exe

    Filesize

    5.9MB

    MD5

    250d8db05b6cb6049b338f6b383fbfd9

    SHA1

    ce2c6ab8465d0b9041cc8de957bbbed6a93833e0

    SHA256

    0b4bb40b19e9a25ea181d530f014e0e44beb08e1438e0855ff223fe7992a403a

    SHA512

    2aa6c6c92d32641f1317aa228177dcafb710d5bcd844fc86ea65028a70699cf20261d841c804016e594b915a6c9d85e1e9bbcef77ec264ae2915df4e1e546328

  • C:\Windows\System\IchQhdJ.exe

    Filesize

    5.5MB

    MD5

    992e15ebc2245cf970acce9948576d6c

    SHA1

    3322f50d4aebf915abc8a5277cd07a23adf5f127

    SHA256

    34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5

    SHA512

    2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

  • C:\Windows\System\IchQhdJ.exe

    Filesize

    5.6MB

    MD5

    1e2459942327eb396bd8cd9cbc885d14

    SHA1

    b979cbcb517509c30843efb1d91bef30f1f24a44

    SHA256

    54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a

    SHA512

    62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

  • C:\Windows\System\NlxJkDw.exe

    Filesize

    5.9MB

    MD5

    d3667e7e04c2ec70f06af63a56f0f789

    SHA1

    33dee0679bcd2fd5d87e1821cdedcceb77405aa0

    SHA256

    4312dde1e624351aaa73110209d80258f6895f112610806b1f90c97c064797fa

    SHA512

    2da66b9d78b92a7b8a851f2770634abc95373be6ac7afcd4dc521eddafee56525ad9cd7f99bc35833f7fa90ecd4f51c64703e3b7171f9bf5006c143757cad890

  • C:\Windows\System\NmhRBDT.exe

    Filesize

    5.9MB

    MD5

    a7a6fc3b5ab329e478fd33474d432cf7

    SHA1

    00c235e83978df533a6b54e3672676a472300401

    SHA256

    a6edae496b561f21c0e4eab1f9dc940f3480b1107632f6119d43fe1d8f738519

    SHA512

    cc66a44a8ee9c4570819910313d769bda8ec8c185c5418c252f894211a3b2365c1e83ffb3f49759c5f2044dbb8c03f188d042c0992c20a97166c13c5e04c0880

  • C:\Windows\System\TRjkLJS.exe

    Filesize

    5.9MB

    MD5

    303f172fb69b585c09f8a12cc3eb00a3

    SHA1

    32a233f25cbc21b1259f8e217cd146bea4a0893c

    SHA256

    2c92f40b35257e94bc90f2ea1b389ce06441cff6558f91aa686638d32e4a2ccb

    SHA512

    ddb36057801834080e75b28e1b04000362d5d0fcb5a3aa24fe8e2fd2319ba25ab3e726b4adb851a76472cd7c883f682cdfcbd5027916229478ef5fd778cec439

  • C:\Windows\System\ThDacIz.exe

    Filesize

    5.9MB

    MD5

    67a5ae984b7db2ab866e1943e34e183a

    SHA1

    b0e5dae93649604f7669893db8061c37bbdce562

    SHA256

    05ba064117846a4368ff545dad29f2640f4fdc3ccbfc79f79745d7e94d30d69c

    SHA512

    9349a1dfaaad966bb41f0b86570dc632e26eb4249ada7495571a94101fcf4af707520ee99c47dbd83d3742dd615b6f1e13ab003c53354883b331e091839b6398

  • C:\Windows\System\ViXkhcc.exe

    Filesize

    5.9MB

    MD5

    3626572e37bdbe37a41abf8c766599ed

    SHA1

    919cc1b646d8c5784b042a10078664d2a727f49f

    SHA256

    6e433e31caf2e450acd96df5f6315c69c3e4b693f3d3175e4af89da5c8d975ad

    SHA512

    de8a8dbe563771ab659ccf4476c498a766734ead5843f323f35fd299b2eefc1aad2cbf99797786c1a7fe4d827fdba82f366c064cb5b6de9212622081bb7a6067

  • C:\Windows\System\XjSjywS.exe

    Filesize

    5.9MB

    MD5

    67629d342ff7050b3735222d9c78d14b

    SHA1

    2deae3ae6621a236959d28eab33ffc05d026a79b

    SHA256

    4d55f08b352bc99e822ab868a92b140c08b743c551a0c216af5ad49bfdda47c4

    SHA512

    35f372461dfe2748b38aeed9b718219fa0d20d2c907d47d784877bf2236449be00d2534f7b49c92ccf3f2b840bb2cc8c31659b7047e5d4bad529cfa879ce6994

  • C:\Windows\System\fTwDGdh.exe

    Filesize

    1.4MB

    MD5

    c2630368f2b0f1676e4f1cfe1abe40fe

    SHA1

    1a1ea934cad8c04d2d7cb52f6d24efa72171b9bb

    SHA256

    ba2b6ec7283487518598a85cf876bd237f0f22469f9ddb98503daa3b393dd952

    SHA512

    0aab36dba19a00b9153d667bd13a12f0f52c3bc100eb4b39808efd5f028076649453c97409b4e3cd94bf4c0fd01aceb1a9a9bb93111ac83c147c79b204a0dec0

  • C:\Windows\System\fTwDGdh.exe

    Filesize

    5.9MB

    MD5

    4e1978304498602f375c7f0171779b3b

    SHA1

    3f64a9376490cb8e749f4c335dc53ed55eca9b0c

    SHA256

    edb1772978ddefe11a3f0c3498a5da99df960a1b2a343f95ae14b7338132033a

    SHA512

    99cfd972f5a031ab61c109393f974f36973cfda4b92f7e156fbbec6acc42f2a0d468be1e617b3ababd78e41ff4e90649116e5069423bf48758e21db3576efa5d

  • C:\Windows\System\fkLVcUR.exe

    Filesize

    5.9MB

    MD5

    5ae4eed7a593ff3f56c7ac5fcd00c4d1

    SHA1

    730b300cd0e998f81f52135b21d6a265749b0964

    SHA256

    db05b8b2745ae97ba68460cc47d128fcef999301332723637869245dea3b2412

    SHA512

    74006c05616848350bc7f837ba2005f90328b33943b7b71b03b501e5ba8a7cbd1ec2a7b295e5b39132194d8cc4a1642cb02a9234d02f3b75da738ce2cfd6dcc5

  • C:\Windows\System\hPuULMX.exe

    Filesize

    5.9MB

    MD5

    64090638d2c164401be64511b1653920

    SHA1

    7a389409960d17f335325014339f50d0231114a7

    SHA256

    191bc44a70b8757cb053ed2a0218a11355b3a26b7171c721e65df4aa87a920fc

    SHA512

    b7a0fb72e3c1bb073454386153fe7e4fa392c9556e511a3c206500bbbbd46efe0038a625c4ce3886bee483f5064b7ec3873e70d5fa43cc2290ef612ef6c0b9dd

  • C:\Windows\System\hkVCxqM.exe

    Filesize

    5.9MB

    MD5

    20885a1e82b980e480bdd9a1297b7d54

    SHA1

    ba4bfd697c59fd05587a0be77065afb5673a5fac

    SHA256

    9fdb8e352bd8da8a72baf57e250c6670ce46c29c7a9bd055bb8a040728707d2c

    SHA512

    9da153b66f616a6d5df57d156faf8a16a72679d5192113b0915127000b1754f13d093a6a5a0c05ae8c2549c342ed404d061b749078b05b165a844e484ab38d88

  • C:\Windows\System\nSJSxaM.exe

    Filesize

    2.0MB

    MD5

    ce95ecfd82cad989d07f01bb5a4e0e62

    SHA1

    9c404e62c6a147d88e2c4214a4a0c1206972e9c1

    SHA256

    593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576

    SHA512

    c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084

  • C:\Windows\System\nSJSxaM.exe

    Filesize

    5.9MB

    MD5

    56711c7cc945116d3533f8f0f0f92b6d

    SHA1

    4ccf479a2b798fd0d6569aa05b82252b9e6af619

    SHA256

    7903e96ed230aa6d4c6a7e2e44bcd4791553379e3e66dedbd0a3e56ec094ed61

    SHA512

    47fd5466efc0c61ff0f92e47c46f75e47067e3a9a43e39cf191aaebd72cc818463b7b06a3993ff20837b514ef41fa91ae9461c176f5f1304820b137dc7bc9b41

  • C:\Windows\System\pDexjHh.exe

    Filesize

    5.9MB

    MD5

    a3a1d1007fc84146c8a69ec68d283ebf

    SHA1

    177b59e56c09073a63fc5fb5b5af33faa4959d2f

    SHA256

    2c18046c2f46105b5d36a80b4a12814cd02e1826c9ee753e096ce0a2cdbed6da

    SHA512

    a8c08fc18b1354053fa2a6ba96847d27ba0c064fd8ef962a7edc27773bec68c600ad831c8790c73f32d083ace40b9267c5e0f5242dccc25a3bbf5d5eea49785d

  • C:\Windows\System\vttztRb.exe

    Filesize

    5.9MB

    MD5

    ee29a6b53cfbe9ed13da73058af639d1

    SHA1

    57b7d190b7c70f98c15a3dfac9fc14d0037c5087

    SHA256

    5a0aca84eb58f9165eaf307a1beaddbc8d551115f8deaa587c8acafd07d33da3

    SHA512

    680a8c498af2bd5f11ec7e361d64cd83f667fdc49fc50a6dcd639f2fdb98af8617f7b587c1e152c13e53eae082e36f63a93e41aaa728bf58b59cb6a098ed752c

  • C:\Windows\System\zdegSql.exe

    Filesize

    5.9MB

    MD5

    355e2d36947e57df747f1e4763dae2c8

    SHA1

    19f41a82de4663509860b79c4acd4e364984aed1

    SHA256

    c35688fe448ffa0531b5b00249296c75825be9754157e8738f8b70c4a98d3c19

    SHA512

    324ae2be6738ad3113643aa7dbc16128544774a231033254428a55d7472c8b172ffce6f34c480cbda31e11d060a56997be8ff935b495e099fb85126330b54492

  • memory/468-156-0x00007FF7F7D10000-0x00007FF7F8064000-memory.dmp

    Filesize

    3.3MB

  • memory/468-129-0x00007FF7F7D10000-0x00007FF7F8064000-memory.dmp

    Filesize

    3.3MB

  • memory/492-158-0x00007FF79EA50000-0x00007FF79EDA4000-memory.dmp

    Filesize

    3.3MB

  • memory/492-130-0x00007FF79EA50000-0x00007FF79EDA4000-memory.dmp

    Filesize

    3.3MB

  • memory/768-137-0x00007FF669AC0000-0x00007FF669E14000-memory.dmp

    Filesize

    3.3MB

  • memory/768-97-0x00007FF669AC0000-0x00007FF669E14000-memory.dmp

    Filesize

    3.3MB

  • memory/768-153-0x00007FF669AC0000-0x00007FF669E14000-memory.dmp

    Filesize

    3.3MB

  • memory/1312-152-0x00007FF6CF080000-0x00007FF6CF3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1312-92-0x00007FF6CF080000-0x00007FF6CF3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1620-133-0x00007FF672560000-0x00007FF6728B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1620-147-0x00007FF672560000-0x00007FF6728B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1620-54-0x00007FF672560000-0x00007FF6728B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2148-141-0x00007FF79E610000-0x00007FF79E964000-memory.dmp

    Filesize

    3.3MB

  • memory/2148-20-0x00007FF79E610000-0x00007FF79E964000-memory.dmp

    Filesize

    3.3MB

  • memory/2172-112-0x00007FF603550000-0x00007FF6038A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2172-155-0x00007FF603550000-0x00007FF6038A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2176-131-0x00007FF695B60000-0x00007FF695EB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2176-159-0x00007FF695B60000-0x00007FF695EB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2188-63-0x00007FF6AAEA0000-0x00007FF6AB1F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2188-148-0x00007FF6AAEA0000-0x00007FF6AB1F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2316-138-0x00007FF6EBCC0000-0x00007FF6EC014000-memory.dmp

    Filesize

    3.3MB

  • memory/2316-154-0x00007FF6EBCC0000-0x00007FF6EC014000-memory.dmp

    Filesize

    3.3MB

  • memory/2316-99-0x00007FF6EBCC0000-0x00007FF6EC014000-memory.dmp

    Filesize

    3.3MB

  • memory/2960-50-0x00007FF6FBDC0000-0x00007FF6FC114000-memory.dmp

    Filesize

    3.3MB

  • memory/2960-146-0x00007FF6FBDC0000-0x00007FF6FC114000-memory.dmp

    Filesize

    3.3MB

  • memory/3464-32-0x00007FF7221E0000-0x00007FF722534000-memory.dmp

    Filesize

    3.3MB

  • memory/3464-143-0x00007FF7221E0000-0x00007FF722534000-memory.dmp

    Filesize

    3.3MB

  • memory/3464-98-0x00007FF7221E0000-0x00007FF722534000-memory.dmp

    Filesize

    3.3MB

  • memory/3600-151-0x00007FF6E0810000-0x00007FF6E0B64000-memory.dmp

    Filesize

    3.3MB

  • memory/3600-136-0x00007FF6E0810000-0x00007FF6E0B64000-memory.dmp

    Filesize

    3.3MB

  • memory/3600-82-0x00007FF6E0810000-0x00007FF6E0B64000-memory.dmp

    Filesize

    3.3MB

  • memory/3612-142-0x00007FF6B2320000-0x00007FF6B2674000-memory.dmp

    Filesize

    3.3MB

  • memory/3612-26-0x00007FF6B2320000-0x00007FF6B2674000-memory.dmp

    Filesize

    3.3MB

  • memory/3824-135-0x00007FF7845E0000-0x00007FF784934000-memory.dmp

    Filesize

    3.3MB

  • memory/3824-79-0x00007FF7845E0000-0x00007FF784934000-memory.dmp

    Filesize

    3.3MB

  • memory/3824-150-0x00007FF7845E0000-0x00007FF784934000-memory.dmp

    Filesize

    3.3MB

  • memory/4108-144-0x00007FF6DD1A0000-0x00007FF6DD4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4108-110-0x00007FF6DD1A0000-0x00007FF6DD4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4108-38-0x00007FF6DD1A0000-0x00007FF6DD4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4164-132-0x00007FF7394F0000-0x00007FF739844000-memory.dmp

    Filesize

    3.3MB

  • memory/4164-157-0x00007FF7394F0000-0x00007FF739844000-memory.dmp

    Filesize

    3.3MB

  • memory/4236-134-0x00007FF71C430000-0x00007FF71C784000-memory.dmp

    Filesize

    3.3MB

  • memory/4236-69-0x00007FF71C430000-0x00007FF71C784000-memory.dmp

    Filesize

    3.3MB

  • memory/4236-149-0x00007FF71C430000-0x00007FF71C784000-memory.dmp

    Filesize

    3.3MB

  • memory/4568-44-0x00007FF601C40000-0x00007FF601F94000-memory.dmp

    Filesize

    3.3MB

  • memory/4568-145-0x00007FF601C40000-0x00007FF601F94000-memory.dmp

    Filesize

    3.3MB

  • memory/4844-139-0x00007FF6A4940000-0x00007FF6A4C94000-memory.dmp

    Filesize

    3.3MB

  • memory/4844-68-0x00007FF6A4940000-0x00007FF6A4C94000-memory.dmp

    Filesize

    3.3MB

  • memory/4844-8-0x00007FF6A4940000-0x00007FF6A4C94000-memory.dmp

    Filesize

    3.3MB

  • memory/4860-14-0x00007FF7B5950000-0x00007FF7B5CA4000-memory.dmp

    Filesize

    3.3MB

  • memory/4860-75-0x00007FF7B5950000-0x00007FF7B5CA4000-memory.dmp

    Filesize

    3.3MB

  • memory/4860-140-0x00007FF7B5950000-0x00007FF7B5CA4000-memory.dmp

    Filesize

    3.3MB

  • memory/4984-61-0x00007FF73BD80000-0x00007FF73C0D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4984-0-0x00007FF73BD80000-0x00007FF73C0D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4984-1-0x0000021046DD0000-0x0000021046DE0000-memory.dmp

    Filesize

    64KB