cobaltstrike | efc87cd611b6744e4c759195947b061abd3862bb617c47cc123a2d7c5410fb38

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

4f52ed49a877f185ebe060adc9bf6e5c
SHA1

45351d2d819e1da70c6d99854d78c613230b7842
SHA256

efc87cd611b6744e4c759195947b061abd3862bb617c47cc123a2d7c5410fb38
SHA512

56931ad70194852308677ade6e59972db9a0d644429e02211be91781ce20dd6cee065b32c03ff5cbfa357f4513a6106d4412929e316ce4eb247bbc64a1c8c2da
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibf56utgpPFotBER/mQ32lUh

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\sjlamtc.exe	cobalt_reflective_dll
C:\Windows\System\PoGJaMz.exe	cobalt_reflective_dll
C:\Windows\System\kpQzbJO.exe	cobalt_reflective_dll
C:\Windows\System\UDtvbzr.exe	cobalt_reflective_dll
C:\Windows\System\rUguITL.exe	cobalt_reflective_dll
C:\Windows\System\LcMnCDO.exe	cobalt_reflective_dll
C:\Windows\System\GyNxyMz.exe	cobalt_reflective_dll
C:\Windows\System\IipTwuu.exe	cobalt_reflective_dll
C:\Windows\System\RIoNwbP.exe	cobalt_reflective_dll
C:\Windows\System\sSGfemV.exe	cobalt_reflective_dll
C:\Windows\System\PloDRGf.exe	cobalt_reflective_dll
C:\Windows\System\nvfPKiH.exe	cobalt_reflective_dll
C:\Windows\System\cChBQtk.exe	cobalt_reflective_dll
C:\Windows\System\zBGMXJD.exe	cobalt_reflective_dll
C:\Windows\System\IcYOgqr.exe	cobalt_reflective_dll
C:\Windows\System\eAptDxx.exe	cobalt_reflective_dll
C:\Windows\System\PBjLXkf.exe	cobalt_reflective_dll
C:\Windows\System\RTRETdp.exe	cobalt_reflective_dll
C:\Windows\System\keKGngM.exe	cobalt_reflective_dll
C:\Windows\System\xlYABMa.exe	cobalt_reflective_dll
C:\Windows\System\RKUstCe.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\sjlamtc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PoGJaMz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kpQzbJO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UDtvbzr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rUguITL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LcMnCDO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GyNxyMz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IipTwuu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RIoNwbP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sSGfemV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PloDRGf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nvfPKiH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cChBQtk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zBGMXJD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IcYOgqr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eAptDxx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PBjLXkf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RTRETdp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\keKGngM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xlYABMa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RKUstCe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3836-0-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp	UPX
C:\Windows\System\sjlamtc.exe	UPX
C:\Windows\System\PoGJaMz.exe	UPX
C:\Windows\System\kpQzbJO.exe	UPX
C:\Windows\System\UDtvbzr.exe	UPX
behavioral2/memory/2248-31-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp	UPX
behavioral2/memory/3224-46-0x00007FF624670000-0x00007FF6249C1000-memory.dmp	UPX
C:\Windows\System\rUguITL.exe	UPX
C:\Windows\System\LcMnCDO.exe	UPX
C:\Windows\System\GyNxyMz.exe	UPX
C:\Windows\System\IipTwuu.exe	UPX
C:\Windows\System\RIoNwbP.exe	UPX
behavioral2/memory/2848-20-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp	UPX
behavioral2/memory/4048-16-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	UPX
behavioral2/memory/2468-8-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	UPX
behavioral2/memory/2072-50-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp	UPX
behavioral2/memory/3676-56-0x00007FF702CB0000-0x00007FF703001000-memory.dmp	UPX
C:\Windows\System\sSGfemV.exe	UPX
behavioral2/memory/2180-78-0x00007FF6EF160000-0x00007FF6EF4B1000-memory.dmp	UPX
behavioral2/memory/816-94-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp	UPX
C:\Windows\System\PloDRGf.exe	UPX
behavioral2/memory/2656-105-0x00007FF7D6D40000-0x00007FF7D7091000-memory.dmp	UPX
behavioral2/memory/3088-111-0x00007FF775F20000-0x00007FF776271000-memory.dmp	UPX
behavioral2/memory/4512-119-0x00007FF724C80000-0x00007FF724FD1000-memory.dmp	UPX
C:\Windows\System\nvfPKiH.exe	UPX
behavioral2/memory/3328-120-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp	UPX
C:\Windows\System\cChBQtk.exe	UPX
C:\Windows\System\zBGMXJD.exe	UPX
C:\Windows\System\IcYOgqr.exe	UPX
behavioral2/memory/4176-112-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp	UPX
C:\Windows\System\eAptDxx.exe	UPX
behavioral2/memory/2184-102-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp	UPX
behavioral2/memory/5080-95-0x00007FF6519B0000-0x00007FF651D01000-memory.dmp	UPX
C:\Windows\System\PBjLXkf.exe	UPX
C:\Windows\System\RTRETdp.exe	UPX
behavioral2/memory/1012-83-0x00007FF7378C0000-0x00007FF737C11000-memory.dmp	UPX
behavioral2/memory/2040-77-0x00007FF7E7B30000-0x00007FF7E7E81000-memory.dmp	UPX
C:\Windows\System\keKGngM.exe	UPX
behavioral2/memory/5084-73-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp	UPX
C:\Windows\System\xlYABMa.exe	UPX
behavioral2/memory/2364-72-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp	UPX
C:\Windows\System\RKUstCe.exe	UPX
behavioral2/memory/3836-127-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp	UPX
behavioral2/memory/3676-135-0x00007FF702CB0000-0x00007FF703001000-memory.dmp	UPX
behavioral2/memory/4176-146-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp	UPX
behavioral2/memory/3328-147-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp	UPX
behavioral2/memory/4380-148-0x00007FF69A9A0000-0x00007FF69ACF1000-memory.dmp	UPX
behavioral2/memory/3088-143-0x00007FF775F20000-0x00007FF776271000-memory.dmp	UPX
behavioral2/memory/816-141-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp	UPX
behavioral2/memory/5084-139-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp	UPX
behavioral2/memory/2184-144-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp	UPX
behavioral2/memory/2364-137-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp	UPX
behavioral2/memory/2072-134-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp	UPX
behavioral2/memory/3224-132-0x00007FF624670000-0x00007FF6249C1000-memory.dmp	UPX
behavioral2/memory/2248-131-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp	UPX
behavioral2/memory/2848-130-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp	UPX
behavioral2/memory/4048-129-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	UPX
behavioral2/memory/2468-128-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	UPX
behavioral2/memory/3836-149-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp	UPX
behavioral2/memory/2468-205-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	UPX
behavioral2/memory/4048-207-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	UPX
behavioral2/memory/2848-209-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp	UPX
behavioral2/memory/3224-211-0x00007FF624670000-0x00007FF6249C1000-memory.dmp	UPX
behavioral2/memory/2248-213-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4048-16-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	xmrig
behavioral2/memory/2180-78-0x00007FF6EF160000-0x00007FF6EF4B1000-memory.dmp	xmrig
behavioral2/memory/2656-105-0x00007FF7D6D40000-0x00007FF7D7091000-memory.dmp	xmrig
behavioral2/memory/4512-119-0x00007FF724C80000-0x00007FF724FD1000-memory.dmp	xmrig
behavioral2/memory/5080-95-0x00007FF6519B0000-0x00007FF651D01000-memory.dmp	xmrig
behavioral2/memory/1012-83-0x00007FF7378C0000-0x00007FF737C11000-memory.dmp	xmrig
behavioral2/memory/2040-77-0x00007FF7E7B30000-0x00007FF7E7E81000-memory.dmp	xmrig
behavioral2/memory/3836-127-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp	xmrig
behavioral2/memory/3676-135-0x00007FF702CB0000-0x00007FF703001000-memory.dmp	xmrig
behavioral2/memory/4176-146-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp	xmrig
behavioral2/memory/3328-147-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp	xmrig
behavioral2/memory/4380-148-0x00007FF69A9A0000-0x00007FF69ACF1000-memory.dmp	xmrig
behavioral2/memory/3088-143-0x00007FF775F20000-0x00007FF776271000-memory.dmp	xmrig
behavioral2/memory/816-141-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp	xmrig
behavioral2/memory/5084-139-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp	xmrig
behavioral2/memory/2184-144-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp	xmrig
behavioral2/memory/2364-137-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp	xmrig
behavioral2/memory/2072-134-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp	xmrig
behavioral2/memory/3224-132-0x00007FF624670000-0x00007FF6249C1000-memory.dmp	xmrig
behavioral2/memory/2248-131-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp	xmrig
behavioral2/memory/2848-130-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp	xmrig
behavioral2/memory/4048-129-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	xmrig
behavioral2/memory/2468-128-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	xmrig
behavioral2/memory/3836-149-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp	xmrig
behavioral2/memory/2468-205-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	xmrig
behavioral2/memory/4048-207-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	xmrig
behavioral2/memory/2848-209-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp	xmrig
behavioral2/memory/3224-211-0x00007FF624670000-0x00007FF6249C1000-memory.dmp	xmrig
behavioral2/memory/2248-213-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp	xmrig
behavioral2/memory/2040-215-0x00007FF7E7B30000-0x00007FF7E7E81000-memory.dmp	xmrig
behavioral2/memory/3676-217-0x00007FF702CB0000-0x00007FF703001000-memory.dmp	xmrig
behavioral2/memory/2364-219-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp	xmrig
behavioral2/memory/2180-221-0x00007FF6EF160000-0x00007FF6EF4B1000-memory.dmp	xmrig
behavioral2/memory/2072-223-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp	xmrig
behavioral2/memory/2656-225-0x00007FF7D6D40000-0x00007FF7D7091000-memory.dmp	xmrig
behavioral2/memory/5084-231-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp	xmrig
behavioral2/memory/1012-233-0x00007FF7378C0000-0x00007FF737C11000-memory.dmp	xmrig
behavioral2/memory/5080-227-0x00007FF6519B0000-0x00007FF651D01000-memory.dmp	xmrig
behavioral2/memory/816-229-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp	xmrig
behavioral2/memory/3328-235-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp	xmrig
behavioral2/memory/3088-241-0x00007FF775F20000-0x00007FF776271000-memory.dmp	xmrig
behavioral2/memory/2184-240-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp	xmrig
behavioral2/memory/4176-243-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp	xmrig
behavioral2/memory/4512-238-0x00007FF724C80000-0x00007FF724FD1000-memory.dmp	xmrig
behavioral2/memory/4380-245-0x00007FF69A9A0000-0x00007FF69ACF1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

sjlamtc.exePoGJaMz.exekpQzbJO.exeRIoNwbP.exeGyNxyMz.exeUDtvbzr.exeLcMnCDO.exerUguITL.exeIipTwuu.exeRKUstCe.exexlYABMa.exekeKGngM.exeRTRETdp.exePBjLXkf.exesSGfemV.exeeAptDxx.exePloDRGf.exeIcYOgqr.execChBQtk.exenvfPKiH.exezBGMXJD.exe

pid	process
2468	sjlamtc.exe
4048	PoGJaMz.exe
2848	kpQzbJO.exe
2248	RIoNwbP.exe
3224	GyNxyMz.exe
2040	UDtvbzr.exe
2072	LcMnCDO.exe
3676	rUguITL.exe
2180	IipTwuu.exe
2364	RKUstCe.exe
1012	xlYABMa.exe
5084	keKGngM.exe
2656	RTRETdp.exe
816	PBjLXkf.exe
5080	sSGfemV.exe
3088	eAptDxx.exe
2184	PloDRGf.exe
4512	IcYOgqr.exe
4176	cChBQtk.exe
3328	nvfPKiH.exe
4380	zBGMXJD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3836-0-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp	upx
C:\Windows\System\sjlamtc.exe	upx
C:\Windows\System\PoGJaMz.exe	upx
C:\Windows\System\kpQzbJO.exe	upx
C:\Windows\System\UDtvbzr.exe	upx
behavioral2/memory/2248-31-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp	upx
behavioral2/memory/3224-46-0x00007FF624670000-0x00007FF6249C1000-memory.dmp	upx
C:\Windows\System\rUguITL.exe	upx
C:\Windows\System\LcMnCDO.exe	upx
C:\Windows\System\GyNxyMz.exe	upx
C:\Windows\System\IipTwuu.exe	upx
C:\Windows\System\RIoNwbP.exe	upx
behavioral2/memory/2848-20-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp	upx
behavioral2/memory/4048-16-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	upx
behavioral2/memory/2468-8-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	upx
behavioral2/memory/2072-50-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp	upx
behavioral2/memory/3676-56-0x00007FF702CB0000-0x00007FF703001000-memory.dmp	upx
C:\Windows\System\sSGfemV.exe	upx
behavioral2/memory/2180-78-0x00007FF6EF160000-0x00007FF6EF4B1000-memory.dmp	upx
behavioral2/memory/816-94-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp	upx
C:\Windows\System\PloDRGf.exe	upx
behavioral2/memory/2656-105-0x00007FF7D6D40000-0x00007FF7D7091000-memory.dmp	upx
behavioral2/memory/3088-111-0x00007FF775F20000-0x00007FF776271000-memory.dmp	upx
behavioral2/memory/4512-119-0x00007FF724C80000-0x00007FF724FD1000-memory.dmp	upx
C:\Windows\System\nvfPKiH.exe	upx
behavioral2/memory/3328-120-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp	upx
C:\Windows\System\cChBQtk.exe	upx
C:\Windows\System\zBGMXJD.exe	upx
C:\Windows\System\IcYOgqr.exe	upx
behavioral2/memory/4176-112-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp	upx
C:\Windows\System\eAptDxx.exe	upx
behavioral2/memory/2184-102-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp	upx
behavioral2/memory/5080-95-0x00007FF6519B0000-0x00007FF651D01000-memory.dmp	upx
C:\Windows\System\PBjLXkf.exe	upx
C:\Windows\System\RTRETdp.exe	upx
behavioral2/memory/1012-83-0x00007FF7378C0000-0x00007FF737C11000-memory.dmp	upx
behavioral2/memory/2040-77-0x00007FF7E7B30000-0x00007FF7E7E81000-memory.dmp	upx
C:\Windows\System\keKGngM.exe	upx
behavioral2/memory/5084-73-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp	upx
C:\Windows\System\xlYABMa.exe	upx
behavioral2/memory/2364-72-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp	upx
C:\Windows\System\RKUstCe.exe	upx
behavioral2/memory/3836-127-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp	upx
behavioral2/memory/3676-135-0x00007FF702CB0000-0x00007FF703001000-memory.dmp	upx
behavioral2/memory/4176-146-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp	upx
behavioral2/memory/3328-147-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp	upx
behavioral2/memory/4380-148-0x00007FF69A9A0000-0x00007FF69ACF1000-memory.dmp	upx
behavioral2/memory/3088-143-0x00007FF775F20000-0x00007FF776271000-memory.dmp	upx
behavioral2/memory/816-141-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp	upx
behavioral2/memory/5084-139-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp	upx
behavioral2/memory/2184-144-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp	upx
behavioral2/memory/2364-137-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp	upx
behavioral2/memory/2072-134-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp	upx
behavioral2/memory/3224-132-0x00007FF624670000-0x00007FF6249C1000-memory.dmp	upx
behavioral2/memory/2248-131-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp	upx
behavioral2/memory/2848-130-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp	upx
behavioral2/memory/4048-129-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	upx
behavioral2/memory/2468-128-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	upx
behavioral2/memory/3836-149-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp	upx
behavioral2/memory/2468-205-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	upx
behavioral2/memory/4048-207-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	upx
behavioral2/memory/2848-209-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp	upx
behavioral2/memory/3224-211-0x00007FF624670000-0x00007FF6249C1000-memory.dmp	upx
behavioral2/memory/2248-213-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\kpQzbJO.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RKUstCe.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xlYABMa.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PloDRGf.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cChBQtk.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nvfPKiH.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sjlamtc.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UDtvbzr.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PBjLXkf.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eAptDxx.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zBGMXJD.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PoGJaMz.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RIoNwbP.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GyNxyMz.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LcMnCDO.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IipTwuu.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sSGfemV.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rUguITL.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\keKGngM.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RTRETdp.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IcYOgqr.exe	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3836 wrote to memory of 2468	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	sjlamtc.exe
PID 3836 wrote to memory of 2468	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	sjlamtc.exe
PID 3836 wrote to memory of 4048	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	PoGJaMz.exe
PID 3836 wrote to memory of 4048	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	PoGJaMz.exe
PID 3836 wrote to memory of 2848	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	kpQzbJO.exe
PID 3836 wrote to memory of 2848	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	kpQzbJO.exe
PID 3836 wrote to memory of 2248	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	RIoNwbP.exe
PID 3836 wrote to memory of 2248	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	RIoNwbP.exe
PID 3836 wrote to memory of 3224	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	GyNxyMz.exe
PID 3836 wrote to memory of 3224	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	GyNxyMz.exe
PID 3836 wrote to memory of 2040	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	UDtvbzr.exe
PID 3836 wrote to memory of 2040	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	UDtvbzr.exe
PID 3836 wrote to memory of 2072	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	LcMnCDO.exe
PID 3836 wrote to memory of 2072	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	LcMnCDO.exe
PID 3836 wrote to memory of 3676	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	rUguITL.exe
PID 3836 wrote to memory of 3676	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	rUguITL.exe
PID 3836 wrote to memory of 2180	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	IipTwuu.exe
PID 3836 wrote to memory of 2180	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	IipTwuu.exe
PID 3836 wrote to memory of 2364	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	RKUstCe.exe
PID 3836 wrote to memory of 2364	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	RKUstCe.exe
PID 3836 wrote to memory of 1012	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	xlYABMa.exe
PID 3836 wrote to memory of 1012	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	xlYABMa.exe
PID 3836 wrote to memory of 5084	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	keKGngM.exe
PID 3836 wrote to memory of 5084	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	keKGngM.exe
PID 3836 wrote to memory of 2656	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	RTRETdp.exe
PID 3836 wrote to memory of 2656	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	RTRETdp.exe
PID 3836 wrote to memory of 816	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	PBjLXkf.exe
PID 3836 wrote to memory of 816	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	PBjLXkf.exe
PID 3836 wrote to memory of 5080	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	sSGfemV.exe
PID 3836 wrote to memory of 5080	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	sSGfemV.exe
PID 3836 wrote to memory of 3088	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	eAptDxx.exe
PID 3836 wrote to memory of 3088	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	eAptDxx.exe
PID 3836 wrote to memory of 2184	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	PloDRGf.exe
PID 3836 wrote to memory of 2184	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	PloDRGf.exe
PID 3836 wrote to memory of 4512	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	IcYOgqr.exe
PID 3836 wrote to memory of 4512	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	IcYOgqr.exe
PID 3836 wrote to memory of 4176	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	cChBQtk.exe
PID 3836 wrote to memory of 4176	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	cChBQtk.exe
PID 3836 wrote to memory of 3328	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	nvfPKiH.exe
PID 3836 wrote to memory of 3328	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	nvfPKiH.exe
PID 3836 wrote to memory of 4380	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	zBGMXJD.exe
PID 3836 wrote to memory of 4380	3836	2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe	zBGMXJD.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_4f52ed49a877f185ebe060adc9bf6e5c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\System\sjlamtc.exe
C:\Windows\System\sjlamtc.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\PoGJaMz.exe
C:\Windows\System\PoGJaMz.exe
2⤵
- Executes dropped EXE
PID:4048

C:\Windows\System\kpQzbJO.exe
C:\Windows\System\kpQzbJO.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\System\RIoNwbP.exe
C:\Windows\System\RIoNwbP.exe
2⤵
- Executes dropped EXE
PID:2248

C:\Windows\System\GyNxyMz.exe
C:\Windows\System\GyNxyMz.exe
2⤵
- Executes dropped EXE
PID:3224

C:\Windows\System\UDtvbzr.exe
C:\Windows\System\UDtvbzr.exe
2⤵
- Executes dropped EXE
PID:2040

C:\Windows\System\LcMnCDO.exe
C:\Windows\System\LcMnCDO.exe
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\System\rUguITL.exe
C:\Windows\System\rUguITL.exe
2⤵
- Executes dropped EXE
PID:3676

C:\Windows\System\IipTwuu.exe
C:\Windows\System\IipTwuu.exe
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\System\RKUstCe.exe
C:\Windows\System\RKUstCe.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\xlYABMa.exe
C:\Windows\System\xlYABMa.exe
2⤵
- Executes dropped EXE
PID:1012

C:\Windows\System\keKGngM.exe
C:\Windows\System\keKGngM.exe
2⤵
- Executes dropped EXE
PID:5084

C:\Windows\System\RTRETdp.exe
C:\Windows\System\RTRETdp.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\PBjLXkf.exe
C:\Windows\System\PBjLXkf.exe
2⤵
- Executes dropped EXE
PID:816

C:\Windows\System\sSGfemV.exe
C:\Windows\System\sSGfemV.exe
2⤵
- Executes dropped EXE
PID:5080

C:\Windows\System\eAptDxx.exe
C:\Windows\System\eAptDxx.exe
2⤵
- Executes dropped EXE
PID:3088

C:\Windows\System\PloDRGf.exe
C:\Windows\System\PloDRGf.exe
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\System\IcYOgqr.exe
C:\Windows\System\IcYOgqr.exe
2⤵
- Executes dropped EXE
PID:4512

C:\Windows\System\cChBQtk.exe
C:\Windows\System\cChBQtk.exe
2⤵
- Executes dropped EXE
PID:4176

C:\Windows\System\nvfPKiH.exe
C:\Windows\System\nvfPKiH.exe
2⤵
- Executes dropped EXE
PID:3328

C:\Windows\System\zBGMXJD.exe
C:\Windows\System\zBGMXJD.exe
2⤵
- Executes dropped EXE
PID:4380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GyNxyMz.exe

Filesize
5.2MB

MD5
56fb96dbdd0d7c910c25a550ccb6f185

SHA1
7e2c9a6b86fc50a1c02cad142859613c00f8fe93

SHA256
4e7ba42e959619387dc1a70f829c6f25f06be50fb6d5874a1c5a3394c33552f1

SHA512
ad163a4f5152ac9adc1d03b0624d0f22949022401ed3c1db25248dc67a1ebf3a5a03d1fbd17cc2c447125bdd735608d970fefe2e9c0fa8d3b5933755ebd1d341

Download Submit
C:\Windows\System\IcYOgqr.exe

Filesize
5.2MB

MD5
09d82ac648b1a1ae278d276e2d6d7db8

SHA1
44d490f9d8c6b7a1825d39b75b8df0df851aacee

SHA256
586f5971657d8199ea26384bf99395f464a8fcd461861f06ad28a08fa8adfc93

SHA512
f857354df30f1f0c7aac13b2566c2cf962b332bb55c3122bb2d3acfe1cb93a000114ccce18c9ca08ef86fde55c1a53620ff6ce14ec50188c015a3f9f76c36763

Download Submit
C:\Windows\System\IipTwuu.exe

Filesize
5.2MB

MD5
f3d098679821eb50657182df84bac5c6

SHA1
aefbb9433b9e78cb387f85f2c13192204cc4e72a

SHA256
b72044f995cc629196608a0a10833e575f17a8c9bdbf3f54fbccd582e53e33d4

SHA512
466643ee224943e37fb203bdc73a828d395edc04f02ca7c2e7a1aba51ae5c3e598652fa547c7d7f993c1b56bd6280ca9f83889dce90a44958154e80ccbe2be24

Download Submit
C:\Windows\System\LcMnCDO.exe

Filesize
5.2MB

MD5
c9badae2b64d45bd7fd1460719de0cfe

SHA1
8d1b92e3271b90ca703550428dd626a553ba39a2

SHA256
275776b822ecfd5af5bf43f3702e6e93a4b3e8a7c40b95fdc2f266ec17c6ba20

SHA512
82017e7bf66346891a18a5100aae23579f8dc4d9fd2d6cfeb3a5f2a46a659d7298643ad8e34631aaeb8c117470ecf0d410311a487e039befd9c341a120cd5b87

Download Submit
C:\Windows\System\PBjLXkf.exe

Filesize
5.2MB

MD5
3435e88cbad0e45cce0bdd1ff7edd950

SHA1
cbd4781a16783312743b5379ebc084b6da65b068

SHA256
81fb2f11289d7e784d19a4bce8f2adcebe9912e1f49aeaabc37e92fff022d947

SHA512
c6cfd398252bb171858dea2c9192e741d30fb2817afa78a2e4b4835e4959ad0567d12148f434b462b485a9bb29c665e1a93c7a2f2811a55b30c057eb90b4db8e

Download Submit
C:\Windows\System\PloDRGf.exe

Filesize
5.2MB

MD5
013f6826c9804a78501d4f787a2732af

SHA1
86ad9895ad637b2c84fae7ea88f081902c6d4231

SHA256
de4fa48b07712c9d55f36336b650662ad9c50441321ac6744751f7f4e3c97e83

SHA512
f5adbba6b93aa8cb9608bd15f2f3df811d7b07a3d4e953727e43d85fbded7eccdbe128cfa2a4b2d474d85fe8d01473650a260ae6b546d3298253a52219dc5ecf

Download Submit
C:\Windows\System\PoGJaMz.exe

Filesize
5.2MB

MD5
04bf54df63e4b5100e6a16b41051afa9

SHA1
685997b78c2fe3b8aafc5b043ec7bb24ba5b0f77

SHA256
85284c192d5c3753dbc4b68a2f9bce692fb80deba52857a40cf880fc7d2fd1d6

SHA512
a66ee5cf3772caca8827b9b8d0378cfb2e35372e40a543c42c4ce86aa97cf3296c9b73aa245b43d4fd695bd12fa88fe322ffd96f7d14516492bb0342cf7cef4f

Download Submit
C:\Windows\System\RIoNwbP.exe

Filesize
5.2MB

MD5
897a2e3dcdb552e37e120b69b331b756

SHA1
5cb6020ffdebc3ab1749bc3213a1451610ed84a5

SHA256
e3c62bc328531a0bf8a4605673a02a12a0a9e93d1301d0a36f2b510bcd04a4ca

SHA512
c709b578dfacf1bde91a687d9f232e708664087dd51c4869a854f4f7c90c59121505973b4d04a2f398c44b82c2b298349a7daaa7e5fa62a0deda3db8a43fd467

Download Submit
C:\Windows\System\RKUstCe.exe

Filesize
5.2MB

MD5
3c3dd225a5ccab43ce0712d562bf0c53

SHA1
abdb7fcb6caee8908bfe4ca56658916c734c871d

SHA256
ead33399d1a7f54826194f8453d29c3540352f9034a6fa33256fc1b247fd3596

SHA512
d5d2a6f69da9847c1c677f4f6b4e1720d512e81f1f04af14bd1ae985be896f5306812cc1420abd421b7c90ecdaf07d589c7a1e60a62a8952c1bf8d4da6cf6c44

Download Submit
C:\Windows\System\RTRETdp.exe

Filesize
5.2MB

MD5
ef5bb9ed7b33fd29a11435e6dc4c3aa5

SHA1
24125edacf4d9e302deced1fa89a6f9ce29d70b8

SHA256
6448f4a7336d22db4e15c6d9bea9f172b8d67e55e57fb03d64f339f0687ba60e

SHA512
897cd1068080f4d74963d8ace607496bbd287525cb2f9f759e58719c019ebfa9e51867c57a46f88deb38f2640e4dd44beaf489d22f30c810c5f0da773ec2c561

Download Submit
C:\Windows\System\UDtvbzr.exe

Filesize
5.2MB

MD5
d7da2b90356f4e32d56384a270e6f9e1

SHA1
8234ee8e345aa4adb3920979ea7276a1d0d00997

SHA256
29b21dfd06347d80d99c86717f237547928097336fcb0af83dfb574ad249e60c

SHA512
253562c8031b70a60829c48ea34525ca613513ed9fd92ccc7b9b4dd37baf640ce09a3f7161a134be821dab1cfe0f1a4c6477910cc28bec0572c265c7e48696f4

Download Submit
C:\Windows\System\cChBQtk.exe

Filesize
5.2MB

MD5
91e078fd0bc267b389097200ef6e4614

SHA1
5e63035249a4058ad70cb115819d21ff2c336b40

SHA256
bf263c29b4dd4b6bcbb1192419bf8e3c0fc3936b32772a7fe0a3261b5120191e

SHA512
8e8268739ddd8e0c53622756e327695e853fe8aa6cf95cd46ea65686a9b5d9839eb12dee5a9af35dec2fdcece6891f88a1bf3516ea6d02b0cb2b54402b8596bb

Download Submit
C:\Windows\System\eAptDxx.exe

Filesize
5.2MB

MD5
dbc96ecd7eb7b2a38d3825cbc1044261

SHA1
e05baeb970c2ed31a3ce2f20fcec4e38dddfd508

SHA256
fdd9e252ed0e723e2b70737b803141db1fccc5adb8711edfa1503c6077d59c87

SHA512
47a9043474b4c4b8df3fc3a81f988a920986753e44d98b236b7c33812fe6dba6cbca07b02ca598b1d0c9aa5915c87e0272582545995fb02222b56bf8ec2665fe

Download Submit
C:\Windows\System\keKGngM.exe

Filesize
5.2MB

MD5
ef250d144977cd14f06f74f01e238efe

SHA1
c7c8dc0be1b52611608ed6dc1de9820e689f34ce

SHA256
b30ca490bdd8dec9cdcac6843cd031a48d87d6de05c6a4d7179bfeccc24d23ca

SHA512
5cb072f038dc494cd06f841fc211fadd4dd7a83534cf839bdccfe4311cfae4b983812479138fa8ceb625ff74b7012c11b5063e1089a77c44ac4a559c07f82a8f

Download Submit
C:\Windows\System\kpQzbJO.exe

Filesize
5.2MB

MD5
ad6033fa31de8cf70d4636aa8650d808

SHA1
ec9d9ce447bb60e967d28c18a2cb05c5c285e73f

SHA256
8b72e19e64bbcd0f07f4f98f9e630c2b02aec7b18ca05536ed8254a70dfdab0e

SHA512
02ebabf3b4b5e5a61743ee799425f7c3b1b1899ea462eef0ccd2c9f49627a8c1c828b96a045f29f8b3e8d26bee65e973734c6881cd07936e8f1348861ac2fb5c

Download Submit
C:\Windows\System\nvfPKiH.exe

Filesize
5.2MB

MD5
c8d88dbd879a2bf3462f344f75084969

SHA1
55a3e640c6e660aae67fb8732399c5281560ed1c

SHA256
2371f36dd782e703a8eba020c59117318336f6856bb3bbcd104866d5159dbccd

SHA512
d580d1a4ca327ec498aecf0ef01dc9208340bde3a30e7a35d2f596e5495a9a60411cd7d628793cb6e646cdfb2294eaa22ad85004266b22aef4734008a8d63035

Download Submit
C:\Windows\System\rUguITL.exe

Filesize
5.2MB

MD5
3105d2f92e02246b807508d0d7c3d134

SHA1
e71a4eb98be49269d2df839fd4a07a1b7cc78ef3

SHA256
1b91ec8cd4932a59e92188632117f6fd1f9824306e0649370ac9f0cf54acad3d

SHA512
2af5ff7c81f05ef1f1750232e159b3d4a7d26e2f9d4db64a54170d2bae5b7bbfd6f94e5d4aa9cf56e90ff4d3726d6af58cf5336975bdbd9e1188551ed759220d

Download Submit
C:\Windows\System\sSGfemV.exe

Filesize
5.2MB

MD5
2b22c8926fbc41fe98a780735841065c

SHA1
404b8575b12069022b4ed128f0f1af5b0bc6ecbb

SHA256
88301954ce59940bbfdc73d28a38f3e4802737470ca0b55ebf5323426a2190a0

SHA512
aaf48672028a0dc5cc5c37518f092d2315490974980622861646b96e9cc4f0b4bafb97e7b3e217e8ae9ac205b2e9818c90ab98c357f265e0ae416e6da9cb6a24

Download Submit
C:\Windows\System\sjlamtc.exe

Filesize
5.2MB

MD5
05deb873283787348e8bb755db8ade1c

SHA1
b8f13f55a8eed83222c502918f369661ef71ca5e

SHA256
33148aa1e6a4ace4554316463b5226c220917a478a3a2ffb94aceeeaacaf0de9

SHA512
a31608a75d5b0c01b6664e3618667f5a1219e3f0ba736f2a556c3eb7bec739577384ef0f1e8f6b5ec1cb57ebeec5faabc6095ca56f95fe4354151d105f263abe

Download Submit
C:\Windows\System\xlYABMa.exe

Filesize
5.2MB

MD5
d4139053dbf7f5c5566484361a84a745

SHA1
6e96df120dad6139c019ed36a55d84155acaa218

SHA256
7d26f371b913fb1ce85b3609b5aad5170048dd66ac14c867ba88db037a227032

SHA512
f775cb2d1d44773336764fb77e9e6ac5334e22385ffe83590c3d8bd9e49eed1167114c6959447a4f20673b18476c6648408927c1fb8f412d37f710644e0fa588

Download Submit
C:\Windows\System\zBGMXJD.exe

Filesize
5.2MB

MD5
d322e5243aba2208cb14bbb5239bcbf8

SHA1
74295242ba0f40f8fa55d765850de0c2cbaaafcb

SHA256
f75a6fb8a5bd846223c6bf753b86f9da8d021dd9a7b17ea56c4701cab80a7153

SHA512
b8f0e5c1267ff47f9fe6961e62796042253f34459af0fe80ea35ebfdceea156fcbd7aeecc30bc1829ae5c5e41c1c9fca0ed2e01fea74abd6a7bad19a0fa7cd91

Download Submit
memory/816-141-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp

Filesize
3.3MB

Download
memory/816-229-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp

Filesize
3.3MB

Download
memory/816-94-0x00007FF7F1A80000-0x00007FF7F1DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1012-233-0x00007FF7378C0000-0x00007FF737C11000-memory.dmp

Filesize
3.3MB

Download
memory/1012-83-0x00007FF7378C0000-0x00007FF737C11000-memory.dmp

Filesize
3.3MB

Download
memory/2040-215-0x00007FF7E7B30000-0x00007FF7E7E81000-memory.dmp

Filesize
3.3MB

Download
memory/2040-77-0x00007FF7E7B30000-0x00007FF7E7E81000-memory.dmp

Filesize
3.3MB

Download
memory/2072-223-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp

Filesize
3.3MB

Download
memory/2072-50-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp

Filesize
3.3MB

Download
memory/2072-134-0x00007FF7A8BB0000-0x00007FF7A8F01000-memory.dmp

Filesize
3.3MB

Download
memory/2180-78-0x00007FF6EF160000-0x00007FF6EF4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-221-0x00007FF6EF160000-0x00007FF6EF4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-102-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp

Filesize
3.3MB

Download
memory/2184-240-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp

Filesize
3.3MB

Download
memory/2184-144-0x00007FF673BC0000-0x00007FF673F11000-memory.dmp

Filesize
3.3MB

Download
memory/2248-31-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp

Filesize
3.3MB

Download
memory/2248-213-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp

Filesize
3.3MB

Download
memory/2248-131-0x00007FF6CB110000-0x00007FF6CB461000-memory.dmp

Filesize
3.3MB

Download
memory/2364-72-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp

Filesize
3.3MB

Download
memory/2364-137-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp

Filesize
3.3MB

Download
memory/2364-219-0x00007FF7FE120000-0x00007FF7FE471000-memory.dmp

Filesize
3.3MB

Download
memory/2468-8-0x00007FF621B10000-0x00007FF621E61000-memory.dmp

Filesize
3.3MB

Download
memory/2468-205-0x00007FF621B10000-0x00007FF621E61000-memory.dmp

Filesize
3.3MB

Download
memory/2468-128-0x00007FF621B10000-0x00007FF621E61000-memory.dmp

Filesize
3.3MB

Download
memory/2656-225-0x00007FF7D6D40000-0x00007FF7D7091000-memory.dmp

Filesize
3.3MB

Download
memory/2656-105-0x00007FF7D6D40000-0x00007FF7D7091000-memory.dmp

Filesize
3.3MB

Download
memory/2848-20-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp

Filesize
3.3MB

Download
memory/2848-209-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp

Filesize
3.3MB

Download
memory/2848-130-0x00007FF62CA40000-0x00007FF62CD91000-memory.dmp

Filesize
3.3MB

Download
memory/3088-111-0x00007FF775F20000-0x00007FF776271000-memory.dmp

Filesize
3.3MB

Download
memory/3088-241-0x00007FF775F20000-0x00007FF776271000-memory.dmp

Filesize
3.3MB

Download
memory/3088-143-0x00007FF775F20000-0x00007FF776271000-memory.dmp

Filesize
3.3MB

Download
memory/3224-132-0x00007FF624670000-0x00007FF6249C1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-46-0x00007FF624670000-0x00007FF6249C1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-211-0x00007FF624670000-0x00007FF6249C1000-memory.dmp

Filesize
3.3MB

Download
memory/3328-120-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp

Filesize
3.3MB

Download
memory/3328-235-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp

Filesize
3.3MB

Download
memory/3328-147-0x00007FF76D2D0000-0x00007FF76D621000-memory.dmp

Filesize
3.3MB

Download
memory/3676-217-0x00007FF702CB0000-0x00007FF703001000-memory.dmp

Filesize
3.3MB

Download
memory/3676-135-0x00007FF702CB0000-0x00007FF703001000-memory.dmp

Filesize
3.3MB

Download
memory/3676-56-0x00007FF702CB0000-0x00007FF703001000-memory.dmp

Filesize
3.3MB

Download
memory/3836-127-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp

Filesize
3.3MB

Download
memory/3836-0-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp

Filesize
3.3MB

Download
memory/3836-1-0x0000022CC6F60000-0x0000022CC6F70000-memory.dmp

Filesize
64KB

Download
memory/3836-149-0x00007FF64A700000-0x00007FF64AA51000-memory.dmp

Filesize
3.3MB

Download
memory/4048-16-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp

Filesize
3.3MB

Download
memory/4048-207-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp

Filesize
3.3MB

Download
memory/4048-129-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp

Filesize
3.3MB

Download
memory/4176-243-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp

Filesize
3.3MB

Download
memory/4176-112-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp

Filesize
3.3MB

Download
memory/4176-146-0x00007FF7D65E0000-0x00007FF7D6931000-memory.dmp

Filesize
3.3MB

Download
memory/4380-148-0x00007FF69A9A0000-0x00007FF69ACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4380-245-0x00007FF69A9A0000-0x00007FF69ACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-238-0x00007FF724C80000-0x00007FF724FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-119-0x00007FF724C80000-0x00007FF724FD1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-95-0x00007FF6519B0000-0x00007FF651D01000-memory.dmp

Filesize
3.3MB

Download
memory/5080-227-0x00007FF6519B0000-0x00007FF651D01000-memory.dmp

Filesize
3.3MB

Download
memory/5084-231-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp

Filesize
3.3MB

Download
memory/5084-73-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp

Filesize
3.3MB

Download
memory/5084-139-0x00007FF6FA540000-0x00007FF6FA891000-memory.dmp

Filesize
3.3MB

Download