cobaltstrike | 1175fe857654c399c724e4e19074290bd75dc133f9bbc8460e979ee9972fd37d

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

77b0eeffdcde9e87823dfdde0e436d7b
SHA1

25de9721ed2203d6c4e716e872d0a4b33c148402
SHA256

1175fe857654c399c724e4e19074290bd75dc133f9bbc8460e979ee9972fd37d
SHA512

6ac30e89dcde642a5142c23a83bca253d5dab04c2227b91ff804cb9620c3b5a27d7710775b58c9da35bc8263e8d71d4fa961060552640081d2af8c0374391ca0
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUR:Q+856utgpPF8u/7R

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233f4-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023404-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023403-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023405-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-31.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340b-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-85.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-70.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000233fc-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340a-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023409-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023408-46.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233f4-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023404-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023403-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023405-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023406-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023407-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340b-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340e-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023410-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340f-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340d-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340c-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00090000000233fc-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340a-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023409-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023408-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2124-0-0x00007FF656620000-0x00007FF656974000-memory.dmp	UPX
behavioral2/files/0x00090000000233f4-4.dat	UPX
behavioral2/memory/3400-7-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	UPX
behavioral2/files/0x0007000000023404-11.dat	UPX
behavioral2/files/0x0007000000023403-12.dat	UPX
behavioral2/files/0x0007000000023405-22.dat	UPX
behavioral2/files/0x0007000000023406-27.dat	UPX
behavioral2/files/0x0007000000023407-31.dat	UPX
behavioral2/memory/436-42-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp	UPX
behavioral2/files/0x000700000002340b-65.dat	UPX
behavioral2/files/0x000700000002340e-80.dat	UPX
behavioral2/files/0x0007000000023412-100.dat	UPX
behavioral2/files/0x0007000000023415-111.dat	UPX
behavioral2/files/0x0007000000023414-108.dat	UPX
behavioral2/files/0x0007000000023413-105.dat	UPX
behavioral2/files/0x0007000000023411-95.dat	UPX
behavioral2/files/0x0007000000023410-90.dat	UPX
behavioral2/files/0x000700000002340f-85.dat	UPX
behavioral2/files/0x000700000002340d-75.dat	UPX
behavioral2/files/0x000700000002340c-70.dat	UPX
behavioral2/files/0x00090000000233fc-57.dat	UPX
behavioral2/files/0x000700000002340a-55.dat	UPX
behavioral2/files/0x0007000000023409-50.dat	UPX
behavioral2/memory/4140-47-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	UPX
behavioral2/files/0x0007000000023408-46.dat	UPX
behavioral2/memory/2732-43-0x00007FF6745B0000-0x00007FF674904000-memory.dmp	UPX
behavioral2/memory/4348-37-0x00007FF6E15E0000-0x00007FF6E1934000-memory.dmp	UPX
behavioral2/memory/3340-34-0x00007FF6DCE40000-0x00007FF6DD194000-memory.dmp	UPX
behavioral2/memory/4540-113-0x00007FF711710000-0x00007FF711A64000-memory.dmp	UPX
behavioral2/memory/4628-114-0x00007FF78DF50000-0x00007FF78E2A4000-memory.dmp	UPX
behavioral2/memory/1860-115-0x00007FF6349C0000-0x00007FF634D14000-memory.dmp	UPX
behavioral2/memory/2864-116-0x00007FF78A770000-0x00007FF78AAC4000-memory.dmp	UPX
behavioral2/memory/4796-117-0x00007FF6DDBA0000-0x00007FF6DDEF4000-memory.dmp	UPX
behavioral2/memory/2684-118-0x00007FF770B00000-0x00007FF770E54000-memory.dmp	UPX
behavioral2/memory/1096-120-0x00007FF67E6A0000-0x00007FF67E9F4000-memory.dmp	UPX
behavioral2/memory/4612-119-0x00007FF6E4B80000-0x00007FF6E4ED4000-memory.dmp	UPX
behavioral2/memory/1384-121-0x00007FF735F50000-0x00007FF7362A4000-memory.dmp	UPX
behavioral2/memory/4968-122-0x00007FF7CC470000-0x00007FF7CC7C4000-memory.dmp	UPX
behavioral2/memory/4424-124-0x00007FF614C60000-0x00007FF614FB4000-memory.dmp	UPX
behavioral2/memory/904-125-0x00007FF766110000-0x00007FF766464000-memory.dmp	UPX
behavioral2/memory/3240-126-0x00007FF6A5C00000-0x00007FF6A5F54000-memory.dmp	UPX
behavioral2/memory/1140-127-0x00007FF6071B0000-0x00007FF607504000-memory.dmp	UPX
behavioral2/memory/4960-123-0x00007FF63B610000-0x00007FF63B964000-memory.dmp	UPX
behavioral2/memory/2124-128-0x00007FF656620000-0x00007FF656974000-memory.dmp	UPX
behavioral2/memory/3400-129-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	UPX
behavioral2/memory/4140-130-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	UPX
behavioral2/memory/3400-131-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	UPX
behavioral2/memory/3340-132-0x00007FF6DCE40000-0x00007FF6DD194000-memory.dmp	UPX
behavioral2/memory/904-133-0x00007FF766110000-0x00007FF766464000-memory.dmp	UPX
behavioral2/memory/4348-134-0x00007FF6E15E0000-0x00007FF6E1934000-memory.dmp	UPX
behavioral2/memory/436-135-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp	UPX
behavioral2/memory/2732-136-0x00007FF6745B0000-0x00007FF674904000-memory.dmp	UPX
behavioral2/memory/3240-137-0x00007FF6A5C00000-0x00007FF6A5F54000-memory.dmp	UPX
behavioral2/memory/4140-138-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	UPX
behavioral2/memory/4540-139-0x00007FF711710000-0x00007FF711A64000-memory.dmp	UPX
behavioral2/memory/1140-140-0x00007FF6071B0000-0x00007FF607504000-memory.dmp	UPX
behavioral2/memory/4628-141-0x00007FF78DF50000-0x00007FF78E2A4000-memory.dmp	UPX
behavioral2/memory/1860-145-0x00007FF6349C0000-0x00007FF634D14000-memory.dmp	UPX
behavioral2/memory/4612-146-0x00007FF6E4B80000-0x00007FF6E4ED4000-memory.dmp	UPX
behavioral2/memory/2864-144-0x00007FF78A770000-0x00007FF78AAC4000-memory.dmp	UPX
behavioral2/memory/4796-143-0x00007FF6DDBA0000-0x00007FF6DDEF4000-memory.dmp	UPX
behavioral2/memory/2684-142-0x00007FF770B00000-0x00007FF770E54000-memory.dmp	UPX
behavioral2/memory/1384-150-0x00007FF735F50000-0x00007FF7362A4000-memory.dmp	UPX
behavioral2/memory/4968-151-0x00007FF7CC470000-0x00007FF7CC7C4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2124-0-0x00007FF656620000-0x00007FF656974000-memory.dmp	xmrig
behavioral2/files/0x00090000000233f4-4.dat	xmrig
behavioral2/memory/3400-7-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	xmrig
behavioral2/files/0x0007000000023404-11.dat	xmrig
behavioral2/files/0x0007000000023403-12.dat	xmrig
behavioral2/files/0x0007000000023405-22.dat	xmrig
behavioral2/files/0x0007000000023406-27.dat	xmrig
behavioral2/files/0x0007000000023407-31.dat	xmrig
behavioral2/memory/436-42-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp	xmrig
behavioral2/files/0x000700000002340b-65.dat	xmrig
behavioral2/files/0x000700000002340e-80.dat	xmrig
behavioral2/files/0x0007000000023412-100.dat	xmrig
behavioral2/files/0x0007000000023415-111.dat	xmrig
behavioral2/files/0x0007000000023414-108.dat	xmrig
behavioral2/files/0x0007000000023413-105.dat	xmrig
behavioral2/files/0x0007000000023411-95.dat	xmrig
behavioral2/files/0x0007000000023410-90.dat	xmrig
behavioral2/files/0x000700000002340f-85.dat	xmrig
behavioral2/files/0x000700000002340d-75.dat	xmrig
behavioral2/files/0x000700000002340c-70.dat	xmrig
behavioral2/files/0x00090000000233fc-57.dat	xmrig
behavioral2/files/0x000700000002340a-55.dat	xmrig
behavioral2/files/0x0007000000023409-50.dat	xmrig
behavioral2/memory/4140-47-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023408-46.dat	xmrig
behavioral2/memory/2732-43-0x00007FF6745B0000-0x00007FF674904000-memory.dmp	xmrig
behavioral2/memory/4348-37-0x00007FF6E15E0000-0x00007FF6E1934000-memory.dmp	xmrig
behavioral2/memory/3340-34-0x00007FF6DCE40000-0x00007FF6DD194000-memory.dmp	xmrig
behavioral2/memory/4540-113-0x00007FF711710000-0x00007FF711A64000-memory.dmp	xmrig
behavioral2/memory/4628-114-0x00007FF78DF50000-0x00007FF78E2A4000-memory.dmp	xmrig
behavioral2/memory/1860-115-0x00007FF6349C0000-0x00007FF634D14000-memory.dmp	xmrig
behavioral2/memory/2864-116-0x00007FF78A770000-0x00007FF78AAC4000-memory.dmp	xmrig
behavioral2/memory/4796-117-0x00007FF6DDBA0000-0x00007FF6DDEF4000-memory.dmp	xmrig
behavioral2/memory/2684-118-0x00007FF770B00000-0x00007FF770E54000-memory.dmp	xmrig
behavioral2/memory/1096-120-0x00007FF67E6A0000-0x00007FF67E9F4000-memory.dmp	xmrig
behavioral2/memory/4612-119-0x00007FF6E4B80000-0x00007FF6E4ED4000-memory.dmp	xmrig
behavioral2/memory/1384-121-0x00007FF735F50000-0x00007FF7362A4000-memory.dmp	xmrig
behavioral2/memory/4968-122-0x00007FF7CC470000-0x00007FF7CC7C4000-memory.dmp	xmrig
behavioral2/memory/4424-124-0x00007FF614C60000-0x00007FF614FB4000-memory.dmp	xmrig
behavioral2/memory/904-125-0x00007FF766110000-0x00007FF766464000-memory.dmp	xmrig
behavioral2/memory/3240-126-0x00007FF6A5C00000-0x00007FF6A5F54000-memory.dmp	xmrig
behavioral2/memory/1140-127-0x00007FF6071B0000-0x00007FF607504000-memory.dmp	xmrig
behavioral2/memory/4960-123-0x00007FF63B610000-0x00007FF63B964000-memory.dmp	xmrig
behavioral2/memory/2124-128-0x00007FF656620000-0x00007FF656974000-memory.dmp	xmrig
behavioral2/memory/3400-129-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	xmrig
behavioral2/memory/4140-130-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	xmrig
behavioral2/memory/3400-131-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	xmrig
behavioral2/memory/3340-132-0x00007FF6DCE40000-0x00007FF6DD194000-memory.dmp	xmrig
behavioral2/memory/904-133-0x00007FF766110000-0x00007FF766464000-memory.dmp	xmrig
behavioral2/memory/4348-134-0x00007FF6E15E0000-0x00007FF6E1934000-memory.dmp	xmrig
behavioral2/memory/436-135-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp	xmrig
behavioral2/memory/2732-136-0x00007FF6745B0000-0x00007FF674904000-memory.dmp	xmrig
behavioral2/memory/3240-137-0x00007FF6A5C00000-0x00007FF6A5F54000-memory.dmp	xmrig
behavioral2/memory/4140-138-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	xmrig
behavioral2/memory/4540-139-0x00007FF711710000-0x00007FF711A64000-memory.dmp	xmrig
behavioral2/memory/1140-140-0x00007FF6071B0000-0x00007FF607504000-memory.dmp	xmrig
behavioral2/memory/4628-141-0x00007FF78DF50000-0x00007FF78E2A4000-memory.dmp	xmrig
behavioral2/memory/1860-145-0x00007FF6349C0000-0x00007FF634D14000-memory.dmp	xmrig
behavioral2/memory/4612-146-0x00007FF6E4B80000-0x00007FF6E4ED4000-memory.dmp	xmrig
behavioral2/memory/2864-144-0x00007FF78A770000-0x00007FF78AAC4000-memory.dmp	xmrig
behavioral2/memory/4796-143-0x00007FF6DDBA0000-0x00007FF6DDEF4000-memory.dmp	xmrig
behavioral2/memory/2684-142-0x00007FF770B00000-0x00007FF770E54000-memory.dmp	xmrig
behavioral2/memory/1384-150-0x00007FF735F50000-0x00007FF7362A4000-memory.dmp	xmrig
behavioral2/memory/4968-151-0x00007FF7CC470000-0x00007FF7CC7C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3400	xpaPJRI.exe
3340	wEUCMeH.exe
904	QhQRwGu.exe
4348	YMRBiuh.exe
436	kugObyK.exe
2732	RgWfLoC.exe
3240	LtudMsO.exe
4140	jKRYFqn.exe
1140	ixufXpA.exe
4540	xSiEPXl.exe
4628	CjBvHRl.exe
1860	RCtDZhW.exe
2864	kRJkmZK.exe
4796	eKRcJgC.exe
2684	uGqrscQ.exe
4612	CpSOrkW.exe
1096	hUYOJqt.exe
1384	sHrCOTL.exe
4968	EyZarqw.exe
4960	NfjKOhf.exe
4424	htzPFrg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2124-0-0x00007FF656620000-0x00007FF656974000-memory.dmp	upx
behavioral2/files/0x00090000000233f4-4.dat	upx
behavioral2/memory/3400-7-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	upx
behavioral2/files/0x0007000000023404-11.dat	upx
behavioral2/files/0x0007000000023403-12.dat	upx
behavioral2/files/0x0007000000023405-22.dat	upx
behavioral2/files/0x0007000000023406-27.dat	upx
behavioral2/files/0x0007000000023407-31.dat	upx
behavioral2/memory/436-42-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp	upx
behavioral2/files/0x000700000002340b-65.dat	upx
behavioral2/files/0x000700000002340e-80.dat	upx
behavioral2/files/0x0007000000023412-100.dat	upx
behavioral2/files/0x0007000000023415-111.dat	upx
behavioral2/files/0x0007000000023414-108.dat	upx
behavioral2/files/0x0007000000023413-105.dat	upx
behavioral2/files/0x0007000000023411-95.dat	upx
behavioral2/files/0x0007000000023410-90.dat	upx
behavioral2/files/0x000700000002340f-85.dat	upx
behavioral2/files/0x000700000002340d-75.dat	upx
behavioral2/files/0x000700000002340c-70.dat	upx
behavioral2/files/0x00090000000233fc-57.dat	upx
behavioral2/files/0x000700000002340a-55.dat	upx
behavioral2/files/0x0007000000023409-50.dat	upx
behavioral2/memory/4140-47-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	upx
behavioral2/files/0x0007000000023408-46.dat	upx
behavioral2/memory/2732-43-0x00007FF6745B0000-0x00007FF674904000-memory.dmp	upx
behavioral2/memory/4348-37-0x00007FF6E15E0000-0x00007FF6E1934000-memory.dmp	upx
behavioral2/memory/3340-34-0x00007FF6DCE40000-0x00007FF6DD194000-memory.dmp	upx
behavioral2/memory/4540-113-0x00007FF711710000-0x00007FF711A64000-memory.dmp	upx
behavioral2/memory/4628-114-0x00007FF78DF50000-0x00007FF78E2A4000-memory.dmp	upx
behavioral2/memory/1860-115-0x00007FF6349C0000-0x00007FF634D14000-memory.dmp	upx
behavioral2/memory/2864-116-0x00007FF78A770000-0x00007FF78AAC4000-memory.dmp	upx
behavioral2/memory/4796-117-0x00007FF6DDBA0000-0x00007FF6DDEF4000-memory.dmp	upx
behavioral2/memory/2684-118-0x00007FF770B00000-0x00007FF770E54000-memory.dmp	upx
behavioral2/memory/1096-120-0x00007FF67E6A0000-0x00007FF67E9F4000-memory.dmp	upx
behavioral2/memory/4612-119-0x00007FF6E4B80000-0x00007FF6E4ED4000-memory.dmp	upx
behavioral2/memory/1384-121-0x00007FF735F50000-0x00007FF7362A4000-memory.dmp	upx
behavioral2/memory/4968-122-0x00007FF7CC470000-0x00007FF7CC7C4000-memory.dmp	upx
behavioral2/memory/4424-124-0x00007FF614C60000-0x00007FF614FB4000-memory.dmp	upx
behavioral2/memory/904-125-0x00007FF766110000-0x00007FF766464000-memory.dmp	upx
behavioral2/memory/3240-126-0x00007FF6A5C00000-0x00007FF6A5F54000-memory.dmp	upx
behavioral2/memory/1140-127-0x00007FF6071B0000-0x00007FF607504000-memory.dmp	upx
behavioral2/memory/4960-123-0x00007FF63B610000-0x00007FF63B964000-memory.dmp	upx
behavioral2/memory/2124-128-0x00007FF656620000-0x00007FF656974000-memory.dmp	upx
behavioral2/memory/3400-129-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	upx
behavioral2/memory/4140-130-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	upx
behavioral2/memory/3400-131-0x00007FF7345F0000-0x00007FF734944000-memory.dmp	upx
behavioral2/memory/3340-132-0x00007FF6DCE40000-0x00007FF6DD194000-memory.dmp	upx
behavioral2/memory/904-133-0x00007FF766110000-0x00007FF766464000-memory.dmp	upx
behavioral2/memory/4348-134-0x00007FF6E15E0000-0x00007FF6E1934000-memory.dmp	upx
behavioral2/memory/436-135-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp	upx
behavioral2/memory/2732-136-0x00007FF6745B0000-0x00007FF674904000-memory.dmp	upx
behavioral2/memory/3240-137-0x00007FF6A5C00000-0x00007FF6A5F54000-memory.dmp	upx
behavioral2/memory/4140-138-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp	upx
behavioral2/memory/4540-139-0x00007FF711710000-0x00007FF711A64000-memory.dmp	upx
behavioral2/memory/1140-140-0x00007FF6071B0000-0x00007FF607504000-memory.dmp	upx
behavioral2/memory/4628-141-0x00007FF78DF50000-0x00007FF78E2A4000-memory.dmp	upx
behavioral2/memory/1860-145-0x00007FF6349C0000-0x00007FF634D14000-memory.dmp	upx
behavioral2/memory/4612-146-0x00007FF6E4B80000-0x00007FF6E4ED4000-memory.dmp	upx
behavioral2/memory/2864-144-0x00007FF78A770000-0x00007FF78AAC4000-memory.dmp	upx
behavioral2/memory/4796-143-0x00007FF6DDBA0000-0x00007FF6DDEF4000-memory.dmp	upx
behavioral2/memory/2684-142-0x00007FF770B00000-0x00007FF770E54000-memory.dmp	upx
behavioral2/memory/1384-150-0x00007FF735F50000-0x00007FF7362A4000-memory.dmp	upx
behavioral2/memory/4968-151-0x00007FF7CC470000-0x00007FF7CC7C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kugObyK.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xSiEPXl.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hUYOJqt.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sHrCOTL.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\htzPFrg.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xpaPJRI.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wEUCMeH.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YMRBiuh.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RgWfLoC.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jKRYFqn.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NfjKOhf.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ixufXpA.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EyZarqw.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uGqrscQ.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CpSOrkW.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QhQRwGu.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LtudMsO.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CjBvHRl.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RCtDZhW.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kRJkmZK.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eKRcJgC.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3400	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	84
PID 2124 wrote to memory of 3400	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	84
PID 2124 wrote to memory of 3340	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	85
PID 2124 wrote to memory of 3340	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	85
PID 2124 wrote to memory of 904	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	86
PID 2124 wrote to memory of 904	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	86
PID 2124 wrote to memory of 4348	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	87
PID 2124 wrote to memory of 4348	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	87
PID 2124 wrote to memory of 436	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	88
PID 2124 wrote to memory of 436	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	88
PID 2124 wrote to memory of 2732	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	89
PID 2124 wrote to memory of 2732	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	89
PID 2124 wrote to memory of 3240	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	90
PID 2124 wrote to memory of 3240	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	90
PID 2124 wrote to memory of 4140	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	91
PID 2124 wrote to memory of 4140	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	91
PID 2124 wrote to memory of 1140	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	92
PID 2124 wrote to memory of 1140	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	92
PID 2124 wrote to memory of 4540	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	93
PID 2124 wrote to memory of 4540	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	93
PID 2124 wrote to memory of 4628	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	94
PID 2124 wrote to memory of 4628	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	94
PID 2124 wrote to memory of 1860	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	95
PID 2124 wrote to memory of 1860	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	95
PID 2124 wrote to memory of 2864	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	96
PID 2124 wrote to memory of 2864	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	96
PID 2124 wrote to memory of 4796	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	97
PID 2124 wrote to memory of 4796	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	97
PID 2124 wrote to memory of 2684	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	98
PID 2124 wrote to memory of 2684	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	98
PID 2124 wrote to memory of 4612	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	99
PID 2124 wrote to memory of 4612	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	99
PID 2124 wrote to memory of 1096	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	100
PID 2124 wrote to memory of 1096	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	100
PID 2124 wrote to memory of 1384	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	101
PID 2124 wrote to memory of 1384	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	101
PID 2124 wrote to memory of 4968	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	102
PID 2124 wrote to memory of 4968	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	102
PID 2124 wrote to memory of 4960	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	103
PID 2124 wrote to memory of 4960	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	103
PID 2124 wrote to memory of 4424	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	104
PID 2124 wrote to memory of 4424	2124	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System\xpaPJRI.exe
  C:\Windows\System\xpaPJRI.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\wEUCMeH.exe
  C:\Windows\System\wEUCMeH.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\QhQRwGu.exe
  C:\Windows\System\QhQRwGu.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System\YMRBiuh.exe
  C:\Windows\System\YMRBiuh.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\kugObyK.exe
  C:\Windows\System\kugObyK.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\RgWfLoC.exe
  C:\Windows\System\RgWfLoC.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\LtudMsO.exe
  C:\Windows\System\LtudMsO.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\jKRYFqn.exe
  C:\Windows\System\jKRYFqn.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\ixufXpA.exe
  C:\Windows\System\ixufXpA.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\xSiEPXl.exe
  C:\Windows\System\xSiEPXl.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\CjBvHRl.exe
  C:\Windows\System\CjBvHRl.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\RCtDZhW.exe
  C:\Windows\System\RCtDZhW.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\kRJkmZK.exe
  C:\Windows\System\kRJkmZK.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\eKRcJgC.exe
  C:\Windows\System\eKRcJgC.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\uGqrscQ.exe
  C:\Windows\System\uGqrscQ.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\CpSOrkW.exe
  C:\Windows\System\CpSOrkW.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\hUYOJqt.exe
  C:\Windows\System\hUYOJqt.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\sHrCOTL.exe
  C:\Windows\System\sHrCOTL.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\EyZarqw.exe
  C:\Windows\System\EyZarqw.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\NfjKOhf.exe
  C:\Windows\System\NfjKOhf.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\htzPFrg.exe
  C:\Windows\System\htzPFrg.exe
  2⤵
  - Executes dropped EXE
  PID:4424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CjBvHRl.exe

Filesize
5.9MB

MD5
bfb220dc8a3ff8cecda49cf02f35affb

SHA1
09dcc6228b31ca5c530f7a5a093dcb0a1b04fc69

SHA256
0805d7dafb554e41345e79c52754499556d1cb2a46c15f5e17677d33709ecd57

SHA512
6c226842ab826bc4f4d6523bb3df583bfdb5f41fa09179416d089beafe58b417114a9e6ddf3d5bdbf7e04df655185181469d79d4847ef7a193213899d5a905b2

Download Submit
C:\Windows\System\CpSOrkW.exe

Filesize
5.9MB

MD5
ec545cbdcdc8e9444d799d57898369e9

SHA1
afdcf6a575376170acc119e8a4ee12da47117a24

SHA256
6c89af8ce72e5bbc4418ed8a3a630c1a95289728fa26c795b6a6c9ed63dad09c

SHA512
9447fea94a55640e5c68ed29ae1237eb5e9381e78d34625c10b6e9693b2fde2fae55f2ba8c0c0bf086db37a2b78ef18a2c2db31b12a37ecf361dfc8871e37f4c

Download Submit
C:\Windows\System\EyZarqw.exe

Filesize
5.9MB

MD5
be20456fd34809f83bced88d8c33a573

SHA1
74fc5d14f625907a7716f5f4eec24e443be95bf8

SHA256
ad9b6b0b866c289c4978f91f6676a8570d6b31fe4afcfc29ab54abc6a9a09722

SHA512
7c20b9ba511cd9188ed9e6798b6dc6a784f78d55fa624dee448b90393f036993eebc81eb69bab47b2e35e43bf449f33ad840986c73e7de1338a04a73a25c405c

Download Submit
C:\Windows\System\LtudMsO.exe

Filesize
5.9MB

MD5
10a5f2a37242d1e5588f726b6630de44

SHA1
7fe46280f6e6032771e4df33f3b0e5d041f8439b

SHA256
48ab444b29438cf8b8eb4e81179bf6d2c5ad029af5cc0da123bff793e2424da0

SHA512
355eafda0a2c9c332a04cf28754fa7e11a0d4998aaaa52fd2890823745947cbee14d81967ca1a3d4fa4a773348ff700fea5410c2f6b1463328cbb6ca1715c386

Download Submit
C:\Windows\System\NfjKOhf.exe

Filesize
5.9MB

MD5
1ec7eb4050bf977d7d6e90cdc934c9c1

SHA1
c8376ff119b22fc3f3d21974a8e682ef59bf9df1

SHA256
9d575e28aa5754401e90fa26ede8526bc92a6622783c00c1f58e97376708c502

SHA512
8043cefd1d98e259e0665f5a32d74000f0f1c0089ccd9f5fe1f2138d4c4a645c458a870e9383a21613e295254f40b1b442d32d46ec68855f077b29a879ea78c8

Download Submit
C:\Windows\System\QhQRwGu.exe

Filesize
5.9MB

MD5
761a0f8d85a07ba36ef03be9c3122e9f

SHA1
a89cf559825becc1b42fcdfdb77485edf50c9abd

SHA256
5acba74fe2d1213fb2b4104606e77e3b8050af6763fbe15d33907822141320d2

SHA512
153fbcb4b8e24dd060955ae65ea6a2696196b38c3378c5c354d73361c19a9d9612669335b04f7cd6d2f21108262e0b504a973a7f90288720d8afea7d7c9e8de5

Download Submit
C:\Windows\System\RCtDZhW.exe

Filesize
5.9MB

MD5
f14b021dd578fd5acdb23dcbb742bded

SHA1
fe0ac18895ee7dcac84ed4172c8282345b56b9c5

SHA256
1ecf5790b332ab1b036c0c875a5e4c61e6f556c2a4c3853d7a90eb379edc4c82

SHA512
f6ac46f4b115946bc806e136d0b9883ab549efa50a86dc3fad17493bc5d1f7171446d4476b8ee27161add34b57e8752e53c53b9ff8ebaa556990fd929dc69d65

Download Submit
C:\Windows\System\RgWfLoC.exe

Filesize
5.9MB

MD5
e16e8c4baafed2d8ed5f933ceb4bb89b

SHA1
97fd5b2e6ac78d97fd4a9fb27c6cc5e376fc6e67

SHA256
72fa2c254fd5b6d03d9969bab824aa8a8c008274f4c2a255f7e537bf12dd2888

SHA512
d8a570064138d74a77c9ccb87896b3f700588a1f5faef6b44eca9cda8e4bb3d25a66a9950d44f4074125384ca30b71b154e6729b8f0ade024eb16686719c15af

Download Submit
C:\Windows\System\YMRBiuh.exe

Filesize
5.9MB

MD5
5ce7de4e5065e55919b3326fd5261da9

SHA1
cb5aa70784df230e3d4f73bbc6cd8b6723ca160b

SHA256
68ea716eb21e54c72d65e2c12d82d6b8ccc25b1cff840f28e6054235609d5036

SHA512
75f419bfa16505b38cedd4e9aca8aded164a754db7d17940fc8d73cb0b6eb095d880012609588900fcef6d5b358822cbe96656533d63ef53e2f6bca4023bcac6

Download Submit
C:\Windows\System\eKRcJgC.exe

Filesize
5.9MB

MD5
6f68feb1463a6527678d297f6d41c87b

SHA1
4640bc30597c8841ff8c42adc45c669cb7cfcbd1

SHA256
0b29f7a25332687f440b8c6b72771ca40ea9a2604d749d82b40170629e5db6f4

SHA512
484e5fbd27edf604f6ee46b21585e8622764a6188bd930cc4a7a37260a9d3660bcde9087753f74c09b91c6a4e5f936207d12fbaf18518e955e0ed3759cc0ef9b

Download Submit
C:\Windows\System\hUYOJqt.exe

Filesize
5.9MB

MD5
7b280dc74117c37291cac13c98421656

SHA1
ec21c35b62d37bcd4aa9e4204e99cce1eba677f0

SHA256
e7ab5622838e64752cd7988f0a30cbecb4f8ca4db6bc89b147f112fb10cfba32

SHA512
47ef5625616933ecc6aacdedc5be3cbcd4760fdbb3c76c9137ee2da6c4905caa009a1a6b51413bbbf078c01596ae9a86247fdea6088b88103056af106f9a9a48

Download Submit
C:\Windows\System\htzPFrg.exe

Filesize
5.9MB

MD5
37a145dbf452cb928c6a854326b6d120

SHA1
586632d449236e217891ea32617a12afd0b869a5

SHA256
e9161790ea26c269afea239df0dc8a48d032b22ab0c5c38042b8055dc8f7afe4

SHA512
a9709e85e266ccf14ee1783057a70b426ce790c32442d3be64d2cb7ce2654204b98edc3a6bfe663fc6dbb7f65ac4292ae93a59b5e9c78155bae8f3e779ec38b1

Download Submit
C:\Windows\System\ixufXpA.exe

Filesize
5.9MB

MD5
44ebc699b35531c4dc7bd870193ebc67

SHA1
89186ae0b4d136ecac28541d060fe1e48caff4a7

SHA256
e8679cd290caf2fafecea2e8bc772a2a72afd338561ebaa0cf340b2875f919d2

SHA512
79a84a7f456dd6508708f8b6fc93143153e143adcfcbd5c7255ec47cba921e811c538fb9b6e7bef80284c5915751d5dfc54bf013543a16355643357bcebd1d56

Download Submit
C:\Windows\System\jKRYFqn.exe

Filesize
5.9MB

MD5
33e61ff27d98a34d4f4f12beaa16a21f

SHA1
9b1b02a4dc791a1234e7d8d16b7c795323a5468e

SHA256
2ba4df53f1b0a9c12cf9745b3b950db0caf3a692a393d686c10fe63975100684

SHA512
d0545b9af8412d04076d37eb2afd8f9c7544f0c544a47e532d810fd8d4a616fbf3e52e6cf613f868c27759181dd108895c26eaed21e23c3e1829a19b5a7aba2b

Download Submit
C:\Windows\System\kRJkmZK.exe

Filesize
5.9MB

MD5
2b2a64426b2abbd822ac3213a65a8160

SHA1
590ecca68b64ed4d8461c5ecac02645e60fe956b

SHA256
08d2454435fc4dff54e368afe932850e017986002c65d26bdd9cbae65f84820a

SHA512
7dd98fea3543bcffbbd1028b05d65be0159b62d812b78f59c3c68fe0752113ce83577c2f1daadbd16113425e873b9a71db46ec864562be3ae55b5eba99fedda6

Download Submit
C:\Windows\System\kugObyK.exe

Filesize
5.9MB

MD5
a15c77a66640ffe40f5a146acdc4e003

SHA1
09359c9e92a414a3bb6f90c04656e40ba1380cb9

SHA256
e07f2884c7337d160abbacbbe718157ee336783321c0d9b8b2e54c2db6b46d22

SHA512
c4352d058b03bff7cfbf5d336f162acc4c13087168c305b841534afb6536fabcb302d64f217bdaa2587d43bcd898b404f2f2eccda18f5a1b65834be5272bd35d

Download Submit
C:\Windows\System\sHrCOTL.exe

Filesize
5.9MB

MD5
79e926f43341cc6579e391c537f4f288

SHA1
a4fef9bbaf5ead5a86f55d95bfe7cb0dc0c7eab6

SHA256
89225619df74dbd0bd3a482f03d0a32c21ba4f98a1df10dd0c325abaac47357f

SHA512
9d0b86e8526f04602f35baae1fd54712d10ea425f4676dbd2e61b3629faf46bdf1ebdf5fef192759373c1bea3b2d61d3968b5c0a927b045473834ad56e97ad59

Download Submit
C:\Windows\System\uGqrscQ.exe

Filesize
5.9MB

MD5
6119e1b668df983e8d470f0c324716f3

SHA1
e678128dab4ff09f92c0a3a3b4b176773368f02e

SHA256
0a454ea6454785aa6f2fa72905059d763178efbf4a545747e635b21f864ad09c

SHA512
19c3f305ad8179e7a186887f840075dd582e447478870eba20f26c37037fb7583417cce4117c8263f85631a5a113fd43745f8837012fa4a45da418d3e9cf8516

Download Submit
C:\Windows\System\wEUCMeH.exe

Filesize
5.9MB

MD5
3a62a57556138b74d2c41a1bbd6868ce

SHA1
51100dd2694629aa1a4cef79a38454940eb6a887

SHA256
c2cbf9c5a9663ba059f3e31b003b5dab54a9c060c3b20be160786db9cafed063

SHA512
fe0ee9bfd055b6c4a3aba089ba3ce6db3288b26e1fff89072c846ac5f743bec6184998d011eb480a051f4c8e14cbf663dee610522f1d9ced68a9347bb89fed10

Download Submit
C:\Windows\System\xSiEPXl.exe

Filesize
5.9MB

MD5
4ef3f1bed284cada17e4c3b7b773bc99

SHA1
2f5bb6c06e37b45ae9f4e370e873ac61625422a4

SHA256
b0067214d472b034ba2365f2fc9fc52cc4f208551100ca876b879144cf7b4942

SHA512
2aec2045b5656e1ce286f7e68ebb88d19bc5a4410ea921415ff1dcaca4a0dc1fdcede7939891a45d0c5a060d793f62dd98c2f7d58a99a42ccd859559e9c5e19b

Download Submit
C:\Windows\System\xpaPJRI.exe

Filesize
5.9MB

MD5
1b66d455a400c476cca1c79fb0f8d598

SHA1
99aed1319323ddb94c0e7069574e3d0256290560

SHA256
09d64b784153333800589a37bcf43d3001b5b757b04212210978da700107b209

SHA512
c79a346243204c0b44965101cf73bfa2de7e41308aec37db7f0fe49c44b75d392b885e32c79bcf6ab0664c8df10e6211fe2d2ad584dd5115a481c9e0988d5974

Download Submit
memory/436-42-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp

Filesize
3.3MB

Download
memory/436-135-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp

Filesize
3.3MB

Download
memory/904-125-0x00007FF766110000-0x00007FF766464000-memory.dmp

Filesize
3.3MB

Download
memory/904-133-0x00007FF766110000-0x00007FF766464000-memory.dmp

Filesize
3.3MB

Download
memory/1096-147-0x00007FF67E6A0000-0x00007FF67E9F4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-120-0x00007FF67E6A0000-0x00007FF67E9F4000-memory.dmp

Filesize
3.3MB

Download
memory/1140-140-0x00007FF6071B0000-0x00007FF607504000-memory.dmp

Filesize
3.3MB

Download
memory/1140-127-0x00007FF6071B0000-0x00007FF607504000-memory.dmp

Filesize
3.3MB

Download
memory/1384-121-0x00007FF735F50000-0x00007FF7362A4000-memory.dmp

Filesize
3.3MB

Download
memory/1384-150-0x00007FF735F50000-0x00007FF7362A4000-memory.dmp

Filesize
3.3MB

Download
memory/1860-115-0x00007FF6349C0000-0x00007FF634D14000-memory.dmp

Filesize
3.3MB

Download
memory/1860-145-0x00007FF6349C0000-0x00007FF634D14000-memory.dmp

Filesize
3.3MB

Download
memory/2124-128-0x00007FF656620000-0x00007FF656974000-memory.dmp

Filesize
3.3MB

Download
memory/2124-0-0x00007FF656620000-0x00007FF656974000-memory.dmp

Filesize
3.3MB

Download
memory/2124-1-0x00000219AA1C0000-0x00000219AA1D0000-memory.dmp

Filesize
64KB

Download
memory/2684-118-0x00007FF770B00000-0x00007FF770E54000-memory.dmp

Filesize
3.3MB

Download
memory/2684-142-0x00007FF770B00000-0x00007FF770E54000-memory.dmp

Filesize
3.3MB

Download
memory/2732-136-0x00007FF6745B0000-0x00007FF674904000-memory.dmp

Filesize
3.3MB

Download
memory/2732-43-0x00007FF6745B0000-0x00007FF674904000-memory.dmp

Filesize
3.3MB

Download
memory/2864-144-0x00007FF78A770000-0x00007FF78AAC4000-memory.dmp

Filesize
3.3MB

Download
memory/2864-116-0x00007FF78A770000-0x00007FF78AAC4000-memory.dmp

Filesize
3.3MB

Download
memory/3240-126-0x00007FF6A5C00000-0x00007FF6A5F54000-memory.dmp

Filesize
3.3MB

Download
memory/3240-137-0x00007FF6A5C00000-0x00007FF6A5F54000-memory.dmp

Filesize
3.3MB

Download
memory/3340-34-0x00007FF6DCE40000-0x00007FF6DD194000-memory.dmp

Filesize
3.3MB

Download
memory/3340-132-0x00007FF6DCE40000-0x00007FF6DD194000-memory.dmp

Filesize
3.3MB

Download
memory/3400-131-0x00007FF7345F0000-0x00007FF734944000-memory.dmp

Filesize
3.3MB

Download
memory/3400-7-0x00007FF7345F0000-0x00007FF734944000-memory.dmp

Filesize
3.3MB

Download
memory/3400-129-0x00007FF7345F0000-0x00007FF734944000-memory.dmp

Filesize
3.3MB

Download
memory/4140-138-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp

Filesize
3.3MB

Download
memory/4140-130-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp

Filesize
3.3MB

Download
memory/4140-47-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp

Filesize
3.3MB

Download
memory/4348-134-0x00007FF6E15E0000-0x00007FF6E1934000-memory.dmp

Filesize
3.3MB

Download
memory/4348-37-0x00007FF6E15E0000-0x00007FF6E1934000-memory.dmp

Filesize
3.3MB

Download
memory/4424-124-0x00007FF614C60000-0x00007FF614FB4000-memory.dmp

Filesize
3.3MB

Download
memory/4424-148-0x00007FF614C60000-0x00007FF614FB4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-113-0x00007FF711710000-0x00007FF711A64000-memory.dmp

Filesize
3.3MB

Download
memory/4540-139-0x00007FF711710000-0x00007FF711A64000-memory.dmp

Filesize
3.3MB

Download
memory/4612-119-0x00007FF6E4B80000-0x00007FF6E4ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-146-0x00007FF6E4B80000-0x00007FF6E4ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-141-0x00007FF78DF50000-0x00007FF78E2A4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-114-0x00007FF78DF50000-0x00007FF78E2A4000-memory.dmp

Filesize
3.3MB

Download
memory/4796-143-0x00007FF6DDBA0000-0x00007FF6DDEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4796-117-0x00007FF6DDBA0000-0x00007FF6DDEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4960-149-0x00007FF63B610000-0x00007FF63B964000-memory.dmp

Filesize
3.3MB

Download
memory/4960-123-0x00007FF63B610000-0x00007FF63B964000-memory.dmp

Filesize
3.3MB

Download
memory/4968-122-0x00007FF7CC470000-0x00007FF7CC7C4000-memory.dmp

Filesize
3.3MB

Download
memory/4968-151-0x00007FF7CC470000-0x00007FF7CC7C4000-memory.dmp

Filesize
3.3MB

Download