cobaltstrike | 4a451c578d041f1738ef7a9d739eaa934406d30d6674996aa5778f5ae47e2d59

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

0657cf28f814620b2f721c58a6b66f7b
SHA1

9b14f5fca1cf67cea23d58fa24ae2e5f39958915
SHA256

4a451c578d041f1738ef7a9d739eaa934406d30d6674996aa5778f5ae47e2d59
SHA512

5b812938349866009a37b9946f92ff92920b412eb22a933fe0b619abd1b2a450e4f92c3e479dde4f06e3b376e5f350dccb4e83c0fdb1fb3430fd5f08ef95f857
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUf:Q+856utgpPF8u/7f

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023543-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023547-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023548-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023549-22.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023544-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354a-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354b-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354c-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354d-53.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354e-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023550-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023552-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023553-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023551-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023554-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023556-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023557-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023559-115.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002355b-125.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002355a-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023558-113.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023543-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023547-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023548-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023549-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023544-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002354a-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002354b-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002354c-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002354d-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002354e-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023550-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023552-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023553-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023551-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023554-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023556-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023557-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023559-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002355b-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002355a-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023558-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2464-0-0x00007FF762210000-0x00007FF762564000-memory.dmp	UPX
behavioral2/files/0x0008000000023543-5.dat	UPX
behavioral2/memory/1408-8-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	UPX
behavioral2/files/0x0007000000023547-11.dat	UPX
behavioral2/files/0x0007000000023548-17.dat	UPX
behavioral2/memory/2152-20-0x00007FF651950000-0x00007FF651CA4000-memory.dmp	UPX
behavioral2/memory/2124-16-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	UPX
behavioral2/files/0x0007000000023549-22.dat	UPX
behavioral2/memory/4252-25-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	UPX
behavioral2/files/0x0008000000023544-28.dat	UPX
behavioral2/files/0x000700000002354a-35.dat	UPX
behavioral2/files/0x000700000002354b-41.dat	UPX
behavioral2/memory/2732-36-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	UPX
behavioral2/memory/1668-33-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	UPX
behavioral2/memory/2520-44-0x00007FF77BE10000-0x00007FF77C164000-memory.dmp	UPX
behavioral2/memory/4648-50-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	UPX
behavioral2/files/0x000700000002354c-47.dat	UPX
behavioral2/files/0x000700000002354d-53.dat	UPX
behavioral2/files/0x000700000002354e-57.dat	UPX
behavioral2/memory/2464-59-0x00007FF762210000-0x00007FF762564000-memory.dmp	UPX
behavioral2/files/0x0007000000023550-66.dat	UPX
behavioral2/memory/3016-64-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	UPX
behavioral2/memory/3156-58-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp	UPX
behavioral2/memory/1408-71-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	UPX
behavioral2/memory/1096-74-0x00007FF6885B0000-0x00007FF688904000-memory.dmp	UPX
behavioral2/files/0x0007000000023552-81.dat	UPX
behavioral2/files/0x0007000000023553-84.dat	UPX
behavioral2/memory/876-88-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp	UPX
behavioral2/memory/1716-85-0x00007FF6B52B0000-0x00007FF6B5604000-memory.dmp	UPX
behavioral2/memory/1960-78-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp	UPX
behavioral2/memory/2124-75-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	UPX
behavioral2/files/0x0007000000023551-73.dat	UPX
behavioral2/files/0x0007000000023554-91.dat	UPX
behavioral2/memory/1668-94-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	UPX
behavioral2/files/0x0007000000023556-99.dat	UPX
behavioral2/memory/4432-98-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp	UPX
behavioral2/memory/4252-93-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	UPX
behavioral2/files/0x0007000000023557-109.dat	UPX
behavioral2/files/0x0007000000023559-115.dat	UPX
behavioral2/files/0x000700000002355b-125.dat	UPX
behavioral2/files/0x000700000002355a-123.dat	UPX
behavioral2/files/0x0007000000023558-113.dat	UPX
behavioral2/memory/2732-127-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	UPX
behavioral2/memory/4412-128-0x00007FF65AE00000-0x00007FF65B154000-memory.dmp	UPX
behavioral2/memory/3508-129-0x00007FF73D420000-0x00007FF73D774000-memory.dmp	UPX
behavioral2/memory/2288-131-0x00007FF688890000-0x00007FF688BE4000-memory.dmp	UPX
behavioral2/memory/4492-132-0x00007FF665B70000-0x00007FF665EC4000-memory.dmp	UPX
behavioral2/memory/4772-133-0x00007FF7AD590000-0x00007FF7AD8E4000-memory.dmp	UPX
behavioral2/memory/2424-130-0x00007FF6D2FF0000-0x00007FF6D3344000-memory.dmp	UPX
behavioral2/memory/4648-134-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	UPX
behavioral2/memory/3016-135-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	UPX
behavioral2/memory/1960-136-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp	UPX
behavioral2/memory/876-137-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp	UPX
behavioral2/memory/4432-138-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp	UPX
behavioral2/memory/1408-139-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	UPX
behavioral2/memory/2124-140-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	UPX
behavioral2/memory/2152-141-0x00007FF651950000-0x00007FF651CA4000-memory.dmp	UPX
behavioral2/memory/4252-142-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	UPX
behavioral2/memory/1668-143-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	UPX
behavioral2/memory/2732-144-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	UPX
behavioral2/memory/2520-145-0x00007FF77BE10000-0x00007FF77C164000-memory.dmp	UPX
behavioral2/memory/4648-146-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	UPX
behavioral2/memory/3156-147-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp	UPX
behavioral2/memory/3016-148-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2464-0-0x00007FF762210000-0x00007FF762564000-memory.dmp	xmrig
behavioral2/files/0x0008000000023543-5.dat	xmrig
behavioral2/memory/1408-8-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023547-11.dat	xmrig
behavioral2/files/0x0007000000023548-17.dat	xmrig
behavioral2/memory/2152-20-0x00007FF651950000-0x00007FF651CA4000-memory.dmp	xmrig
behavioral2/memory/2124-16-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023549-22.dat	xmrig
behavioral2/memory/4252-25-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	xmrig
behavioral2/files/0x0008000000023544-28.dat	xmrig
behavioral2/files/0x000700000002354a-35.dat	xmrig
behavioral2/files/0x000700000002354b-41.dat	xmrig
behavioral2/memory/2732-36-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	xmrig
behavioral2/memory/1668-33-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	xmrig
behavioral2/memory/2520-44-0x00007FF77BE10000-0x00007FF77C164000-memory.dmp	xmrig
behavioral2/memory/4648-50-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	xmrig
behavioral2/files/0x000700000002354c-47.dat	xmrig
behavioral2/files/0x000700000002354d-53.dat	xmrig
behavioral2/files/0x000700000002354e-57.dat	xmrig
behavioral2/memory/2464-59-0x00007FF762210000-0x00007FF762564000-memory.dmp	xmrig
behavioral2/files/0x0007000000023550-66.dat	xmrig
behavioral2/memory/3016-64-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	xmrig
behavioral2/memory/3156-58-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp	xmrig
behavioral2/memory/1408-71-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	xmrig
behavioral2/memory/1096-74-0x00007FF6885B0000-0x00007FF688904000-memory.dmp	xmrig
behavioral2/files/0x0007000000023552-81.dat	xmrig
behavioral2/files/0x0007000000023553-84.dat	xmrig
behavioral2/memory/876-88-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp	xmrig
behavioral2/memory/1716-85-0x00007FF6B52B0000-0x00007FF6B5604000-memory.dmp	xmrig
behavioral2/memory/1960-78-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp	xmrig
behavioral2/memory/2124-75-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023551-73.dat	xmrig
behavioral2/files/0x0007000000023554-91.dat	xmrig
behavioral2/memory/1668-94-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023556-99.dat	xmrig
behavioral2/memory/4432-98-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp	xmrig
behavioral2/memory/4252-93-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023557-109.dat	xmrig
behavioral2/files/0x0007000000023559-115.dat	xmrig
behavioral2/files/0x000700000002355b-125.dat	xmrig
behavioral2/files/0x000700000002355a-123.dat	xmrig
behavioral2/files/0x0007000000023558-113.dat	xmrig
behavioral2/memory/2732-127-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	xmrig
behavioral2/memory/4412-128-0x00007FF65AE00000-0x00007FF65B154000-memory.dmp	xmrig
behavioral2/memory/3508-129-0x00007FF73D420000-0x00007FF73D774000-memory.dmp	xmrig
behavioral2/memory/2288-131-0x00007FF688890000-0x00007FF688BE4000-memory.dmp	xmrig
behavioral2/memory/4492-132-0x00007FF665B70000-0x00007FF665EC4000-memory.dmp	xmrig
behavioral2/memory/4772-133-0x00007FF7AD590000-0x00007FF7AD8E4000-memory.dmp	xmrig
behavioral2/memory/2424-130-0x00007FF6D2FF0000-0x00007FF6D3344000-memory.dmp	xmrig
behavioral2/memory/4648-134-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	xmrig
behavioral2/memory/3016-135-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	xmrig
behavioral2/memory/1960-136-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp	xmrig
behavioral2/memory/876-137-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp	xmrig
behavioral2/memory/4432-138-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp	xmrig
behavioral2/memory/1408-139-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	xmrig
behavioral2/memory/2124-140-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	xmrig
behavioral2/memory/2152-141-0x00007FF651950000-0x00007FF651CA4000-memory.dmp	xmrig
behavioral2/memory/4252-142-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	xmrig
behavioral2/memory/1668-143-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	xmrig
behavioral2/memory/2732-144-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	xmrig
behavioral2/memory/2520-145-0x00007FF77BE10000-0x00007FF77C164000-memory.dmp	xmrig
behavioral2/memory/4648-146-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	xmrig
behavioral2/memory/3156-147-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp	xmrig
behavioral2/memory/3016-148-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1408	usLcgLN.exe
2124	uboOknl.exe
2152	mTeBUmk.exe
4252	rzDoeAN.exe
1668	WyqxyQx.exe
2732	DdarPxe.exe
2520	WcdIRRr.exe
4648	soGLYmj.exe
3156	TkDJMqh.exe
3016	esQCpYP.exe
1096	wnMQgAZ.exe
1960	MbdJUYn.exe
1716	clXAmAA.exe
876	WjgbCxB.exe
4432	wTpvxvh.exe
4412	gTrUrMk.exe
3508	sGqOnqQ.exe
2424	hoAYSZs.exe
2288	ssRRVQl.exe
4492	lfHdUAh.exe
4772	azcQxIA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2464-0-0x00007FF762210000-0x00007FF762564000-memory.dmp	upx
behavioral2/files/0x0008000000023543-5.dat	upx
behavioral2/memory/1408-8-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	upx
behavioral2/files/0x0007000000023547-11.dat	upx
behavioral2/files/0x0007000000023548-17.dat	upx
behavioral2/memory/2152-20-0x00007FF651950000-0x00007FF651CA4000-memory.dmp	upx
behavioral2/memory/2124-16-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	upx
behavioral2/files/0x0007000000023549-22.dat	upx
behavioral2/memory/4252-25-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	upx
behavioral2/files/0x0008000000023544-28.dat	upx
behavioral2/files/0x000700000002354a-35.dat	upx
behavioral2/files/0x000700000002354b-41.dat	upx
behavioral2/memory/2732-36-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	upx
behavioral2/memory/1668-33-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	upx
behavioral2/memory/2520-44-0x00007FF77BE10000-0x00007FF77C164000-memory.dmp	upx
behavioral2/memory/4648-50-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	upx
behavioral2/files/0x000700000002354c-47.dat	upx
behavioral2/files/0x000700000002354d-53.dat	upx
behavioral2/files/0x000700000002354e-57.dat	upx
behavioral2/memory/2464-59-0x00007FF762210000-0x00007FF762564000-memory.dmp	upx
behavioral2/files/0x0007000000023550-66.dat	upx
behavioral2/memory/3016-64-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	upx
behavioral2/memory/3156-58-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp	upx
behavioral2/memory/1408-71-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	upx
behavioral2/memory/1096-74-0x00007FF6885B0000-0x00007FF688904000-memory.dmp	upx
behavioral2/files/0x0007000000023552-81.dat	upx
behavioral2/files/0x0007000000023553-84.dat	upx
behavioral2/memory/876-88-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp	upx
behavioral2/memory/1716-85-0x00007FF6B52B0000-0x00007FF6B5604000-memory.dmp	upx
behavioral2/memory/1960-78-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp	upx
behavioral2/memory/2124-75-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	upx
behavioral2/files/0x0007000000023551-73.dat	upx
behavioral2/files/0x0007000000023554-91.dat	upx
behavioral2/memory/1668-94-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	upx
behavioral2/files/0x0007000000023556-99.dat	upx
behavioral2/memory/4432-98-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp	upx
behavioral2/memory/4252-93-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	upx
behavioral2/files/0x0007000000023557-109.dat	upx
behavioral2/files/0x0007000000023559-115.dat	upx
behavioral2/files/0x000700000002355b-125.dat	upx
behavioral2/files/0x000700000002355a-123.dat	upx
behavioral2/files/0x0007000000023558-113.dat	upx
behavioral2/memory/2732-127-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	upx
behavioral2/memory/4412-128-0x00007FF65AE00000-0x00007FF65B154000-memory.dmp	upx
behavioral2/memory/3508-129-0x00007FF73D420000-0x00007FF73D774000-memory.dmp	upx
behavioral2/memory/2288-131-0x00007FF688890000-0x00007FF688BE4000-memory.dmp	upx
behavioral2/memory/4492-132-0x00007FF665B70000-0x00007FF665EC4000-memory.dmp	upx
behavioral2/memory/4772-133-0x00007FF7AD590000-0x00007FF7AD8E4000-memory.dmp	upx
behavioral2/memory/2424-130-0x00007FF6D2FF0000-0x00007FF6D3344000-memory.dmp	upx
behavioral2/memory/4648-134-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	upx
behavioral2/memory/3016-135-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	upx
behavioral2/memory/1960-136-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp	upx
behavioral2/memory/876-137-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp	upx
behavioral2/memory/4432-138-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp	upx
behavioral2/memory/1408-139-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp	upx
behavioral2/memory/2124-140-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp	upx
behavioral2/memory/2152-141-0x00007FF651950000-0x00007FF651CA4000-memory.dmp	upx
behavioral2/memory/4252-142-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp	upx
behavioral2/memory/1668-143-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp	upx
behavioral2/memory/2732-144-0x00007FF751C20000-0x00007FF751F74000-memory.dmp	upx
behavioral2/memory/2520-145-0x00007FF77BE10000-0x00007FF77C164000-memory.dmp	upx
behavioral2/memory/4648-146-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp	upx
behavioral2/memory/3156-147-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp	upx
behavioral2/memory/3016-148-0x00007FF694EB0000-0x00007FF695204000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\azcQxIA.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\usLcgLN.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WcdIRRr.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\soGLYmj.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\esQCpYP.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wnMQgAZ.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\clXAmAA.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hoAYSZs.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DdarPxe.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wTpvxvh.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sGqOnqQ.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TkDJMqh.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WjgbCxB.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gTrUrMk.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ssRRVQl.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uboOknl.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mTeBUmk.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rzDoeAN.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WyqxyQx.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MbdJUYn.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lfHdUAh.exe	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1408	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	93
PID 2464 wrote to memory of 1408	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	93
PID 2464 wrote to memory of 2124	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	94
PID 2464 wrote to memory of 2124	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	94
PID 2464 wrote to memory of 2152	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	95
PID 2464 wrote to memory of 2152	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	95
PID 2464 wrote to memory of 4252	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	96
PID 2464 wrote to memory of 4252	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	96
PID 2464 wrote to memory of 1668	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	97
PID 2464 wrote to memory of 1668	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	97
PID 2464 wrote to memory of 2732	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	98
PID 2464 wrote to memory of 2732	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	98
PID 2464 wrote to memory of 2520	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	99
PID 2464 wrote to memory of 2520	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	99
PID 2464 wrote to memory of 4648	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	100
PID 2464 wrote to memory of 4648	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	100
PID 2464 wrote to memory of 3156	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	102
PID 2464 wrote to memory of 3156	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	102
PID 2464 wrote to memory of 3016	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	103
PID 2464 wrote to memory of 3016	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	103
PID 2464 wrote to memory of 1096	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	104
PID 2464 wrote to memory of 1096	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	104
PID 2464 wrote to memory of 1960	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	105
PID 2464 wrote to memory of 1960	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	105
PID 2464 wrote to memory of 1716	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	106
PID 2464 wrote to memory of 1716	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	106
PID 2464 wrote to memory of 876	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	107
PID 2464 wrote to memory of 876	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	107
PID 2464 wrote to memory of 4432	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	108
PID 2464 wrote to memory of 4432	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	108
PID 2464 wrote to memory of 4412	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	109
PID 2464 wrote to memory of 4412	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	109
PID 2464 wrote to memory of 3508	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	110
PID 2464 wrote to memory of 3508	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	110
PID 2464 wrote to memory of 2424	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	111
PID 2464 wrote to memory of 2424	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	111
PID 2464 wrote to memory of 2288	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	112
PID 2464 wrote to memory of 2288	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	112
PID 2464 wrote to memory of 4492	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	113
PID 2464 wrote to memory of 4492	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	113
PID 2464 wrote to memory of 4772	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	114
PID 2464 wrote to memory of 4772	2464	2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0657cf28f814620b2f721c58a6b66f7b_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\System\usLcgLN.exe
  C:\Windows\System\usLcgLN.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\uboOknl.exe
  C:\Windows\System\uboOknl.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\mTeBUmk.exe
  C:\Windows\System\mTeBUmk.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\rzDoeAN.exe
  C:\Windows\System\rzDoeAN.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\WyqxyQx.exe
  C:\Windows\System\WyqxyQx.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\DdarPxe.exe
  C:\Windows\System\DdarPxe.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\WcdIRRr.exe
  C:\Windows\System\WcdIRRr.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\soGLYmj.exe
  C:\Windows\System\soGLYmj.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\TkDJMqh.exe
  C:\Windows\System\TkDJMqh.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\esQCpYP.exe
  C:\Windows\System\esQCpYP.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\wnMQgAZ.exe
  C:\Windows\System\wnMQgAZ.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\MbdJUYn.exe
  C:\Windows\System\MbdJUYn.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\clXAmAA.exe
  C:\Windows\System\clXAmAA.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\WjgbCxB.exe
  C:\Windows\System\WjgbCxB.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\wTpvxvh.exe
  C:\Windows\System\wTpvxvh.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\gTrUrMk.exe
  C:\Windows\System\gTrUrMk.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\sGqOnqQ.exe
  C:\Windows\System\sGqOnqQ.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\hoAYSZs.exe
  C:\Windows\System\hoAYSZs.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\ssRRVQl.exe
  C:\Windows\System\ssRRVQl.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\lfHdUAh.exe
  C:\Windows\System\lfHdUAh.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\azcQxIA.exe
  C:\Windows\System\azcQxIA.exe
  2⤵
  - Executes dropped EXE
  PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3912,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
1⤵
PID:5092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DdarPxe.exe

Filesize
5.9MB

MD5
f35670d7e6944d12603943d94fbe1f06

SHA1
478a3a752bab5aef0a98f53b1e86b4731da231e0

SHA256
c1f09a50e581a186e5498daedb6b89eb5a882cf45e45358f050989b49b9a4d49

SHA512
28ef4defc39d341d189b41b0191dc840c38855d22cbbc010cae76f19b799543b77954c7c3fda4b10db5a5f69f15aa83ea9dd3c4debfd45b9bb423f4f1b01447f

Download Submit
C:\Windows\System\MbdJUYn.exe

Filesize
5.9MB

MD5
e117431d88de99d0ac8acd94d4f66551

SHA1
e7750283fdf4e1330dd4154270caacb33eab33ff

SHA256
42a55e130cb9ac682bd739e9b6a3d318f8768016e69db86ddc471a352dccf9ea

SHA512
add650434e0fb3008805a5379e8698cb3678ee8b70ddf3722fd1258da8940d2af6999e364fabb7104fd8ad15379b45ef21e201cd61fb7c1a80b3942738f31c9a

Download Submit
C:\Windows\System\TkDJMqh.exe

Filesize
5.9MB

MD5
4993f0f1f45f416710b52c6e80c75899

SHA1
12ad08af15bd7c4fe26f1379c7029ea0fa69bc90

SHA256
76a81b3f6d9e6c32c96128a8d4b4aa04e27bc5167887c2a500b48574985ffcda

SHA512
4304070c4574dadfb1f5c2830f424741c767c3c92e2f638cfb46a83b9e67b10fa72d41638f6a3902832c4f81a210bdbf51b3699899868e6ff55a11525a40b328

Download Submit
C:\Windows\System\WcdIRRr.exe

Filesize
5.9MB

MD5
ddd73d57322e4aa87e553c271410c04b

SHA1
43385eca2a543f4c90f918e266ff1418e38b09e4

SHA256
cff29641e48aa0fa5704a5756e8e686a4ebce32ad086881ac4ef76164f0109b1

SHA512
5c7c08c820027d84a7a0ad17f01ae83400ec5f48eb4cdd463ad631ec8786b94caf1f0c4c5e6db728b0824a33444d6e23bf78a50c3e028373bb1df0221e32862d

Download Submit
C:\Windows\System\WjgbCxB.exe

Filesize
5.9MB

MD5
a50eb4193cd3c91ad5ac58337b7a48ab

SHA1
e1ce61f0b7462d30b376ba62a402e90eb4e9fa2a

SHA256
4fa08f6526acd06f8204c57a39e19253b365f5b92678269ee85f8ffb7afdef6a

SHA512
ed3eece6762d116d7b1c85aefa93c97240fda71c86ba272cfdd21c34e08e5dca25c5e7ff1cd843acd54d8c8d3f670ba77b0adb907a981dcdcf0fd31a6525395c

Download Submit
C:\Windows\System\WyqxyQx.exe

Filesize
5.9MB

MD5
a6af52c90f2da111e45758b4e56ef1c3

SHA1
125c55f499ca48d3930b81fbbafb4e3aa464c2da

SHA256
a653ef7f7ffa725cf92a51baae381d7b6e356269b22fcf0d2f90a6a65f72d07d

SHA512
f1ad7fd6e258bc97504b4d76868b5ec78f85d6361d90ff95a0a08a8af0047f611103e6ddef6832f1a9c23c75caa663b06c63fe22de499d0dc5ff15a7f8f93c5c

Download Submit
C:\Windows\System\azcQxIA.exe

Filesize
5.9MB

MD5
375e8adf2764086544857e95d4084748

SHA1
ec1997ce57964316b83d6b7a383dc405792b3d57

SHA256
b90a66b16fab3cf98ec4bba130b90fbff272a4747647bda1555268e496454e82

SHA512
02a80cadf30e5356b8e1e59f07f780cf93328cbe3757eda0eeb448fcea7b78a88d5024b28171d1a4853fae17f6704a14e361daf351402e793ddd72719a745e90

Download Submit
C:\Windows\System\clXAmAA.exe

Filesize
5.9MB

MD5
94d756fcf005cc86453d2ef49da414d5

SHA1
c686cdb911f366041fbe14950102b5993524c9d5

SHA256
bbbaf4fd5c20b78572b4f1f02bba7e4c4fb84ce37b20589c9a161ae2ff6d675e

SHA512
a7cfa24e20035e852c3672ca915415d12910be0a6c9706add8fe104544e3c8e1a54324f18bac37e4fdc50d11598b22488a9f4d924c8fe49543013e4a1ab0be2c

Download Submit
C:\Windows\System\esQCpYP.exe

Filesize
5.9MB

MD5
4e65ad8197e090f22b54ead2c878bc07

SHA1
8a14ed016455ea91f6927e3ba084350b665d84e1

SHA256
a56c9fd21d024569b0edfe9c4585c6e74886ae108ae3d0ddc7929377efee6315

SHA512
30c7c9cbd7f540098fda64f19ff8d39a41a55506a5fa90de8787e5925d31aea585b0022c1f74ba408a1d013e90d55272ca7d283459d99ac237a5b7904421b162

Download Submit
C:\Windows\System\gTrUrMk.exe

Filesize
5.9MB

MD5
6aebd995e36bdf5799d51e560fd9222b

SHA1
02cb12670efa2b9b3073d9e6e5a05b674f6d3ca8

SHA256
67d22d3b77229bf02b76d390b706f4afea14e3e7b15433199385182efc175674

SHA512
1b01eaf23704f3bb2330ed0caccfcf2b02acdf7e0db1832b5eb725af22914dc4d63c0e81d5d1853e6bba586b9f324992bbd7d35b4b1d14c36a787b7959bc920f

Download Submit
C:\Windows\System\hoAYSZs.exe

Filesize
5.9MB

MD5
4605cc2c931bd8eee471665977e17cc8

SHA1
4dd639b9ab5497b4b74f9352bb4ca3ae8fccbb1d

SHA256
198455a55ca7cbfeaaec4fc445bc874a9dcedd59709a7a7e1143577767813be1

SHA512
2bc8d305df9a418cba00420c6536671028d89f39d3e986e835a1f8787e9a916566702c89df1384e17e181fb2356824752177ac2fba94698d2a676fd416e58aa2

Download Submit
C:\Windows\System\lfHdUAh.exe

Filesize
5.9MB

MD5
dd64ff9d943eba34975aad88db386efc

SHA1
0385f1645a6b8b616621a003fded9ba7b5be6166

SHA256
fe747a8c443d6af760f09d24714adbb039af552b73498229b94aef7653b710b6

SHA512
7726014d480715cf766051a8187b619c2930e8f6b2c11b0d1b7568874616f22bb7dbeb9dea57d3a36ccbf249aeec1ff15f27f03e852048699a2b56460949f15d

Download Submit
C:\Windows\System\mTeBUmk.exe

Filesize
5.9MB

MD5
647c09f53c6fd53d59b3b67d023fd92b

SHA1
439b2e7f6b8dd52108839c57c0cec02c50f231a4

SHA256
5a04604be53fdc9997ab78fe0b9451a990f7d71df4ff5a5f33b31056f2105165

SHA512
7ba5d5a0c0efd75271b0b70054a64741af1de3632d52d7f7257f1e5701f1c9395a2173bc9609d0ed9ff99ea6a152035cdd25513189e4fcdc7f74836c6c1ac176

Download Submit
C:\Windows\System\rzDoeAN.exe

Filesize
5.9MB

MD5
97920948fc734b09da47419db14c9a36

SHA1
dbf82fa0820eb161807a043f0517d6fffbaf2387

SHA256
91ec0dec7917f30cd58da31173fcae507e1a07a50ca3dd4183ab639f6b079a80

SHA512
679cd84c88dff6506f6c3ddcf736b66a2e81d68f80e40aeaa328603e1bb106c101cd778fe07355e4c073634462b3013b104cb2dd622f3dd5bd210d5481969093

Download Submit
C:\Windows\System\sGqOnqQ.exe

Filesize
5.9MB

MD5
97f22d0050d5a53bc690aa4fe1adfbc9

SHA1
93278d04462c4c63446a43b2ca3b539d112a7600

SHA256
d9ef044df015edea255f75f1e15a2dbae7084fa8be7b3eaecb7645dc8a1a9e08

SHA512
80779c3d4b75348951aadb2474b57e323648dd7784c849466fe75611a17f83836eac1a664e4e940f6ddbd296b18c4ecb92d81db6bcb5840ac4b9d9639589e248

Download Submit
C:\Windows\System\soGLYmj.exe

Filesize
5.9MB

MD5
232c336283f9bd12fe3fd803176c45cb

SHA1
c90aef75bfed3f8f9272945765a2318dc733bb47

SHA256
a7e37c1b5ab2c36d91ebff745d76c2c0ddadf2842882b8c2e3f5a2d5e3fa6779

SHA512
58a6ef287d3ae6f861cee8ba6884ff4861e8530e23d58c1ca7d4893ea0af84284a59e11c69b8a093fc0f32c476768a5d40f64e2a8532f71dd26333ff08559b41

Download Submit
C:\Windows\System\ssRRVQl.exe

Filesize
5.9MB

MD5
cbd9abe369af84b70b5c170a8df06b9f

SHA1
66d13537a3dd155f4207dc324cc07c941325ca1a

SHA256
f410f0a974aa1737253500723a7f6bc0e7a8872d4aedbf030fa1a2752bd6135f

SHA512
5725010963501f8da36e96c4147fb42fd1925b58867183ce0d5b5c66c13cc67ab3af9377469b47874d8f42eb9176a5daa76a6d99221560e48bc7f07a51854149

Download Submit
C:\Windows\System\uboOknl.exe

Filesize
5.9MB

MD5
381d1e0fa34603002b59c2d2de7a594e

SHA1
493ef3d6eeebf2eb9653271c1d69e3b8560d23c5

SHA256
1abd59c4779fdddd27deb36d6326962c1eba7ba7a18029b902f73b57a193174f

SHA512
5c789116c48dfdc459b9e127b83c3de6746c5e1d0d89293860b950feca8896ba9f07004f3790482b38e101c13c36b634d56dcd3f1e15550865a79b9aa79abc02

Download Submit
C:\Windows\System\usLcgLN.exe

Filesize
5.9MB

MD5
5401c1318784dfe625095c9ce2ab98d2

SHA1
d3ebdad6f04b7423a9511967ff653fce7c786774

SHA256
a1f9c8f7e88507c2e4249f09e14dfb2e7a54e26c8ebef27cfc129d9e58e28e4f

SHA512
d6c882e649fe43788d3dca8c71117af5759f259b9566e9a70dd798da0ecea414d847be2dd9e69666437468c6eb1918e4846ad971dee70cb37290256407ebe20e

Download Submit
C:\Windows\System\wTpvxvh.exe

Filesize
5.9MB

MD5
e0e1bc1f53132a4e8da5bf5dcb1a18c2

SHA1
fade4723fe704bde39a942585057be9a4a51ee47

SHA256
d0c29aaa24746772f4ba0c985ce8dbe99578131b36c4acd889bb8d45a41e8dd8

SHA512
6b52e3f16d2126d38ea00facd3583957349880f3dd8c6aa42abbbe11604333498221263e566e18de59fbc7855a86f9bf0ec103164726eef72fae8d3bbb2e2f94

Download Submit
C:\Windows\System\wnMQgAZ.exe

Filesize
5.9MB

MD5
b09272f9f60e53303264eed2179a07fd

SHA1
8832a1ba7cbccd8b0bec59954fa3c9654d35ccbc

SHA256
19c30fc99e7a72d95288658db71d5e5095aa1dff1dfa69bc80ec2842332a5040

SHA512
57de398415d7f87681d00efdf295b062c47df3874ef9f2030dbe64e3a77ba13989f9befa2ff70a3268ac9703d0b23e67572d183c6a10cb6fd01d9824718caef0

Download Submit
memory/876-137-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp

Filesize
3.3MB

Download
memory/876-152-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp

Filesize
3.3MB

Download
memory/876-88-0x00007FF6FC880000-0x00007FF6FCBD4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-149-0x00007FF6885B0000-0x00007FF688904000-memory.dmp

Filesize
3.3MB

Download
memory/1096-74-0x00007FF6885B0000-0x00007FF688904000-memory.dmp

Filesize
3.3MB

Download
memory/1408-71-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp

Filesize
3.3MB

Download
memory/1408-8-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp

Filesize
3.3MB

Download
memory/1408-139-0x00007FF7CDB80000-0x00007FF7CDED4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-94-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-143-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-33-0x00007FF6A4C70000-0x00007FF6A4FC4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-151-0x00007FF6B52B0000-0x00007FF6B5604000-memory.dmp

Filesize
3.3MB

Download
memory/1716-85-0x00007FF6B52B0000-0x00007FF6B5604000-memory.dmp

Filesize
3.3MB

Download
memory/1960-78-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp

Filesize
3.3MB

Download
memory/1960-150-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp

Filesize
3.3MB

Download
memory/1960-136-0x00007FF6F0600000-0x00007FF6F0954000-memory.dmp

Filesize
3.3MB

Download
memory/2124-16-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp

Filesize
3.3MB

Download
memory/2124-75-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp

Filesize
3.3MB

Download
memory/2124-140-0x00007FF7BDA30000-0x00007FF7BDD84000-memory.dmp

Filesize
3.3MB

Download
memory/2152-141-0x00007FF651950000-0x00007FF651CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2152-20-0x00007FF651950000-0x00007FF651CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-131-0x00007FF688890000-0x00007FF688BE4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-157-0x00007FF688890000-0x00007FF688BE4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-156-0x00007FF6D2FF0000-0x00007FF6D3344000-memory.dmp

Filesize
3.3MB

Download
memory/2424-130-0x00007FF6D2FF0000-0x00007FF6D3344000-memory.dmp

Filesize
3.3MB

Download
memory/2464-1-0x00000169A1AE0000-0x00000169A1AF0000-memory.dmp

Filesize
64KB

Download
memory/2464-0-0x00007FF762210000-0x00007FF762564000-memory.dmp

Filesize
3.3MB

Download
memory/2464-59-0x00007FF762210000-0x00007FF762564000-memory.dmp

Filesize
3.3MB

Download
memory/2520-44-0x00007FF77BE10000-0x00007FF77C164000-memory.dmp

Filesize
3.3MB

Download
memory/2520-145-0x00007FF77BE10000-0x00007FF77C164000-memory.dmp

Filesize
3.3MB

Download
memory/2732-144-0x00007FF751C20000-0x00007FF751F74000-memory.dmp

Filesize
3.3MB

Download
memory/2732-127-0x00007FF751C20000-0x00007FF751F74000-memory.dmp

Filesize
3.3MB

Download
memory/2732-36-0x00007FF751C20000-0x00007FF751F74000-memory.dmp

Filesize
3.3MB

Download
memory/3016-64-0x00007FF694EB0000-0x00007FF695204000-memory.dmp

Filesize
3.3MB

Download
memory/3016-135-0x00007FF694EB0000-0x00007FF695204000-memory.dmp

Filesize
3.3MB

Download
memory/3016-148-0x00007FF694EB0000-0x00007FF695204000-memory.dmp

Filesize
3.3MB

Download
memory/3156-58-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp

Filesize
3.3MB

Download
memory/3156-147-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp

Filesize
3.3MB

Download
memory/3508-155-0x00007FF73D420000-0x00007FF73D774000-memory.dmp

Filesize
3.3MB

Download
memory/3508-129-0x00007FF73D420000-0x00007FF73D774000-memory.dmp

Filesize
3.3MB

Download
memory/4252-142-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp

Filesize
3.3MB

Download
memory/4252-93-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp

Filesize
3.3MB

Download
memory/4252-25-0x00007FF7886F0000-0x00007FF788A44000-memory.dmp

Filesize
3.3MB

Download
memory/4412-128-0x00007FF65AE00000-0x00007FF65B154000-memory.dmp

Filesize
3.3MB

Download
memory/4412-154-0x00007FF65AE00000-0x00007FF65B154000-memory.dmp

Filesize
3.3MB

Download
memory/4432-153-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp

Filesize
3.3MB

Download
memory/4432-138-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp

Filesize
3.3MB

Download
memory/4432-98-0x00007FF6DF8D0000-0x00007FF6DFC24000-memory.dmp

Filesize
3.3MB

Download
memory/4492-132-0x00007FF665B70000-0x00007FF665EC4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-158-0x00007FF665B70000-0x00007FF665EC4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-146-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp

Filesize
3.3MB

Download
memory/4648-50-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp

Filesize
3.3MB

Download
memory/4648-134-0x00007FF6AA110000-0x00007FF6AA464000-memory.dmp

Filesize
3.3MB

Download
memory/4772-133-0x00007FF7AD590000-0x00007FF7AD8E4000-memory.dmp

Filesize
3.3MB

Download
memory/4772-159-0x00007FF7AD590000-0x00007FF7AD8E4000-memory.dmp

Filesize
3.3MB

Download