cobaltstrike | aa6875216d7bb4a05ee952c246c3758b647bd8e66cce6e88b91dfe97599c3d4f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 13:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

479dbab1b5c5ba607e0d559798ab254c
SHA1

60e08e759a06775bf44c1e47c6c11817bacd5b69
SHA256

aa6875216d7bb4a05ee952c246c3758b647bd8e66cce6e88b91dfe97599c3d4f
SHA512

41688712c7a532bd5387803b1bd37b9a522953a0384f120ef5a16ff20b40ffa5db4f73ff7a6c445f9537cd1437f5902aa13184db7f307b7a32737814da69a195
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUX:Q+856utgpPF8u/7X

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000235e6-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235eb-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ea-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ec-20.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ed-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ee-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ef-41.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000235e7-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f1-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f2-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f3-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f0-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f5-80.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235fa-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235fc-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235fb-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f9-110.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f8-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f7-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f6-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f4-82.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00080000000235e6-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235eb-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235ea-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235ec-20.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235ed-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235ee-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235ef-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000235e7-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f1-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f2-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f3-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f0-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f5-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235fa-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235fc-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235fb-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f9-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f8-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f7-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f6-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000235f4-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/816-0-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp	UPX
behavioral2/files/0x00080000000235e6-4.dat	UPX
behavioral2/files/0x00070000000235eb-9.dat	UPX
behavioral2/files/0x00070000000235ea-12.dat	UPX
behavioral2/files/0x00070000000235ec-20.dat	UPX
behavioral2/memory/3364-23-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	UPX
behavioral2/memory/4988-29-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	UPX
behavioral2/memory/424-30-0x00007FF616E20000-0x00007FF617174000-memory.dmp	UPX
behavioral2/files/0x00070000000235ed-34.dat	UPX
behavioral2/files/0x00070000000235ee-37.dat	UPX
behavioral2/memory/648-36-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	UPX
behavioral2/memory/5084-19-0x00007FF7B37B0000-0x00007FF7B3B04000-memory.dmp	UPX
behavioral2/memory/508-10-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	UPX
behavioral2/files/0x00070000000235ef-41.dat	UPX
behavioral2/memory/1080-42-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	UPX
behavioral2/files/0x00080000000235e7-51.dat	UPX
behavioral2/memory/4820-50-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	UPX
behavioral2/files/0x00070000000235f1-60.dat	UPX
behavioral2/files/0x00070000000235f2-61.dat	UPX
behavioral2/memory/2672-59-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	UPX
behavioral2/files/0x00070000000235f3-65.dat	UPX
behavioral2/memory/816-67-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp	UPX
behavioral2/memory/1732-66-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp	UPX
behavioral2/memory/4692-64-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp	UPX
behavioral2/files/0x00070000000235f0-56.dat	UPX
behavioral2/files/0x00070000000235f5-80.dat	UPX
behavioral2/files/0x00070000000235fa-105.dat	UPX
behavioral2/files/0x00070000000235fc-118.dat	UPX
behavioral2/files/0x00070000000235fb-116.dat	UPX
behavioral2/files/0x00070000000235f9-110.dat	UPX
behavioral2/files/0x00070000000235f8-101.dat	UPX
behavioral2/files/0x00070000000235f7-97.dat	UPX
behavioral2/files/0x00070000000235f6-92.dat	UPX
behavioral2/files/0x00070000000235f4-82.dat	UPX
behavioral2/memory/2548-68-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp	UPX
behavioral2/memory/508-120-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	UPX
behavioral2/memory/3540-122-0x00007FF6223E0000-0x00007FF622734000-memory.dmp	UPX
behavioral2/memory/3232-123-0x00007FF74C280000-0x00007FF74C5D4000-memory.dmp	UPX
behavioral2/memory/3676-121-0x00007FF6EFB00000-0x00007FF6EFE54000-memory.dmp	UPX
behavioral2/memory/4760-124-0x00007FF6DE9B0000-0x00007FF6DED04000-memory.dmp	UPX
behavioral2/memory/1696-125-0x00007FF6F4BE0000-0x00007FF6F4F34000-memory.dmp	UPX
behavioral2/memory/5104-126-0x00007FF6020C0000-0x00007FF602414000-memory.dmp	UPX
behavioral2/memory/1708-127-0x00007FF729B60000-0x00007FF729EB4000-memory.dmp	UPX
behavioral2/memory/1400-128-0x00007FF7966C0000-0x00007FF796A14000-memory.dmp	UPX
behavioral2/memory/4812-129-0x00007FF652F00000-0x00007FF653254000-memory.dmp	UPX
behavioral2/memory/3364-130-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	UPX
behavioral2/memory/4988-131-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	UPX
behavioral2/memory/424-132-0x00007FF616E20000-0x00007FF617174000-memory.dmp	UPX
behavioral2/memory/648-133-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	UPX
behavioral2/memory/1080-134-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	UPX
behavioral2/memory/4820-135-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	UPX
behavioral2/memory/2672-136-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	UPX
behavioral2/memory/4692-137-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp	UPX
behavioral2/memory/1732-138-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp	UPX
behavioral2/memory/2548-139-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp	UPX
behavioral2/memory/508-140-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	UPX
behavioral2/memory/5084-141-0x00007FF7B37B0000-0x00007FF7B3B04000-memory.dmp	UPX
behavioral2/memory/4988-142-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	UPX
behavioral2/memory/3364-143-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	UPX
behavioral2/memory/648-144-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	UPX
behavioral2/memory/424-145-0x00007FF616E20000-0x00007FF617174000-memory.dmp	UPX
behavioral2/memory/1080-146-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	UPX
behavioral2/memory/4820-147-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	UPX
behavioral2/memory/2672-148-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/816-0-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp	xmrig
behavioral2/files/0x00080000000235e6-4.dat	xmrig
behavioral2/files/0x00070000000235eb-9.dat	xmrig
behavioral2/files/0x00070000000235ea-12.dat	xmrig
behavioral2/files/0x00070000000235ec-20.dat	xmrig
behavioral2/memory/3364-23-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	xmrig
behavioral2/memory/4988-29-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	xmrig
behavioral2/memory/424-30-0x00007FF616E20000-0x00007FF617174000-memory.dmp	xmrig
behavioral2/files/0x00070000000235ed-34.dat	xmrig
behavioral2/files/0x00070000000235ee-37.dat	xmrig
behavioral2/memory/648-36-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	xmrig
behavioral2/memory/5084-19-0x00007FF7B37B0000-0x00007FF7B3B04000-memory.dmp	xmrig
behavioral2/memory/508-10-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	xmrig
behavioral2/files/0x00070000000235ef-41.dat	xmrig
behavioral2/memory/1080-42-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	xmrig
behavioral2/files/0x00080000000235e7-51.dat	xmrig
behavioral2/memory/4820-50-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	xmrig
behavioral2/files/0x00070000000235f1-60.dat	xmrig
behavioral2/files/0x00070000000235f2-61.dat	xmrig
behavioral2/memory/2672-59-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	xmrig
behavioral2/files/0x00070000000235f3-65.dat	xmrig
behavioral2/memory/816-67-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp	xmrig
behavioral2/memory/1732-66-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp	xmrig
behavioral2/memory/4692-64-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000235f0-56.dat	xmrig
behavioral2/files/0x00070000000235f5-80.dat	xmrig
behavioral2/files/0x00070000000235fa-105.dat	xmrig
behavioral2/files/0x00070000000235fc-118.dat	xmrig
behavioral2/files/0x00070000000235fb-116.dat	xmrig
behavioral2/files/0x00070000000235f9-110.dat	xmrig
behavioral2/files/0x00070000000235f8-101.dat	xmrig
behavioral2/files/0x00070000000235f7-97.dat	xmrig
behavioral2/files/0x00070000000235f6-92.dat	xmrig
behavioral2/files/0x00070000000235f4-82.dat	xmrig
behavioral2/memory/2548-68-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp	xmrig
behavioral2/memory/508-120-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	xmrig
behavioral2/memory/3540-122-0x00007FF6223E0000-0x00007FF622734000-memory.dmp	xmrig
behavioral2/memory/3232-123-0x00007FF74C280000-0x00007FF74C5D4000-memory.dmp	xmrig
behavioral2/memory/3676-121-0x00007FF6EFB00000-0x00007FF6EFE54000-memory.dmp	xmrig
behavioral2/memory/4760-124-0x00007FF6DE9B0000-0x00007FF6DED04000-memory.dmp	xmrig
behavioral2/memory/1696-125-0x00007FF6F4BE0000-0x00007FF6F4F34000-memory.dmp	xmrig
behavioral2/memory/5104-126-0x00007FF6020C0000-0x00007FF602414000-memory.dmp	xmrig
behavioral2/memory/1708-127-0x00007FF729B60000-0x00007FF729EB4000-memory.dmp	xmrig
behavioral2/memory/1400-128-0x00007FF7966C0000-0x00007FF796A14000-memory.dmp	xmrig
behavioral2/memory/4812-129-0x00007FF652F00000-0x00007FF653254000-memory.dmp	xmrig
behavioral2/memory/3364-130-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	xmrig
behavioral2/memory/4988-131-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	xmrig
behavioral2/memory/424-132-0x00007FF616E20000-0x00007FF617174000-memory.dmp	xmrig
behavioral2/memory/648-133-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	xmrig
behavioral2/memory/1080-134-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	xmrig
behavioral2/memory/4820-135-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	xmrig
behavioral2/memory/2672-136-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	xmrig
behavioral2/memory/4692-137-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp	xmrig
behavioral2/memory/1732-138-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp	xmrig
behavioral2/memory/2548-139-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp	xmrig
behavioral2/memory/508-140-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	xmrig
behavioral2/memory/5084-141-0x00007FF7B37B0000-0x00007FF7B3B04000-memory.dmp	xmrig
behavioral2/memory/4988-142-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	xmrig
behavioral2/memory/3364-143-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	xmrig
behavioral2/memory/648-144-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	xmrig
behavioral2/memory/424-145-0x00007FF616E20000-0x00007FF617174000-memory.dmp	xmrig
behavioral2/memory/1080-146-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	xmrig
behavioral2/memory/4820-147-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	xmrig
behavioral2/memory/2672-148-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
508	KJQNDBp.exe
5084	FjRiDad.exe
4988	Jsgtuak.exe
3364	dtMpcSK.exe
424	UkmLhIp.exe
648	LQDTWom.exe
1080	PjsTDUd.exe
4820	bBwsTAk.exe
2672	dSwSqzG.exe
4692	ycmShNX.exe
1732	oFJmUzb.exe
2548	lInKJJv.exe
3676	aEJQLPp.exe
3540	fALzgPA.exe
3232	twzGWAc.exe
4760	sjXBuCN.exe
1696	RvZBtPI.exe
5104	DWoNNLX.exe
1708	BBzvXAq.exe
1400	CHycEYN.exe
4812	gBEEyVF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/816-0-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp	upx
behavioral2/files/0x00080000000235e6-4.dat	upx
behavioral2/files/0x00070000000235eb-9.dat	upx
behavioral2/files/0x00070000000235ea-12.dat	upx
behavioral2/files/0x00070000000235ec-20.dat	upx
behavioral2/memory/3364-23-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	upx
behavioral2/memory/4988-29-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	upx
behavioral2/memory/424-30-0x00007FF616E20000-0x00007FF617174000-memory.dmp	upx
behavioral2/files/0x00070000000235ed-34.dat	upx
behavioral2/files/0x00070000000235ee-37.dat	upx
behavioral2/memory/648-36-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	upx
behavioral2/memory/5084-19-0x00007FF7B37B0000-0x00007FF7B3B04000-memory.dmp	upx
behavioral2/memory/508-10-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	upx
behavioral2/files/0x00070000000235ef-41.dat	upx
behavioral2/memory/1080-42-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	upx
behavioral2/files/0x00080000000235e7-51.dat	upx
behavioral2/memory/4820-50-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	upx
behavioral2/files/0x00070000000235f1-60.dat	upx
behavioral2/files/0x00070000000235f2-61.dat	upx
behavioral2/memory/2672-59-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	upx
behavioral2/files/0x00070000000235f3-65.dat	upx
behavioral2/memory/816-67-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp	upx
behavioral2/memory/1732-66-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp	upx
behavioral2/memory/4692-64-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp	upx
behavioral2/files/0x00070000000235f0-56.dat	upx
behavioral2/files/0x00070000000235f5-80.dat	upx
behavioral2/files/0x00070000000235fa-105.dat	upx
behavioral2/files/0x00070000000235fc-118.dat	upx
behavioral2/files/0x00070000000235fb-116.dat	upx
behavioral2/files/0x00070000000235f9-110.dat	upx
behavioral2/files/0x00070000000235f8-101.dat	upx
behavioral2/files/0x00070000000235f7-97.dat	upx
behavioral2/files/0x00070000000235f6-92.dat	upx
behavioral2/files/0x00070000000235f4-82.dat	upx
behavioral2/memory/2548-68-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp	upx
behavioral2/memory/508-120-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	upx
behavioral2/memory/3540-122-0x00007FF6223E0000-0x00007FF622734000-memory.dmp	upx
behavioral2/memory/3232-123-0x00007FF74C280000-0x00007FF74C5D4000-memory.dmp	upx
behavioral2/memory/3676-121-0x00007FF6EFB00000-0x00007FF6EFE54000-memory.dmp	upx
behavioral2/memory/4760-124-0x00007FF6DE9B0000-0x00007FF6DED04000-memory.dmp	upx
behavioral2/memory/1696-125-0x00007FF6F4BE0000-0x00007FF6F4F34000-memory.dmp	upx
behavioral2/memory/5104-126-0x00007FF6020C0000-0x00007FF602414000-memory.dmp	upx
behavioral2/memory/1708-127-0x00007FF729B60000-0x00007FF729EB4000-memory.dmp	upx
behavioral2/memory/1400-128-0x00007FF7966C0000-0x00007FF796A14000-memory.dmp	upx
behavioral2/memory/4812-129-0x00007FF652F00000-0x00007FF653254000-memory.dmp	upx
behavioral2/memory/3364-130-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	upx
behavioral2/memory/4988-131-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	upx
behavioral2/memory/424-132-0x00007FF616E20000-0x00007FF617174000-memory.dmp	upx
behavioral2/memory/648-133-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	upx
behavioral2/memory/1080-134-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	upx
behavioral2/memory/4820-135-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	upx
behavioral2/memory/2672-136-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	upx
behavioral2/memory/4692-137-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp	upx
behavioral2/memory/1732-138-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp	upx
behavioral2/memory/2548-139-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp	upx
behavioral2/memory/508-140-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp	upx
behavioral2/memory/5084-141-0x00007FF7B37B0000-0x00007FF7B3B04000-memory.dmp	upx
behavioral2/memory/4988-142-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp	upx
behavioral2/memory/3364-143-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp	upx
behavioral2/memory/648-144-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp	upx
behavioral2/memory/424-145-0x00007FF616E20000-0x00007FF617174000-memory.dmp	upx
behavioral2/memory/1080-146-0x00007FF786C10000-0x00007FF786F64000-memory.dmp	upx
behavioral2/memory/4820-147-0x00007FF7234C0000-0x00007FF723814000-memory.dmp	upx
behavioral2/memory/2672-148-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LQDTWom.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ycmShNX.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aEJQLPp.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CHycEYN.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gBEEyVF.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FjRiDad.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UkmLhIp.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oFJmUzb.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lInKJJv.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\twzGWAc.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sjXBuCN.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BBzvXAq.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Jsgtuak.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dtMpcSK.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PjsTDUd.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dSwSqzG.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RvZBtPI.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KJQNDBp.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bBwsTAk.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fALzgPA.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DWoNNLX.exe	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 508	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	91
PID 816 wrote to memory of 508	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	91
PID 816 wrote to memory of 5084	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	92
PID 816 wrote to memory of 5084	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	92
PID 816 wrote to memory of 4988	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	93
PID 816 wrote to memory of 4988	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	93
PID 816 wrote to memory of 3364	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	94
PID 816 wrote to memory of 3364	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	94
PID 816 wrote to memory of 424	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	95
PID 816 wrote to memory of 424	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	95
PID 816 wrote to memory of 648	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	96
PID 816 wrote to memory of 648	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	96
PID 816 wrote to memory of 1080	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	97
PID 816 wrote to memory of 1080	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	97
PID 816 wrote to memory of 4820	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	99
PID 816 wrote to memory of 4820	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	99
PID 816 wrote to memory of 2672	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	100
PID 816 wrote to memory of 2672	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	100
PID 816 wrote to memory of 4692	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	101
PID 816 wrote to memory of 4692	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	101
PID 816 wrote to memory of 1732	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	102
PID 816 wrote to memory of 1732	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	102
PID 816 wrote to memory of 2548	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	103
PID 816 wrote to memory of 2548	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	103
PID 816 wrote to memory of 3676	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	104
PID 816 wrote to memory of 3676	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	104
PID 816 wrote to memory of 3540	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	105
PID 816 wrote to memory of 3540	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	105
PID 816 wrote to memory of 3232	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	106
PID 816 wrote to memory of 3232	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	106
PID 816 wrote to memory of 4760	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	107
PID 816 wrote to memory of 4760	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	107
PID 816 wrote to memory of 1696	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	108
PID 816 wrote to memory of 1696	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	108
PID 816 wrote to memory of 5104	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	109
PID 816 wrote to memory of 5104	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	109
PID 816 wrote to memory of 1708	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	110
PID 816 wrote to memory of 1708	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	110
PID 816 wrote to memory of 1400	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	111
PID 816 wrote to memory of 1400	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	111
PID 816 wrote to memory of 4812	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	112
PID 816 wrote to memory of 4812	816	2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_479dbab1b5c5ba607e0d559798ab254c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\System\KJQNDBp.exe
  C:\Windows\System\KJQNDBp.exe
  2⤵
  - Executes dropped EXE
  PID:508
- C:\Windows\System\FjRiDad.exe
  C:\Windows\System\FjRiDad.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\Jsgtuak.exe
  C:\Windows\System\Jsgtuak.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\dtMpcSK.exe
  C:\Windows\System\dtMpcSK.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\UkmLhIp.exe
  C:\Windows\System\UkmLhIp.exe
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Windows\System\LQDTWom.exe
  C:\Windows\System\LQDTWom.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System\PjsTDUd.exe
  C:\Windows\System\PjsTDUd.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\bBwsTAk.exe
  C:\Windows\System\bBwsTAk.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\dSwSqzG.exe
  C:\Windows\System\dSwSqzG.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\ycmShNX.exe
  C:\Windows\System\ycmShNX.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\oFJmUzb.exe
  C:\Windows\System\oFJmUzb.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\lInKJJv.exe
  C:\Windows\System\lInKJJv.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\aEJQLPp.exe
  C:\Windows\System\aEJQLPp.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\fALzgPA.exe
  C:\Windows\System\fALzgPA.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\twzGWAc.exe
  C:\Windows\System\twzGWAc.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\sjXBuCN.exe
  C:\Windows\System\sjXBuCN.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\RvZBtPI.exe
  C:\Windows\System\RvZBtPI.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\DWoNNLX.exe
  C:\Windows\System\DWoNNLX.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\BBzvXAq.exe
  C:\Windows\System\BBzvXAq.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\CHycEYN.exe
  C:\Windows\System\CHycEYN.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\gBEEyVF.exe
  C:\Windows\System\gBEEyVF.exe
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4296,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
1⤵
PID:3288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BBzvXAq.exe

Filesize
5.9MB

MD5
528cf4843d33b0f09deaad10550bced7

SHA1
da5163a75175ecd17391f7ca0e8c67e122870b14

SHA256
d303d9821c53298fb641352f3c7f0bb6e46d0041c558796fc35b55043e746c6f

SHA512
30188168dd77ffba6d852ea13ba0c15aa75217eeac886a42b865cd8a8ff49da1eb3281e86ea03cd954cf4ee1845a0b4a1b4ec87f0f337967c649464a610fe04a

Download Submit
C:\Windows\System\CHycEYN.exe

Filesize
5.9MB

MD5
75ee52c91024bb829a68a8a28b92eb60

SHA1
975a45578e2979d550da2b1baf073564244b2ee9

SHA256
26c0b2c00609d4766a3b957f752c8058dc68dd01cec482650732d17cd36e805d

SHA512
2ec62a3d836c9e85d371dc9657d4928296146143a33037d2081ba9f50694d5d8cc6f39a9649932511b3b64934eed8074f0d00aa924a958364f4f679ddb5fd752

Download Submit
C:\Windows\System\DWoNNLX.exe

Filesize
5.9MB

MD5
13507de0762fc0db0cd97d9391333a9c

SHA1
3a8dff13224d91c7bc674a35d859e0805f945502

SHA256
fb37fd6662f1fde73de7592748930e600fcc1ee0a98cd783621ca1c99c70612a

SHA512
b1de68217b0fc20b57bde1f86f8bb74379395641fc6984562671de3d361f17f172923f6f8ccbcd2b6b9a43ea40f9f81d33295a2ba77170c76c9aebf78ec17adb

Download Submit
C:\Windows\System\FjRiDad.exe

Filesize
5.9MB

MD5
966c6a389c3afb440d69662c70781f4c

SHA1
b1097d08e7146fc146b75794fe6c673c28b3486c

SHA256
720d279cf5d6c9f8b7c2568e0495176cb3a6fbea6c86f60eb8428a2840dc6352

SHA512
77786127c295b9adeed2b89781ab97ef2659b2343236060ceed89a0d507ea3725b495f9f4ed67ef7850d6fc4aa21dd8175fd5f847540b20e0705e092c5d0fc13

Download Submit
C:\Windows\System\Jsgtuak.exe

Filesize
5.9MB

MD5
ed5a8ad06df3fd6733ccebb68e8b265f

SHA1
3ab88256c41f6fc90795169932d414f14f512e77

SHA256
b91b2e35611005ad406952813bdedfb6cd3a3d58dc2bb9fbc796124fd2b54273

SHA512
1a7ea60c86673a0e50e6f1e51346b9ed0040cce4ed527340798521deb25c0cb232a95acabea687786f7e6db9008cf4bac8f0fbae30ae0cc4e4880d6af91fcff5

Download Submit
C:\Windows\System\KJQNDBp.exe

Filesize
5.9MB

MD5
7f033fae8974a16c6dd44d506f512779

SHA1
194f94e46fc342c27df5ce3e78f2fcfe47e5348d

SHA256
e0191ff7ebf6d1ecc1fe42eb3fb70baa4f33df30ba68d864e06f26489ceea3b5

SHA512
42a9620b3c69f7c165cd3b7608ef07ecaec206d0eaad83b0b908ccc08aee0df5af657ec7249ae6b171e20ce11f474fd182d61a4efad6df2d4b5eee97566f621f

Download Submit
C:\Windows\System\LQDTWom.exe

Filesize
5.9MB

MD5
5971c64b05c53e9624d65a0d78005704

SHA1
9f33b2357d823508c93d21ffe83260409c1d2824

SHA256
9a544f0bfea7259b190cb50909063fd662c45e074fc0a42cda84d0815de7247c

SHA512
d3e0893ccec3440d104f924c34e738cc7809c99835fda102b730ee09911367353ccafb841d6b6778630bdc901e1d9a20f6be8d51473bbe4b2f163de0d04df0c3

Download Submit
C:\Windows\System\PjsTDUd.exe

Filesize
5.9MB

MD5
efff1a8664b39fa5f073ccc16687bb9b

SHA1
d44b82d7e8c85c636c1aa3f7bcb9104a80433ad9

SHA256
c54b299c839f7b8e67880ffdf6a98a66c2109fc159cd8335c21a70ce656bd64c

SHA512
a3305fdb60891e54f87b0841e8191b9060efa8274e542344d3d6f5436b5c5607ef00e1e1b7bb427f7d169d349ee751f26cf3ee0264fc3a09cdacca58f059baac

Download Submit
C:\Windows\System\RvZBtPI.exe

Filesize
5.9MB

MD5
0905311d51d69b705d7468121e43e84c

SHA1
bc00281099f7df06bd206363b2605bcfef9b1ac5

SHA256
5396581f80a81140b1332cbfaf2a751d74e5e22106fef05e48c5e8e9f658938f

SHA512
55bf1a93e60d58a352d140d178b738261fb00a421ee809752c516853b852346185e1e01a7ec821903a56d3aa89fc38bb404cca30147faf0dfada735cd87abcdc

Download Submit
C:\Windows\System\UkmLhIp.exe

Filesize
5.9MB

MD5
ededc1a087870903eff38c4709c5d9f7

SHA1
bd9e3ed7b5cf4bbbfc0dc89d0b5ea9131db59c22

SHA256
9379fe952fe434079595d379c6fb9b7c8a052929c7f1252e5f7287ddb2ffa480

SHA512
584e17afa5ec9c2c4e118a2fc3aa661a760f922e8c97e76e5bc4114bf1bce89604e40f64e000df86e040394755711f69868d6f32bcd3a42313a29f1dee26a4af

Download Submit
C:\Windows\System\aEJQLPp.exe

Filesize
5.9MB

MD5
6650546119f0542ccfc2628bd840d161

SHA1
bb689bbf25b800c9f40a0fcec58106bba326f899

SHA256
ef0f26828ebd1990ae693064d0ebefdecf19e3176e5e0089daa2d892a23f6307

SHA512
5aa584f8048af71cd698d594255e6e9de01ba6d65f0fd51eb8c16793ef592af6fe2f802ed315949cafb0c8094a71ec967000723effb5373e6d2e51f166ef8a81

Download Submit
C:\Windows\System\bBwsTAk.exe

Filesize
5.9MB

MD5
aafeea00ffb2f92d1bdc31d156ad3a06

SHA1
f24f6be3de06916b0a0991e32764bab782e9e217

SHA256
8c8c2caf7b3d58652057ca6ac373ab5ce165c868c353fcf7d84b16f0533c14c7

SHA512
bb4b6b8cae751a287cda38dacdba40505a572b180bfd4cd4bf8cbd3aed0a0eab4d4f398ffda3d5d9907121fd9390fe66c14a142c976ca69e1fc8e720f505519c

Download Submit
C:\Windows\System\dSwSqzG.exe

Filesize
5.9MB

MD5
0cfb6242a805ea2b096b16ecf642aa59

SHA1
4d31f24644e8c9864f35f0640eadf7e7e3f1bbf7

SHA256
0264ff7b44d827837f3dfb52b71afab3ad47b0d159f72d1cccefa4d4ef69b1f7

SHA512
d194eef418521eeb1cdab3d18b606331b7fcc7d296492fd631de35f0624ca6d90731725180bd64b4e03712ecdcd08820e3360c52db2049a0683a898fe3adc887

Download Submit
C:\Windows\System\dtMpcSK.exe

Filesize
5.9MB

MD5
6c317692554b372cbc378c9b74634881

SHA1
c4be220b20efe2ebecc70e2d08ce16045ce9f01e

SHA256
420cc894c7f30ddb6ca3e38059104aa6c46ca26ec15e75a9d21193336b00b4d2

SHA512
16b3c19a5eb7e3964b5869fe9cb092151c04fca35cf6cb84f43bc4bcc82913c54b70e1a4c3062db25bf2ef7d85476183c038b7d72e910d82bb066c90e0610281

Download Submit
C:\Windows\System\fALzgPA.exe

Filesize
5.9MB

MD5
0c99c0b2c319dc5aaf728918689a1354

SHA1
010b9711b62fa1bf0b64976ca20c3c7c3139f525

SHA256
a1d4380f5b7c5caca5b1ae2fc242837091797247cad946bd4d5cd79548bc233a

SHA512
a6b06da4ebfa173cde063a449a87f2542793687bb059842899f78bb8db150739507594d6d77090bc9cb33e92470219a8cbda881e63b16eea8b75f713b6c197ca

Download Submit
C:\Windows\System\gBEEyVF.exe

Filesize
5.9MB

MD5
0c1cc896dab3a89bd220c9dcbc0862cb

SHA1
239557942311f16dd3ef48557f93378ff29e61c0

SHA256
2c51ea2cfa542733f56f979879ed6f754f59708c3c46dffd99515f171a679d68

SHA512
bc8bc158f4355169e83d5783becb6333ab0658d63e343afc86a98ce3332cd7d19a73dffb587d7a2eea015196acd64f4d493c74ba85881b13d1f60d908cc86034

Download Submit
C:\Windows\System\lInKJJv.exe

Filesize
5.9MB

MD5
17f63b990d96ba9cc80d589e53ed4c97

SHA1
e4843814d970175dc1b20e40a3d12dda6179f09a

SHA256
dd2e5f63c050f046af24dbe256235789dddb16343755767d58869e60d17e9493

SHA512
e4cb585c6eb9ae36d221e3da8f9608cf9259f514f3d73a2f0faa831e89a91eaee7f068110c9f677140928003c0ff7115328b4d745a4ce8db686a1635872c8313

Download Submit
C:\Windows\System\oFJmUzb.exe

Filesize
5.9MB

MD5
7067ebc6935546635a4999a038fe6fc2

SHA1
44ff4ad2aac9f0b7dd3f96ad31c0437aceffcacb

SHA256
85d2d3dc2ec79f4e1577247c4eb1bfa808178c211a272f606f7099ce3ea86e62

SHA512
0e90b87eddabfb80e648281133b751c9763f3b31e6d8cdd5db5f2a5c429b8e2f5a960018f65d7cc7324ed5de40ba72f85ee731d34983a25203491476b4ae35f1

Download Submit
C:\Windows\System\sjXBuCN.exe

Filesize
5.9MB

MD5
f47f2f598fef4306633a508e17a94398

SHA1
40cbcf40fb6f6e32685b25006ea7de4873583c0e

SHA256
13f1f5e3e7c2af497baa56d6a378ade84ef4a337ee34addcdc7d955dce0b6585

SHA512
1e2f4c8a38abc20e048339391c552f2f728301b4a53392f9362019b8841e5f182794a3cb01eeb21ac342369291fce99b9aac23ef0dc6f0376464e6542369b96c

Download Submit
C:\Windows\System\twzGWAc.exe

Filesize
5.9MB

MD5
d5f1485ef7372e5a31312f09544a8d81

SHA1
81977c90ba21782dd9ce7fb796852fd09a22169d

SHA256
b928bd07f4a1797258a0a0f0cc7060c5fafb8e32b56cb8b919724f95c1a8da94

SHA512
6fc5a4845ab5330d7a1dabe4ff9f02a64d6c465d7ed014cb206ba972880f0c91d2aaaa70f980c2260e8b376b928058ffad448d3d7f7ff5a07ddf75b06081d465

Download Submit
C:\Windows\System\ycmShNX.exe

Filesize
5.9MB

MD5
86e1c6fd4109fbf4aa40e07c0e169501

SHA1
2e31417b14c45ac9b1694c327833ca5dc7711cd6

SHA256
3797121425c3d1fb9f68bbfe5713d5bac59f576349dd19b4aebe0b5869a1ef1c

SHA512
ec822dfa7d655673c36551975b7778e66b706f275075a707bf6d1d2e1ecb48f81dd2d571049b5ee2f95d003362a5cd893dff383232970a77fe61a835e60a2822

Download Submit
memory/424-30-0x00007FF616E20000-0x00007FF617174000-memory.dmp

Filesize
3.3MB

Download
memory/424-145-0x00007FF616E20000-0x00007FF617174000-memory.dmp

Filesize
3.3MB

Download
memory/424-132-0x00007FF616E20000-0x00007FF617174000-memory.dmp

Filesize
3.3MB

Download
memory/508-10-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp

Filesize
3.3MB

Download
memory/508-120-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp

Filesize
3.3MB

Download
memory/508-140-0x00007FF7B4430000-0x00007FF7B4784000-memory.dmp

Filesize
3.3MB

Download
memory/648-36-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp

Filesize
3.3MB

Download
memory/648-133-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp

Filesize
3.3MB

Download
memory/648-144-0x00007FF7FC510000-0x00007FF7FC864000-memory.dmp

Filesize
3.3MB

Download
memory/816-1-0x0000013CF8E50000-0x0000013CF8E60000-memory.dmp

Filesize
64KB

Download
memory/816-67-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp

Filesize
3.3MB

Download
memory/816-0-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp

Filesize
3.3MB

Download
memory/1080-42-0x00007FF786C10000-0x00007FF786F64000-memory.dmp

Filesize
3.3MB

Download
memory/1080-146-0x00007FF786C10000-0x00007FF786F64000-memory.dmp

Filesize
3.3MB

Download
memory/1080-134-0x00007FF786C10000-0x00007FF786F64000-memory.dmp

Filesize
3.3MB

Download
memory/1400-157-0x00007FF7966C0000-0x00007FF796A14000-memory.dmp

Filesize
3.3MB

Download
memory/1400-128-0x00007FF7966C0000-0x00007FF796A14000-memory.dmp

Filesize
3.3MB

Download
memory/1696-156-0x00007FF6F4BE0000-0x00007FF6F4F34000-memory.dmp

Filesize
3.3MB

Download
memory/1696-125-0x00007FF6F4BE0000-0x00007FF6F4F34000-memory.dmp

Filesize
3.3MB

Download
memory/1708-158-0x00007FF729B60000-0x00007FF729EB4000-memory.dmp

Filesize
3.3MB

Download
memory/1708-127-0x00007FF729B60000-0x00007FF729EB4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-138-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-150-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-66-0x00007FF78D490000-0x00007FF78D7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-151-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp

Filesize
3.3MB

Download
memory/2548-68-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp

Filesize
3.3MB

Download
memory/2548-139-0x00007FF7F00F0000-0x00007FF7F0444000-memory.dmp

Filesize
3.3MB

Download
memory/2672-148-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp

Filesize
3.3MB

Download
memory/2672-136-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp

Filesize
3.3MB

Download
memory/2672-59-0x00007FF6D6CD0000-0x00007FF6D7024000-memory.dmp

Filesize
3.3MB

Download
memory/3232-154-0x00007FF74C280000-0x00007FF74C5D4000-memory.dmp

Filesize
3.3MB

Download
memory/3232-123-0x00007FF74C280000-0x00007FF74C5D4000-memory.dmp

Filesize
3.3MB

Download
memory/3364-130-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp

Filesize
3.3MB

Download
memory/3364-23-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp

Filesize
3.3MB

Download
memory/3364-143-0x00007FF6E20A0000-0x00007FF6E23F4000-memory.dmp

Filesize
3.3MB

Download
memory/3540-122-0x00007FF6223E0000-0x00007FF622734000-memory.dmp

Filesize
3.3MB

Download
memory/3540-152-0x00007FF6223E0000-0x00007FF622734000-memory.dmp

Filesize
3.3MB

Download
memory/3676-153-0x00007FF6EFB00000-0x00007FF6EFE54000-memory.dmp

Filesize
3.3MB

Download
memory/3676-121-0x00007FF6EFB00000-0x00007FF6EFE54000-memory.dmp

Filesize
3.3MB

Download
memory/4692-149-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-64-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-137-0x00007FF6E5690000-0x00007FF6E59E4000-memory.dmp

Filesize
3.3MB

Download
memory/4760-155-0x00007FF6DE9B0000-0x00007FF6DED04000-memory.dmp

Filesize
3.3MB

Download
memory/4760-124-0x00007FF6DE9B0000-0x00007FF6DED04000-memory.dmp

Filesize
3.3MB

Download
memory/4812-129-0x00007FF652F00000-0x00007FF653254000-memory.dmp

Filesize
3.3MB

Download
memory/4812-159-0x00007FF652F00000-0x00007FF653254000-memory.dmp

Filesize
3.3MB

Download
memory/4820-147-0x00007FF7234C0000-0x00007FF723814000-memory.dmp

Filesize
3.3MB

Download
memory/4820-135-0x00007FF7234C0000-0x00007FF723814000-memory.dmp

Filesize
3.3MB

Download
memory/4820-50-0x00007FF7234C0000-0x00007FF723814000-memory.dmp

Filesize
3.3MB

Download
memory/4988-131-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4988-142-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4988-29-0x00007FF7718A0000-0x00007FF771BF4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-141-0x00007FF7B37B0000-0x00007FF7B3B04000-memory.dmp

Filesize
3.3MB

Download
memory/5084-19-0x00007FF7B37B0000-0x00007FF7B3B04000-memory.dmp

Filesize
3.3MB

Download
memory/5104-126-0x00007FF6020C0000-0x00007FF602414000-memory.dmp

Filesize
3.3MB

Download
memory/5104-160-0x00007FF6020C0000-0x00007FF602414000-memory.dmp

Filesize
3.3MB

Download