cobaltstrike | e2dbe162f976ca89c96f2d8de7229418e6842e8459522b0dcfc8f995fc06ecd7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

1cea6ebf5e3a8e136678bb226b1647a8
SHA1

bf3cc73f6cd6b54350900a0c50138aff7dfa4477
SHA256

e2dbe162f976ca89c96f2d8de7229418e6842e8459522b0dcfc8f995fc06ecd7
SHA512

804aadd5878b399a3aecc496f741dbfdf9b01dfe6369b750f691178bfa0e4e44e29669d101ad7b256cd1d93819d5c6e4b831e3df66d070fa2b323091cb08e1ab
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUL:Q+856utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023298-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-40.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-99.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-81.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-29.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023424-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-128.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023422-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-114.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023298-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023425-7.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023426-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023429-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342b-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342e-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023430-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023434-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023433-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023431-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342f-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342d-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342a-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342c-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023424-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023436-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023437-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023422-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023435-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4480-0-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	UPX
behavioral2/files/0x0007000000023298-4.dat	UPX
behavioral2/files/0x0007000000023425-7.dat	UPX
behavioral2/memory/1608-10-0x00007FF632E10000-0x00007FF633164000-memory.dmp	UPX
behavioral2/files/0x0007000000023426-28.dat	UPX
behavioral2/files/0x0007000000023429-40.dat	UPX
behavioral2/files/0x000700000002342b-44.dat	UPX
behavioral2/memory/1360-56-0x00007FF6A6DF0000-0x00007FF6A7144000-memory.dmp	UPX
behavioral2/memory/2572-61-0x00007FF718280000-0x00007FF7185D4000-memory.dmp	UPX
behavioral2/files/0x000700000002342e-70.dat	UPX
behavioral2/files/0x0007000000023430-83.dat	UPX
behavioral2/memory/4480-93-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	UPX
behavioral2/files/0x0007000000023434-101.dat	UPX
behavioral2/memory/1968-106-0x00007FF77C480000-0x00007FF77C7D4000-memory.dmp	UPX
behavioral2/files/0x0007000000023433-104.dat	UPX
behavioral2/memory/1972-103-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp	UPX
behavioral2/files/0x0007000000023431-99.dat	UPX
behavioral2/memory/2764-98-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp	UPX
behavioral2/memory/2240-97-0x00007FF704DF0000-0x00007FF705144000-memory.dmp	UPX
behavioral2/memory/1340-95-0x00007FF7974D0000-0x00007FF797824000-memory.dmp	UPX
behavioral2/memory/1608-94-0x00007FF632E10000-0x00007FF633164000-memory.dmp	UPX
behavioral2/files/0x000700000002342f-81.dat	UPX
behavioral2/files/0x000700000002342d-75.dat	UPX
behavioral2/memory/1980-74-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp	UPX
behavioral2/memory/3676-68-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp	UPX
behavioral2/files/0x000700000002342a-65.dat	UPX
behavioral2/files/0x000700000002342c-63.dat	UPX
behavioral2/memory/3152-67-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp	UPX
behavioral2/memory/2616-53-0x00007FF707280000-0x00007FF7075D4000-memory.dmp	UPX
behavioral2/memory/3304-46-0x00007FF758D00000-0x00007FF759054000-memory.dmp	UPX
behavioral2/memory/3692-37-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	UPX
behavioral2/files/0x0007000000023428-35.dat	UPX
behavioral2/memory/3688-31-0x00007FF737520000-0x00007FF737874000-memory.dmp	UPX
behavioral2/files/0x0007000000023427-29.dat	UPX
behavioral2/memory/1060-25-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	UPX
behavioral2/files/0x0008000000023424-17.dat	UPX
behavioral2/memory/3020-14-0x00007FF624D20000-0x00007FF625074000-memory.dmp	UPX
behavioral2/memory/3688-118-0x00007FF737520000-0x00007FF737874000-memory.dmp	UPX
behavioral2/files/0x0007000000023436-125.dat	UPX
behavioral2/memory/2096-130-0x00007FF611100000-0x00007FF611454000-memory.dmp	UPX
behavioral2/files/0x0007000000023437-128.dat	UPX
behavioral2/memory/3692-126-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	UPX
behavioral2/files/0x0008000000023422-120.dat	UPX
behavioral2/memory/1692-119-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp	UPX
behavioral2/memory/3880-117-0x00007FF79A1D0000-0x00007FF79A524000-memory.dmp	UPX
behavioral2/memory/3372-134-0x00007FF7925A0000-0x00007FF7928F4000-memory.dmp	UPX
behavioral2/memory/2616-133-0x00007FF707280000-0x00007FF7075D4000-memory.dmp	UPX
behavioral2/memory/1060-111-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	UPX
behavioral2/memory/3020-110-0x00007FF624D20000-0x00007FF625074000-memory.dmp	UPX
behavioral2/files/0x0007000000023435-114.dat	UPX
behavioral2/memory/3152-135-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp	UPX
behavioral2/memory/3676-136-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp	UPX
behavioral2/memory/1980-137-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp	UPX
behavioral2/memory/2764-138-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp	UPX
behavioral2/memory/1972-139-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp	UPX
behavioral2/memory/1692-140-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp	UPX
behavioral2/memory/2096-141-0x00007FF611100000-0x00007FF611454000-memory.dmp	UPX
behavioral2/memory/1608-142-0x00007FF632E10000-0x00007FF633164000-memory.dmp	UPX
behavioral2/memory/3020-143-0x00007FF624D20000-0x00007FF625074000-memory.dmp	UPX
behavioral2/memory/1060-144-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	UPX
behavioral2/memory/3688-145-0x00007FF737520000-0x00007FF737874000-memory.dmp	UPX
behavioral2/memory/3304-146-0x00007FF758D00000-0x00007FF759054000-memory.dmp	UPX
behavioral2/memory/1360-147-0x00007FF6A6DF0000-0x00007FF6A7144000-memory.dmp	UPX
behavioral2/memory/3692-148-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4480-0-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023298-4.dat	xmrig
behavioral2/files/0x0007000000023425-7.dat	xmrig
behavioral2/memory/1608-10-0x00007FF632E10000-0x00007FF633164000-memory.dmp	xmrig
behavioral2/files/0x0007000000023426-28.dat	xmrig
behavioral2/files/0x0007000000023429-40.dat	xmrig
behavioral2/files/0x000700000002342b-44.dat	xmrig
behavioral2/memory/1360-56-0x00007FF6A6DF0000-0x00007FF6A7144000-memory.dmp	xmrig
behavioral2/memory/2572-61-0x00007FF718280000-0x00007FF7185D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002342e-70.dat	xmrig
behavioral2/files/0x0007000000023430-83.dat	xmrig
behavioral2/memory/4480-93-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023434-101.dat	xmrig
behavioral2/memory/1968-106-0x00007FF77C480000-0x00007FF77C7D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023433-104.dat	xmrig
behavioral2/memory/1972-103-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023431-99.dat	xmrig
behavioral2/memory/2764-98-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp	xmrig
behavioral2/memory/2240-97-0x00007FF704DF0000-0x00007FF705144000-memory.dmp	xmrig
behavioral2/memory/1340-95-0x00007FF7974D0000-0x00007FF797824000-memory.dmp	xmrig
behavioral2/memory/1608-94-0x00007FF632E10000-0x00007FF633164000-memory.dmp	xmrig
behavioral2/files/0x000700000002342f-81.dat	xmrig
behavioral2/files/0x000700000002342d-75.dat	xmrig
behavioral2/memory/1980-74-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp	xmrig
behavioral2/memory/3676-68-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp	xmrig
behavioral2/files/0x000700000002342a-65.dat	xmrig
behavioral2/files/0x000700000002342c-63.dat	xmrig
behavioral2/memory/3152-67-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp	xmrig
behavioral2/memory/2616-53-0x00007FF707280000-0x00007FF7075D4000-memory.dmp	xmrig
behavioral2/memory/3304-46-0x00007FF758D00000-0x00007FF759054000-memory.dmp	xmrig
behavioral2/memory/3692-37-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023428-35.dat	xmrig
behavioral2/memory/3688-31-0x00007FF737520000-0x00007FF737874000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-29.dat	xmrig
behavioral2/memory/1060-25-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	xmrig
behavioral2/files/0x0008000000023424-17.dat	xmrig
behavioral2/memory/3020-14-0x00007FF624D20000-0x00007FF625074000-memory.dmp	xmrig
behavioral2/memory/3688-118-0x00007FF737520000-0x00007FF737874000-memory.dmp	xmrig
behavioral2/files/0x0007000000023436-125.dat	xmrig
behavioral2/memory/2096-130-0x00007FF611100000-0x00007FF611454000-memory.dmp	xmrig
behavioral2/files/0x0007000000023437-128.dat	xmrig
behavioral2/memory/3692-126-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023422-120.dat	xmrig
behavioral2/memory/1692-119-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp	xmrig
behavioral2/memory/3880-117-0x00007FF79A1D0000-0x00007FF79A524000-memory.dmp	xmrig
behavioral2/memory/3372-134-0x00007FF7925A0000-0x00007FF7928F4000-memory.dmp	xmrig
behavioral2/memory/2616-133-0x00007FF707280000-0x00007FF7075D4000-memory.dmp	xmrig
behavioral2/memory/1060-111-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	xmrig
behavioral2/memory/3020-110-0x00007FF624D20000-0x00007FF625074000-memory.dmp	xmrig
behavioral2/files/0x0007000000023435-114.dat	xmrig
behavioral2/memory/3152-135-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp	xmrig
behavioral2/memory/3676-136-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp	xmrig
behavioral2/memory/1980-137-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp	xmrig
behavioral2/memory/2764-138-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp	xmrig
behavioral2/memory/1972-139-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp	xmrig
behavioral2/memory/1692-140-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp	xmrig
behavioral2/memory/2096-141-0x00007FF611100000-0x00007FF611454000-memory.dmp	xmrig
behavioral2/memory/1608-142-0x00007FF632E10000-0x00007FF633164000-memory.dmp	xmrig
behavioral2/memory/3020-143-0x00007FF624D20000-0x00007FF625074000-memory.dmp	xmrig
behavioral2/memory/1060-144-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	xmrig
behavioral2/memory/3688-145-0x00007FF737520000-0x00007FF737874000-memory.dmp	xmrig
behavioral2/memory/3304-146-0x00007FF758D00000-0x00007FF759054000-memory.dmp	xmrig
behavioral2/memory/1360-147-0x00007FF6A6DF0000-0x00007FF6A7144000-memory.dmp	xmrig
behavioral2/memory/3692-148-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1608	xmUNewP.exe
3020	ZyBavie.exe
1060	JFuPMpg.exe
3688	NfrRSTw.exe
3692	MHgiVDT.exe
3304	mTwEJpT.exe
2572	pstiRlY.exe
2616	IPMtAWA.exe
1360	HZLmpbE.exe
3152	LAfwGQj.exe
3676	CxdRHrt.exe
1980	QuZvFGd.exe
1340	iqXbaUp.exe
2240	tsrtsqo.exe
2764	hhpSEwh.exe
1972	OfiywxL.exe
1968	lxTmgrA.exe
3880	eweMbQC.exe
1692	dHnPCMx.exe
2096	xIqCzME.exe
3372	yYKESHQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4480-0-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	upx
behavioral2/files/0x0007000000023298-4.dat	upx
behavioral2/files/0x0007000000023425-7.dat	upx
behavioral2/memory/1608-10-0x00007FF632E10000-0x00007FF633164000-memory.dmp	upx
behavioral2/files/0x0007000000023426-28.dat	upx
behavioral2/files/0x0007000000023429-40.dat	upx
behavioral2/files/0x000700000002342b-44.dat	upx
behavioral2/memory/1360-56-0x00007FF6A6DF0000-0x00007FF6A7144000-memory.dmp	upx
behavioral2/memory/2572-61-0x00007FF718280000-0x00007FF7185D4000-memory.dmp	upx
behavioral2/files/0x000700000002342e-70.dat	upx
behavioral2/files/0x0007000000023430-83.dat	upx
behavioral2/memory/4480-93-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	upx
behavioral2/files/0x0007000000023434-101.dat	upx
behavioral2/memory/1968-106-0x00007FF77C480000-0x00007FF77C7D4000-memory.dmp	upx
behavioral2/files/0x0007000000023433-104.dat	upx
behavioral2/memory/1972-103-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp	upx
behavioral2/files/0x0007000000023431-99.dat	upx
behavioral2/memory/2764-98-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp	upx
behavioral2/memory/2240-97-0x00007FF704DF0000-0x00007FF705144000-memory.dmp	upx
behavioral2/memory/1340-95-0x00007FF7974D0000-0x00007FF797824000-memory.dmp	upx
behavioral2/memory/1608-94-0x00007FF632E10000-0x00007FF633164000-memory.dmp	upx
behavioral2/files/0x000700000002342f-81.dat	upx
behavioral2/files/0x000700000002342d-75.dat	upx
behavioral2/memory/1980-74-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp	upx
behavioral2/memory/3676-68-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp	upx
behavioral2/files/0x000700000002342a-65.dat	upx
behavioral2/files/0x000700000002342c-63.dat	upx
behavioral2/memory/3152-67-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp	upx
behavioral2/memory/2616-53-0x00007FF707280000-0x00007FF7075D4000-memory.dmp	upx
behavioral2/memory/3304-46-0x00007FF758D00000-0x00007FF759054000-memory.dmp	upx
behavioral2/memory/3692-37-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	upx
behavioral2/files/0x0007000000023428-35.dat	upx
behavioral2/memory/3688-31-0x00007FF737520000-0x00007FF737874000-memory.dmp	upx
behavioral2/files/0x0007000000023427-29.dat	upx
behavioral2/memory/1060-25-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	upx
behavioral2/files/0x0008000000023424-17.dat	upx
behavioral2/memory/3020-14-0x00007FF624D20000-0x00007FF625074000-memory.dmp	upx
behavioral2/memory/3688-118-0x00007FF737520000-0x00007FF737874000-memory.dmp	upx
behavioral2/files/0x0007000000023436-125.dat	upx
behavioral2/memory/2096-130-0x00007FF611100000-0x00007FF611454000-memory.dmp	upx
behavioral2/files/0x0007000000023437-128.dat	upx
behavioral2/memory/3692-126-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	upx
behavioral2/files/0x0008000000023422-120.dat	upx
behavioral2/memory/1692-119-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp	upx
behavioral2/memory/3880-117-0x00007FF79A1D0000-0x00007FF79A524000-memory.dmp	upx
behavioral2/memory/3372-134-0x00007FF7925A0000-0x00007FF7928F4000-memory.dmp	upx
behavioral2/memory/2616-133-0x00007FF707280000-0x00007FF7075D4000-memory.dmp	upx
behavioral2/memory/1060-111-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	upx
behavioral2/memory/3020-110-0x00007FF624D20000-0x00007FF625074000-memory.dmp	upx
behavioral2/files/0x0007000000023435-114.dat	upx
behavioral2/memory/3152-135-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp	upx
behavioral2/memory/3676-136-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp	upx
behavioral2/memory/1980-137-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp	upx
behavioral2/memory/2764-138-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp	upx
behavioral2/memory/1972-139-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp	upx
behavioral2/memory/1692-140-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp	upx
behavioral2/memory/2096-141-0x00007FF611100000-0x00007FF611454000-memory.dmp	upx
behavioral2/memory/1608-142-0x00007FF632E10000-0x00007FF633164000-memory.dmp	upx
behavioral2/memory/3020-143-0x00007FF624D20000-0x00007FF625074000-memory.dmp	upx
behavioral2/memory/1060-144-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp	upx
behavioral2/memory/3688-145-0x00007FF737520000-0x00007FF737874000-memory.dmp	upx
behavioral2/memory/3304-146-0x00007FF758D00000-0x00007FF759054000-memory.dmp	upx
behavioral2/memory/1360-147-0x00007FF6A6DF0000-0x00007FF6A7144000-memory.dmp	upx
behavioral2/memory/3692-148-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MHgiVDT.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HZLmpbE.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tsrtsqo.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xIqCzME.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xmUNewP.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZyBavie.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JFuPMpg.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dHnPCMx.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yYKESHQ.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NfrRSTw.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QuZvFGd.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hhpSEwh.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lxTmgrA.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eweMbQC.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IPMtAWA.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CxdRHrt.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OfiywxL.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iqXbaUp.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mTwEJpT.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pstiRlY.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LAfwGQj.exe	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1608	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	83
PID 4480 wrote to memory of 1608	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	83
PID 4480 wrote to memory of 3020	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	84
PID 4480 wrote to memory of 3020	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	84
PID 4480 wrote to memory of 1060	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	85
PID 4480 wrote to memory of 1060	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	85
PID 4480 wrote to memory of 3692	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	86
PID 4480 wrote to memory of 3692	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	86
PID 4480 wrote to memory of 3688	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	87
PID 4480 wrote to memory of 3688	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	87
PID 4480 wrote to memory of 3304	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	88
PID 4480 wrote to memory of 3304	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	88
PID 4480 wrote to memory of 2572	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	89
PID 4480 wrote to memory of 2572	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	89
PID 4480 wrote to memory of 2616	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	90
PID 4480 wrote to memory of 2616	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	90
PID 4480 wrote to memory of 1360	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	91
PID 4480 wrote to memory of 1360	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	91
PID 4480 wrote to memory of 3152	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	92
PID 4480 wrote to memory of 3152	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	92
PID 4480 wrote to memory of 3676	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	93
PID 4480 wrote to memory of 3676	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	93
PID 4480 wrote to memory of 1980	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	94
PID 4480 wrote to memory of 1980	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	94
PID 4480 wrote to memory of 1340	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	95
PID 4480 wrote to memory of 1340	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	95
PID 4480 wrote to memory of 2240	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	96
PID 4480 wrote to memory of 2240	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	96
PID 4480 wrote to memory of 2764	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	97
PID 4480 wrote to memory of 2764	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	97
PID 4480 wrote to memory of 1972	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	98
PID 4480 wrote to memory of 1972	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	98
PID 4480 wrote to memory of 1968	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	99
PID 4480 wrote to memory of 1968	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	99
PID 4480 wrote to memory of 3880	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	100
PID 4480 wrote to memory of 3880	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	100
PID 4480 wrote to memory of 1692	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	101
PID 4480 wrote to memory of 1692	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	101
PID 4480 wrote to memory of 2096	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	102
PID 4480 wrote to memory of 2096	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	102
PID 4480 wrote to memory of 3372	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	103
PID 4480 wrote to memory of 3372	4480	2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1cea6ebf5e3a8e136678bb226b1647a8_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\System\xmUNewP.exe
  C:\Windows\System\xmUNewP.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\ZyBavie.exe
  C:\Windows\System\ZyBavie.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\JFuPMpg.exe
  C:\Windows\System\JFuPMpg.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\MHgiVDT.exe
  C:\Windows\System\MHgiVDT.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\NfrRSTw.exe
  C:\Windows\System\NfrRSTw.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\mTwEJpT.exe
  C:\Windows\System\mTwEJpT.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\pstiRlY.exe
  C:\Windows\System\pstiRlY.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\IPMtAWA.exe
  C:\Windows\System\IPMtAWA.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\HZLmpbE.exe
  C:\Windows\System\HZLmpbE.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\LAfwGQj.exe
  C:\Windows\System\LAfwGQj.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\CxdRHrt.exe
  C:\Windows\System\CxdRHrt.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\QuZvFGd.exe
  C:\Windows\System\QuZvFGd.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\iqXbaUp.exe
  C:\Windows\System\iqXbaUp.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\tsrtsqo.exe
  C:\Windows\System\tsrtsqo.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\hhpSEwh.exe
  C:\Windows\System\hhpSEwh.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\OfiywxL.exe
  C:\Windows\System\OfiywxL.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\lxTmgrA.exe
  C:\Windows\System\lxTmgrA.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\eweMbQC.exe
  C:\Windows\System\eweMbQC.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\dHnPCMx.exe
  C:\Windows\System\dHnPCMx.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\xIqCzME.exe
  C:\Windows\System\xIqCzME.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\yYKESHQ.exe
  C:\Windows\System\yYKESHQ.exe
  2⤵
  - Executes dropped EXE
  PID:3372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CxdRHrt.exe

Filesize
5.9MB

MD5
aa724380880cfde17de930c99d834d27

SHA1
50d6f4cba1e91b75e38636d01a218ec8b1fb17f8

SHA256
9de9451f13b622e23df9b09868dc84396197b9244c54b388cb5c699b08043b26

SHA512
d33e998af9f31f9314e81a3b5874ba2dd4820c2e14fee0ada0f96142c2508f85db500d3e39e9055c1bd0ac78376518fc9a294739053a6a1b463842ccf37de70f

Download Submit
C:\Windows\System\HZLmpbE.exe

Filesize
5.9MB

MD5
ccdc1479eee9db2641aecb08a8ac6103

SHA1
7db95408e786068848025134a80449de4b5321eb

SHA256
47b4d859c90df73cbe6895ec98a1943862a317ff1f4d02802272abea610b7f06

SHA512
e05aef2495b15d3b50e9f73db64425eadcab8c9a9ca3f9157658e95db7c20223a403301ab58e1823117b61293b6a8c86fb21b55dd0b34ecc341300d2887f625a

Download Submit
C:\Windows\System\IPMtAWA.exe

Filesize
5.9MB

MD5
0df539245e15e6e812680069d2974967

SHA1
4485629c14575bba5f84558031aa8bc8a400447d

SHA256
a9b40f7dc178d231ebaf41064b7ea4dbc4e205c02e8960962476b1f09acc6954

SHA512
4aecc9791430aeab8ae87502ead662f9e5dd079beca9a758a1425f41e8f1b08a8430fc4361776a0495245faa51d953454de2df90621c872886dbff1dbfdad995

Download Submit
C:\Windows\System\JFuPMpg.exe

Filesize
5.9MB

MD5
bff3f28efc2895b3f2c75cd5ccc64c5f

SHA1
67a94ff5e46b2c288d39416de4e482aaa904162c

SHA256
2949429fee6e797ba7e04e4ca72c726f36f9d9e55d1ed79050ac0d2fce01d771

SHA512
ae6c56d940ed3f498da1f0802c9fb35c6a91b03843e6fdff11cdde04e52d4dc84bc146c88ab40dc2b1beaf5ef34d610a486da86f21462c7dd70cff20acbbc965

Download Submit
C:\Windows\System\LAfwGQj.exe

Filesize
5.9MB

MD5
9f609991161cde7ce1c89e659fb85334

SHA1
7645a294b20c8d50c06c2228cb2ac31510cdb91e

SHA256
c0c893c19db075ecf1b45c29395bbf657a2e609e9c21c7678110e57adb22c913

SHA512
075d46ca6419772c0c2a5543a5a7df7724ba558158e230656a32b4968e7ff9b0646e67b23dd6e06eff7b1f3f6354594dd8f5704652b6e0c09a12d62eedc19db2

Download Submit
C:\Windows\System\MHgiVDT.exe

Filesize
5.9MB

MD5
dbc3d1367baf7106d5ae0a5ef0117ed9

SHA1
270a721fba4624451e877389acfaa9ce525bf9ec

SHA256
576c7be7edcd11e214aaf3100e7893d28b20d4815390768857532cf38f39d9d4

SHA512
3f4a3263d787ae50e67d74aee92fc9d4991a7fbcdb05c8570d135bff2b991bb2445047f5dbf053fa5194ef2194f2adf515ecce41203f8725a87fd82294c6473f

Download Submit
C:\Windows\System\NfrRSTw.exe

Filesize
5.9MB

MD5
91af4d364587aed9d677d920f4a0b0f4

SHA1
17dbdbe5a3fd7bfe1f6b10aa5555cf6070a30801

SHA256
71f8bc0620ad31c78822d7d7dff7860ed779bb6075c788a4f65b1efc1992465a

SHA512
6698fd136e1a3ba99646af62f3da51f5d77cd232d9407ef1ad02801379956f593386de1812f4b42d3bda05095590b28e1bed952fbc78dc36a65c60985e6b7d08

Download Submit
C:\Windows\System\OfiywxL.exe

Filesize
5.9MB

MD5
12240e4829f0eff80fb9713a44a179b4

SHA1
9339c51d950f8b8a85cf4b982f512018720ede98

SHA256
5472731d776fd212e2ac4b39c1c8779c6bb9afe2a3742797a828ca4048309a31

SHA512
cfafb84b438765ca7c675c6f9793f674ea90f7e60f1da99b50c36f48254482b3a04b0719461556817c4feb203d8a4cce6dcd8425a4a2c22a2c810de8f6856dfd

Download Submit
C:\Windows\System\QuZvFGd.exe

Filesize
5.9MB

MD5
8af2107a893cc633a1faebe4da2508a6

SHA1
e0f85df753f104921a01bc63248e2571257206b9

SHA256
727a29c6766260dd341917c9735f6d98bbe4a45eb2fa05b7f1926aea8a729007

SHA512
d22f045b8a95c0b77afcb8b6e7b0fb22fce7180328fd745c923130f97631a48b215abb57eb9373be0b22d8f2387f39d5188f060b1d1291fbac8d21778fbc7fb8

Download Submit
C:\Windows\System\ZyBavie.exe

Filesize
5.9MB

MD5
811b9904d20ffa6e6ed02db4830551ff

SHA1
bfa212789be931d1b2d95a1691839f9cd46a0637

SHA256
0e16eabd02ac80698d972f11779a4edb7bdec9c8f0a0c8f8d926dc52536b4490

SHA512
737d2b993d96a53c2629e112abbd5ba69136e9ad9bb18881fb9604dd8dd57650853b671475575e752b301161acc4acc2344024d2fddaf2fd6666e17172c7c50c

Download Submit
C:\Windows\System\dHnPCMx.exe

Filesize
5.9MB

MD5
9c5ed81726a81b0dc8df559a05ab7eb4

SHA1
796e749a2c7285330cfb5d2b5a8e3604eaa228b4

SHA256
31e28f6426ec2a2124d54bd8f84b86cafd2802e301db9346965a05e10777442a

SHA512
28f1ae765b473572df04be52dc8c481f71a2ba0a9d9cfc509350a0ef8b273d75d9641ea5ec920f9646496f8e8b231150c5df1ae66881400346079f1bf0bcf5de

Download Submit
C:\Windows\System\eweMbQC.exe

Filesize
5.9MB

MD5
7d22c4982183a7b94e9eacd73435f907

SHA1
9d348f47f96ddaba160ee7fd52d726ff3be22386

SHA256
0ea90381fcaef0c3116825d2ab65d7e8c5c5aac19955a8ae6bd517c8051c6829

SHA512
6e6418cb587337dd681eec2532da947d772ae769d1cb9305e3fb9753f46f270e2854086d3d372f9f0c9c3822f0efde686db9bb6fbccd2c703db7f9641c053273

Download Submit
C:\Windows\System\hhpSEwh.exe

Filesize
5.9MB

MD5
4040f2866ab6bb301cbe904ec7156c0e

SHA1
987636441c8be3bee980a15a524f4fb9c4acb9da

SHA256
7d86c9d1ffffeb50a5a4940513c06c141e4da1dd1978517e908f8ecc74173d55

SHA512
c9c712abefb32f9af0b75b921f68bacb730f1940023e1c363f2c3a49ff3badfcd8b830f82321bfd9232b3cf7465a7c0c2316b4b8a36a8b652394647b55f4629d

Download Submit
C:\Windows\System\iqXbaUp.exe

Filesize
5.9MB

MD5
bf4a56050c00a5f7b4bf410fe14a45de

SHA1
ef0100e0f1c5b4f35c0b0f5075f69124ee9d1a80

SHA256
2787d3923441555a05df7503078309a0788c06c821fdeead08e3296db42042b4

SHA512
6cd36a8ab28ffdccdc576304792f765d0f1f60b70ea3ac6e538427a726844b41ce7d2e1aef685392ef391fc21cda7cf4a72646689a5ba9c5a5e669d06acea923

Download Submit
C:\Windows\System\lxTmgrA.exe

Filesize
5.9MB

MD5
7ee7c41aa732b1989dc7e93d26958be7

SHA1
53dfa6d62831d9e72edfc07f0609129436f133e7

SHA256
7bb4581e6a8b04516a98b65794182bbe05fb0460fecdaf8a2b4e07a223261fbb

SHA512
e2a14b4e04bf49d1597f15658c656d7dfe593cb3ed9d28fc9d3089b1ea25709b5b7e4cf54e02c3faa84d9617820f70193a9666f1c3f64791d2ac435dba5d60e2

Download Submit
C:\Windows\System\mTwEJpT.exe

Filesize
5.9MB

MD5
254c0dce71371372e9f47ca19ce74b2b

SHA1
ea3ecfe7f3fb852701bde4cb6cd457c1c6964ec5

SHA256
356baa5178ec613206d5a8861f84438f0a7abfd072ec808f6b133de7822f16e9

SHA512
27afbdceabdf6f63414f602dc0c94cd718b76b8b1b7d5123c1b60d4c4bf14ab3ee30e4afe09489122e2dc6c490159c21dee64d7d79aa0b0ea7d59e708adcfefa

Download Submit
C:\Windows\System\pstiRlY.exe

Filesize
5.9MB

MD5
377ce2ac1f9dd5ad46bdf862a1ac2ae8

SHA1
e9146d9e7296833f259f89070a316193dd01cf32

SHA256
88761c989558810a24513146165a24ebd1f1c539c01fc02622495db0c2546862

SHA512
13b8fac27068f29df2dae354583d0719b131774b6c524cc735f46a168210b93a59724e53a88ae5be967ece8d20319b21fa5d584e6fbc0a40ba16dbbe5b7558d3

Download Submit
C:\Windows\System\tsrtsqo.exe

Filesize
5.9MB

MD5
332232af70414ac21b0533bf790f9fc6

SHA1
1ae966586b7b91d7f864acbd1f9f0a2c67c4ec1c

SHA256
184add0a6ff4cba97eff621a6f8d06afc89f4f9daf6acbc8f7c1851e85275d67

SHA512
29a16b8f41a914b45b1bed5f941d89314407a9e86e14c2356e36a8b1f2ab0def3cbe45cac8640a04481558d0b3fea6d07fb283d66f72a17c1f3918f29a1a1755

Download Submit
C:\Windows\System\xIqCzME.exe

Filesize
5.9MB

MD5
5bdea3724d9434ebef9664de230d5958

SHA1
42ec14f9f40a55c2f3c5f67ca60dc6e6587901af

SHA256
860f899b5d67dbbc4d7cd992d11d07879669176f2633c9a72c7f76e8cfdd8189

SHA512
0b447b38bfbdc0690e2ed247f20d8a9f7dcf6d6fc8d36fb974acb923fcade6e3709a10a168f9298b255d93092bd5cd19124058a151ae40dab780d401923f4bc9

Download Submit
C:\Windows\System\xmUNewP.exe

Filesize
5.9MB

MD5
f86fa893d1b45d611b03efe0813bb4f6

SHA1
deede9cc3dfb2c6619ba87e4f81acc4ce4e2fe41

SHA256
13ef3e34f8abddf01ceff74584ae34c3a902c550d23aeb67a3e229e8338ffd34

SHA512
53287df404588e2d3ea17e49d814edd4f7c88d3316b5550bae627eae2ee08d8527cc62502fab4cde3cbcbb0a2bab57dc4573c162b849c6e1137ba885f7c22cd8

Download Submit
C:\Windows\System\yYKESHQ.exe

Filesize
5.9MB

MD5
8dae660a33af954cb444b9af9a83c35b

SHA1
739b0c4bbfcfe8514edcf3d136673ed1054da9d5

SHA256
df524b43a3d13b32e122e63d483bb9316f7f3f4a02009c6fb6c1151a23314ca9

SHA512
8d513995f406b19857c28f1e72902815f2a83e25a4d1b11eee508d3eb5f6be77e98c694263f0d21ca9f238ff0572c39fc53e72a20563c30239f32d1b4d1072cb

Download Submit
memory/1060-25-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp

Filesize
3.3MB

Download
memory/1060-144-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp

Filesize
3.3MB

Download
memory/1060-111-0x00007FF621AB0000-0x00007FF621E04000-memory.dmp

Filesize
3.3MB

Download
memory/1340-155-0x00007FF7974D0000-0x00007FF797824000-memory.dmp

Filesize
3.3MB

Download
memory/1340-95-0x00007FF7974D0000-0x00007FF797824000-memory.dmp

Filesize
3.3MB

Download
memory/1360-147-0x00007FF6A6DF0000-0x00007FF6A7144000-memory.dmp

Filesize
3.3MB

Download
memory/1360-56-0x00007FF6A6DF0000-0x00007FF6A7144000-memory.dmp

Filesize
3.3MB

Download
memory/1608-10-0x00007FF632E10000-0x00007FF633164000-memory.dmp

Filesize
3.3MB

Download
memory/1608-142-0x00007FF632E10000-0x00007FF633164000-memory.dmp

Filesize
3.3MB

Download
memory/1608-94-0x00007FF632E10000-0x00007FF633164000-memory.dmp

Filesize
3.3MB

Download
memory/1692-119-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp

Filesize
3.3MB

Download
memory/1692-160-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp

Filesize
3.3MB

Download
memory/1692-140-0x00007FF6FDC30000-0x00007FF6FDF84000-memory.dmp

Filesize
3.3MB

Download
memory/1968-156-0x00007FF77C480000-0x00007FF77C7D4000-memory.dmp

Filesize
3.3MB

Download
memory/1968-106-0x00007FF77C480000-0x00007FF77C7D4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-139-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp

Filesize
3.3MB

Download
memory/1972-158-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp

Filesize
3.3MB

Download
memory/1972-103-0x00007FF72D840000-0x00007FF72DB94000-memory.dmp

Filesize
3.3MB

Download
memory/1980-137-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-74-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-152-0x00007FF6A4950000-0x00007FF6A4CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2096-130-0x00007FF611100000-0x00007FF611454000-memory.dmp

Filesize
3.3MB

Download
memory/2096-162-0x00007FF611100000-0x00007FF611454000-memory.dmp

Filesize
3.3MB

Download
memory/2096-141-0x00007FF611100000-0x00007FF611454000-memory.dmp

Filesize
3.3MB

Download
memory/2240-97-0x00007FF704DF0000-0x00007FF705144000-memory.dmp

Filesize
3.3MB

Download
memory/2240-154-0x00007FF704DF0000-0x00007FF705144000-memory.dmp

Filesize
3.3MB

Download
memory/2572-61-0x00007FF718280000-0x00007FF7185D4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-149-0x00007FF718280000-0x00007FF7185D4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-150-0x00007FF707280000-0x00007FF7075D4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-133-0x00007FF707280000-0x00007FF7075D4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-53-0x00007FF707280000-0x00007FF7075D4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-98-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-157-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-138-0x00007FF6FD170000-0x00007FF6FD4C4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-110-0x00007FF624D20000-0x00007FF625074000-memory.dmp

Filesize
3.3MB

Download
memory/3020-14-0x00007FF624D20000-0x00007FF625074000-memory.dmp

Filesize
3.3MB

Download
memory/3020-143-0x00007FF624D20000-0x00007FF625074000-memory.dmp

Filesize
3.3MB

Download
memory/3152-151-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp

Filesize
3.3MB

Download
memory/3152-135-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp

Filesize
3.3MB

Download
memory/3152-67-0x00007FF73AF60000-0x00007FF73B2B4000-memory.dmp

Filesize
3.3MB

Download
memory/3304-146-0x00007FF758D00000-0x00007FF759054000-memory.dmp

Filesize
3.3MB

Download
memory/3304-46-0x00007FF758D00000-0x00007FF759054000-memory.dmp

Filesize
3.3MB

Download
memory/3372-161-0x00007FF7925A0000-0x00007FF7928F4000-memory.dmp

Filesize
3.3MB

Download
memory/3372-134-0x00007FF7925A0000-0x00007FF7928F4000-memory.dmp

Filesize
3.3MB

Download
memory/3676-136-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp

Filesize
3.3MB

Download
memory/3676-153-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp

Filesize
3.3MB

Download
memory/3676-68-0x00007FF6996F0000-0x00007FF699A44000-memory.dmp

Filesize
3.3MB

Download
memory/3688-145-0x00007FF737520000-0x00007FF737874000-memory.dmp

Filesize
3.3MB

Download
memory/3688-31-0x00007FF737520000-0x00007FF737874000-memory.dmp

Filesize
3.3MB

Download
memory/3688-118-0x00007FF737520000-0x00007FF737874000-memory.dmp

Filesize
3.3MB

Download
memory/3692-37-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp

Filesize
3.3MB

Download
memory/3692-126-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp

Filesize
3.3MB

Download
memory/3692-148-0x00007FF66EC70000-0x00007FF66EFC4000-memory.dmp

Filesize
3.3MB

Download
memory/3880-159-0x00007FF79A1D0000-0x00007FF79A524000-memory.dmp

Filesize
3.3MB

Download
memory/3880-117-0x00007FF79A1D0000-0x00007FF79A524000-memory.dmp

Filesize
3.3MB

Download
memory/4480-0-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp

Filesize
3.3MB

Download
memory/4480-93-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp

Filesize
3.3MB

Download
memory/4480-1-0x000001DD79AB0000-0x000001DD79AC0000-memory.dmp

Filesize
64KB

Download