cobaltstrike | 3c79a9b858916e1af23434c0dc37b77966b4387eca93732c276aa7d76f5f348d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

289b0ae0a4dcff2ea9698e6f45a99466
SHA1

8e791c837a1bacc1b3346886013e55fd06fac7ae
SHA256

3c79a9b858916e1af23434c0dc37b77966b4387eca93732c276aa7d76f5f348d
SHA512

bea0e8a3c42867ab283b05162a9715c5b1432063520d15f878a6d41510142743137c2198ac5942011d25da67bacd9f385ec3a4f73393a433af8121eb24e69880
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU9:Q+856utgpPF8u/79

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023298-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023421-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-41.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002337b-48.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023422-60.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023380-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a00000002337c-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023298-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023421-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023425-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023426-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023429-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000900000002337b-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023422-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000b000000023380-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342d-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342b-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342c-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a00000002337c-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342e-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342f-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023432-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023430-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023431-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023434-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023433-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1848-0-0x00007FF644760000-0x00007FF644AB4000-memory.dmp	UPX
behavioral2/files/0x0007000000023298-5.dat	UPX
behavioral2/memory/1344-8-0x00007FF722640000-0x00007FF722994000-memory.dmp	UPX
behavioral2/files/0x0008000000023421-11.dat	UPX
behavioral2/files/0x0007000000023425-10.dat	UPX
behavioral2/memory/4856-15-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023426-23.dat	UPX
behavioral2/memory/3612-22-0x00007FF7EE0C0000-0x00007FF7EE414000-memory.dmp	UPX
behavioral2/memory/4564-31-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	UPX
behavioral2/files/0x0007000000023427-34.dat	UPX
behavioral2/files/0x0007000000023428-36.dat	UPX
behavioral2/memory/1436-38-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	UPX
behavioral2/memory/3256-27-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023429-41.dat	UPX
behavioral2/memory/1980-44-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	UPX
behavioral2/files/0x000900000002337b-48.dat	UPX
behavioral2/files/0x0008000000023422-60.dat	UPX
behavioral2/memory/972-61-0x00007FF718310000-0x00007FF718664000-memory.dmp	UPX
behavioral2/files/0x000b000000023380-72.dat	UPX
behavioral2/files/0x000700000002342d-80.dat	UPX
behavioral2/files/0x000700000002342b-78.dat	UPX
behavioral2/files/0x000700000002342c-76.dat	UPX
behavioral2/memory/924-69-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp	UPX
behavioral2/memory/1848-68-0x00007FF644760000-0x00007FF644AB4000-memory.dmp	UPX
behavioral2/files/0x000a00000002337c-58.dat	UPX
behavioral2/memory/3204-63-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp	UPX
behavioral2/memory/1968-52-0x00007FF792DA0000-0x00007FF7930F4000-memory.dmp	UPX
behavioral2/memory/1344-85-0x00007FF722640000-0x00007FF722994000-memory.dmp	UPX
behavioral2/memory/1524-86-0x00007FF683CD0000-0x00007FF684024000-memory.dmp	UPX
behavioral2/files/0x000700000002342e-90.dat	UPX
behavioral2/memory/1652-100-0x00007FF657430000-0x00007FF657784000-memory.dmp	UPX
behavioral2/files/0x000700000002342f-104.dat	UPX
behavioral2/memory/4564-108-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	UPX
behavioral2/memory/2188-116-0x00007FF776DB0000-0x00007FF777104000-memory.dmp	UPX
behavioral2/memory/1556-119-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp	UPX
behavioral2/memory/1108-118-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp	UPX
behavioral2/files/0x0007000000023432-115.dat	UPX
behavioral2/memory/1436-114-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	UPX
behavioral2/memory/3256-107-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	UPX
behavioral2/memory/2116-106-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp	UPX
behavioral2/files/0x0007000000023430-112.dat	UPX
behavioral2/files/0x0007000000023431-111.dat	UPX
behavioral2/memory/1980-127-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	UPX
behavioral2/memory/4672-133-0x00007FF676C90000-0x00007FF676FE4000-memory.dmp	UPX
behavioral2/files/0x0007000000023434-131.dat	UPX
behavioral2/memory/4056-130-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp	UPX
behavioral2/files/0x0007000000023433-128.dat	UPX
behavioral2/memory/4856-96-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	UPX
behavioral2/memory/1068-92-0x00007FF6240D0000-0x00007FF624424000-memory.dmp	UPX
behavioral2/memory/1212-89-0x00007FF7C0E60000-0x00007FF7C11B4000-memory.dmp	UPX
behavioral2/memory/972-135-0x00007FF718310000-0x00007FF718664000-memory.dmp	UPX
behavioral2/memory/3204-136-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp	UPX
behavioral2/memory/924-137-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp	UPX
behavioral2/memory/2116-138-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp	UPX
behavioral2/memory/1108-139-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp	UPX
behavioral2/memory/1556-140-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp	UPX
behavioral2/memory/4056-141-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp	UPX
behavioral2/memory/1344-142-0x00007FF722640000-0x00007FF722994000-memory.dmp	UPX
behavioral2/memory/4856-143-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	UPX
behavioral2/memory/3612-144-0x00007FF7EE0C0000-0x00007FF7EE414000-memory.dmp	UPX
behavioral2/memory/3256-145-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	UPX
behavioral2/memory/4564-146-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	UPX
behavioral2/memory/1436-147-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	UPX
behavioral2/memory/1980-148-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1848-0-0x00007FF644760000-0x00007FF644AB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023298-5.dat	xmrig
behavioral2/memory/1344-8-0x00007FF722640000-0x00007FF722994000-memory.dmp	xmrig
behavioral2/files/0x0008000000023421-11.dat	xmrig
behavioral2/files/0x0007000000023425-10.dat	xmrig
behavioral2/memory/4856-15-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023426-23.dat	xmrig
behavioral2/memory/3612-22-0x00007FF7EE0C0000-0x00007FF7EE414000-memory.dmp	xmrig
behavioral2/memory/4564-31-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-34.dat	xmrig
behavioral2/files/0x0007000000023428-36.dat	xmrig
behavioral2/memory/1436-38-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	xmrig
behavioral2/memory/3256-27-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023429-41.dat	xmrig
behavioral2/memory/1980-44-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	xmrig
behavioral2/files/0x000900000002337b-48.dat	xmrig
behavioral2/files/0x0008000000023422-60.dat	xmrig
behavioral2/memory/972-61-0x00007FF718310000-0x00007FF718664000-memory.dmp	xmrig
behavioral2/files/0x000b000000023380-72.dat	xmrig
behavioral2/files/0x000700000002342d-80.dat	xmrig
behavioral2/files/0x000700000002342b-78.dat	xmrig
behavioral2/files/0x000700000002342c-76.dat	xmrig
behavioral2/memory/924-69-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp	xmrig
behavioral2/memory/1848-68-0x00007FF644760000-0x00007FF644AB4000-memory.dmp	xmrig
behavioral2/files/0x000a00000002337c-58.dat	xmrig
behavioral2/memory/3204-63-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp	xmrig
behavioral2/memory/1968-52-0x00007FF792DA0000-0x00007FF7930F4000-memory.dmp	xmrig
behavioral2/memory/1344-85-0x00007FF722640000-0x00007FF722994000-memory.dmp	xmrig
behavioral2/memory/1524-86-0x00007FF683CD0000-0x00007FF684024000-memory.dmp	xmrig
behavioral2/files/0x000700000002342e-90.dat	xmrig
behavioral2/memory/1652-100-0x00007FF657430000-0x00007FF657784000-memory.dmp	xmrig
behavioral2/files/0x000700000002342f-104.dat	xmrig
behavioral2/memory/4564-108-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	xmrig
behavioral2/memory/2188-116-0x00007FF776DB0000-0x00007FF777104000-memory.dmp	xmrig
behavioral2/memory/1556-119-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp	xmrig
behavioral2/memory/1108-118-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023432-115.dat	xmrig
behavioral2/memory/1436-114-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	xmrig
behavioral2/memory/3256-107-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	xmrig
behavioral2/memory/2116-106-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023430-112.dat	xmrig
behavioral2/files/0x0007000000023431-111.dat	xmrig
behavioral2/memory/1980-127-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	xmrig
behavioral2/memory/4672-133-0x00007FF676C90000-0x00007FF676FE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023434-131.dat	xmrig
behavioral2/memory/4056-130-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp	xmrig
behavioral2/files/0x0007000000023433-128.dat	xmrig
behavioral2/memory/4856-96-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	xmrig
behavioral2/memory/1068-92-0x00007FF6240D0000-0x00007FF624424000-memory.dmp	xmrig
behavioral2/memory/1212-89-0x00007FF7C0E60000-0x00007FF7C11B4000-memory.dmp	xmrig
behavioral2/memory/972-135-0x00007FF718310000-0x00007FF718664000-memory.dmp	xmrig
behavioral2/memory/3204-136-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp	xmrig
behavioral2/memory/924-137-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp	xmrig
behavioral2/memory/2116-138-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp	xmrig
behavioral2/memory/1108-139-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp	xmrig
behavioral2/memory/1556-140-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp	xmrig
behavioral2/memory/4056-141-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp	xmrig
behavioral2/memory/1344-142-0x00007FF722640000-0x00007FF722994000-memory.dmp	xmrig
behavioral2/memory/4856-143-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	xmrig
behavioral2/memory/3612-144-0x00007FF7EE0C0000-0x00007FF7EE414000-memory.dmp	xmrig
behavioral2/memory/3256-145-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	xmrig
behavioral2/memory/4564-146-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	xmrig
behavioral2/memory/1436-147-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	xmrig
behavioral2/memory/1980-148-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1344	jdIRnHN.exe
4856	swZJIme.exe
3612	QqvNDtP.exe
3256	BZnLdvi.exe
4564	NqPxgYG.exe
1436	jgFGgBL.exe
1980	vHGrHAo.exe
1968	xgjGuDU.exe
972	HDkfRYo.exe
3204	fatmKSM.exe
924	iyeykwV.exe
1524	SjzcwOJ.exe
1212	totXyoj.exe
1068	PuQyMzu.exe
1652	obmioMI.exe
2116	qsDyPZo.exe
2188	ExUUjhR.exe
1108	roGdvJd.exe
1556	YlcIbuH.exe
4056	MiuiIBT.exe
4672	rNtTJJT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1848-0-0x00007FF644760000-0x00007FF644AB4000-memory.dmp	upx
behavioral2/files/0x0007000000023298-5.dat	upx
behavioral2/memory/1344-8-0x00007FF722640000-0x00007FF722994000-memory.dmp	upx
behavioral2/files/0x0008000000023421-11.dat	upx
behavioral2/files/0x0007000000023425-10.dat	upx
behavioral2/memory/4856-15-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	upx
behavioral2/files/0x0007000000023426-23.dat	upx
behavioral2/memory/3612-22-0x00007FF7EE0C0000-0x00007FF7EE414000-memory.dmp	upx
behavioral2/memory/4564-31-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	upx
behavioral2/files/0x0007000000023427-34.dat	upx
behavioral2/files/0x0007000000023428-36.dat	upx
behavioral2/memory/1436-38-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	upx
behavioral2/memory/3256-27-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	upx
behavioral2/files/0x0007000000023429-41.dat	upx
behavioral2/memory/1980-44-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	upx
behavioral2/files/0x000900000002337b-48.dat	upx
behavioral2/files/0x0008000000023422-60.dat	upx
behavioral2/memory/972-61-0x00007FF718310000-0x00007FF718664000-memory.dmp	upx
behavioral2/files/0x000b000000023380-72.dat	upx
behavioral2/files/0x000700000002342d-80.dat	upx
behavioral2/files/0x000700000002342b-78.dat	upx
behavioral2/files/0x000700000002342c-76.dat	upx
behavioral2/memory/924-69-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp	upx
behavioral2/memory/1848-68-0x00007FF644760000-0x00007FF644AB4000-memory.dmp	upx
behavioral2/files/0x000a00000002337c-58.dat	upx
behavioral2/memory/3204-63-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp	upx
behavioral2/memory/1968-52-0x00007FF792DA0000-0x00007FF7930F4000-memory.dmp	upx
behavioral2/memory/1344-85-0x00007FF722640000-0x00007FF722994000-memory.dmp	upx
behavioral2/memory/1524-86-0x00007FF683CD0000-0x00007FF684024000-memory.dmp	upx
behavioral2/files/0x000700000002342e-90.dat	upx
behavioral2/memory/1652-100-0x00007FF657430000-0x00007FF657784000-memory.dmp	upx
behavioral2/files/0x000700000002342f-104.dat	upx
behavioral2/memory/4564-108-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	upx
behavioral2/memory/2188-116-0x00007FF776DB0000-0x00007FF777104000-memory.dmp	upx
behavioral2/memory/1556-119-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp	upx
behavioral2/memory/1108-118-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp	upx
behavioral2/files/0x0007000000023432-115.dat	upx
behavioral2/memory/1436-114-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	upx
behavioral2/memory/3256-107-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	upx
behavioral2/memory/2116-106-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp	upx
behavioral2/files/0x0007000000023430-112.dat	upx
behavioral2/files/0x0007000000023431-111.dat	upx
behavioral2/memory/1980-127-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	upx
behavioral2/memory/4672-133-0x00007FF676C90000-0x00007FF676FE4000-memory.dmp	upx
behavioral2/files/0x0007000000023434-131.dat	upx
behavioral2/memory/4056-130-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp	upx
behavioral2/files/0x0007000000023433-128.dat	upx
behavioral2/memory/4856-96-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	upx
behavioral2/memory/1068-92-0x00007FF6240D0000-0x00007FF624424000-memory.dmp	upx
behavioral2/memory/1212-89-0x00007FF7C0E60000-0x00007FF7C11B4000-memory.dmp	upx
behavioral2/memory/972-135-0x00007FF718310000-0x00007FF718664000-memory.dmp	upx
behavioral2/memory/3204-136-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp	upx
behavioral2/memory/924-137-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp	upx
behavioral2/memory/2116-138-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp	upx
behavioral2/memory/1108-139-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp	upx
behavioral2/memory/1556-140-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp	upx
behavioral2/memory/4056-141-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp	upx
behavioral2/memory/1344-142-0x00007FF722640000-0x00007FF722994000-memory.dmp	upx
behavioral2/memory/4856-143-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp	upx
behavioral2/memory/3612-144-0x00007FF7EE0C0000-0x00007FF7EE414000-memory.dmp	upx
behavioral2/memory/3256-145-0x00007FF732780000-0x00007FF732AD4000-memory.dmp	upx
behavioral2/memory/4564-146-0x00007FF6793E0000-0x00007FF679734000-memory.dmp	upx
behavioral2/memory/1436-147-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp	upx
behavioral2/memory/1980-148-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jdIRnHN.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\swZJIme.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xgjGuDU.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fatmKSM.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\totXyoj.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SjzcwOJ.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\obmioMI.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ExUUjhR.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\roGdvJd.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MiuiIBT.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BZnLdvi.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vHGrHAo.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qsDyPZo.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QqvNDtP.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NqPxgYG.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jgFGgBL.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HDkfRYo.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iyeykwV.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PuQyMzu.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YlcIbuH.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rNtTJJT.exe	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1344	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	83
PID 1848 wrote to memory of 1344	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	83
PID 1848 wrote to memory of 4856	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	84
PID 1848 wrote to memory of 4856	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	84
PID 1848 wrote to memory of 3612	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	86
PID 1848 wrote to memory of 3612	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	86
PID 1848 wrote to memory of 3256	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	87
PID 1848 wrote to memory of 3256	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	87
PID 1848 wrote to memory of 4564	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	91
PID 1848 wrote to memory of 4564	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	91
PID 1848 wrote to memory of 1436	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	92
PID 1848 wrote to memory of 1436	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	92
PID 1848 wrote to memory of 1980	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	93
PID 1848 wrote to memory of 1980	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	93
PID 1848 wrote to memory of 1968	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	94
PID 1848 wrote to memory of 1968	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	94
PID 1848 wrote to memory of 972	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	95
PID 1848 wrote to memory of 972	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	95
PID 1848 wrote to memory of 924	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	96
PID 1848 wrote to memory of 924	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	96
PID 1848 wrote to memory of 3204	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	97
PID 1848 wrote to memory of 3204	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	97
PID 1848 wrote to memory of 1212	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	98
PID 1848 wrote to memory of 1212	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	98
PID 1848 wrote to memory of 1524	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	99
PID 1848 wrote to memory of 1524	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	99
PID 1848 wrote to memory of 1068	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	100
PID 1848 wrote to memory of 1068	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	100
PID 1848 wrote to memory of 1652	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	101
PID 1848 wrote to memory of 1652	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	101
PID 1848 wrote to memory of 2116	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	102
PID 1848 wrote to memory of 2116	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	102
PID 1848 wrote to memory of 2188	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	103
PID 1848 wrote to memory of 2188	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	103
PID 1848 wrote to memory of 1108	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	104
PID 1848 wrote to memory of 1108	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	104
PID 1848 wrote to memory of 1556	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	105
PID 1848 wrote to memory of 1556	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	105
PID 1848 wrote to memory of 4056	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	106
PID 1848 wrote to memory of 4056	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	106
PID 1848 wrote to memory of 4672	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	107
PID 1848 wrote to memory of 4672	1848	2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_289b0ae0a4dcff2ea9698e6f45a99466_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\System\jdIRnHN.exe
  C:\Windows\System\jdIRnHN.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\swZJIme.exe
  C:\Windows\System\swZJIme.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\QqvNDtP.exe
  C:\Windows\System\QqvNDtP.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\BZnLdvi.exe
  C:\Windows\System\BZnLdvi.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\NqPxgYG.exe
  C:\Windows\System\NqPxgYG.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\jgFGgBL.exe
  C:\Windows\System\jgFGgBL.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\vHGrHAo.exe
  C:\Windows\System\vHGrHAo.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\xgjGuDU.exe
  C:\Windows\System\xgjGuDU.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\HDkfRYo.exe
  C:\Windows\System\HDkfRYo.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\iyeykwV.exe
  C:\Windows\System\iyeykwV.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\fatmKSM.exe
  C:\Windows\System\fatmKSM.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\totXyoj.exe
  C:\Windows\System\totXyoj.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\SjzcwOJ.exe
  C:\Windows\System\SjzcwOJ.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\PuQyMzu.exe
  C:\Windows\System\PuQyMzu.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\obmioMI.exe
  C:\Windows\System\obmioMI.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\qsDyPZo.exe
  C:\Windows\System\qsDyPZo.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\ExUUjhR.exe
  C:\Windows\System\ExUUjhR.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\roGdvJd.exe
  C:\Windows\System\roGdvJd.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\YlcIbuH.exe
  C:\Windows\System\YlcIbuH.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\MiuiIBT.exe
  C:\Windows\System\MiuiIBT.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\rNtTJJT.exe
  C:\Windows\System\rNtTJJT.exe
  2⤵
  - Executes dropped EXE
  PID:4672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BZnLdvi.exe

Filesize
5.9MB

MD5
9764772b56293c9afcec8ee9e10b2434

SHA1
8353d984a48b146a40eec5cd07bc52da7f53b32b

SHA256
c96c79d01d53ac1708ba1f88898766e1479233a2090418a4e0e0ca4fde89819d

SHA512
a2f3244d76d90e74fb9592b25609ece3d77e9aa0ecf72695acbaf82634d3cca186b3dc0fda1bee54c6e70b01f5d2d71b48ed9983da12c4012a2739714790fe16

Download Submit
C:\Windows\System\ExUUjhR.exe

Filesize
5.9MB

MD5
e4d5cd71877386b5213f3e311ecb725c

SHA1
1cd79e8e5a35f24aa6f9f964aab947586a13783f

SHA256
c26167479c187b6897f91b72dc3251a715c14a28b0294c1c42aed634e02cfe3c

SHA512
a38fde0d5110174a635b060c3686d6f99f5a88e883088720ae779db201ff2269e574d730f65a0394ed6142ca255f38d6c3696fc5beb5540aa0c16cdd777b628d

Download Submit
C:\Windows\System\HDkfRYo.exe

Filesize
5.9MB

MD5
8da5da0080438cea4fb3b6c980796cf9

SHA1
277b09bee1db9fc407031e6ea40e5bc1c9e03b96

SHA256
6274647d969d48220e48734683e1ae072e6835534d0ac7765d1cbfd0fd4c1a26

SHA512
acbe7d37360cc14c6b5d7e7f5b2bb5c7e5cbc862297dd368c82bd8334cada7b844983649676b2d2364fcda1a7043ace36952ce24b2762e8796bd29e31a552df5

Download Submit
C:\Windows\System\MiuiIBT.exe

Filesize
5.9MB

MD5
5131d9a488ba800c452f5dd381354625

SHA1
b105434ae4ef42347ac99b2429654c18086afd05

SHA256
eb7e1f477a67cfb2900c10ba99fab879ed58b30770a3d0fda969de173161e863

SHA512
7d5e6a2f121f9095ed1155758f36983a721cc253bc16f8ad1d611f3154702d5df51c7e370772fedf048b3c0eadbaca3e17266555e554ccaaefa1383fc19f36c3

Download Submit
C:\Windows\System\NqPxgYG.exe

Filesize
5.9MB

MD5
8ac3422e6b6b8480189526848ebbff0e

SHA1
6de5c528347de79ee8b3263e834f0a5bf51dee2c

SHA256
a49226a8e1bc4c0a73b57329d9a7bda8034c3c6ec92544015e83a1291c618b01

SHA512
a65e6e58504cd567825a92f9be7be0b21391f7bb7d7bac8f1e3806dcc8f9bea29839877b5013113960f3d0362ac4836c263d76ddee86fe7808d50aad27f898b5

Download Submit
C:\Windows\System\PuQyMzu.exe

Filesize
5.9MB

MD5
9bb1c9b822ccd4b48ba4988ee7108605

SHA1
7fcfe1530715e0715cf389a2595f6cd2bac5425f

SHA256
db220201fe8c1fd41de9d4dbc8f1b05bce1ae78c610e9747b53b10899aefa8f5

SHA512
0ceb8fc1672f051dbc1db54ee2a0759d41dada21bb35e3f71df6fad4f6b69b9959c9d425904d5a2e0891110158c0efbbfe1489d0ee61b6920c5a4791035d87e0

Download Submit
C:\Windows\System\QqvNDtP.exe

Filesize
5.9MB

MD5
207542ff35d7511ddae2c550eedbfc97

SHA1
b77f026f751ee349f0fe691f25f2f13ce9a5c19e

SHA256
fd3d2b7bbede74e1ddcc93c26c77ebbdc10e1e63b79064567156b75da08fc29b

SHA512
1ce8225d4c17d066fb611b0bc028a1b93069936005307db960b9c6362c94af72132b46e3c25a0a17eb050250b865c84701e20452b341795859dd32ccef098a9e

Download Submit
C:\Windows\System\SjzcwOJ.exe

Filesize
5.9MB

MD5
0eff23fe03b6b164155add5574cc8621

SHA1
c81936068d0bc6ecf03f8daf18decb5a1737cafa

SHA256
6f8d0609acb2ddc30667735b0c781446384046b959c8b5d72abd27b01bd6a31b

SHA512
8d98658975d8735302aaafd839ed58da8ca1ea61c3d630eaa81569003a9919e3ed111be0cffb0011bd0cc208e855287eec7c0ca56381b6412ce27ab988ef7883

Download Submit
C:\Windows\System\YlcIbuH.exe

Filesize
5.9MB

MD5
22500af49df3f7d5cb497f59f1d2343d

SHA1
08bcd83e4291005458b716eed9ac81db6f16b578

SHA256
f77f91effa6a99a7d2153c5b1a4b014fd342a65c4911842061760b90340cf806

SHA512
ca047b71a462d8c9d3b91263ab53adc3696921307f857af5a5661025e953ce0cf4f60017fa24ac1af010098893c992570e6ae4c89fc1a5118b148531289f30d1

Download Submit
C:\Windows\System\fatmKSM.exe

Filesize
5.9MB

MD5
116cfa79566a5d1a4771c4e5d5225825

SHA1
c140429e61378d732fa04785e88f3b0b08401a1c

SHA256
0659a94349adfeaeadc9fecd525b6dda7bca215e7eb7dec24547792f70fa3f58

SHA512
ce8b9ea7530211ea4e62552df822fa54a0c4ee9e94b830d888e5c90b6a4332855b632291002204917e1f79cd1d706d57faf3f532abefe3859e26879ea5bea3df

Download Submit
C:\Windows\System\iyeykwV.exe

Filesize
5.9MB

MD5
caee90f627429590342bd11b3c16daae

SHA1
ea11e744a69667bfa95581c742bfa0c7208cea87

SHA256
66993c9abdeae63e73f81d45cddeee19c1847599c97ea3d15e5e506001eb76df

SHA512
410d4020330f2a2c3f3739e2c97108bd6fe06625d613d25664f4c11484fb7f44d5989c36e9eebdc95dac36268f9ef12dfffbbd846c8e88fc72788ef784071f7d

Download Submit
C:\Windows\System\jdIRnHN.exe

Filesize
5.9MB

MD5
97e6c07d86354b6a90bee812b0be3af1

SHA1
089923667a2522c692cfe1ab839c312ea11933b7

SHA256
618992ec39e401d7e28b7602e7ebb77e5e4c58436baebd4246439970947bc756

SHA512
6764f63b680895140a59f0c2e8cd0bf843958255b1fe940ea89b51857520c8e9cf7ed3d07df0c6c9b7a3a94f8b1f4a7f6b5dbf5ad92a0a159cc6297c8e3676e3

Download Submit
C:\Windows\System\jgFGgBL.exe

Filesize
5.9MB

MD5
033d29a3df98e37ae544f8b6f864275e

SHA1
5b0ce463f8c61364473e0cbfab3ae9de686ffcb2

SHA256
0d443c93d3fdec1d3a73b56f547370c3bb632d8093844b897137f3e1da536530

SHA512
0eed706b29476318ff8048a6ea69d554d1c93f34edf04da231108bb75ea8dd2c4f057aa23ac63c5464226646264f809bd0ee757ae959a8af48e83db50e31a684

Download Submit
C:\Windows\System\obmioMI.exe

Filesize
5.9MB

MD5
75d3aacc47bc089b46360dcfbbac0cb7

SHA1
19aa10a33f367341903f1287b62bbfcec6a49104

SHA256
4411467ac22831611655da9626cfda2668bad0b293348cf3af81245b04960a54

SHA512
c1d8b74b94273260aaf5fcaf527b3e239c36cd3deeae60b065a643f793f9eca9b8c2da11de3e96fcb71fbc8a92623f87122c142809d01e30f79108e7d9833c7a

Download Submit
C:\Windows\System\qsDyPZo.exe

Filesize
5.9MB

MD5
b9b19d182b50f03938e2c10d7b52df3a

SHA1
9ee71a82ca5ec4006341228a61b359f0262aa506

SHA256
2a7126093b0156e3db4f010b2f2fa7101bfad3c3f81544cd9d81536e899d0b99

SHA512
2ec8bd1f9b0a63ed12b7a94353da7de0b3e4a731902554aa2b1c942edc197c72fa43ffb0ffcb34bf04657a18d3ecd18ce1394e1b4fb0a22b780821dae7d7f850

Download Submit
C:\Windows\System\rNtTJJT.exe

Filesize
5.9MB

MD5
c47fef8655ef0289b8554c55450cccf8

SHA1
2b4747d6694e04d4d17a487ae9aa4c87d2b917c4

SHA256
c27ac2073eae068db028bf6626c20bef49a8ecbb42cb2e2e74f734fbd810533d

SHA512
f228e45d581a27896790fed5a396c7af5886ebe812e614fbfd776e48c4ae9a9e16652702f0948d58f8e0acc759c063904ef297539e462307e2ba314af64c8885

Download Submit
C:\Windows\System\roGdvJd.exe

Filesize
5.9MB

MD5
9c5e5cee7a65458c27b288af23014c4d

SHA1
4a1cc59216ceeb8c71cbdbbb69e6399d6f60e057

SHA256
a816041ba2339c310fde29a201b41b7312b5fff11993946ddecb8ce94234aab8

SHA512
9cdba238517602bf991b512d432ac17c54899d727bdd2e021dccc0498e624cd2138c121f8cd72444106e0b182f08cc4b0293f1b84ab7eac749bae4da02d57e51

Download Submit
C:\Windows\System\swZJIme.exe

Filesize
5.9MB

MD5
b7e0a3cd92f8c6e7c7e0bc663eea513e

SHA1
af561d0939bbe773bbffe4f72a7c749cf45725dd

SHA256
7b5204c16a18da4643f4059423187fb5d63b0f78876ded972e4564c1b595b05c

SHA512
8c7713336993ce6391c3f983a60f5a2c0f2bac1a1f91936b6e60a57509ec348b676dd4022e0432a7d3b43727a5d567be44811a26874e625c2543d982195cf9bc

Download Submit
C:\Windows\System\totXyoj.exe

Filesize
5.9MB

MD5
99c31942d149913e26dd9a71fab2b113

SHA1
8042aabfc056729713fed4366cdb3832a2ce49ad

SHA256
6b32e399cfebb698844953bc0d75585a5dca0ab8410e20ad31e7c067fa43df3b

SHA512
835cddc0cc2b80203322c02e8d8c26782f81e168121180640901a4eb7a52d740c5ff4a051de2aeba19078193511f4485e3a8ad87e6411ebea14ef89177122879

Download Submit
C:\Windows\System\vHGrHAo.exe

Filesize
5.9MB

MD5
afe1ff1f23a3868865d6a623e55b9b74

SHA1
453730eb97722869ac45a52ba0de7bfc0bad436e

SHA256
681a932ca734219bda5540834a05e80e95747ec1658dacfcb50f637085bd0a84

SHA512
e3ee5d148824d06dc7a43835c12e56b9c55fd515b0dabc7631995efc8d6dc88b33a49757051035e2f141637fb17afd7c754617c9306464a36bb4c1bd1a1dcd44

Download Submit
C:\Windows\System\xgjGuDU.exe

Filesize
5.9MB

MD5
eda30f5f044b6a94ee702dc6d6b8d11c

SHA1
404816de913d2c42ccfeecdb270be732b6ba1705

SHA256
ce3c8b71aac273965eb5cdcf9b17c6f0ee4224079cec52efaf3e6ba272618bd0

SHA512
94724e38af0e4a6ff3ee4edd2b2d39badda0e42787cef116bcbb9d2308a6d5c24ce20d944dae1d6c19cbbb54e102d70fb4594932fbca7af348e1fcceb9eeb1dc

Download Submit
memory/924-137-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp

Filesize
3.3MB

Download
memory/924-69-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp

Filesize
3.3MB

Download
memory/924-151-0x00007FF764C50000-0x00007FF764FA4000-memory.dmp

Filesize
3.3MB

Download
memory/972-61-0x00007FF718310000-0x00007FF718664000-memory.dmp

Filesize
3.3MB

Download
memory/972-150-0x00007FF718310000-0x00007FF718664000-memory.dmp

Filesize
3.3MB

Download
memory/972-135-0x00007FF718310000-0x00007FF718664000-memory.dmp

Filesize
3.3MB

Download
memory/1068-152-0x00007FF6240D0000-0x00007FF624424000-memory.dmp

Filesize
3.3MB

Download
memory/1068-92-0x00007FF6240D0000-0x00007FF624424000-memory.dmp

Filesize
3.3MB

Download
memory/1108-139-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1108-118-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1108-162-0x00007FF73FB60000-0x00007FF73FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1212-153-0x00007FF7C0E60000-0x00007FF7C11B4000-memory.dmp

Filesize
3.3MB

Download
memory/1212-89-0x00007FF7C0E60000-0x00007FF7C11B4000-memory.dmp

Filesize
3.3MB

Download
memory/1344-85-0x00007FF722640000-0x00007FF722994000-memory.dmp

Filesize
3.3MB

Download
memory/1344-142-0x00007FF722640000-0x00007FF722994000-memory.dmp

Filesize
3.3MB

Download
memory/1344-8-0x00007FF722640000-0x00007FF722994000-memory.dmp

Filesize
3.3MB

Download
memory/1436-114-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp

Filesize
3.3MB

Download
memory/1436-147-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp

Filesize
3.3MB

Download
memory/1436-38-0x00007FF6BA220000-0x00007FF6BA574000-memory.dmp

Filesize
3.3MB

Download
memory/1524-86-0x00007FF683CD0000-0x00007FF684024000-memory.dmp

Filesize
3.3MB

Download
memory/1524-154-0x00007FF683CD0000-0x00007FF684024000-memory.dmp

Filesize
3.3MB

Download
memory/1556-159-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp

Filesize
3.3MB

Download
memory/1556-140-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp

Filesize
3.3MB

Download
memory/1556-119-0x00007FF7E4F30000-0x00007FF7E5284000-memory.dmp

Filesize
3.3MB

Download
memory/1652-100-0x00007FF657430000-0x00007FF657784000-memory.dmp

Filesize
3.3MB

Download
memory/1652-156-0x00007FF657430000-0x00007FF657784000-memory.dmp

Filesize
3.3MB

Download
memory/1848-1-0x000001DC9E4B0000-0x000001DC9E4C0000-memory.dmp

Filesize
64KB

Download
memory/1848-0-0x00007FF644760000-0x00007FF644AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-68-0x00007FF644760000-0x00007FF644AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1968-149-0x00007FF792DA0000-0x00007FF7930F4000-memory.dmp

Filesize
3.3MB

Download
memory/1968-52-0x00007FF792DA0000-0x00007FF7930F4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-127-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-148-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-44-0x00007FF7D6680000-0x00007FF7D69D4000-memory.dmp

Filesize
3.3MB

Download
memory/2116-138-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp

Filesize
3.3MB

Download
memory/2116-157-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp

Filesize
3.3MB

Download
memory/2116-106-0x00007FF6EAF90000-0x00007FF6EB2E4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-158-0x00007FF776DB0000-0x00007FF777104000-memory.dmp

Filesize
3.3MB

Download
memory/2188-116-0x00007FF776DB0000-0x00007FF777104000-memory.dmp

Filesize
3.3MB

Download
memory/3204-136-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp

Filesize
3.3MB

Download
memory/3204-155-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp

Filesize
3.3MB

Download
memory/3204-63-0x00007FF6E8800000-0x00007FF6E8B54000-memory.dmp

Filesize
3.3MB

Download
memory/3256-145-0x00007FF732780000-0x00007FF732AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3256-27-0x00007FF732780000-0x00007FF732AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3256-107-0x00007FF732780000-0x00007FF732AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3612-22-0x00007FF7EE0C0000-0x00007FF7EE414000-memory.dmp

Filesize
3.3MB

Download
memory/3612-144-0x00007FF7EE0C0000-0x00007FF7EE414000-memory.dmp

Filesize
3.3MB

Download
memory/4056-141-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp

Filesize
3.3MB

Download
memory/4056-130-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp

Filesize
3.3MB

Download
memory/4056-160-0x00007FF6A3030000-0x00007FF6A3384000-memory.dmp

Filesize
3.3MB

Download
memory/4564-31-0x00007FF6793E0000-0x00007FF679734000-memory.dmp

Filesize
3.3MB

Download
memory/4564-146-0x00007FF6793E0000-0x00007FF679734000-memory.dmp

Filesize
3.3MB

Download
memory/4564-108-0x00007FF6793E0000-0x00007FF679734000-memory.dmp

Filesize
3.3MB

Download
memory/4672-161-0x00007FF676C90000-0x00007FF676FE4000-memory.dmp

Filesize
3.3MB

Download
memory/4672-133-0x00007FF676C90000-0x00007FF676FE4000-memory.dmp

Filesize
3.3MB

Download
memory/4856-15-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp

Filesize
3.3MB

Download
memory/4856-143-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp

Filesize
3.3MB

Download
memory/4856-96-0x00007FF6B8C80000-0x00007FF6B8FD4000-memory.dmp

Filesize
3.3MB

Download