cobaltstrike | b0e1026312a3cb1967f8d3f60c9e4dc24f6b524bc8492b992802c9d6f82894c4

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

1ecb9d0787b6b3d13e1e185bd91ee021
SHA1

db0ced9c7d323267c7b693a8e0cfcbc50155601e
SHA256

b0e1026312a3cb1967f8d3f60c9e4dc24f6b524bc8492b992802c9d6f82894c4
SHA512

d5caab03dcf66f5fd91301991fe6d41aebf01be33dec63233a622c52f6bc1610c29aec559aa225e7eadadc6ffbdeee6665de583d04ba29b50a73d514dab04106
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU1:Q+856utgpPF8u/71

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023405-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023409-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023408-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340b-36.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340a-55.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-106.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023405-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023406-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023407-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023409-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023408-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340b-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340d-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340c-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340e-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340a-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340f-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023410-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1868-0-0x00007FF7AB320000-0x00007FF7AB674000-memory.dmp	UPX
behavioral2/files/0x0008000000023405-5.dat	UPX
behavioral2/files/0x0007000000023406-11.dat	UPX
behavioral2/files/0x0007000000023407-10.dat	UPX
behavioral2/files/0x0007000000023409-25.dat	UPX
behavioral2/files/0x0007000000023408-28.dat	UPX
behavioral2/files/0x000700000002340b-36.dat	UPX
behavioral2/files/0x000700000002340d-47.dat	UPX
behavioral2/files/0x000700000002340c-51.dat	UPX
behavioral2/files/0x000700000002340e-61.dat	UPX
behavioral2/memory/1972-60-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp	UPX
behavioral2/memory/3056-59-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	UPX
behavioral2/files/0x000700000002340a-55.dat	UPX
behavioral2/memory/1728-54-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	UPX
behavioral2/memory/2976-50-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	UPX
behavioral2/memory/4728-46-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	UPX
behavioral2/memory/3484-33-0x00007FF7B4F20000-0x00007FF7B5274000-memory.dmp	UPX
behavioral2/memory/1216-27-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	UPX
behavioral2/memory/1520-26-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	UPX
behavioral2/memory/1552-15-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	UPX
behavioral2/memory/456-8-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	UPX
behavioral2/files/0x000700000002340f-64.dat	UPX
behavioral2/files/0x0007000000023410-70.dat	UPX
behavioral2/memory/3064-68-0x00007FF786490000-0x00007FF7867E4000-memory.dmp	UPX
behavioral2/memory/3472-74-0x00007FF632550000-0x00007FF6328A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023411-78.dat	UPX
behavioral2/memory/1868-80-0x00007FF7AB320000-0x00007FF7AB674000-memory.dmp	UPX
behavioral2/files/0x0007000000023412-85.dat	UPX
behavioral2/files/0x0007000000023413-91.dat	UPX
behavioral2/memory/3464-96-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp	UPX
behavioral2/files/0x0007000000023414-98.dat	UPX
behavioral2/files/0x0007000000023416-113.dat	UPX
behavioral2/files/0x0007000000023417-117.dat	UPX
behavioral2/files/0x0007000000023418-125.dat	UPX
behavioral2/files/0x0007000000023419-127.dat	UPX
behavioral2/memory/4728-110-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	UPX
behavioral2/memory/3092-109-0x00007FF7DB280000-0x00007FF7DB5D4000-memory.dmp	UPX
behavioral2/files/0x0007000000023415-106.dat	UPX
behavioral2/memory/1216-103-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	UPX
behavioral2/memory/1520-95-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	UPX
behavioral2/memory/1068-94-0x00007FF67CC50000-0x00007FF67CFA4000-memory.dmp	UPX
behavioral2/memory/1552-90-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	UPX
behavioral2/memory/456-88-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	UPX
behavioral2/memory/3280-83-0x00007FF645F10000-0x00007FF646264000-memory.dmp	UPX
behavioral2/memory/4172-131-0x00007FF7169D0000-0x00007FF716D24000-memory.dmp	UPX
behavioral2/memory/2792-130-0x00007FF6C1DA0000-0x00007FF6C20F4000-memory.dmp	UPX
behavioral2/memory/1728-134-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	UPX
behavioral2/memory/4400-135-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp	UPX
behavioral2/memory/2976-133-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	UPX
behavioral2/memory/812-132-0x00007FF7021C0000-0x00007FF702514000-memory.dmp	UPX
behavioral2/memory/5012-129-0x00007FF6122E0000-0x00007FF612634000-memory.dmp	UPX
behavioral2/memory/3056-136-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	UPX
behavioral2/memory/1972-137-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp	UPX
behavioral2/memory/3472-138-0x00007FF632550000-0x00007FF6328A4000-memory.dmp	UPX
behavioral2/memory/3464-139-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp	UPX
behavioral2/memory/456-140-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	UPX
behavioral2/memory/1552-141-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	UPX
behavioral2/memory/1520-142-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	UPX
behavioral2/memory/3484-143-0x00007FF7B4F20000-0x00007FF7B5274000-memory.dmp	UPX
behavioral2/memory/1216-144-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	UPX
behavioral2/memory/4728-145-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	UPX
behavioral2/memory/2976-146-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	UPX
behavioral2/memory/1728-147-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	UPX
behavioral2/memory/3056-148-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1868-0-0x00007FF7AB320000-0x00007FF7AB674000-memory.dmp	xmrig
behavioral2/files/0x0008000000023405-5.dat	xmrig
behavioral2/files/0x0007000000023406-11.dat	xmrig
behavioral2/files/0x0007000000023407-10.dat	xmrig
behavioral2/files/0x0007000000023409-25.dat	xmrig
behavioral2/files/0x0007000000023408-28.dat	xmrig
behavioral2/files/0x000700000002340b-36.dat	xmrig
behavioral2/files/0x000700000002340d-47.dat	xmrig
behavioral2/files/0x000700000002340c-51.dat	xmrig
behavioral2/files/0x000700000002340e-61.dat	xmrig
behavioral2/memory/1972-60-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp	xmrig
behavioral2/memory/3056-59-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	xmrig
behavioral2/files/0x000700000002340a-55.dat	xmrig
behavioral2/memory/1728-54-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	xmrig
behavioral2/memory/2976-50-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	xmrig
behavioral2/memory/4728-46-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	xmrig
behavioral2/memory/3484-33-0x00007FF7B4F20000-0x00007FF7B5274000-memory.dmp	xmrig
behavioral2/memory/1216-27-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	xmrig
behavioral2/memory/1520-26-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	xmrig
behavioral2/memory/1552-15-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	xmrig
behavioral2/memory/456-8-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340f-64.dat	xmrig
behavioral2/files/0x0007000000023410-70.dat	xmrig
behavioral2/memory/3064-68-0x00007FF786490000-0x00007FF7867E4000-memory.dmp	xmrig
behavioral2/memory/3472-74-0x00007FF632550000-0x00007FF6328A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-78.dat	xmrig
behavioral2/memory/1868-80-0x00007FF7AB320000-0x00007FF7AB674000-memory.dmp	xmrig
behavioral2/files/0x0007000000023412-85.dat	xmrig
behavioral2/files/0x0007000000023413-91.dat	xmrig
behavioral2/memory/3464-96-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp	xmrig
behavioral2/files/0x0007000000023414-98.dat	xmrig
behavioral2/files/0x0007000000023416-113.dat	xmrig
behavioral2/files/0x0007000000023417-117.dat	xmrig
behavioral2/files/0x0007000000023418-125.dat	xmrig
behavioral2/files/0x0007000000023419-127.dat	xmrig
behavioral2/memory/4728-110-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	xmrig
behavioral2/memory/3092-109-0x00007FF7DB280000-0x00007FF7DB5D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023415-106.dat	xmrig
behavioral2/memory/1216-103-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	xmrig
behavioral2/memory/1520-95-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	xmrig
behavioral2/memory/1068-94-0x00007FF67CC50000-0x00007FF67CFA4000-memory.dmp	xmrig
behavioral2/memory/1552-90-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	xmrig
behavioral2/memory/456-88-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	xmrig
behavioral2/memory/3280-83-0x00007FF645F10000-0x00007FF646264000-memory.dmp	xmrig
behavioral2/memory/4172-131-0x00007FF7169D0000-0x00007FF716D24000-memory.dmp	xmrig
behavioral2/memory/2792-130-0x00007FF6C1DA0000-0x00007FF6C20F4000-memory.dmp	xmrig
behavioral2/memory/1728-134-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	xmrig
behavioral2/memory/4400-135-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp	xmrig
behavioral2/memory/2976-133-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	xmrig
behavioral2/memory/812-132-0x00007FF7021C0000-0x00007FF702514000-memory.dmp	xmrig
behavioral2/memory/5012-129-0x00007FF6122E0000-0x00007FF612634000-memory.dmp	xmrig
behavioral2/memory/3056-136-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	xmrig
behavioral2/memory/1972-137-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp	xmrig
behavioral2/memory/3472-138-0x00007FF632550000-0x00007FF6328A4000-memory.dmp	xmrig
behavioral2/memory/3464-139-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp	xmrig
behavioral2/memory/456-140-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	xmrig
behavioral2/memory/1552-141-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	xmrig
behavioral2/memory/1520-142-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	xmrig
behavioral2/memory/3484-143-0x00007FF7B4F20000-0x00007FF7B5274000-memory.dmp	xmrig
behavioral2/memory/1216-144-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	xmrig
behavioral2/memory/4728-145-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	xmrig
behavioral2/memory/2976-146-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	xmrig
behavioral2/memory/1728-147-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	xmrig
behavioral2/memory/3056-148-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
456	QRihNNH.exe
1552	NdvxhwK.exe
1520	NIyGbzw.exe
3484	AgqKmYN.exe
1216	RqrRDEw.exe
4728	QWeSThU.exe
1728	MZwqjnh.exe
2976	bTVkoqW.exe
3056	RQMEAOm.exe
1972	ZJzSQjM.exe
3064	zPbValp.exe
3472	BOoVufM.exe
3280	gaWgmPR.exe
1068	tLNtxLw.exe
3464	mKyesJC.exe
3092	FEfjAva.exe
5012	goSDlEq.exe
4400	ybBjOLt.exe
2792	SImvjyk.exe
4172	IUqFbUU.exe
812	XksYcRi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1868-0-0x00007FF7AB320000-0x00007FF7AB674000-memory.dmp	upx
behavioral2/files/0x0008000000023405-5.dat	upx
behavioral2/files/0x0007000000023406-11.dat	upx
behavioral2/files/0x0007000000023407-10.dat	upx
behavioral2/files/0x0007000000023409-25.dat	upx
behavioral2/files/0x0007000000023408-28.dat	upx
behavioral2/files/0x000700000002340b-36.dat	upx
behavioral2/files/0x000700000002340d-47.dat	upx
behavioral2/files/0x000700000002340c-51.dat	upx
behavioral2/files/0x000700000002340e-61.dat	upx
behavioral2/memory/1972-60-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp	upx
behavioral2/memory/3056-59-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	upx
behavioral2/files/0x000700000002340a-55.dat	upx
behavioral2/memory/1728-54-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	upx
behavioral2/memory/2976-50-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	upx
behavioral2/memory/4728-46-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	upx
behavioral2/memory/3484-33-0x00007FF7B4F20000-0x00007FF7B5274000-memory.dmp	upx
behavioral2/memory/1216-27-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	upx
behavioral2/memory/1520-26-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	upx
behavioral2/memory/1552-15-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	upx
behavioral2/memory/456-8-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	upx
behavioral2/files/0x000700000002340f-64.dat	upx
behavioral2/files/0x0007000000023410-70.dat	upx
behavioral2/memory/3064-68-0x00007FF786490000-0x00007FF7867E4000-memory.dmp	upx
behavioral2/memory/3472-74-0x00007FF632550000-0x00007FF6328A4000-memory.dmp	upx
behavioral2/files/0x0007000000023411-78.dat	upx
behavioral2/memory/1868-80-0x00007FF7AB320000-0x00007FF7AB674000-memory.dmp	upx
behavioral2/files/0x0007000000023412-85.dat	upx
behavioral2/files/0x0007000000023413-91.dat	upx
behavioral2/memory/3464-96-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp	upx
behavioral2/files/0x0007000000023414-98.dat	upx
behavioral2/files/0x0007000000023416-113.dat	upx
behavioral2/files/0x0007000000023417-117.dat	upx
behavioral2/files/0x0007000000023418-125.dat	upx
behavioral2/files/0x0007000000023419-127.dat	upx
behavioral2/memory/4728-110-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	upx
behavioral2/memory/3092-109-0x00007FF7DB280000-0x00007FF7DB5D4000-memory.dmp	upx
behavioral2/files/0x0007000000023415-106.dat	upx
behavioral2/memory/1216-103-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	upx
behavioral2/memory/1520-95-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	upx
behavioral2/memory/1068-94-0x00007FF67CC50000-0x00007FF67CFA4000-memory.dmp	upx
behavioral2/memory/1552-90-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	upx
behavioral2/memory/456-88-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	upx
behavioral2/memory/3280-83-0x00007FF645F10000-0x00007FF646264000-memory.dmp	upx
behavioral2/memory/4172-131-0x00007FF7169D0000-0x00007FF716D24000-memory.dmp	upx
behavioral2/memory/2792-130-0x00007FF6C1DA0000-0x00007FF6C20F4000-memory.dmp	upx
behavioral2/memory/1728-134-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	upx
behavioral2/memory/4400-135-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp	upx
behavioral2/memory/2976-133-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	upx
behavioral2/memory/812-132-0x00007FF7021C0000-0x00007FF702514000-memory.dmp	upx
behavioral2/memory/5012-129-0x00007FF6122E0000-0x00007FF612634000-memory.dmp	upx
behavioral2/memory/3056-136-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	upx
behavioral2/memory/1972-137-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp	upx
behavioral2/memory/3472-138-0x00007FF632550000-0x00007FF6328A4000-memory.dmp	upx
behavioral2/memory/3464-139-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp	upx
behavioral2/memory/456-140-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp	upx
behavioral2/memory/1552-141-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp	upx
behavioral2/memory/1520-142-0x00007FF78A410000-0x00007FF78A764000-memory.dmp	upx
behavioral2/memory/3484-143-0x00007FF7B4F20000-0x00007FF7B5274000-memory.dmp	upx
behavioral2/memory/1216-144-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp	upx
behavioral2/memory/4728-145-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp	upx
behavioral2/memory/2976-146-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	upx
behavioral2/memory/1728-147-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp	upx
behavioral2/memory/3056-148-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MZwqjnh.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RQMEAOm.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZJzSQjM.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BOoVufM.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gaWgmPR.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FEfjAva.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NdvxhwK.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AgqKmYN.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SImvjyk.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IUqFbUU.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tLNtxLw.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\goSDlEq.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ybBjOLt.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QRihNNH.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QWeSThU.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mKyesJC.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XksYcRi.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RqrRDEw.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bTVkoqW.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NIyGbzw.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zPbValp.exe	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 456	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	84
PID 1868 wrote to memory of 456	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	84
PID 1868 wrote to memory of 1552	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	85
PID 1868 wrote to memory of 1552	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	85
PID 1868 wrote to memory of 1520	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	86
PID 1868 wrote to memory of 1520	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	86
PID 1868 wrote to memory of 3484	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	87
PID 1868 wrote to memory of 3484	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	87
PID 1868 wrote to memory of 1216	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	88
PID 1868 wrote to memory of 1216	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	88
PID 1868 wrote to memory of 1728	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	89
PID 1868 wrote to memory of 1728	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	89
PID 1868 wrote to memory of 4728	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	90
PID 1868 wrote to memory of 4728	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	90
PID 1868 wrote to memory of 2976	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	91
PID 1868 wrote to memory of 2976	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	91
PID 1868 wrote to memory of 3056	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	92
PID 1868 wrote to memory of 3056	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	92
PID 1868 wrote to memory of 1972	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	93
PID 1868 wrote to memory of 1972	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	93
PID 1868 wrote to memory of 3064	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	94
PID 1868 wrote to memory of 3064	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	94
PID 1868 wrote to memory of 3472	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	95
PID 1868 wrote to memory of 3472	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	95
PID 1868 wrote to memory of 3280	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	97
PID 1868 wrote to memory of 3280	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	97
PID 1868 wrote to memory of 1068	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	100
PID 1868 wrote to memory of 1068	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	100
PID 1868 wrote to memory of 3464	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	101
PID 1868 wrote to memory of 3464	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	101
PID 1868 wrote to memory of 3092	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	102
PID 1868 wrote to memory of 3092	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	102
PID 1868 wrote to memory of 5012	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	103
PID 1868 wrote to memory of 5012	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	103
PID 1868 wrote to memory of 4400	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	104
PID 1868 wrote to memory of 4400	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	104
PID 1868 wrote to memory of 2792	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	105
PID 1868 wrote to memory of 2792	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	105
PID 1868 wrote to memory of 4172	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	106
PID 1868 wrote to memory of 4172	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	106
PID 1868 wrote to memory of 812	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	107
PID 1868 wrote to memory of 812	1868	2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_1ecb9d0787b6b3d13e1e185bd91ee021_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\System\QRihNNH.exe
  C:\Windows\System\QRihNNH.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\NdvxhwK.exe
  C:\Windows\System\NdvxhwK.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\NIyGbzw.exe
  C:\Windows\System\NIyGbzw.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\AgqKmYN.exe
  C:\Windows\System\AgqKmYN.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\RqrRDEw.exe
  C:\Windows\System\RqrRDEw.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\MZwqjnh.exe
  C:\Windows\System\MZwqjnh.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\QWeSThU.exe
  C:\Windows\System\QWeSThU.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\bTVkoqW.exe
  C:\Windows\System\bTVkoqW.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\RQMEAOm.exe
  C:\Windows\System\RQMEAOm.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\ZJzSQjM.exe
  C:\Windows\System\ZJzSQjM.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\zPbValp.exe
  C:\Windows\System\zPbValp.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\BOoVufM.exe
  C:\Windows\System\BOoVufM.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\gaWgmPR.exe
  C:\Windows\System\gaWgmPR.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\tLNtxLw.exe
  C:\Windows\System\tLNtxLw.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\mKyesJC.exe
  C:\Windows\System\mKyesJC.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\FEfjAva.exe
  C:\Windows\System\FEfjAva.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\goSDlEq.exe
  C:\Windows\System\goSDlEq.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\ybBjOLt.exe
  C:\Windows\System\ybBjOLt.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\SImvjyk.exe
  C:\Windows\System\SImvjyk.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\IUqFbUU.exe
  C:\Windows\System\IUqFbUU.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\XksYcRi.exe
  C:\Windows\System\XksYcRi.exe
  2⤵
  - Executes dropped EXE
  PID:812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AgqKmYN.exe

Filesize
5.9MB

MD5
13243fc08302a15ae2b8ec51c85fa167

SHA1
4b911de15acae4ef667e67328875fe067e8ae232

SHA256
768fea3b3316aad3ad9c9457f4da9abd9f778b72eb11351f5487f9658b6f12a7

SHA512
639289e0bfd7f32a712bf104abadf2b93dced93ac249ebe0ca2c0982da073b3601031ce91885f05917ba658d726192e51a720afa9ba6369e066dc5c38ade61e7

Download Submit
C:\Windows\System\BOoVufM.exe

Filesize
5.9MB

MD5
9fc942d455e2b77587bd94c9a38bd49d

SHA1
121dada525445b4bd2ec28ab74b462c407f990ac

SHA256
2dce24a38aea7c5f12c13be329db08df2bff64b84e1c59c0540339aca0b04ab0

SHA512
975c1cc2e7f3dc7bf5191f4f67a3f2d510ffe97d507e0bc6defa43ec0565ff77964626ef922fc55b1bfcb1ebad0258ead72501e8332fd347f1446e624405ad53

Download Submit
C:\Windows\System\FEfjAva.exe

Filesize
5.9MB

MD5
a012bc91e3506ca9ce47dfc6a17a2a1f

SHA1
01042e1eb41383987948ee1062169cbcf03a5167

SHA256
93d6154457175435399bf87979a91526cbaf684a0a3e954eaf0df686b60482ba

SHA512
93b518f2435195c310ae88d2f94c6975b518c5e37aa4de9aa353e34851dfc4c1e6694892714f9bcfaf40a358adf4d48cd4e16fdee8b36af3aba7c7a53d564b75

Download Submit
C:\Windows\System\IUqFbUU.exe

Filesize
5.9MB

MD5
742fa05c02be681cb6530cfb56ed2409

SHA1
39398b4e8743cdb647d785ae2f6812555bd1f97f

SHA256
5eda9f0999c488a3e04c22302315bd14885f9e664634dc427c019ebe297a3e1c

SHA512
c91b9dedba7abc7eda9a74f46c806de3ba60010e954f1508f5296a4114ab2d3ba8a568afa3547b8152841866f267957b4c9b54e3db22c8023e6b657bde20441e

Download Submit
C:\Windows\System\MZwqjnh.exe

Filesize
5.9MB

MD5
e90753f9842b3005fd55afb11172a1d6

SHA1
c623dd1bb7edf5cee64f84bd183f91318b352bb7

SHA256
e4a361a1c107822bb1dd0fc22ec80f620a562f07a48a38752d4b9e6abcd39c33

SHA512
d301d2695f2c4bbbf0a0d4348a90abf7a67f3d8a5ca7fcd047ccbd8a04ef52c2043ce2b60968e4efdc4165af769c41217a122b6e1e1450b278fa363b4edbd55d

Download Submit
C:\Windows\System\NIyGbzw.exe

Filesize
5.9MB

MD5
9b58a9ec3d3d8e2a70c8128b7f2b3527

SHA1
b85aa9a0dd5106bcddfb031aefc3a505a9483736

SHA256
663fa36807696fe2ef848c359377f20af8f0d41d6b559bb5a049fe31af49b80a

SHA512
c871733114fb031b70d2c814848fc89e10520b874405621cea232c4942c74ef1f4d16e90d71147a4911fd0239a39cde6922f8dcd3be5c742a90fee7314997d3e

Download Submit
C:\Windows\System\NdvxhwK.exe

Filesize
5.9MB

MD5
b9d1bb4ce72ab9a07941ce588bbfb6d2

SHA1
80434fdd345792be4d7440dd322ccc914f2123b3

SHA256
40001884ffda7a70dfb80940708dcd3bc5a24167942115dad8d9f8c1a4ecad46

SHA512
be51848132f8c1184350cdb8778d6c16d9edcd793243b5ce9c8b9783e058fb9799deabc96e653e76fbe620ab123e274369b4daa018a5ab52c0003dd8d2076d90

Download Submit
C:\Windows\System\QRihNNH.exe

Filesize
5.9MB

MD5
2b416e61162b6b46aa84f6a191bfac8d

SHA1
9606830c2c2011882beab22e7e1d47a39c12ca39

SHA256
52ed65839356596b9cf32eea1ca418e994b1a2680b842f3262ab3230e83ffc5a

SHA512
701c5268c9ebd4a2ecee9afe376657843a7084eabf54a8b68b5f5c72636b5a359100c8d151b089162077ad52f9c851cf03bd35f9cc3258be658ae320b798c902

Download Submit
C:\Windows\System\QWeSThU.exe

Filesize
5.9MB

MD5
d554467e6d95d323fdf71d86a9866081

SHA1
50b246f9ccce2f110691ad183de276ca9aa0e382

SHA256
beaff7ed639ef690779e17dc8fb03d7b2f84735d3fbaa692cddec16ba79929e4

SHA512
57649383e9eef295b8922332a4d48a404e8349f93328a9a9207617ebf86f05d863d00751ec9b7792aa176c07263c82e8e04cb294df05ff645996dff83e4173d0

Download Submit
C:\Windows\System\RQMEAOm.exe

Filesize
5.9MB

MD5
e359dfb08a44b5b3109758249e1cfe98

SHA1
b4d76f94fad56bfffea24b0dc520d498997090ae

SHA256
95051e4e5217b9c30f20ac1650bc17ca1d31a850b4a248b688e81f38a91672f7

SHA512
b8bd596505477846c0a3306c7ac7c231abee6d5af408e40cfa6dd014ded9a92dd8e7a7a0fdaa868304338c3ad450b2a63ff5d742ab717b050ea469506fc39efe

Download Submit
C:\Windows\System\RqrRDEw.exe

Filesize
5.9MB

MD5
ebd1e2f0f32b9049b1b76d027d813d0e

SHA1
e1450e38ae81bbfe99075e4f48ec247bcc6d28a8

SHA256
deded8699ed4640d3ecb64db68ca971b70c7ac7711d197d3add279a4beff9ae3

SHA512
f8365a5350deea5656a40db0abb317ac8f25121350f3c3e669b103944c82ff3205c4f0adb9b0317dd7849c97b5e3003ee6e79bd846261965e77516e141f55777

Download Submit
C:\Windows\System\SImvjyk.exe

Filesize
5.9MB

MD5
314328fab5a6380a6ab23250a00db272

SHA1
3680545ac44b9ab73543bc5e29a159ec99bfe283

SHA256
73c9d4275e31f65d9e2aa597f4dee6fd644d3d5f1046bcac53ffde9ad86be54e

SHA512
fc2c477ffa6095516555b6aba3b119cef3ddc844207f1a2c3e778ebdc74bda041a737f7dc3949890a6a074d271c816627099b93a024391ee3f11f956ccc38ca3

Download Submit
C:\Windows\System\XksYcRi.exe

Filesize
5.9MB

MD5
8d23dcad3fba82c8e8c4c92a34819bf0

SHA1
0739d69a17bc69daa810bbb7ac8ecd7d342a1016

SHA256
527d9dde0d4fe9fabb63b2440699e26bbfebb313269605414ffd5a220d567449

SHA512
451b14cb7fee8a60fdf7df64b49a3832835718ef42eaafb54055b32f4254a3c3a42100a5f2248e708c05551b274e73b4a7b34c4ab27880d690b91f6ffb47cf6a

Download Submit
C:\Windows\System\ZJzSQjM.exe

Filesize
5.9MB

MD5
5b881d0a054a0f4d6f217c28a6f51303

SHA1
c5183207902ac81cb189efbcb2bad6b4a11b4190

SHA256
5fe08ea3c10ee593bc65427a0b8077e3b155450a14552234f3b676b3f2d98c15

SHA512
65867fa1efc4bcbcc9e6d4faca64fbed060d9fdc036982be87533206abe2b4344f71660508246b5b2d77d1cafeadb2e7218c39f68eed8048e367b32104dc7cc9

Download Submit
C:\Windows\System\bTVkoqW.exe

Filesize
5.9MB

MD5
6fef0348d5fa2414a51e422cef6c93bd

SHA1
54245527c9086921466e2f975f9c576038d53957

SHA256
3c5a041f809391d4b382ac6ffd200dc5b5720d0b847ca2166fada3dd56bdc138

SHA512
92637450b13a1b12f33411a57b9abb556fa5bcacff74fbd64288dcf6d62430283e2e9de3a84225ffff9f3df7b9369fa46de16642269cd4f02962b4e31f4f2fd0

Download Submit
C:\Windows\System\gaWgmPR.exe

Filesize
5.9MB

MD5
c990b76df881ca4532d4baf013917952

SHA1
e96070c009c0fb2a60e60ef855ec7e810f6ee441

SHA256
47ff08f52cb58081d9db805e2be7642c6ad3aab221d4587f29e1d023886293dc

SHA512
661e1a06d7aa91b32614bbd6652276b087623b49a45f581bf38a7646e21079fd6633389fc2817d2dd64b56fbc1175d2ee295024c4449f46ac3090864d963f90b

Download Submit
C:\Windows\System\goSDlEq.exe

Filesize
5.9MB

MD5
2a45ba2a56743b798c3365dbf99567c0

SHA1
ecb664b10cc126a3229da75751379847eeaf4328

SHA256
b43c869a0089cd7286835448491452963a186f6b90b9887d1fe6d100925c8536

SHA512
42231b68e7b3acc5bcdede51df9ec71607fa927e56f5b1f872009dd14bdcb4fac69b55a67dbce128336b3cf46d95276356be61f137eed7246a4973d87b97a2cf

Download Submit
C:\Windows\System\mKyesJC.exe

Filesize
5.9MB

MD5
2d71f07ba204570a7dbb50bd0bc2b29c

SHA1
a743458b5ce06a20ab5d652b28e632e786197c35

SHA256
abe62c0fc6735ab40a8570b2a5f54943fada5fdd909772c8bf9581627a073d59

SHA512
31b08e6be34ee2e4aff731ee0e30b67cc9a8bc0229fc31d2a6cab1fc19c1a23b1c573d5999287ac187388007faaeacd8add07adf8e6bf4d4c39810a1d8ca75cd

Download Submit
C:\Windows\System\tLNtxLw.exe

Filesize
5.9MB

MD5
96225df87f647364cb481b19a9e571e4

SHA1
57e271d1a77586c1a682b019409c75a8bb4a05bf

SHA256
015611f44b4bf952ddc4dc0a21a8ac24438def5cd6221b619d2ce68515f8b8eb

SHA512
caa2fbb79b055662af7fbefc3e2c3792c7a9de21c7f1e178958d0f47b9ec851a4064e4e29f44c8bc725195ec2af3073322e9b1413b9c1d86282c1e89906efe40

Download Submit
C:\Windows\System\ybBjOLt.exe

Filesize
5.9MB

MD5
bc22e9346cef561a291b5b0cc3e1c248

SHA1
eed62f7afd806e1f40b6c1c57f79bcb24c117d03

SHA256
9b1ff68c2088758ec33acadea98268a0e69dea294b8683efebed6ce52dde2bcb

SHA512
44a12437757300e5fe1414c9a4e3a4f7b4bbc5cd94740a4f4b1496096a7496b61e7bee203e9f77b0da435dee363156d9aa11dda43460549880caf968fa47dee1

Download Submit
C:\Windows\System\zPbValp.exe

Filesize
5.9MB

MD5
5d4604bb7bec7ffd1a8db55e24e503fd

SHA1
741daf9c2a44d0a6b34f02ca4948c1aeaac4a14a

SHA256
b62a777903d65dbd576e0bbe8ccb6d83663343c6edbf8548f4ecde3663efe846

SHA512
c80419c8111a30268c2c2f0266b48c51cb55b1cdcb6a0422987195749c6df745249d601650268870fc9f30f492b0ced9fdaf2ce401fdc5c58f9cda85a1646608

Download Submit
memory/456-140-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp

Filesize
3.3MB

Download
memory/456-8-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp

Filesize
3.3MB

Download
memory/456-88-0x00007FF7A9D90000-0x00007FF7AA0E4000-memory.dmp

Filesize
3.3MB

Download
memory/812-132-0x00007FF7021C0000-0x00007FF702514000-memory.dmp

Filesize
3.3MB

Download
memory/812-160-0x00007FF7021C0000-0x00007FF702514000-memory.dmp

Filesize
3.3MB

Download
memory/1068-94-0x00007FF67CC50000-0x00007FF67CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/1068-153-0x00007FF67CC50000-0x00007FF67CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/1216-103-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp

Filesize
3.3MB

Download
memory/1216-27-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp

Filesize
3.3MB

Download
memory/1216-144-0x00007FF7AFF90000-0x00007FF7B02E4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-26-0x00007FF78A410000-0x00007FF78A764000-memory.dmp

Filesize
3.3MB

Download
memory/1520-142-0x00007FF78A410000-0x00007FF78A764000-memory.dmp

Filesize
3.3MB

Download
memory/1520-95-0x00007FF78A410000-0x00007FF78A764000-memory.dmp

Filesize
3.3MB

Download
memory/1552-141-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp

Filesize
3.3MB

Download
memory/1552-15-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp

Filesize
3.3MB

Download
memory/1552-90-0x00007FF7E9240000-0x00007FF7E9594000-memory.dmp

Filesize
3.3MB

Download
memory/1728-134-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp

Filesize
3.3MB

Download
memory/1728-54-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp

Filesize
3.3MB

Download
memory/1728-147-0x00007FF74CB40000-0x00007FF74CE94000-memory.dmp

Filesize
3.3MB

Download
memory/1868-80-0x00007FF7AB320000-0x00007FF7AB674000-memory.dmp

Filesize
3.3MB

Download
memory/1868-1-0x0000015A48320000-0x0000015A48330000-memory.dmp

Filesize
64KB

Download
memory/1868-0-0x00007FF7AB320000-0x00007FF7AB674000-memory.dmp

Filesize
3.3MB

Download
memory/1972-137-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp

Filesize
3.3MB

Download
memory/1972-60-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp

Filesize
3.3MB

Download
memory/1972-149-0x00007FF7F33B0000-0x00007FF7F3704000-memory.dmp

Filesize
3.3MB

Download
memory/2792-156-0x00007FF6C1DA0000-0x00007FF6C20F4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-130-0x00007FF6C1DA0000-0x00007FF6C20F4000-memory.dmp

Filesize
3.3MB

Download
memory/2976-146-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2976-133-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2976-50-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp

Filesize
3.3MB

Download
memory/3056-148-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp

Filesize
3.3MB

Download
memory/3056-136-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp

Filesize
3.3MB

Download
memory/3056-59-0x00007FF6D9410000-0x00007FF6D9764000-memory.dmp

Filesize
3.3MB

Download
memory/3064-150-0x00007FF786490000-0x00007FF7867E4000-memory.dmp

Filesize
3.3MB

Download
memory/3064-68-0x00007FF786490000-0x00007FF7867E4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-109-0x00007FF7DB280000-0x00007FF7DB5D4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-154-0x00007FF7DB280000-0x00007FF7DB5D4000-memory.dmp

Filesize
3.3MB

Download
memory/3280-83-0x00007FF645F10000-0x00007FF646264000-memory.dmp

Filesize
3.3MB

Download
memory/3280-152-0x00007FF645F10000-0x00007FF646264000-memory.dmp

Filesize
3.3MB

Download
memory/3464-139-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp

Filesize
3.3MB

Download
memory/3464-96-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp

Filesize
3.3MB

Download
memory/3464-155-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp

Filesize
3.3MB

Download
memory/3472-138-0x00007FF632550000-0x00007FF6328A4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-74-0x00007FF632550000-0x00007FF6328A4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-151-0x00007FF632550000-0x00007FF6328A4000-memory.dmp

Filesize
3.3MB

Download
memory/3484-143-0x00007FF7B4F20000-0x00007FF7B5274000-memory.dmp

Filesize
3.3MB

Download
memory/3484-33-0x00007FF7B4F20000-0x00007FF7B5274000-memory.dmp

Filesize
3.3MB

Download
memory/4172-131-0x00007FF7169D0000-0x00007FF716D24000-memory.dmp

Filesize
3.3MB

Download
memory/4172-159-0x00007FF7169D0000-0x00007FF716D24000-memory.dmp

Filesize
3.3MB

Download
memory/4400-157-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4400-135-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-46-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-110-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-145-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-129-0x00007FF6122E0000-0x00007FF612634000-memory.dmp

Filesize
3.3MB

Download
memory/5012-158-0x00007FF6122E0000-0x00007FF612634000-memory.dmp

Filesize
3.3MB

Download