cobaltstrike | 81e7a296dd70b62bacc74171cdf65a076a2f7e86c80dc9b840c99d7d00de32d6

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

5b022da848e8642900b292882debe9d4
SHA1

1048595bd5fe60f3b411160909b653aae6e11618
SHA256

81e7a296dd70b62bacc74171cdf65a076a2f7e86c80dc9b840c99d7d00de32d6
SHA512

07ca9b767209631146f1ea589e062bb2fd88e58edd6d3b8eb211bf41483f765068c3a7ebe76813c3df9f88651b4136c288d9817b6f9ef5a4a6df660b31e9286b
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUt:Q+856utgpPF8u/7t

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233b4-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b8-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b9-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ba-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233bb-30.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233b5-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233bd-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233bf-49.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233be-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c0-58.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c1-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c2-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c3-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c4-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c5-93.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c6-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c7-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c9-117.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cb-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ca-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c8-114.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233b4-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233b8-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233b9-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ba-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233bb-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233b5-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233bd-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233bf-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233be-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c0-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c1-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c2-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c3-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c4-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c5-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c6-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c7-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c9-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cb-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ca-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c8-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1636-0-0x00007FF6E6B10000-0x00007FF6E6E64000-memory.dmp	UPX
behavioral2/files/0x00080000000233b4-4.dat	UPX
behavioral2/files/0x00070000000233b8-11.dat	UPX
behavioral2/memory/3132-12-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	UPX
behavioral2/files/0x00070000000233b9-10.dat	UPX
behavioral2/memory/1088-8-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	UPX
behavioral2/files/0x00070000000233ba-24.dat	UPX
behavioral2/memory/3184-26-0x00007FF6417B0000-0x00007FF641B04000-memory.dmp	UPX
behavioral2/memory/1176-20-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	UPX
behavioral2/files/0x00070000000233bb-30.dat	UPX
behavioral2/files/0x00080000000233b5-35.dat	UPX
behavioral2/files/0x00070000000233bd-40.dat	UPX
behavioral2/files/0x00070000000233bf-49.dat	UPX
behavioral2/files/0x00070000000233be-50.dat	UPX
behavioral2/memory/624-43-0x00007FF662CF0000-0x00007FF663044000-memory.dmp	UPX
behavioral2/memory/5092-32-0x00007FF61D740000-0x00007FF61DA94000-memory.dmp	UPX
behavioral2/memory/2512-54-0x00007FF705560000-0x00007FF7058B4000-memory.dmp	UPX
behavioral2/memory/4860-56-0x00007FF72F8F0000-0x00007FF72FC44000-memory.dmp	UPX
behavioral2/memory/3240-55-0x00007FF7224F0000-0x00007FF722844000-memory.dmp	UPX
behavioral2/files/0x00070000000233c0-58.dat	UPX
behavioral2/memory/3172-61-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	UPX
behavioral2/files/0x00070000000233c1-64.dat	UPX
behavioral2/memory/1636-67-0x00007FF6E6B10000-0x00007FF6E6E64000-memory.dmp	UPX
behavioral2/memory/1356-69-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	UPX
behavioral2/files/0x00070000000233c2-72.dat	UPX
behavioral2/files/0x00070000000233c3-79.dat	UPX
behavioral2/memory/3472-76-0x00007FF69B980000-0x00007FF69BCD4000-memory.dmp	UPX
behavioral2/memory/1088-75-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	UPX
behavioral2/memory/4220-83-0x00007FF7FDDC0000-0x00007FF7FE114000-memory.dmp	UPX
behavioral2/files/0x00070000000233c4-86.dat	UPX
behavioral2/memory/3132-82-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	UPX
behavioral2/files/0x00070000000233c5-93.dat	UPX
behavioral2/files/0x00070000000233c6-98.dat	UPX
behavioral2/memory/2384-96-0x00007FF6B38C0000-0x00007FF6B3C14000-memory.dmp	UPX
behavioral2/memory/4320-87-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp	UPX
behavioral2/files/0x00070000000233c7-103.dat	UPX
behavioral2/memory/2740-105-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp	UPX
behavioral2/memory/3140-111-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp	UPX
behavioral2/files/0x00070000000233c9-117.dat	UPX
behavioral2/files/0x00070000000233cb-126.dat	UPX
behavioral2/files/0x00070000000233ca-124.dat	UPX
behavioral2/files/0x00070000000233c8-114.dat	UPX
behavioral2/memory/1528-104-0x00007FF6587F0000-0x00007FF658B44000-memory.dmp	UPX
behavioral2/memory/2856-128-0x00007FF688C40000-0x00007FF688F94000-memory.dmp	UPX
behavioral2/memory/3028-129-0x00007FF6BEBD0000-0x00007FF6BEF24000-memory.dmp	UPX
behavioral2/memory/1044-130-0x00007FF7A4900000-0x00007FF7A4C54000-memory.dmp	UPX
behavioral2/memory/3172-131-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	UPX
behavioral2/memory/1356-132-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	UPX
behavioral2/memory/4320-133-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp	UPX
behavioral2/memory/2740-134-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp	UPX
behavioral2/memory/3140-135-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp	UPX
behavioral2/memory/1088-136-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	UPX
behavioral2/memory/3132-137-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	UPX
behavioral2/memory/1176-138-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	UPX
behavioral2/memory/3184-139-0x00007FF6417B0000-0x00007FF641B04000-memory.dmp	UPX
behavioral2/memory/5092-140-0x00007FF61D740000-0x00007FF61DA94000-memory.dmp	UPX
behavioral2/memory/624-141-0x00007FF662CF0000-0x00007FF663044000-memory.dmp	UPX
behavioral2/memory/2512-142-0x00007FF705560000-0x00007FF7058B4000-memory.dmp	UPX
behavioral2/memory/3240-144-0x00007FF7224F0000-0x00007FF722844000-memory.dmp	UPX
behavioral2/memory/4860-143-0x00007FF72F8F0000-0x00007FF72FC44000-memory.dmp	UPX
behavioral2/memory/3172-145-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	UPX
behavioral2/memory/1356-146-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	UPX
behavioral2/memory/3472-147-0x00007FF69B980000-0x00007FF69BCD4000-memory.dmp	UPX
behavioral2/memory/4220-148-0x00007FF7FDDC0000-0x00007FF7FE114000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1636-0-0x00007FF6E6B10000-0x00007FF6E6E64000-memory.dmp	xmrig
behavioral2/files/0x00080000000233b4-4.dat	xmrig
behavioral2/files/0x00070000000233b8-11.dat	xmrig
behavioral2/memory/3132-12-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233b9-10.dat	xmrig
behavioral2/memory/1088-8-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ba-24.dat	xmrig
behavioral2/memory/3184-26-0x00007FF6417B0000-0x00007FF641B04000-memory.dmp	xmrig
behavioral2/memory/1176-20-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	xmrig
behavioral2/files/0x00070000000233bb-30.dat	xmrig
behavioral2/files/0x00080000000233b5-35.dat	xmrig
behavioral2/files/0x00070000000233bd-40.dat	xmrig
behavioral2/files/0x00070000000233bf-49.dat	xmrig
behavioral2/files/0x00070000000233be-50.dat	xmrig
behavioral2/memory/624-43-0x00007FF662CF0000-0x00007FF663044000-memory.dmp	xmrig
behavioral2/memory/5092-32-0x00007FF61D740000-0x00007FF61DA94000-memory.dmp	xmrig
behavioral2/memory/2512-54-0x00007FF705560000-0x00007FF7058B4000-memory.dmp	xmrig
behavioral2/memory/4860-56-0x00007FF72F8F0000-0x00007FF72FC44000-memory.dmp	xmrig
behavioral2/memory/3240-55-0x00007FF7224F0000-0x00007FF722844000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c0-58.dat	xmrig
behavioral2/memory/3172-61-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c1-64.dat	xmrig
behavioral2/memory/1636-67-0x00007FF6E6B10000-0x00007FF6E6E64000-memory.dmp	xmrig
behavioral2/memory/1356-69-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c2-72.dat	xmrig
behavioral2/files/0x00070000000233c3-79.dat	xmrig
behavioral2/memory/3472-76-0x00007FF69B980000-0x00007FF69BCD4000-memory.dmp	xmrig
behavioral2/memory/1088-75-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	xmrig
behavioral2/memory/4220-83-0x00007FF7FDDC0000-0x00007FF7FE114000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c4-86.dat	xmrig
behavioral2/memory/3132-82-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c5-93.dat	xmrig
behavioral2/files/0x00070000000233c6-98.dat	xmrig
behavioral2/memory/2384-96-0x00007FF6B38C0000-0x00007FF6B3C14000-memory.dmp	xmrig
behavioral2/memory/4320-87-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c7-103.dat	xmrig
behavioral2/memory/2740-105-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp	xmrig
behavioral2/memory/3140-111-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c9-117.dat	xmrig
behavioral2/files/0x00070000000233cb-126.dat	xmrig
behavioral2/files/0x00070000000233ca-124.dat	xmrig
behavioral2/files/0x00070000000233c8-114.dat	xmrig
behavioral2/memory/1528-104-0x00007FF6587F0000-0x00007FF658B44000-memory.dmp	xmrig
behavioral2/memory/2856-128-0x00007FF688C40000-0x00007FF688F94000-memory.dmp	xmrig
behavioral2/memory/3028-129-0x00007FF6BEBD0000-0x00007FF6BEF24000-memory.dmp	xmrig
behavioral2/memory/1044-130-0x00007FF7A4900000-0x00007FF7A4C54000-memory.dmp	xmrig
behavioral2/memory/3172-131-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	xmrig
behavioral2/memory/1356-132-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	xmrig
behavioral2/memory/4320-133-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp	xmrig
behavioral2/memory/2740-134-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp	xmrig
behavioral2/memory/3140-135-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp	xmrig
behavioral2/memory/1088-136-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	xmrig
behavioral2/memory/3132-137-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	xmrig
behavioral2/memory/1176-138-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	xmrig
behavioral2/memory/3184-139-0x00007FF6417B0000-0x00007FF641B04000-memory.dmp	xmrig
behavioral2/memory/5092-140-0x00007FF61D740000-0x00007FF61DA94000-memory.dmp	xmrig
behavioral2/memory/624-141-0x00007FF662CF0000-0x00007FF663044000-memory.dmp	xmrig
behavioral2/memory/2512-142-0x00007FF705560000-0x00007FF7058B4000-memory.dmp	xmrig
behavioral2/memory/3240-144-0x00007FF7224F0000-0x00007FF722844000-memory.dmp	xmrig
behavioral2/memory/4860-143-0x00007FF72F8F0000-0x00007FF72FC44000-memory.dmp	xmrig
behavioral2/memory/3172-145-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	xmrig
behavioral2/memory/1356-146-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	xmrig
behavioral2/memory/3472-147-0x00007FF69B980000-0x00007FF69BCD4000-memory.dmp	xmrig
behavioral2/memory/4220-148-0x00007FF7FDDC0000-0x00007FF7FE114000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1088	oyOuYad.exe
3132	huhLdAN.exe
1176	xxQbAqw.exe
3184	MEaLZel.exe
5092	obkbYrp.exe
624	SUAHZoL.exe
2512	cIMyMZU.exe
4860	ONNzxZe.exe
3240	oAolQCI.exe
3172	mtGPguj.exe
1356	kSifaxI.exe
3472	YLRlsVf.exe
4220	MIyEjNL.exe
4320	BOhDVaR.exe
2384	TIlxtVs.exe
1528	HJkmoir.exe
2740	OsCwLFI.exe
3140	IWhJtlL.exe
2856	gmOtYQb.exe
3028	GAFWFsB.exe
1044	WsOsFac.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1636-0-0x00007FF6E6B10000-0x00007FF6E6E64000-memory.dmp	upx
behavioral2/files/0x00080000000233b4-4.dat	upx
behavioral2/files/0x00070000000233b8-11.dat	upx
behavioral2/memory/3132-12-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	upx
behavioral2/files/0x00070000000233b9-10.dat	upx
behavioral2/memory/1088-8-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	upx
behavioral2/files/0x00070000000233ba-24.dat	upx
behavioral2/memory/3184-26-0x00007FF6417B0000-0x00007FF641B04000-memory.dmp	upx
behavioral2/memory/1176-20-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	upx
behavioral2/files/0x00070000000233bb-30.dat	upx
behavioral2/files/0x00080000000233b5-35.dat	upx
behavioral2/files/0x00070000000233bd-40.dat	upx
behavioral2/files/0x00070000000233bf-49.dat	upx
behavioral2/files/0x00070000000233be-50.dat	upx
behavioral2/memory/624-43-0x00007FF662CF0000-0x00007FF663044000-memory.dmp	upx
behavioral2/memory/5092-32-0x00007FF61D740000-0x00007FF61DA94000-memory.dmp	upx
behavioral2/memory/2512-54-0x00007FF705560000-0x00007FF7058B4000-memory.dmp	upx
behavioral2/memory/4860-56-0x00007FF72F8F0000-0x00007FF72FC44000-memory.dmp	upx
behavioral2/memory/3240-55-0x00007FF7224F0000-0x00007FF722844000-memory.dmp	upx
behavioral2/files/0x00070000000233c0-58.dat	upx
behavioral2/memory/3172-61-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	upx
behavioral2/files/0x00070000000233c1-64.dat	upx
behavioral2/memory/1636-67-0x00007FF6E6B10000-0x00007FF6E6E64000-memory.dmp	upx
behavioral2/memory/1356-69-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	upx
behavioral2/files/0x00070000000233c2-72.dat	upx
behavioral2/files/0x00070000000233c3-79.dat	upx
behavioral2/memory/3472-76-0x00007FF69B980000-0x00007FF69BCD4000-memory.dmp	upx
behavioral2/memory/1088-75-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	upx
behavioral2/memory/4220-83-0x00007FF7FDDC0000-0x00007FF7FE114000-memory.dmp	upx
behavioral2/files/0x00070000000233c4-86.dat	upx
behavioral2/memory/3132-82-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	upx
behavioral2/files/0x00070000000233c5-93.dat	upx
behavioral2/files/0x00070000000233c6-98.dat	upx
behavioral2/memory/2384-96-0x00007FF6B38C0000-0x00007FF6B3C14000-memory.dmp	upx
behavioral2/memory/4320-87-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp	upx
behavioral2/files/0x00070000000233c7-103.dat	upx
behavioral2/memory/2740-105-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp	upx
behavioral2/memory/3140-111-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp	upx
behavioral2/files/0x00070000000233c9-117.dat	upx
behavioral2/files/0x00070000000233cb-126.dat	upx
behavioral2/files/0x00070000000233ca-124.dat	upx
behavioral2/files/0x00070000000233c8-114.dat	upx
behavioral2/memory/1528-104-0x00007FF6587F0000-0x00007FF658B44000-memory.dmp	upx
behavioral2/memory/2856-128-0x00007FF688C40000-0x00007FF688F94000-memory.dmp	upx
behavioral2/memory/3028-129-0x00007FF6BEBD0000-0x00007FF6BEF24000-memory.dmp	upx
behavioral2/memory/1044-130-0x00007FF7A4900000-0x00007FF7A4C54000-memory.dmp	upx
behavioral2/memory/3172-131-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	upx
behavioral2/memory/1356-132-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	upx
behavioral2/memory/4320-133-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp	upx
behavioral2/memory/2740-134-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp	upx
behavioral2/memory/3140-135-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp	upx
behavioral2/memory/1088-136-0x00007FF67D340000-0x00007FF67D694000-memory.dmp	upx
behavioral2/memory/3132-137-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp	upx
behavioral2/memory/1176-138-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp	upx
behavioral2/memory/3184-139-0x00007FF6417B0000-0x00007FF641B04000-memory.dmp	upx
behavioral2/memory/5092-140-0x00007FF61D740000-0x00007FF61DA94000-memory.dmp	upx
behavioral2/memory/624-141-0x00007FF662CF0000-0x00007FF663044000-memory.dmp	upx
behavioral2/memory/2512-142-0x00007FF705560000-0x00007FF7058B4000-memory.dmp	upx
behavioral2/memory/3240-144-0x00007FF7224F0000-0x00007FF722844000-memory.dmp	upx
behavioral2/memory/4860-143-0x00007FF72F8F0000-0x00007FF72FC44000-memory.dmp	upx
behavioral2/memory/3172-145-0x00007FF719580000-0x00007FF7198D4000-memory.dmp	upx
behavioral2/memory/1356-146-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp	upx
behavioral2/memory/3472-147-0x00007FF69B980000-0x00007FF69BCD4000-memory.dmp	upx
behavioral2/memory/4220-148-0x00007FF7FDDC0000-0x00007FF7FE114000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IWhJtlL.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gmOtYQb.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oyOuYad.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ONNzxZe.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HJkmoir.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GAFWFsB.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\obkbYrp.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cIMyMZU.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kSifaxI.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MIyEjNL.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TIlxtVs.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WsOsFac.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\huhLdAN.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xxQbAqw.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oAolQCI.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mtGPguj.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YLRlsVf.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BOhDVaR.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OsCwLFI.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MEaLZel.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SUAHZoL.exe	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1088	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	84
PID 1636 wrote to memory of 1088	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	84
PID 1636 wrote to memory of 3132	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	85
PID 1636 wrote to memory of 3132	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	85
PID 1636 wrote to memory of 1176	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	86
PID 1636 wrote to memory of 1176	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	86
PID 1636 wrote to memory of 3184	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	88
PID 1636 wrote to memory of 3184	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	88
PID 1636 wrote to memory of 5092	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	90
PID 1636 wrote to memory of 5092	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	90
PID 1636 wrote to memory of 624	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	91
PID 1636 wrote to memory of 624	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	91
PID 1636 wrote to memory of 2512	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	93
PID 1636 wrote to memory of 2512	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	93
PID 1636 wrote to memory of 4860	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	94
PID 1636 wrote to memory of 4860	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	94
PID 1636 wrote to memory of 3240	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	95
PID 1636 wrote to memory of 3240	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	95
PID 1636 wrote to memory of 3172	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	96
PID 1636 wrote to memory of 3172	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	96
PID 1636 wrote to memory of 1356	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	97
PID 1636 wrote to memory of 1356	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	97
PID 1636 wrote to memory of 3472	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	98
PID 1636 wrote to memory of 3472	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	98
PID 1636 wrote to memory of 4220	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	99
PID 1636 wrote to memory of 4220	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	99
PID 1636 wrote to memory of 4320	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	100
PID 1636 wrote to memory of 4320	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	100
PID 1636 wrote to memory of 2384	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	101
PID 1636 wrote to memory of 2384	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	101
PID 1636 wrote to memory of 1528	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	102
PID 1636 wrote to memory of 1528	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	102
PID 1636 wrote to memory of 2740	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	103
PID 1636 wrote to memory of 2740	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	103
PID 1636 wrote to memory of 3140	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	104
PID 1636 wrote to memory of 3140	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	104
PID 1636 wrote to memory of 2856	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	105
PID 1636 wrote to memory of 2856	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	105
PID 1636 wrote to memory of 3028	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	108
PID 1636 wrote to memory of 3028	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	108
PID 1636 wrote to memory of 1044	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	109
PID 1636 wrote to memory of 1044	1636	2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_5b022da848e8642900b292882debe9d4_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\System\oyOuYad.exe
  C:\Windows\System\oyOuYad.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\huhLdAN.exe
  C:\Windows\System\huhLdAN.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\xxQbAqw.exe
  C:\Windows\System\xxQbAqw.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\MEaLZel.exe
  C:\Windows\System\MEaLZel.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\obkbYrp.exe
  C:\Windows\System\obkbYrp.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\SUAHZoL.exe
  C:\Windows\System\SUAHZoL.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\cIMyMZU.exe
  C:\Windows\System\cIMyMZU.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\ONNzxZe.exe
  C:\Windows\System\ONNzxZe.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\oAolQCI.exe
  C:\Windows\System\oAolQCI.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\mtGPguj.exe
  C:\Windows\System\mtGPguj.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\kSifaxI.exe
  C:\Windows\System\kSifaxI.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\YLRlsVf.exe
  C:\Windows\System\YLRlsVf.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\MIyEjNL.exe
  C:\Windows\System\MIyEjNL.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\BOhDVaR.exe
  C:\Windows\System\BOhDVaR.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\TIlxtVs.exe
  C:\Windows\System\TIlxtVs.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\HJkmoir.exe
  C:\Windows\System\HJkmoir.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\OsCwLFI.exe
  C:\Windows\System\OsCwLFI.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\IWhJtlL.exe
  C:\Windows\System\IWhJtlL.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\gmOtYQb.exe
  C:\Windows\System\gmOtYQb.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\GAFWFsB.exe
  C:\Windows\System\GAFWFsB.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\WsOsFac.exe
  C:\Windows\System\WsOsFac.exe
  2⤵
  - Executes dropped EXE
  PID:1044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BOhDVaR.exe

Filesize
5.9MB

MD5
ee11d9f1113ab091d30516af6cec4819

SHA1
d82298b49ccb9b0b36df85cb38e9f60b897662e4

SHA256
acb93d0ff35c6d7f9980a479f130bdb96f502ea57f0311f266ffdf8be106af2a

SHA512
180020f4377c9821b543bb461840ad2965c400cfd27915cc24db55f128194a266608c5b903a4da7a263afc9870a23af655bda12ddc15bc78ecaee9c951cf7330

Download Submit
C:\Windows\System\GAFWFsB.exe

Filesize
5.9MB

MD5
302493636b2f960388498c19ec3dcd4c

SHA1
0cd7ac8c2583c50dc17761ebe5e8be6811bcd245

SHA256
66010265ea037daac77d89a73099ef5ebefa3469d6d68601bca2ec850d994fa4

SHA512
b39e685fbd5b56b75112e8697121b695286e54df858720cd035e4f722346b4ca01e5ef16d2c4756198de97865561562f89ebc178e707904902d286a2e679a687

Download Submit
C:\Windows\System\HJkmoir.exe

Filesize
5.9MB

MD5
b6ddf5b5f606c201813dc279d3333e70

SHA1
30ad330bc2ab79680496a498e32d6d9a3975a07b

SHA256
1e48ee7ac95abc3b8297499b8ea9848d60f88499b83d92ab24de9f397a7920ba

SHA512
2b1e21cb00a1c20c6caae124200973dbce6cb20e43e83b3e65d61508ee9546ebbd5039f5d9c069b6c8b6a7993dd470d1d0cb4e2613dfcf85a6b1944318397487

Download Submit
C:\Windows\System\IWhJtlL.exe

Filesize
5.9MB

MD5
4992fda388cd17d0c2d04b855c8f2083

SHA1
e0fb919c8b683a63ae809a3f8b11baf9f32fab7b

SHA256
84867ee0bd894d0fe14ef48f126df3a6f75976a71a87ea7a64336729a05752c2

SHA512
2069d256428a278ef516b57f4dbb663a7dec6f4f919d71ef7101b141f80adb5507cf39641956fe7d7577f4516b3d69ecb5df8f2d8d843e617818f2b0b440bd69

Download Submit
C:\Windows\System\MEaLZel.exe

Filesize
5.9MB

MD5
d6a6d17d36f5ba3bbf3ffa0e106c3a80

SHA1
9243f050b834ff7763ed459e4e26bb7ddfed6013

SHA256
be1935ddf6da304325fc0d7e8815b3e28439caa4791db22e7fb35aa18c7195d7

SHA512
c3f6764f78a74647b36ce5e0f4e67c1712e03817ada58d2ce8f8aacf57c24296187db6094ffc53b0b1e4d8460b567b34c33b1415b748365d96805eae40dd6411

Download Submit
C:\Windows\System\MIyEjNL.exe

Filesize
5.9MB

MD5
9b9b4ee7899a2d40e416f9ff044efe52

SHA1
a5c8051db06e2e9919f665c4c78285fee7981a60

SHA256
bd7af1021e6f96ddf03f8b5e2ee70cb0f0eb595d45af2389a6bd9ecb7976290d

SHA512
211da5ef614eca0c813decabc04939bb9da9d804fc928561f364815612bcede5e5b4cce6edcbf563dae46c5da43a8bafbaceada19a97ad60517e1e830b32a091

Download Submit
C:\Windows\System\ONNzxZe.exe

Filesize
5.9MB

MD5
3a36b372f8f0acdc7e31625b655ec023

SHA1
fafab9d8afc19c7666699cc928778aa8cfd4ab59

SHA256
0c2178de3f2402e121c94c13b91a2906a3e7bc5083cd77d4024f2bd91abc21df

SHA512
d167643276cc98ade13bb58efcdfaa458a5b655dc3ef96b5db8f5b6794f9c2c3a83ee7c2a44df1aa06adbd62a23ff9795e59d40a9901ffe01ebe848d31f914df

Download Submit
C:\Windows\System\OsCwLFI.exe

Filesize
5.9MB

MD5
51c94a91750325844eb91c27e4f20af4

SHA1
f04c05598b6ddb8ce1580360ba3ebcfb80124232

SHA256
96d601e895309c5090d675c71bb7b0c0aa65d0077e5038cede97617fca2431a4

SHA512
48da0ec748ce611348193d4cdf6a8f65010237ff9c6da4eadd1af0461c2d3ca8052e55631a6dfacceda49fe49cb01db1b83d89e9596d6c540df6f1fffea11044

Download Submit
C:\Windows\System\SUAHZoL.exe

Filesize
5.9MB

MD5
abadf85ecee80cdb7c8679f5239457ba

SHA1
1dd42dcf1430ba3ab056fa7ca0a155bcba7a0b51

SHA256
f71f6c131b3999b08fb8bccb19b89c263157b5c5cd88797e46ef8d241600d84e

SHA512
211c52d47c0604b04d2750946cca366a81d029b5a3dd896592b22b2d5d4f7bcb3c8f84e7eeb249a2b0ee7b25ec063793bd2c0f30518f0c61006b79f7fc0ce414

Download Submit
C:\Windows\System\TIlxtVs.exe

Filesize
5.9MB

MD5
290cec67f193dff2a94be070e61411fb

SHA1
9568cffc35232cd2a48ce09d3092e765efb67dc8

SHA256
2543fab53d55d8517b36cccf71eca6e02d3cf5381acbcd65b9cb1cbf0ab26a92

SHA512
05a500af594e0d97bfd359ef0e2beee1f59c8b58ef6315b4f9ba060f5359637ac55781f84e6c79b31f88f11d219880589d9d9511b3c75457b86e5e9ff50f034b

Download Submit
C:\Windows\System\WsOsFac.exe

Filesize
5.9MB

MD5
3458dbfe23dfa330c4ecbcbd847de824

SHA1
3719935ceaa0383b81d3c64061b80760dbd90227

SHA256
4492d2726e8039b365bf75563aafd26a439e636f6cb32ed22f63d25a087b77ee

SHA512
c05166ae201bdde4524be9e29547853f0997dc167b0b49c2bdb120c7db06d363a106a3b173c7f3c64ea8a9c1cd83cc3b92524e73815f5a26f5ddae9f45b7316b

Download Submit
C:\Windows\System\YLRlsVf.exe

Filesize
5.9MB

MD5
d0311d436397cd23e5cfb8a90bafd77e

SHA1
3ee9fc153f92a5e10a8791246fc6be8b338a4305

SHA256
14abf2ded69d98075defd251f7a32de160d0ba598566747ba5d20693655c8928

SHA512
56e5c303f75bf27bb9efb8ec41f349f2917f51ede0f5c833b81d5cb43e62e8609e0330e6a4cb4bd19d6ff05503d9a24cddeb2b732df04d2fb36850ef8332c4a7

Download Submit
C:\Windows\System\cIMyMZU.exe

Filesize
5.9MB

MD5
795bf78e137e169a68de067d943c4478

SHA1
eeda8b0ffff49609ce197cdf8f4159e50789ee7e

SHA256
2fdeb31c1a01dcfdf697a87c5231b69efce594fae17a8a56fe6bbb7c593d7ac5

SHA512
203eeca809c3e63b712a3d602fbcade7217eb47d0fe4fd331344e8361819c9637d05b25291acbc374a9af484a2c1048a72b4c73913d2691ad900a0af0557b1dc

Download Submit
C:\Windows\System\gmOtYQb.exe

Filesize
5.9MB

MD5
d3ac2f04577a6aacbd1691ec7eb14fc8

SHA1
42990e0c695aa4c5da4e207639830d4571465bf8

SHA256
3107cc7d49958db696d0dcc86cae024725761c5aa83267ac9c3a1b933b536f94

SHA512
7874e9134304476537b983b24b0fa3aca3d7c066e6aea70ba9f3b8834ec4294f388fdb55b3d50062de8eddf215f2bab880f7e1a5864df6656edd5c3389833dbf

Download Submit
C:\Windows\System\huhLdAN.exe

Filesize
5.9MB

MD5
36348abc3cae7ca98db73a4e56226082

SHA1
bd0f37766dfbb7d16ae5c85dd680609dcc17731c

SHA256
d66c5193bf03bf41eda3315f490d13fec68c220571f0a7ccaa727ffe906e782b

SHA512
05e7f9bf78fa060a2db87584565f3189ed8ed5f807f95ddba6df4ce6c45df1f86d23dd8371400cf1c431706a3659eda0b55798f4bcea7bf23c41ed62070be527

Download Submit
C:\Windows\System\kSifaxI.exe

Filesize
5.9MB

MD5
9b7b86f316fc3d6075e4a93c598ee1c4

SHA1
309ac1646d701bcf4ca22a25c775e740ed6e9a5a

SHA256
4dee98e26b98fb0d611c30bbc9caeb508c8d9e9a74f7f1ea0fdc00740c799082

SHA512
88dc309330e6a7663102e99ff327b6c228086825fd56be048d2a18d704de759a7aa4990e6ac1f14dbe141f2c9330ada777ea926d8b9b43e22534ec00b1948fb2

Download Submit
C:\Windows\System\mtGPguj.exe

Filesize
5.9MB

MD5
dfb9dfb8cd407f72684136a2be9f99f5

SHA1
61487f76de51b52d41c402b76e1807144d167bf0

SHA256
c7e1554e75a899d3f4f39e83045de3af2a459d14e71c35c8a0ddc7a524047e91

SHA512
cb04779bf09e73719f9a909c8d93f07e8dd25a65a30ed2c971864125183dd7cc679ea2e587a5c298075cfe13e7374d0a7a703aca1468bc8f75e791efb7b4ff0d

Download Submit
C:\Windows\System\oAolQCI.exe

Filesize
5.9MB

MD5
6679ba76117ca6529a7c8f848b99b495

SHA1
8dad2606aaca73b51b77f78b9ce0944bd87151f6

SHA256
a37f7348d690a531082efdcaf3772d351cb7f44a9ad0fcae8ba84e218c6c22df

SHA512
6e932e11bda5257fe9eb9fe63a7c6b74d6b3ac8875173aaf2bf1507592ac01eb7cb9e6714688d58aeb4c7ed4ada20585f767baeb397707049122a96cc7010a57

Download Submit
C:\Windows\System\obkbYrp.exe

Filesize
5.9MB

MD5
c5a05e67869a22de8a83da557ae42964

SHA1
83ae1019e0957d173649b2316667b3376071594f

SHA256
ab3dbd64ffb3a065c09fc1a3741dc4ff2f12d1f5282c4f4352a3e590769088ba

SHA512
dfeee6e13e57a78f50e43dd6dc24d2d5d639f8feec710f9452cbdcb3b18781099c9893218d2f815b24f7540c9372a43815d95c94bc35de422a5e4d480f1f765a

Download Submit
C:\Windows\System\oyOuYad.exe

Filesize
5.9MB

MD5
08c939029740a0df2823a1861ff5765f

SHA1
b1ea7ebfe8c9949e8e84fbee767fee619c23bc8a

SHA256
919f6440ad8c4104891f88eb444d4f09ea4194f2d8476528187928a057722af1

SHA512
8f4256b5b393a480f49d16a978c293a263d46939e567ece8c8bec88bb386a3be86d8bc6fbcc18240072e0b1b4b50c7c124af76e9fe86b6175536e4c981353933

Download Submit
C:\Windows\System\xxQbAqw.exe

Filesize
5.9MB

MD5
b447636d2936aaf70b1553c1bccfd0de

SHA1
3e09021f9dceaa4863c6b9352af6f71c9af54218

SHA256
f782514aff9838ee4de2d7e8fc7af9563de31f26fc224a13e0a46ceeab5ecce4

SHA512
d195e8ca824ec6e5debea4e10d365767b91235e176833ec2745676ee975e4d06f02bc379b197021e6d7b9885172ea658d25f6fca615d4e6d94fce67d822ae9f8

Download Submit
memory/624-43-0x00007FF662CF0000-0x00007FF663044000-memory.dmp

Filesize
3.3MB

Download
memory/624-141-0x00007FF662CF0000-0x00007FF663044000-memory.dmp

Filesize
3.3MB

Download
memory/1044-156-0x00007FF7A4900000-0x00007FF7A4C54000-memory.dmp

Filesize
3.3MB

Download
memory/1044-130-0x00007FF7A4900000-0x00007FF7A4C54000-memory.dmp

Filesize
3.3MB

Download
memory/1088-136-0x00007FF67D340000-0x00007FF67D694000-memory.dmp

Filesize
3.3MB

Download
memory/1088-75-0x00007FF67D340000-0x00007FF67D694000-memory.dmp

Filesize
3.3MB

Download
memory/1088-8-0x00007FF67D340000-0x00007FF67D694000-memory.dmp

Filesize
3.3MB

Download
memory/1176-138-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp

Filesize
3.3MB

Download
memory/1176-20-0x00007FF6DD920000-0x00007FF6DDC74000-memory.dmp

Filesize
3.3MB

Download
memory/1356-69-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-132-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-146-0x00007FF7B8890000-0x00007FF7B8BE4000-memory.dmp

Filesize
3.3MB

Download
memory/1528-151-0x00007FF6587F0000-0x00007FF658B44000-memory.dmp

Filesize
3.3MB

Download
memory/1528-104-0x00007FF6587F0000-0x00007FF658B44000-memory.dmp

Filesize
3.3MB

Download
memory/1636-67-0x00007FF6E6B10000-0x00007FF6E6E64000-memory.dmp

Filesize
3.3MB

Download
memory/1636-0-0x00007FF6E6B10000-0x00007FF6E6E64000-memory.dmp

Filesize
3.3MB

Download
memory/1636-1-0x00000277DB5C0000-0x00000277DB5D0000-memory.dmp

Filesize
64KB

Download
memory/2384-150-0x00007FF6B38C0000-0x00007FF6B3C14000-memory.dmp

Filesize
3.3MB

Download
memory/2384-96-0x00007FF6B38C0000-0x00007FF6B3C14000-memory.dmp

Filesize
3.3MB

Download
memory/2512-54-0x00007FF705560000-0x00007FF7058B4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-142-0x00007FF705560000-0x00007FF7058B4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-134-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-105-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-152-0x00007FF7D0050000-0x00007FF7D03A4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-153-0x00007FF688C40000-0x00007FF688F94000-memory.dmp

Filesize
3.3MB

Download
memory/2856-128-0x00007FF688C40000-0x00007FF688F94000-memory.dmp

Filesize
3.3MB

Download
memory/3028-155-0x00007FF6BEBD0000-0x00007FF6BEF24000-memory.dmp

Filesize
3.3MB

Download
memory/3028-129-0x00007FF6BEBD0000-0x00007FF6BEF24000-memory.dmp

Filesize
3.3MB

Download
memory/3132-137-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp

Filesize
3.3MB

Download
memory/3132-12-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp

Filesize
3.3MB

Download
memory/3132-82-0x00007FF62BC50000-0x00007FF62BFA4000-memory.dmp

Filesize
3.3MB

Download
memory/3140-135-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp

Filesize
3.3MB

Download
memory/3140-111-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp

Filesize
3.3MB

Download
memory/3140-154-0x00007FF6E7F30000-0x00007FF6E8284000-memory.dmp

Filesize
3.3MB

Download
memory/3172-61-0x00007FF719580000-0x00007FF7198D4000-memory.dmp

Filesize
3.3MB

Download
memory/3172-131-0x00007FF719580000-0x00007FF7198D4000-memory.dmp

Filesize
3.3MB

Download
memory/3172-145-0x00007FF719580000-0x00007FF7198D4000-memory.dmp

Filesize
3.3MB

Download
memory/3184-139-0x00007FF6417B0000-0x00007FF641B04000-memory.dmp

Filesize
3.3MB

Download
memory/3184-26-0x00007FF6417B0000-0x00007FF641B04000-memory.dmp

Filesize
3.3MB

Download
memory/3240-55-0x00007FF7224F0000-0x00007FF722844000-memory.dmp

Filesize
3.3MB

Download
memory/3240-144-0x00007FF7224F0000-0x00007FF722844000-memory.dmp

Filesize
3.3MB

Download
memory/3472-76-0x00007FF69B980000-0x00007FF69BCD4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-147-0x00007FF69B980000-0x00007FF69BCD4000-memory.dmp

Filesize
3.3MB

Download
memory/4220-148-0x00007FF7FDDC0000-0x00007FF7FE114000-memory.dmp

Filesize
3.3MB

Download
memory/4220-83-0x00007FF7FDDC0000-0x00007FF7FE114000-memory.dmp

Filesize
3.3MB

Download
memory/4320-149-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp

Filesize
3.3MB

Download
memory/4320-133-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp

Filesize
3.3MB

Download
memory/4320-87-0x00007FF76BFE0000-0x00007FF76C334000-memory.dmp

Filesize
3.3MB

Download
memory/4860-56-0x00007FF72F8F0000-0x00007FF72FC44000-memory.dmp

Filesize
3.3MB

Download
memory/4860-143-0x00007FF72F8F0000-0x00007FF72FC44000-memory.dmp

Filesize
3.3MB

Download
memory/5092-32-0x00007FF61D740000-0x00007FF61DA94000-memory.dmp

Filesize
3.3MB

Download
memory/5092-140-0x00007FF61D740000-0x00007FF61DA94000-memory.dmp

Filesize
3.3MB

Download